
Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult

Apr 29, 2026  Twila Rosenbaum

Keeping up with new privacy and cybersecurity laws will prove challenging for enterprises in 2026, many of which already struggle to determine which laws apply to them. Artificial intelligence (AI) further complicates matters, expanding data and privacy concerns through increased third-party risks, new data collection and sharing challenges, and additional attack vectors.

That trend will persist into 2026, building on a turbulent 2025 when the Department of Justice announced compliance for a new Data Security Program, the Federal Trade Commission updated the Children's Online Privacy Protection Act (COPPA), and the US Department of Health and Human Services proposed amendments to the Health Insurance Portability and Accountability Act (HIPAA) security rule. These developments highlight how drastically the landscape has evolved over the past decade, demonstrating the difficulty of compliance.

What's on the Docket for 2026?

Compliance will be a major project for enterprises this year. Many are still striving to adhere to laws announced or passed in 2025. The key priorities for US clients of law firm McDermott, Will and Schulte include minimum age requirements for apps, expanded data privacy requirements, and regulations on AI use in human resources, according to partner David Saunders.

App age signal laws remain a top concern. State regulations would require app stores and developers to verify ages during downloads and purchases. In late December 2025, a federal judge temporarily blocked a Texas law scheduled to take effect Jan. 1, 2026. A similar Louisiana law was struck down by the state supreme court (with an appeal planned), while a Utah law took effect in mid-2025. Companies are focused on the issue because Apple and Google have released API documentation, putting additional responsibility on developers to restrict content for children under 13. Saunders notes that many companies scrambled to prepare only to have courts enjoin the laws days before they took effect, and legal challenges keep matters uncertain.

New California Consumer Privacy Act (CCPA) requirements will also be a major undertaking. Mandatory cyber-risk audits and risk assessments will come into effect, along with stricter rules for sensitive information, data collection, and consent notices. Preparation starts now.

Finally, HR AI laws regulating the use of AI in hiring, firing, and promotion decisions are a focus. Resume screening raises discrimination and bias concerns. Illinois passed a law amending its Human Rights Act, effective Jan. 1, 2026. Saunders emphasizes that companies are now catching up to these existing laws.

Federal Landscape and State Enforcement

Demian Ahn, a data, cybersecurity, and privacy partner at Wilson Sonsini, notes that a proposed amendment to the HIPAA Security Rule is a big question for clients. He anticipates regulations may be less prescriptive than originally proposed, while national security-related rules align with the DoJ's Data Security Program. The Cyber Incident Reporting for Critical Infrastructure (CIRCIA) rule is due for implementation in May 2026.

However, predictions for the federal legal environment in 2026 leave many question marks. The Trump administration has been inconsistent on cybersecurity, with a divergence between harmonization and simply not enforcing proposed regulations. If this trend continues, enforcement will likely target organizations with national security implications, while AI dominates headlines.

At the state level, attorney general offices will step into the enforcement void, continuing to enforce existing privacy laws and target companies. Saunders agrees that no significant federal privacy or AI legislation is expected, saying, "If anything happens on the federal level, I'll give you a nickel. I think it's going to continue to be on the state level, and frankly that's more complicated and introduces more burdensome compliance rubrics for companies." Companies would prefer federal legislation to avoid the patchwork of state laws.

Expect the Unexpected

Regardless of what new laws emerge, figuring out which apply remains the most challenging aspect for companies. Saunders notes that each state likes its own slightly different definition, making compliance a moving target. "The fun thing about privacy in my world is there's going to be something this year that I didn't expect," he says.

He advises that companies cannot know every law in every jurisdiction—there is no such thing as a 100% privacy-compliant company. The best approach is to identify the laws generating the most risk and requiring the most investment, handle compliance for those, and rely on a trickle-down effect that often covers other applicable laws. "The question is, 'How do you find the ones who are generating the most risk and will require the most investment?' Stay on top of the big things, handle compliance with those, and there's usually an excellent trickle-down effect where you'll almost by accident comply with other laws that apply to you that you may not even know."


Source: Dark Reading News

