Keeping up with new privacy and cybersecurity laws has become increasingly challenging for enterprises, which often struggle to determine which regulations apply to them. The rise of artificial intelligence (AI) exacerbates these issues by heightening data and privacy concerns and increasing third-party risks. Additionally, new technological tools present challenges in data collection and sharing, complicate regulatory compliance, and create new attack vectors.
This trend of complexity is expected to persist into 2026.
Updated laws and regulations are being introduced to safeguard valuable data and individual privacy. Notably, in 2025, the Department of Justice (DoJ) initiated compliance measures for a new Data Security Program, while the Federal Trade Commission updated the Children’s Online Privacy Protection Act. Furthermore, the US Department of Health and Human Services proposed amendments to the Health Insurance Portability and Accountability Act security rule. Each of these changes underscores the significant evolution of the regulatory landscape over the past decade and the difficulties organizations face in achieving compliance.
While it's challenging to predict the specific privacy and cybersecurity laws that will emerge in 2026, particularly at the federal level, it is evident that compliance challenges will continue. David Saunders, a privacy and cybersecurity partner at McDermott, Will, and Schulte, notes, "It's made more challenging by the frequency of how quickly things change in the environment. I get it, but it's hard to expect compliance from companies when it's constantly changing. At some point, it has a deterrent effect on compliance."
What's on the Docket for 2026?
As companies prepare for 2026, compliance will likely entail substantial projects. Many organizations are still working to adhere to laws enacted in 2025, yet they can apply lessons learned as new laws are finalized.
Three primary legal focal points for US clients, as identified by Saunders, are minimum age requirements for apps, expanded data privacy requirements, and regulations governing AI usage in human resources.
App age signal laws remain a major concern. These regulations would require app stores such as Google's and Apple's, as well as developers, to verify user ages during downloads and potentially for purchases. In late December, a federal judge temporarily blocked a Texas Senate bill known as the App Store Accountability Act, which was scheduled to take effect on January 1. Similarly, a Louisiana law faced a setback when it was struck down by the state supreme court, although an appeal is anticipated. Conversely, a law in Utah was enacted in mid-2025.
Despite the legal uncertainties, companies are proactively addressing these issues, especially since both Apple and Google have released API documentation. Developers may need to modify their code to comply with new standards under tight deadlines, which also places additional responsibilities on them to restrict content for users under 13 years of age.
Organizations are particularly focused on comprehending the implications of the Texas law while remaining vigilant about developments in Utah and Louisiana. "It's still front-of-mind because the laws were first of their kind," Saunders states.
However, many businesses found themselves scrambling to prepare for these regulations only to have courts intervene just days before their implementation. The ongoing appeals also leave many questions unanswered.
According to Saunders, "I anticipate legal challenges, but, in the meantime, companies at least have to prepare." Companies that derive revenue from advertising, especially makeup brands, face unique challenges due to age limit laws. Each item for sale on an app must be assigned an age rating, which can be cumbersome for companies with diverse product lines.
"That's a bad way to legislate and a bad way to seek compliance," warns Saunders, adding that while legislators may not have ill intentions, they might not fully grasp the burdens these regulations impose.
More to Come
New requirements under the California Consumer Privacy Act (CCPA) will also necessitate significant projects for many companies. While some requirements are already in effect, mandatory cyber-risk audits and assessments will take effect next year, according to Saunders. The CCPA will introduce stricter regulations regarding sensitive information, data collection, and consent notifications, necessitating early preparation.
Additionally, the use of AI in human resources, including resume screening and hiring practices, is becoming a critical focus as companies approach 2026. AI's ability to filter resumes rapidly raises concerns about discrimination and bias, prompting states to enact laws regulating AI's role in employment decisions. For example, Illinois has amended its Human Rights Act to address such discrimination risks, effective January 1.
"This year, companies are catching up to the reality that these laws now exist," Saunders observes.
Trump Administration 'Inconsistent' Regarding Cyber Policies
A proposed amendment to the HIPAA Security Rule remains a significant concern for many clients, according to Demian Ahn, a partner at Wilson Sonsini who specializes in data, cybersecurity, and privacy. He predicts that the regulations may be less prescriptive than initially proposed, although those related to national security will likely align with the DoJ's Data Security Program. One crucial rule, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), is set to be implemented in May.
However, the legal landscape at the federal level for 2026 is filled with uncertainties. Ahn remarks, "In 2025, the Trump administration has been inconsistent and a work in progress for cybersecurity. There's a big difference between harmonization, which was a focus of many administration officials and members of Congress, and not advancing proposed regulations."
If this trend continues, the administration will likely enforce existing laws and introduce new regulations for organizations in national security-related industries. Meanwhile, AI will remain a significant topic in cybersecurity discussions.
What Can Enterprises Expect at the State Level?
As the new year unfolds, companies can expect continued enforcement at the state level. Attorney general offices are poised to take on a more prominent role amid expectations of reduced federal enforcement, stepping in to fill a regulatory void, according to Ahn.
Saunders shares this perspective, predicting minimal federal legislation concerning privacy or AI. "If anything happens at the federal level, I'll give you a nickel," he remarks. He anticipates a continued focus on state regulations, which could complicate compliance for organizations.
Companies express a preference for federal legislation in the privacy domain, as navigating a patchwork of state laws poses significant compliance challenges. Furthermore, lawmakers often lack a deep understanding of how AI and privacy intersect with cybersecurity, complicating effective legislation.
Expect the Unexpected in 2026
As 2026 approaches, companies must grapple with the complexities of determining which laws apply to them. This challenge extends to legal professionals, as each state has its own slightly different regulations. "The fun thing about privacy in my world is that something unexpected will emerge this year," Saunders says.
The notion that a company can be fully aware of every single law across all jurisdictions is unrealistic. "There's no such thing as a 100% privacy-compliant company on the face of the planet," asserts Saunders. He advises companies to remain vigilant about new laws and compliance standards and to focus on the significant risks, since doing so often brings compliance with lesser-known regulations as a side effect.
"The question is, 'How do you find the ones who are generating the most risk and will require the most investment?'" he explains. "Stay on top of the big things, handle compliance with those, and there's usually a trickle-down effect where you'll almost by accident comply with other laws that apply to you that you may not even know."
Source: Dark Reading News