2026 Privacy Trends: What’s Coming in Enforcement, Compliance, and Consumer Expectations in Privacy in the US

December 25, 2025

We’ve seen so much movement in the privacy landscape in the last ten years. There was no indication that things were slowing down in 2025, and our predictions for 2026 suggest that the momentum will keep up in the new year.  

In this blog post, we provide a brief, high-level summary of what we saw this year before digging into five key trends – from compliance to enforcement to better privacy practices – we predict will dominate privacy discussions in 2026.  

What Happened in 2025 in Privacy 

2025 saw a lot of action in privacy globally, within the US, and within California more locally. GDPR enforcement activities in Europe remained high, with some significant penalties levied against US companies throughout the year. Meanwhile, California’s Privacy Protection Agency (CalPrivacy) also issued some significant fines. 

Outside of enforcement, we also saw a host of new compliance requirements introduced in 2025. We outlined some of the new state laws coming into effect in 2025 in an earlier post, so we recommend reading that post to get caught up. Worth noting on the compliance front going forward, privacy lawmaking efforts did not pass in Massachusetts and Vermont this year. However, it does seem to be an ongoing priority for lawmakers in both states.   

In California, the following are just some of the new laws that impact privacy rights: 

  • SB 446 (Data Breach Notification): Effective January 1, 2026, this law tightens the deadline for notifying victims of a data breach to a strict 30 days after discovery (replacing the previous “most expedient time” standard). 
  • DELETE Act (SB 362): This act creates a centralized “one-stop shop” allowing consumers to request the deletion of their personal data from all registered data brokers with a single request, which brokers must honor starting August 2026. 
  • AB 566 (Opt Me Out Act): Effective January 1, 2027, this mandates that all web browsers operating in California must feature a built-in, easy-to-use setting that sends a universal opt-out preference signal (like GPC) to every website a user visits.  
  • AB 656 (Social Media Deletion): This law requires large social media platforms to provide a clear, “dark pattern”-free “Delete Account” button that automatically and permanently deletes the user’s account and associated personal data. 
  • SB 361 (Defending Californians’ Data Act): Expanding on the DELETE Act, this requires data brokers to explicitly disclose whether they collect sensitive data (such as reproductive health, biometric, or citizenship status) and whether they sell it to government agencies or AI developers. 

Plus, a reminder that there are a range of CCPA regulations that will be going into effect on January 1, 2026, including:  

  1. Mandatory risk assessments in certain situations, such as selling or sharing personal information, processing sensitive personal information, and training certain automated technologies (among other things).  
  2. Mandatory opt-out mechanisms.  
  3. Accessibility requirements for requests to know.  
  4. New requirements on businesses to provide details about the source of incorrect information when asked.  
  5. Obligations to ensure that corrected information remains corrected.  
  6. A new right to contest the accuracy of health information.  
  7. Revised regulations deeming the personal information of consumers under 16 years old to be sensitive.  

5 Key Privacy Trends to Watch in 2026 

Tightening Enforcement of Opt-Out Signals 

We mentioned California’s Opt-Me-Out law, coming into effect in 2027 above – but that’s not the only change happening in the opt-out signal space. CalPrivacy issued a $1.3 million penalty in September against Tractor Supply Company (the largest rural lifestyle retailer in the US) for California Consumer Privacy Act (CCPA) violations. The violations included failing to provide an effective opt-out mechanism, as well as an inadequate privacy policy and privacy contracts, and failing to notify job applicants of their rights.  

American Honda Motor Co. and Todd Snyder Inc. were also issued mid-to-high six figure penalties for violations including failing to process consumer requests to opt out of the sale or sharing of personal information. In other words, this was a theme in enforcement in 2025.  

Going forward, we expect to see continued enforcement relating to opt-out signals throughout 2026. Worth noting is that Michael Macko, head of CalPrivacy’s Enforcement Division, stated in the press release covering the Todd Snyder, Inc. penalty that “using a consent management platform doesn’t get you off the hook for compliance.” In other words, blaming a misconfigured or malfunctioning third-party tool is not a defense: the business remains responsible for the signal actually being honored.  

As for your next steps towards compliance, review your existing practices to determine how easy it is for users to send an opt-out signal to your company online, and whether a browser-level signal such as GPC is actually applied once it arrives. If there is no symmetry in choice (opting out takes more steps than opting in) or user preferences aren’t being applied promptly, that should raise a flag for potential non-compliance.  
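To make the check above concrete, here is an added example (not code from the original post, and not any vendor’s consent-platform API) of the server-side logic a website needs in order to honor a browser opt-out preference signal. It follows the Global Privacy Control specification’s rule that the request header Sec-GPC carries exactly “1” and any other value counts as no signal; the cookie name, the tag catalogue and the function names are hypothetical, and the sample requests are constructed.

```python
"""Honoring an opt-out preference signal (GPC) server-side.

Added example, not code from the original post. It assumes a generic web
request represented as plain dicts of headers and cookies; the cookie name,
tag catalogue and function names are hypothetical, not any vendor's API.
The header rule follows the Global Privacy Control spec: the request header
Sec-GPC carries exactly "1", and any other value is treated as no signal.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

GPC_HEADER = "sec-gpc"                 # matched case-insensitively
OPT_OUT_COOKIE = "opt_out_sale_share"  # hypothetical first-party cookie


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    source: str      # "gpc-header", "prior-choice" or "none"


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so normalise before matching."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def evaluate_opt_out(headers: Mapping[str, str],
                     cookies: Mapping[str, str]) -> OptOutDecision:
    """Decide whether this request must be treated as opted out of sale/sharing."""
    gpc = _get_header(headers, GPC_HEADER)
    if gpc is not None and gpc.strip() == "1":
        return OptOutDecision(True, "gpc-header")
    # The signal only travels with requests from a GPC-enabled browser, so a
    # choice already recorded for this visitor must keep applying without it.
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return OptOutDecision(True, "prior-choice")
    return OptOutDecision(False, "none")


def response_cookies(decision: OptOutDecision) -> dict:
    """Persist a signal-derived opt-out so it survives requests without the header."""
    if decision.source == "gpc-header":
        return {OPT_OUT_COOKIE: "1"}
    return {}


def allowed_tags(decision: OptOutDecision,
                 tag_catalogue: Iterable[tuple[str, str]]) -> list[str]:
    """Return the third-party tags that may load on this response.

    tag_catalogue pairs a tag name with its purpose; anything classified as
    "sale_share" (ad tech, data-broker syncs) is dropped once the visitor is
    opted out, while purely functional tags are unaffected.
    """
    return [name for name, purpose in tag_catalogue
            if purpose != "sale_share" or not decision.opted_out]


def gpc_well_known(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, advertising that the site honors GPC."""
    return {"gpc": True, "lastUpdate": last_update}


# Constructed sample tag catalogue and requests (not captured traffic).
TAGS = [("analytics_first_party", "functional"),
        ("adtech_pixel", "sale_share"),
        ("data_broker_sync", "sale_share")]

if __name__ == "__main__":
    for hdrs, cks in [({"Sec-GPC": "1"}, {}),
                      ({"sec-gpc": "0"}, {}),
                      ({}, {OPT_OUT_COOKIE: "1"})]:
        d = evaluate_opt_out(hdrs, cks)
        print(d, allowed_tags(d, TAGS), response_cookies(d))
```

The point of the purpose classification is that an opt-out must stop the sale or sharing, not break the site; a consent platform that only hides a banner while the same pixels keep firing is precisely the gap the enforcement actions above targeted.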

More Privacy Risk Assessments Being Conducted 

A host of amendments to the CCPA regulations were approved in September 2025, including changes that require businesses to complete privacy risk assessments in certain situations that present a ‘significant risk’. CalPrivacy will require businesses to submit prescribed information regarding these assessments, so it’s not going to be a task you can do half-heartedly if required. 

The bar for what’s deemed an activity that poses a significant risk is not high. The following activities are some of the activities expressly included:  

  1. Selling or sharing personal information.  
  2. Processing sensitive personal information (with exclusions for employees or contracted workers).  
  3. Using automated decision-making technologies for a significant decision concerning a consumer. 
  4. Using automated processing to infer or extrapolate certain information about consumers if they’re applying for an educational program, job, study program, or to work as an independent contractor. 
  5. Using automated processing to infer or extrapolate certain information about a consumer based on their presence in a sensitive location.  
  6. Processing personal information to train certain automated decision-making technologies, including facial recognition or emotion recognition tools. 

The approved regulations provide some illustrative examples, if you’re interested.   

As a result, we’d expect to see a significant increase in the number of businesses conducting thorough privacy risk assessments throughout 2026 in anticipation of the law’s effective date in 2027.  

Greater Efforts to Manage Data Sprawl 

Stepping away from compliance and into more future-proof privacy practices, we’d expect to see increased interest from businesses in managing data sprawl.  

Data sprawl refers to the accumulation of data scattered across a disconnected network of software, devices, and storage locations (including copies in backups, exports, and shared drives). Sprawled data is challenging to secure and manage and, as a result, is difficult to correct and/or delete: a deletion request is only fully honored once every copy is gone. It’s also often invisible to IT, which makes it a significant privacy risk to your business.  

Managing data sprawl is a step towards a more mature privacy posture. It’s a step up from data mapping, which simply documents your data flows (though this remains an essential element of your privacy framework).  

Given the growing risks of unsecured data, we’d expect to see heavier reliance on systems that actively verify where data is and detect any unauthorized sharing of that data. We’d also expect to see greater reliance on tools or processes that automate data removal when it hits specific deadlines, such as a retention period measured from when a record was last needed.  
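As an added example of the automated-removal idea (not code from the original post), here is a small retention planner run over a constructed data inventory. It assumes an inventory that already records, for each copy of a record, the store it lives in, its data category and the date it was last needed; the retention schedule, record layout and function names are hypothetical. It also handles the two cases a practitioner would want covered: legal holds, which must override automated deletion, and records with no matching policy, which sprawl produces constantly and which should be surfaced rather than silently kept or purged.

```python
"""Retention enforcement over a data inventory.

Added example, not from the original post. It assumes an inventory that
records, per copy of a record, the store, data category and the date the
record was last needed; the policy table, record layout and function names
are hypothetical. Legal holds are modelled because deleting held data is the
classic failure mode of automated purging.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule, in days, per data category.
RETENTION_DAYS = {
    "marketing_contact": 365,
    "job_applicant": 730,
    "support_ticket": 1095,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    store: str            # where this copy lives (the sprawl dimension)
    category: str
    last_used: date
    legal_hold: bool = False


@dataclass(frozen=True)
class Action:
    record_id: str
    store: str
    action: str           # "delete", "retain", "hold" or "review"
    reason: str


def plan_retention(records, today: date) -> list[Action]:
    """Produce an auditable action per copy without touching any data."""
    actions = []
    for r in records:
        limit = RETENTION_DAYS.get(r.category)
        age = (today - r.last_used).days
        if limit is None:
            # Unclassified data is surfaced for a human, never auto-handled.
            actions.append(Action(r.record_id, r.store, "review",
                                  f"no policy for category {r.category!r}"))
        elif r.legal_hold:
            actions.append(Action(r.record_id, r.store, "hold",
                                  "legal hold overrides retention"))
        elif age > limit:
            actions.append(Action(r.record_id, r.store, "delete",
                                  f"{age}d exceeds {limit}d retention"))
        else:
            actions.append(Action(r.record_id, r.store, "retain",
                                  f"{age}d within {limit}d retention"))
    return actions


def copies_by_record(records) -> dict[str, list[str]]:
    """Group the stores holding each record; a deletion is complete only
    when every store in the list has purged its copy."""
    stores = defaultdict(set)
    for r in records:
        stores[r.record_id].add(r.store)
    return {rid: sorted(s) for rid, s in stores.items()}


# Constructed sample inventory (not real data).
TODAY = date(2026, 1, 1)
SAMPLE = [
    Record("c-100", "crm", "marketing_contact", date(2024, 6, 1)),
    Record("c-100", "backup-s3", "marketing_contact", date(2024, 6, 1)),
    Record("a-7", "ats", "job_applicant", date(2025, 3, 1)),
    Record("t-3", "helpdesk", "support_ticket", date(2022, 1, 1), legal_hold=True),
    Record("x-9", "shared-drive", "unknown_export", date(2023, 1, 1)),
]

if __name__ == "__main__":
    for a in plan_retention(SAMPLE, TODAY):
        print(a)
    print(copies_by_record(SAMPLE))
```

Running the planner in dry-run mode first and keeping the per-copy actions as an audit trail is what turns “we delete old data” into something you can evidence later; the grouping step is the part that matters for sprawl, since it shows the CRM deletion alone leaves a live copy in the backup bucket.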

Increasingly Sophisticated Cyber Attacks Against US Businesses 

There are a host of cyber developments expected in 2026, including increased reliance on autonomous AI agents. 

One threat that we expect will continue to grow is attackers logging into your systems with compromised credentials rather than breaking in. It’s becoming increasingly easy to deepfake audio and video, which means employees can no longer trust their ears or eyes in a business context. We anticipate a surge in social-engineering attacks against employees that either target businesses with poor security practices or bypass traditional multi-factor authentication methods (for example, by talking a help desk into resetting a password or enrolling a new device).  

So, we’d expect identity threat detection and response (ITDR) to become more mainstream this year. This change requires businesses to train their teams on the, at times, sci-fi-sounding risks that are emerging in the cyber-attack sphere. Training should focus on critical thinking about requests from other team members. In particular, it should cover processes for verifying someone’s identity through a separate, known channel before changing permissions, accessing data or documents, or making payments, particularly when the request involves a change of payment details.  

Moving from Consumer Data to Synthetic Data 

Finally, we may see a shift from businesses using consumer data to greater use of synthetic data. Synthetic data is information that is artificially generated to reflect the properties of real-world data without containing any actual personal information.  

Using synthetic data comes with significant perks, such as:  

  • Decreasing – or even eliminating – the risk of a data breach in the environments that only hold the synthetic copy (since real data isn’t processed or stored there). Note that the generator is usually built from real data, so that pipeline and its source data still need protecting, and the output should be checked for records it has reproduced outright. 
  • Solving data provenance issues in training models, since you created the data and own it entirely.  
  • Reducing red tape associated with access to data, since access doesn’t need to be as carefully managed.  
  • Reducing data residency risk, as properly generated synthetic data won’t trigger cross-border transfer mechanisms.  

Again, while this may sound futuristic, there are compelling business uses for synthetic data for many US businesses today. Examples of strategic use cases could be:  

  • Third-party collaboration with reduced risk: once a synthetic dataset has been checked for leakage of real records, businesses can share it with third parties – even offshore teams – without needing complex third-party vendor agreements.  
  • AI and Machine Learning Training: managing data deletion or correction is burdensome when that data has been used to train AI or other machines. Synthetic datasets can overcome this issue, since the data reflects real-world data but doesn’t include personal information from any individuals.  
  • Software testing: developers can use synthetic data to populate staging environments for stress testing – without risking the accidental exposure of real customer personal information or company intellectual property in less-secure sandbox environments.  

A final note: we wanted to include this trend since it’s interesting and has quite high potential value for businesses – but we aren’t sure 2026 will see widespread adoption. We’ll have to wait and see.  

If you’re looking to improve your business’ privacy practices going into 2026, reach out. Our privacy attorneys are available to help. 


Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
