Key Priorities for 2026
Issues to consider in allocating your budget
2025 brought significant changes in priorities among regulators and legislators on key privacy and advertising issues. We have our finger on the pulse, so to help you allocate your legal/compliance budget, we asked our team “What is one legal issue (or to-do item) to prioritize in 2026?” Here are our answers:
Auditing Opt-Out and DSR Compliance (from Justine Gottshall): So much of the enforcement by AGs has been around actual compliance that it is essential to audit whether your opt-outs (cookies and tracking technologies and form-based, typically around sales, sharing and targeting) and your DSR processes are working exactly as promised and intended. It is not sufficient to rely on disclosures or a third party – it is becoming essential to audit those processes regularly.
Protecting Minors’ Privacy (from Tatyana Ruderman): In 2025 we continued to see new minor privacy laws and requirements pass and take effect for younger than 18 and younger than 16 – we have also seen movement at the federal level on this bipartisan issue, with amendments to COPPA taking effect in April 2026. Some of the state laws have really strict requirements (for example some states are outright prohibiting sales/targeted advertising using minors’ data) – and some go beyond privacy and regulate platforms’ design and functionality. And, the standards for when these laws apply can be tricky. You may not think you are (or want to) targeting minors, but in practice, does your site actually attract, or is it likely to be accessed by, teens?
2026 New and Amended Consumer Privacy Laws (from Joyce Kim): Indiana, Kentucky, and Rhode Island will join the growing number of states with comprehensive privacy laws, while California, Connecticut, and Oregon are introducing amendments to their existing frameworks. Now is the time to update privacy notices and consumer rights mechanisms, and prepare for new data processing restrictions and enhanced protections for minors. For a detailed analysis of California's amendments, check out the Essential CA Privacy Update Series.
Donations (from Heather Nolan): Does your organization offer to make a donation in connection with someone’s behavior (“round up your purchase”, “follow us and we’ll donate”)? It’s time to consider your compliance requirements. Hawaii’s law is now in effect and is in some ways more expansive than the broad registration and other requirements from California’s law and regulations.
Food Labeling and Advertising (from Mindy Abern): Keep an eye on the FDA, which is working to modernize food labeling. In an effort to promote public health, we anticipate regulatory changes regarding front-of-package nutrition labeling and online product listings, as well as increased scrutiny of nutrient claims.
Check your uses of AI in your HR practices (from Dave Radmore): California continues to lead the way in privacy and AI regulation in the HR space. New regulations from the state’s civil rights department went into effect in October regarding the use of automated decision systems (broader than generative AI systems) that discriminate against protected classes of applicants or employees. And the CPPA introduced new regulations that go into effect on January 1, 2027 for the use of AI in connection with significant decisions, including employment decisions relating to hiring, promotions or benefits. The new regulations will require clear notice, mandatory risk assessments and affording employees and applicants rights to opt out of automated decision making and to appeal any decisions made using automated decision making. Early 2026 is the time to make sure your HR practices are compliant.
Rigorous Security Auditing (from Mark Paulding): Businesses should make sure that they are rigorously auditing their data security programs and remediating identified risks, vulnerabilities, and threats in a timely manner. Among the significant modifications in the amended CCPA regulations is a rather proscriptive approach to data security auditing. The new CCPA security auditing regulations set out explicit tasks to be performed, describe how audits should be performed and documented, and specify particular data security practices that must be addressed in audits (such as access management, secure software development, and network segmentation). It appears that a similarly proscriptive approach will be included in the amendments to the HIPAA Security Rule (expected to be promulgated around May 2026). These changes follow the trend seen in the New York Department of Financial Services cybersecurity regulations and the amendment of the GLB Safeguards Rule in recent years. Therefore, it is likely that other state and federal regulators will adopt similar requirements in the foreseeable future.
Subscription/Autorenewal Compliance (from Ben Stein): Even though the FTC’s Negative Option Rule (a/k/a “Click to Cancel”) did not ultimately take effect in 2025, subscription compliance issues were and will continue to be substantial fodder for enforcement authorities and class-action suits. If your business offers a subscription program - as so many do - ensuring that you’re clearly disclosing the subscription terms at the outset, securing adequate consent to those terms, making cancellation straightforward, and following all other compliance requirements continues to be a key priority.
Enhanced AI Disclosures/Consumer Protection (from Rosanne Yang): Businesses’ integration of AI into consumer-facing operations continues to grow. Despite the December White House Executive order casting uncertainty on certain types of state-level AI regulations, the need for transparency and accuracy in AI has not changed, as the FTC and other regulators continue to focus on deceptive practices. In 2026, businesses should establish robust disclosure frameworks that clearly identify when consumers are interacting with AI systems—whether in customer service, content generation, or decision-making processes—and what those systems are doing with their data (and revisit those for ongoing accuracy if disclosures are already in place). Businesses should also enhance their procedures for ensuring that AI-generated marketing claims and content are accurate, recognizing that companies remain liable for false or misleading statements by their AI tools.
Monitoring Influencers (Again!) (from Jamie Rubin): Is this microphone on? Regulators and plaintiffs’ attorneys will continue to pursue brands for influencers who fail to properly disclose they were paid by a brand. Even the FDA says it will clamp down on undisclosed paid influencer promotions. Check out our post from earlier this year to give you a flavor for what’s at stake and how plaintiffs are entering the fray.
Ensure Transparency and Truthfulness in Reviews & Testimonials (from Sara Chubb): The requirement that reviews be truthful and authentic is nothing new; however, the FTC’s (new-ish) Consumer Reviews Rule puts a finer point on compliance requirements and tees up the FTC to seek civil penalties of up to $53,088 per violation of the Rule. The FTC sent out 10 warning letters to companies in December 2025 about possible violations of the Rule, signaling enforcement may be a priority in 2026. The Rule prohibits many deceptive practices, including obvious bad acts like businesses writing, creating, or selling fake or misleading reviews or testimonials, as well as practices like incentivizing positive or negative reviews, various practices relating to review suppression, and misrepresenting a review website as independent when it is not. Companies should ensure they have visibility into how marketing teams solicit and use consumer reviews to ensure compliance.
Vendors Are Claiming They Use AI in Their Services — How This Matters for Your Contracts (from Max Landaw): Many vendors are now claiming they are using artificial intelligence capabilities in all their processes to let their customers know that they are on the cutting edge. Sometimes this is just a recharacterization of their services, a type of marketing. But sometimes, this means something much more extensive such as the development or deployment of sophisticated foundation models to optimize their services. It’s going to be crucial in 2026 to check your contracts with vendors who make these AI claims, especially the data protection provisions. You might find that a simple controller to processor relationship is now much more complex because the vendor is using your users’ personal data for their own purposes, to train their AI models.
Reflect and Refresh Green Claims (from Sophia Allen): Every January, many of us take time to reflect upon the goals we set out to achieve the year before. This month is also a good time to take stock of all the “green” and environmental claims you are currently making. For example, consider your aspirational claims: If you have a stated goal that you aim to achieve by 2030, what progress did you make towards that goal last year? Have you documented that progress? Are you on track to meet your goal, or are adjustments needed? How are you working towards that goal in 2026? Or, consider your current recycling-based claims. Have you changed suppliers? Are you using new materials? Are key recycling facilities and programs still open and running and sufficiently available to your consumers? Will any planned changes affect the claims you are making on your packaging, on your website, on socials, or through influencers? Take some time to reflect on all of your environmental claims and make sure they align with your practices in the new year.
Originally published by InfoLawGroup LLP.