BipHoo CA


Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult

Apr 09, 2026  Twila Rosenbaum

As we look ahead to 2026, the landscape of privacy and cybersecurity laws is expected to present significant challenges for enterprises. Keeping pace with evolving regulations has become increasingly complicated, particularly as businesses grapple with understanding which laws apply to their operations.

The influence of artificial intelligence (AI) further complicates these issues, as it broadens the scope of data privacy concerns and introduces increased third-party risks. New tools bring about challenges related to data collection, sharing protocols, and the emergence of unique attack vectors.

Regulatory updates are being made to reflect the need for enhanced data protection and individual privacy. In 2025, notable developments included the Department of Justice (DoJ) unveiling a new Data Security Program, the Federal Trade Commission revising the Children's Online Privacy Protection Act, and the US Department of Health and Human Services proposing amendments to the Health Insurance Portability and Accountability Act security rule. These changes underscore the rapid evolution of the legal landscape over the past decade, indicating that compliance will continue to be a significant hurdle for organizations.

“The frequency of changes in the regulatory environment makes compliance more challenging,” notes David Saunders, a privacy and cybersecurity partner at a law firm. “It can be hard to expect compliance from companies when regulations are in a constant state of flux, which can deter compliance efforts.”

What’s on the Docket for 2026?

Compliance with new laws will likely require substantial projects for many businesses in 2026. Many are still working to comply with laws introduced in 2025. However, lessons learned from past experiences can be applied as new regulations come into effect.

Key upcoming legal priorities for US clients include minimum age requirements for applications, expanded data privacy regulations, and guidelines governing the use of AI in human resources. App age verification laws are a primary area of concern, with state regulations mandating that app stores and developers verify user ages during downloads and purchases.

A federal judge recently temporarily blocked a Texas Senate bill known as the App Store Accountability Act, which was set to take effect on January 1. Meanwhile, a similar law in Louisiana was struck down by the state supreme court, although an appeal is underway. Utah, however, successfully enacted its own version in mid-2025.

Despite the legal uncertainties, companies are focusing on these issues, as major players like Apple and Google have published their API documentation. This has prompted developers to modify their code to comply with new frameworks and standards under tight deadlines. The API requirements also place additional responsibilities on developers, particularly in ensuring that content aimed at children under the age of 13 is properly gated.

“The laws are unprecedented, and companies are still grappling with their implications,” Saunders explains. “The sudden legal changes at year-end left many scrambling to prepare, only to have them enjoined just before implementation.”

More to Come

New requirements stemming from the California Consumer Privacy Act (CCPA) will also necessitate considerable effort from many companies. While some requirements are currently in effect, mandatory cyber-risk audits and risk assessments will come into play next year. The CCPA will introduce stricter requirements regarding sensitive information, data collection practices, and consent notices.

The use of AI in hiring and employment decisions is another critical area of focus as we enter 2026. AI tools can streamline processes like resume screening, but they also raise significant concerns about bias and discrimination. States are becoming increasingly aware of these issues, and some have enacted regulations governing AI usage in the workforce. Illinois, for example, amended its Human Rights Act to address rising discrimination concerns.

Anticipating Federal Actions

A proposed amendment to the HIPAA Security Rule has also raised questions among clients, according to experts in the field. While there may be less prescriptive regulations than initially thought, those related to national security will likely align with the DoJ's Data Security Program. A key rule, the Cyber Incident Reporting for Critical Infrastructure (CIRCIA), is set for implementation in May.

The federal government's approach to cybersecurity has been inconsistent, according to industry analysts, with the current administration's regulatory efforts remaining a work in progress. Businesses operating in sectors with national security implications can expect enforcement of existing laws and the introduction of new regulations.

State-Level Expectations

Looking ahead, companies should prepare for continued enforcement at the state level as attorney general offices may fill the void left by federal enforcement. Many experts predict a lack of significant federal legislation regarding privacy or AI issues, which may create additional complexities for organizations navigating diverse state laws.

“Companies would prefer a unified federal approach, especially in the privacy arena, as state-by-state compliance can be burdensome,” Saunders adds. “Legislators often struggle to understand AI and privacy in the context of cybersecurity, complicating effective legislation.”

Expect the Unexpected in 2026

As 2026 approaches, the challenge of determining applicable laws will remain daunting for companies. Each state has its own definitions and requirements, making comprehensive compliance nearly impossible. “The landscape will undoubtedly shift in ways we can't fully predict,” Saunders says. “While no company can claim to be 100% compliant with privacy laws, staying informed and proactive about new developments is essential.”

To navigate these complexities, businesses should focus on identifying the most significant risks and investing in compliance efforts accordingly. “By concentrating on major regulatory changes, companies may inadvertently align with additional laws that apply to them,” Saunders concludes.


Source: Dark Reading News

