AI dominated the conversation at the IAPP Summit 2026, as it has in the last several years. 

This post distills themes about AI governance from across the summit into practical guidance for businesses navigating high-stakes AI compliance questions.

At the 2026 IAPP Global Summit in Washington, D.C., a panel titled “State Collaboration on Privacy” brought together state privacy enforcers to discuss how they are working together and what businesses should expect. 

The panelists were:

$1.5 billion. That number got the room’s attention at the 2026 IAPP Global Summit: $1.5 billion is the theoretical penalty exposure for a single data broker that misses just one deletion cycle under California’s new Delete Request and Opt-Out Platform (DROP), a first-of-its-kind centralized deletion mechanism that goes live on August 1, 2026.

Privacy law doesn’t stand still, and neither do the regulators shaping it. 

Key Takeaways

• The U.S.

Since 2023, Washington courts have seen more than 25 cases filed for alleged violations of Washington’s Commercial Electronic Mail Act (CEMA). 

This Article outlines recent litigation trends and key takeaways following a Washington Supreme Court decision regarding CEMA’s reach.

During the first Trump administration, the Federal Trade Commission hosted a workshop on informational injuries, and on February 26, 2026, the agency revisited the issue in a workshop on “Consumer Injuries and Benefits in the Data-Driven Economy.” 

The Federal Trade Commission recently convened stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, for a public workshop to discuss age verification, a concept implemented in regulations worldwide as a tool to advance online safe

Will the United Kingdom Ban Social Media for Children Under 16? 

On February 5, 2026, South Carolina’s governor signed House Bill 3431, the Age-Appropriate Code Design, into law. The law took effect immediately, with no cure period, and imposes expansive new design, data, and governance obligations on online services reasonably likely to be accessed by minors.  

While 2025 saw no new state comprehensive privacy laws enacted, state enforcement activity accelerated—individually and collaboratively—reflecting trends likely to intensify in 2026. 

Key enforcement focus areas included youth privacy and online safety, consumer rights, and data brokers/data sales. This post discusses highlights from 2025 and looks at expected trends in 2026.

This past year saw significant change at the Federal Trade Commission, as Andrew Ferguson was appointed chairman by President Donald Trump, replacing Lina Khan, who served as chair during the Biden administration. 

The state privacy law landscape in 2025 remained highly dynamic, even though no new states enacted omnibus privacy laws for the first time in years. 

The financial toll of cyberattacks is continuing to rise, with global cybercrime costs projected to hit $10.8 trillion annually by the end of 2026, up from $3 trillion a decade ago. 

2025 saw a range of activity at the intersection of privacy, data security, and national security, including new types of threats, significant U.S. regulatory actions by multiple agencies, legislative lapses and new priorities, and judicial approval (at least for now) of the EU-U.S. Data Privacy Framework.