AI dominated the conversation at the IAPP Summit 2026, as it has in the last several years. 

This post distills themes about AI governance from across the summit into practical guidance for businesses navigating high-stakes AI compliance questions.

At the 2026 IAPP Global Summit in Washington, D.C., a panel titled “State Collaboration on Privacy” brought together state privacy enforcers to discuss how they are working together and what businesses should expect. 

The panelists were:

Privacy law doesn’t stand still, and neither do the regulators shaping it. 

Since 2023, Washington courts have seen more than 25 cases filed for alleged violations of Washington’s Commercial Electronic Mail Act (CEMA). 

This Article outlines recent litigation trends and key takeaways following a Washington Supreme Court decision regarding CEMA’s reach.

While 2025 saw no new state comprehensive privacy laws enacted, state enforcement activity accelerated—individually and collaboratively—reflecting trends likely to intensify in 2026. 

Key enforcement focus areas included youth privacy and online safety, consumer rights, and data brokers/data sales. This post discusses highlights from 2025 and looks at expected trends in 2026.

Key Takeaways

• New York now requires businesses to disclose when they use personal data to generate individualized, algorithmically determined prices for consumers in New York.
• Several exceptions apply, including entities subject to insurance law, certain financial institutions, and certain subscription pricing practices.

The wave of online safety regulation is continuing to surge, with Brazil’s recent enactment of Law No. 15,211/2025—the Digital Statute for Children and Adolescents (Digital ECA)—as the latest addition. 

On September 23, 2025, the California Privacy Protection Agency confirmed that their cyber audit regulations will at long last go into effect on January 1, 2026. 

You can be forgiven for losing track since these were first proposed in September 2023, but now is the time to start considering how they will apply to your company and budgeting for that impact. 

150 consumer complaints per week. A consortium of privacy regulators. “Hundreds of open investigations.” 

The U.S. Department of Justice (DOJ) “Data Security Program” (DSP), also known as the “Sensitive Data Rule” or “Bulk Data Rule,” has prompted numerous questions about its scope and application. 

The Maryland Online Data Privacy Act (MODPA) is just around the corner, and businesses should consider preparing to address novel compliance obligations that also rank among the most stringent to date. 

In a major move signaling the growing power of multi-state cooperation on privacy enforcement, the California Privacy Protection Agency (CPPA), alongside the Attorneys General of California, Colorado, and Connecticut (collectively, the “Coalition”), announced an investigative sweep targeting businesses that fail to honor

California’s legislature has once again taken center stage in the national privacy conversation, passing a flurry of privacy bills during a marathon session that stretched into the night of September 12. 

After years of drafting, discussions, and debates, the California Privacy Protection Agency (CPPA) Board reached a significant milestone in its efforts to bring to fruition regulations that have been in discussion by the CPPA Board for several years. 

With 2025 more than half over and many state legislatures adjourned for the year, we look back at significant legislative developments concerning state comprehensive consumer privacy laws.