AI dominated the conversation at the IAPP Summit 2026, as it has in the last several years. 

This post distills themes about AI governance from across the summit into practical guidance for businesses navigating high-stakes AI compliance questions.

At the 2026 IAPP Global Summit in Washington, D.C., a panel titled “State Collaboration on Privacy” brought together state privacy enforcers to discuss how they are working together and what businesses should expect. 

The panelists were:

Privacy law doesn’t stand still, and neither do the regulators shaping it. 

Since 2023, Washington courts have seen more than 25 cases filed for alleged violations of Washington’s Commercial Electronic Mail Act (CEMA). 

This Article outlines recent litigation trends and key takeaways following a Washington Supreme Court decision regarding CEMA’s reach.

While 2025 saw no new state comprehensive privacy laws enacted, state enforcement activity accelerated—individually and collaboratively—reflecting trends likely to intensify in 2026. 

Key enforcement focus areas included youth privacy and online safety, consumer rights, and data brokers/data sales. This post discusses highlights from 2025 and looks at expected trends in 2026.

This past year saw significant change at the Federal Trade Commission, as Andrew Ferguson was appointed chairman by President Donald Trump, replacing Lina Khan, who served as chair during the Biden administration. 

Earlier this month an appellate court in New Jersey issued an opinion in State v. Bryant, holding that tower dumps are Fourth Amendment searches that require particularized warrants supported by probable cause. 

On November 24, 2025, trade association NetChoice secured a win in its constitutional challenge to Maryland's Age-Appropriate Design Code Act (Kids Code or Act) when the U.S. District Court for the District of Maryland denied a motion to dismiss. 

Key Takeaways

• The SEC’s agreement with defendants to dismiss, with prejudice, its case against SolarWinds Corporation (SolarWinds) and its chief information security officer (CISO) signals a retreat from aggressive, novel enforcement theories in cybersecurity disclosure cases.
• Although technical cybersecurity violations without investor harm

Congress included in the appropriations bill of November 12, 2025, an extension of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), 6 U.S.C. §§ 1501–10, through January 30, 2026. 

Congress members have proposed legislation that would introduce new measures to enhance the United States’ cybersecurity resilience in the face of advancing quantum computing capabilities.

On September 23, 2025, the California Privacy Protection Agency confirmed that their cyber audit regulations will at long last go into effect on January 1, 2026. 

You can be forgiven for losing track since these were first proposed in September 2023, but now is the time to start considering how they will apply to your company and budgeting for that impact. 

State Updates, Security Mandates, and the Federal Regulatory Horizon

150 consumer complaints per week. A consortium of privacy regulators. “Hundreds of open investigations.” 

The U.S. Department of Justice (DOJ) “Data Security Program” (DSP), also known as the “Sensitive Data Rule” or “Bulk Data Rule,” has prompted numerous questions about its scope and application.