2026 Q1: Top Updates in Privacy and AI

The following insights reflect Jackie’s personal analysis of the recent updates. While we hope you find them helpful, they are not legal advice. Reading this does not create an attorney-client relationship. You should not act on this information without seeking professional counsel.

AI:

  • Key themes: Despite the US Executive Orders, state-level AI laws in the US continue to be passed and take effect; Grok is under global regulatory scrutiny for unlawful processing related to non-consensual sexual images.

    • Cue the fireworks (literal and political): multiple AI laws that we covered in previous recaps took effect to kick off the new year. On January 1, several new AI laws took effect in California, including the California Transparency in Frontier AI Act (TFAIA), which requires large AI providers to disclose information about training data and capabilities, and SB 243 (Companion Chatbots Act), which mandates disclosure obligations for AI companion apps, requires minor-specific protections (explicit content filters, break reminders, suicidal ideation protocols with crisis referral requirements), and creates a private right of action for injuries from noncompliance. In Texas, the Responsible AI Governance Act went into effect, establishing obligations for developers and deployers of AI systems used in high-risk contexts (see our Q2 recap for more on this one). Note that any and all of these laws could be deemed “onerous” under the Executive Order on AI. Speaking of which, the AI Litigation Task Force established under the EO became operational as of January 10.

      • ***Take-away: While the EO creates a climate of uncertainty, AI laws are still taking effect and are likely to be enforced. A wise approach is to pay attention and prepare for compliance; at a minimum, doing so proactively puts your business ahead of the pack from a customer trust perspective, which is a value-add in itself.

    • Is your new bestie an AI chatbot? Your bestie will likely be required to have some protective guardrails in place, as more companion chatbot laws are emerging. In March, Washington passed House Bill 2225 regulating companion chatbots, which is similar to California’s chatbot law. The law covers AI chatbots that use natural language, “provide adaptive, human-like responses” to inputs, and sustain relationships across interactions. The law applies broadly to any “operator” that makes available or controls access to such a chatbot and includes requirements for mandatory disclosures (e.g., “this is not a human”), protections for minors, and mental-health protocols for preventing self-harm. Violations are deemed unfair or deceptive acts under the Washington Consumer Protection Act. The chatbot law goes into effect January 1, 2027. This law aligns with the trend of holding tech companies accountable for the mental-health implications of their services, as evidenced in the recent New Mexico case against Meta, for example.

      • ***Take-away: If you plan to offer an AI chatbot, do the analysis to see if it might trigger this law (or similar laws), and be prepared to implement the relevant protections and give the necessary disclosures as baseline requirements of doing business. Chatbot laws like this are likely to continue to proliferate, especially with intense legislative and regulatory focus on minors and mental-health.

    • Grok has come under scrutiny in multiple jurisdictions due to the generation of non-consensual sexual images. In January, the California Attorney General issued a cease and desist letter to xAI. In Brazil, the National Data Protection Agency (ANPD) and two other regulatory authorities issued recommendations to X related to such images and launched a deeper investigation following reports and complaints. A noteworthy sound bite in a technical note from the ANPD asserts that where AI-generated images refer to identified or identifiable individuals, they should be considered personal data. In February, the UK Information Commissioner’s Office (“ICO”) announced formal investigations, looking into whether Grok processed personal data lawfully, fairly and transparently and whether appropriate safeguards were in place to prevent the generation of harmful images.

      • ***Take-away: If you’re offering an AI tool that generates images, ensure appropriate safeguards and disclosures are in place to prevent harmful use. Be on the lookout, as it’s possible (and even likely) that other regulators will take the view that AI-generated images that identify or could identify an individual constitute personal data and will treat the images accordingly.


Privacy:

  • Key themes: New privacy laws and amendments keep coming; children’s privacy legislation continues to ramp up; changes in Europe are still in progress.

    • We’re back with the Q1 2026 edition of “new state privacy law trivia”! Which state privacy law took effect in Q1? Answer: three new state privacy laws went into effect on January 1: Indiana, Kentucky, and Rhode Island. What’s our total count of state privacy laws in effect? With the addition of these three, we’re up to 19. The applicability thresholds under all three of these laws mirror those of other states, with the Indiana and Kentucky numeric thresholds starting at 100,000 consumers, while Rhode Island’s is set at 35,000 consumers. All three laws include data rights and impact assessment requirements. Both the Indiana and Kentucky laws include a 30-day right to cure. None of the laws include a private right of action. Rhode Island’s law is unique in that it does not include a requirement to recognize universal opt-out mechanisms and includes a requirement for commercial websites to provide a privacy notice, regardless of whether the applicability threshold is met.

      • ***Take-away: By now, you should have this process down! Evaluate whether you may cross the applicability thresholds of any of these new laws and prepare to fold them into your compliance program. While the 30-day cure period provides some added flexibility, it’s best to be proactive with your compliance measures, especially with respect to items like risk assessment requirements.

    • We’ll need to include a “which state amended its privacy law” segment as well! Quick note that the amendment to Oregon’s privacy law banning the sale of precise geolocation data and the sale of minors’ (under 16) personal data went into effect on January 1.

      • ***Take-away: Review your targeted advertising activities to make sure you’re not running afoul of the newly amended law’s requirements.

    • OK! (pun intended) We also have a newly passed privacy law on the scene. In March, Oklahoma joined the growing list of states with privacy laws. The OK law follows the same basic framework as other state privacy laws and includes provisions for consumer data rights and risk assessments. It excludes B2B processing. Like Indiana and Kentucky, it includes a 30-day right to cure with no sunset. The new law takes effect January 1, 2027.

      • ***Take-away: While you’re confirming compliance for the three new laws that went into effect this January, check into whether you may also have to comply with Oklahoma’s law as well.

    • Adding to the state privacy compliance “to do” list, the new CCPA regulations (formally approved by the Office of Administrative Law in September 2025—check out the Q3 recap for more) entered into effect in January. Key requirements include: (a) Automated Decision-Making Technology (ADMT): Businesses using ADMT must provide pre-use notices and honor consumer rights to access information about and opt out of ADMT use. Full compliance for in-scope ADMT uses is due by January 1, 2027; (b) Privacy Risk Assessments: Required before initiating processing that presents a “significant risk to privacy” (e.g., selling/sharing data, sensitive data processing, AI training, facial/emotional recognition). Processing activities occurring prior to January 1, 2026 and continuing into 2026 must be assessed by December 31, 2027. The first round of summary reports are due to the CPPA by April 1, 2028; (c) Cybersecurity Audits: Annual independent audits are required for businesses that meet the specified thresholds; phased compliance timelines based on revenue (first audits for companies with $100M+ in 2026 revenue due by April 1, 2028).

      • ***Take-away: If you haven’t already started, begin planning for how you’ll orchestrate and operationalize these requirements so you’re on track to meet the reporting requirements, because we all know they’ll come around sooner than you think! Some initial steps? Evaluate your processing activities to identify those that might trigger a risk assessment and go from there. Start prepping those risk assessments and planning for cybersecurity audits now.

    • What happened in the realm of children’s privacy and age verification in Q1? The FTC issued a formal policy statement announcing it will not bring enforcement actions under the COPPA Rule against operators that collect personal information solely for the purpose of age verification, provided they satisfy specific conditions, including not retaining the data beyond what is necessary, not disclosing it to third parties who lack adequate safeguards, and not using it for any other purpose. This is a notable regulatory accommodation for the growing age-verification industry, signaling FTC support for platforms implementing age gates involving more “robust” data collection. Note: This “no enforcement” standard applies only to personal data collected for age verification purposes. All other COPPA requirements are still subject to enforcement.

      • ***Take-away: For businesses who handle children’s data, review your age gates and the data collected for that purpose. Evaluate whether your age gate aligns with FTC guidance and your data collection and handling for age verification purposes aligns with the standards under the new policy statement. Be on the lookout for support for age gates that involve collection of additional and potentially more sensitive types of data as well.

    • Also in the “Kids Zone” this quarter, South Carolina enacted H3431, an Age-Appropriate Design Code Act (AADC). The law took immediate effect once signed in February, with no cure period. How many age-appropriate design code acts do we have now? Based on our research, South Carolina is the fifth U.S. state to enact an AADC law, following California, Maryland, Nebraska, and Vermont. (Nebraska’s AADC law went into effect in January.) The SC law applies to covered online services “reasonably likely to be accessed” by users under 18 that meet certain numeric thresholds mirroring state privacy law applicability thresholds. The SC AADC Act imposes a reasonable care standard and obligations on covered entities including data minimization, default protections for minors, restrictions on addictive design features, a prohibition on targeted advertising to minors, parental monitoring notice, mandatory annual independent audits, and submission of audit reports to the state Attorney General. Within days, the trade association NetChoice filed a lawsuit challenging the law on First and Fourteenth Amendment grounds, similar to challenges it has filed against AADC laws in other states.

      • ***Take-away: While we’ll have to wait and see how the NetChoice lawsuit unfolds, plan for compliance now if the SC AADC Act applies to you as it’s still in effect. Given the regulatory trends, entities likely will need to have these protections in place or potentially face lawsuits under state consumer protection laws like the recent lawsuit against Meta in New Mexico, in which a $375 million verdict was issued against Meta for safety failures of its platform in protecting children.

    • Over in the EU, the Digital Omnibus debate continues. In February, the EDPB and EDPS issued a joint opinion that included the GDPR and ePrivacy Directive as key focus points. The joint opinion expressed concerns about proposed changes to the definition of “personal data” because “they go far beyond a targeted or technical amendment of the GDPR.” The EDPB and EDPS were in favor of an increase in the risk threshold for reporting a data breach and an extension of the reporting time for a data breach notification. Note that in a leaked version of the compromise text, the proposed change to the definition of “personal data” was removed. A joint opinion on the AI elements of the package was issued in January.

      • ***Take-away: The Digital Omnibus package process is still underway, but progress is happening. Stay tuned for ongoing updates and pivots, especially as the compromise text is being developed.


Enforcement:

  • Key themes: California keeps up its brisk pace of enforcement activity; Texas takes action to enforce children’s privacy protections; big decisions await for VPPA pixel lawsuits; European regulators gear up for 2026 enforcement priorities.

    • California has been busily enforcing the CCPA, staying true to the prevailing trend of active enforcement and increasing penalties. The state’s regulators are embracing that fire horse spirit of the lunar new year, that’s for sure. We’ll start with the California Attorney General, which issued a $2.75 million fine against Disney for CCPA violations, the largest CCPA fine yet as of Q1. According to the final judgment, Disney failed to properly implement opt-out requests across platforms and devices. The CA AG found gaps with Disney’s opt-out toggles, webform, and honoring of Global Privacy Control (GPC) preferences. The core theme: a user who is logged into their account should be able to opt out once for all accounts across a company’s platforms and across all of their connected devices. Other violations included failure to implement in-app opt-out methods and failure to apply a webform-based opt-out to all targeted advertising activities, including third-party adtech vendors.

      • ***Take-away: If you link devices and services for advertising purposes, you need to link them for opt-out purposes as well. Review your mechanisms for honoring sale/sharing opt-outs and determine whether you apply opt-outs across devices and services connected to a logged-in user’s account. If you identify gaps, prioritize addressing them to mitigate your risk. Also confirm whether you have opt-out mechanisms in your apps. If you’re directing users to a website to opt out, consider revising your approach.

    • CalPrivacy (formerly the CPPA) has been active in Q1, issuing two back-to-back settlement decisions in March. (1) The California Privacy Protection Agency Board approved a $1.1 million settlement against PlayOn Sports, a digital ticketing and livestreaming company used for high school events, including sporting events. The decision cited CCPA violations related to user tracking and inadequate opt-out mechanisms. According to CalPrivacy, PlayOn required users to accept tracking to use the service and did not provide a sufficient direct opt-out option, instead relying solely on third-party opt-out systems (NAI and DAA). The settlement also requires compliance with CCPA opt-in requirements for children under 16. (2) Days later, CalPrivacy announced a settlement against Ford Motor Company, imposing a $375,703 fine and other remediation measures. Violations cited in the decision included Ford’s requirement that users complete an email verification step before they could opt out of sale/sharing, which conflicts with the CCPA’s requirement for an easy opt-out process that requires minimal data collection. CalPrivacy cited the “unnecessary friction” created by this step. Note that the decision includes screenshots of the offending email verification requirement, and they are obviously templates from a data rights management platform.

      • ***Take-away: Pay careful attention to your sale/sharing opt-out process and be sure it’s aligned with your actual data flows and is not introducing friction. Avoid implementing data rights response processes “out of the box” from software providers. The regulators have continued to advise that customization is needed to be in compliance with the legal requirements.

    • Texas remains on the active enforcement radar for Q1 as well. In February, the Texas Attorney General filed a lawsuit against Snap for violations of the Texas Deceptive Trade Practices Act and the SCOPE Act (a minors’ privacy law). Claims include inadequate safety warnings, false representations to parents about Snapchat's safety, and allegations that features like "Snapstreaks" are designed to foster addictive behaviors in violation of consumer protection laws.

      • ***Take-away: Texas means business when it comes to enforcing protections of minors online. If minors are using your services, review your disclosures and ensure you’ve implemented appropriate protections, and those protections are actively enforced.

    • Check your privacy disclosures! The European DPAs are gearing up for enforcement. In March, the EDPB launched its Coordinated Enforcement Action Framework for 2026. The 2026 effort is focused on GDPR transparency and information obligations (Articles 12–14). Twenty-five DPAs across Europe will participate, contacting controllers in various sectors through enforcement actions or fact-finding exercises. Following 2025's enforcement focus on the right to erasure, this pivot to transparency enforcement means organizations can expect a wave of regulator inquiries about their privacy notices, especially in sectors with AI or complex data supply chains.

      • ***Take-away: Review your disclosures, particularly your privacy notice, and make updates as needed. Pressure test your current disclosures against the GDPR standard that information be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (GDPR Article 12).

    • Remember the Video Privacy Protection Act (VPPA)? The 1988 law written for VHS video rentals has been making waves as plaintiffs apply it to online videos and data sharing via pixels. The law is now set to be debated by the top court in the US, as the Supreme Court granted certiorari in Salazar v. Paramount Global. In this case, the plaintiff alleges that Paramount embedded Facebook tracking pixels on its 247Sports website and shared users’ video viewing data with Facebook in violation of the VPPA. The case raises questions about the application of the VPPA to modern tracking technologies and could have broad implications for the use of third-party pixels by online services.

      • ***Take-away: Stay tuned for the outcome of this case, as it could impact your use of pixels and video-based media on your websites and services.

    • And of course, we know you’re curious to know how Max Schrems and NOYB kicked off Q1 of 2026. They’re chalking up another win! This time, a 2024 NOYB complaint related to tracking students led to a January decision by the Austrian Data Protection Authority (the DSB) against Microsoft 365 Education. The DSB found that Microsoft illegally installed cookies that analyze behavior and collected data used for advertising on a student’s device without consent. Significantly, the DSB also held that Microsoft US, not Microsoft Ireland, was the appropriate controller responsible.

      • ***Take-away: The decision is a reminder for companies providing services to students to be aware of what cookies and trackers are being deployed with respect to minor users and to ensure proper consent, or avoid trackers in these use cases. The regulator’s decision to hold the US entity responsible rather than the Irish entity is a warning that US global companies could find their US entities being held responsible for violations of European privacy laws despite naming an Irish entity as the relevant controller for European processing.
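The Disney judgment (opt-outs must follow a logged-in user across devices and platforms, and GPC must be honored) and the Ford decision (no verification gate in front of an opt-out) describe a concrete design requirement. The following is an added example written for this recap, not code from the post or from any of the companies named; the `Request` shape, store, and sample traffic are hypothetical and constructed for illustration. The one non-hypothetical detail is the GPC signal itself, which browsers send as the `Sec-GPC: 1` request header. The example records an opt-out at the account level whenever the user is logged in, checks it on every request that could share data with adtech, and keeps a device-only check alongside it to show the gap the AG found.

```python
# Added example (not from the original post): account-scoped sale/sharing
# opt-out store that honors the Global Privacy Control (GPC) signal.
# Assumptions: the Request shape and store are hypothetical; GPC is the
# standard "Sec-GPC: 1" request header (navigator.globalPrivacyControl in JS).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    headers: dict
    device_id: str                      # from a first-party device/browser cookie
    account_id: Optional[str] = None    # set when the user is logged in


def gpc_signaled(headers: dict) -> bool:
    """True when the browser sends the Global Privacy Control opt-out signal."""
    # Header names are case-insensitive; the spec value is the single character "1".
    for name, value in headers.items():
        if name.lower() == "sec-gpc" and value.strip() == "1":
            return True
    return False


@dataclass
class OptOutStore:
    accounts: set = field(default_factory=set)              # account-wide opt-outs
    devices: set = field(default_factory=set)               # device-level opt-outs
    device_to_account: dict = field(default_factory=dict)   # last account seen per device

    def link(self, req: Request) -> None:
        """Remember which account a device belongs to (only when logged in)."""
        if req.account_id:
            self.device_to_account[req.device_id] = req.account_id

    def record_opt_out(self, req: Request) -> None:
        """Record an opt-out immediately, with no email-verification gate.

        Logged in: opt out the whole account so every linked device and platform
        inherits it. Logged out: opt out this device only.
        """
        self.devices.add(req.device_id)
        if req.account_id:
            self.accounts.add(req.account_id)

    def is_opted_out(self, req: Request) -> bool:
        """Account-scoped check: this device, the current account, or the account
        previously linked to this device."""
        if req.device_id in self.devices:
            return True
        if req.account_id and req.account_id in self.accounts:
            return True
        linked = self.device_to_account.get(req.device_id)
        return linked is not None and linked in self.accounts

    def device_only_is_opted_out(self, req: Request) -> bool:
        """The gap pattern: consults only this device's cookie, so an opt-out made
        on one device never reaches the user's other devices or platforms."""
        return req.device_id in self.devices


def may_share_for_ads(store: OptOutStore, req: Request) -> bool:
    """Per-request gate in front of any sale/sharing with adtech vendors."""
    store.link(req)
    if gpc_signaled(req.headers):
        store.record_opt_out(req)   # honor the signal before any sharing happens
    return not store.is_opted_out(req)


def demo() -> dict:
    """Constructed sample traffic: one account on two devices, plus a stranger."""
    store = OptOutStore()
    phone_gpc = Request({"Sec-GPC": "1"}, device_id="dev-phone", account_id="acct-42")
    tv = Request({}, device_id="dev-tv", account_id="acct-42")
    stranger = Request({}, device_id="dev-other", account_id=None)
    phone_logged_out = Request({}, device_id="dev-phone", account_id=None)
    return {
        "phone_with_gpc": may_share_for_ads(store, phone_gpc),            # False
        "tv_same_account": may_share_for_ads(store, tv),                  # False
        "tv_device_only_check": not store.device_only_is_opted_out(tv),   # True: the gap
        "unrelated_device": may_share_for_ads(store, stranger),           # True
        "phone_logged_out": may_share_for_ads(store, phone_logged_out),   # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: sharing allowed = {allowed}")
```

The `tv_device_only_check` result is the point: a device-cookie-only implementation would keep sharing the TV's data with adtech even though the same account already opted out from the phone. The in-app toggle and webform paths should call `record_opt_out` the same way, without the email verification step cited in the Ford decision.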
