As 2025 comes to a close, we asked several members of Taft's Privacy and Data Security practice group to share their thoughts on what should be on a client's "wish list" for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses looking not only to meet the requirements of new laws and mitigate existing risks, but also to seize the opportunity to maximize the impact of technology and unleash the power in their data.

Know What your Website is Doing!

By Scot Ganow, Partner, Practice Group Chair

An ongoing issue many of our clients are dealing with is claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA). A cottage industry of California plaintiffs' firms is sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week threatening litigation against clients over their websites' use of technologies such as:

Pixels and beacons

Chat bots

Video and session replay tracking

Cookies

In conjunction with the annual privacy policy review suggested below, we highly recommend that clients audit their websites to understand not only the data they collect directly from visitors, but also what they collect (and share) through these automated technologies.

Have an Artificial Intelligence Game Plan

By Zach Heck, Partner

Companies have to make planning for Artificial Intelligence a priority in 2026 – both internally and externally.

Establish and enforce an internal AI governance plan. Businesses, regardless of size, structure, or industry, should create a comprehensive internal framework governing the responsible use of AI across their business functions. This framework should set clear rules for how generative and agentic AI tools are deployed by employees, define accountability for data accuracy, confidentiality, and compliance, and ensure alignment with emerging regulatory standards on privacy, intellectual property, and discrimination. Ongoing oversight and training promote transparency, ethical integrity, and responsible innovation within the organization.

Develop an external AI contracting and oversight strategy. Organizations should likewise adopt a parallel governance plan for contracting with third-party AI solution providers. This should include contract clauses addressing data ownership, confidentiality, model explainability, liability for outputs, and ongoing compliance with evolving privacy and AI laws. Clients should also implement due diligence and monitoring mechanisms to assess vendor practices, reducing legal and reputational risk while maintaining ethical and transparent use of external AI technologies.

Annual Privacy Policy Review

By Zenus Franklin, Associate

At this time of year, we always encourage businesses to take time to review their website or mobile application privacy policies, including any internal practices, to ensure compliance with applicable law. New comprehensive state privacy laws are set to take effect in January 2026 and beyond (i.e., Indiana, Kentucky, and Rhode Island). By the end of 2026, we will have nearly 20 states with comprehensive state privacy laws. These new or amended laws may impose new obligations related to consumer rights, data processing, automated decision-making, use of artificial intelligence, and consumer disclosures.

To prepare, businesses should annually:

assess the applicability of new and amended comprehensive state privacy laws to their business and customers;

review tracking technologies used on their websites and mobile applications;

determine whether to implement cookie banners or other consent mechanisms for the use of such tracking technologies; and

review and update privacy policies to reflect current data collection and processing practices.

Review Autorenewal Processes & Avoid Dark Patterns

By Jordan Jennings, Associate

Regulators are increasingly targeting business use of "dark patterns" – deceptive website design tactics that manipulate user choices, such as hiding cancellation options behind multiple screens or offering misleading discount options on a website.

Similarly, recent updates to state autorenewal laws (e.g., those governing online subscriptions) have focused on eliminating dark patterns from the subscription process. Over 30 states have adopted some form of an autorenewal law requiring clear notice, consumer consent, easy cancellation mechanisms, and timely renewal reminders.

Enforcement of unfair and deceptive trade practices on websites, including dark patterns and non-compliant autorenewals, is expected to be a key regulatory focus in the coming year. Businesses offering online business-to-consumer services, including subscriptions, should review their websites and subscription processes to ensure (i) subscription cancellation is as simple as sign-up and (ii) no deceptive design elements appear on the website. Failure to do so could lead to large regulatory fines and penalties.

