Your 2026 Privacy, Security And Artificial Intelligence Checklist

Litigation / Enforcement. Your company may be surprised to learn that privacy litigation and enforcement discussed above can be triggered by common activity, such as the use of online analytics, targeted advertising, text messaging, real-time chat or chatbots, sharing personal data with service providers, and embedded video, among others. What defensive strategies has your company implemented?

Opt-Outs. Multiple state privacy regulators are highly focused on opt-out rights. Does your website honor the Global Privacy Control? Have you audited your cookie manager technology to ensure that it is operational? Have you assessed specific opt-outs required under more than 20 state comprehensive privacy laws now in effect?

AI Tech. Do you use AI technology in your company? Perhaps to screen potential new hires? You may be subject to numerous laws requiring multiple notices, anti-bias assessments, internal policies and change-management measures, and other requirements. Obligations may increase in the context of decision-making technology and/or technology used around financial or lending services, education, employment or independent contracting, healthcare, housing, insurance, legal services, or essential government services.

Contracting. Do your vendor contracts include an up-to-date personal data privacy addendum reflecting specific legal requirements? Do your customer contracts allocate compliance risks in a rational manner? Do you have a consistent strategy for addressing customer concerns about privacy?

Privacy Notices. Have you assessed whether you are in scope of the numerous new comprehensive state privacy laws? In any case, website privacy notices should also be updated annually – indeed, under some state rules, must be updated once every 12 months.

Data Protection Impact Assessments, Risk Assessments, and Cyber Audits. Numerous laws now require the production of specific assessments and audits. Triggering activity can include collection of sensitive information, targeted advertising, profiling activities, engagement in data sales, uses of automated processing or automated decision-making technology, and/or simply processing a sufficiently large amount of consumer data if a "business" under California law.

Children's Privacy. Children's privacy does not just mean COPPA (the federal not just mean COPPA (the federal Children's Online Privacy Protection Act) anymore. Over a dozen states have passed laws targeting the privacy of minors, with a particular focus on online/digital and/or social media activity. Have you assessed your collection and use of children's data under these new laws?

International Data Transfers. If your company has international locations, affiliates, and/or subsidiaries, do you have a data transfer mechanism for the company group? Potential solutions include intra-company agreements and/or other measures but growing global companies must assess these options.

Governance. The list of issues provided here is partial and not intended to be exhaustive. Your business may face other challenges in context. That is why it is important to view privacy, security and AI compliance as a process to be managed over time. Good governance processes will include review and accountability, with assigned roles and responsibilities. Renew your company's commitment to governance in the new year.

To keep up with the latest in this area, please sign up to receive these posts via email and you can followTaft Privacy, Security and Artificial Intelligence on LinkedInfor even more. Should you need counsel in any of these areas,Taft's attorneysare ready to assist.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.