Overview
Without fail, each new year brings regulatory shifts and plaintiffs’-bar activity that push data, privacy, and cybersecurity in unexpected directions. As we look ahead to 2026, our Data, Privacy, and Cybersecurity Group is monitoring the following key trends and developments. These are issues we anticipate will demand significant client attention in the year ahead.
In Depth
The feds (and states) up the heat on kid privacy
Earlier this year, the Federal Trade Commission (FTC) finalized its revised Children’s Online Privacy Protection Act (COPPA) regulations. Those regulations required COPPA-regulated companies to provide greater transparency, introduced new data-sharing limitations, and enhanced security requirements, signaling a shift toward tighter control over how children’s data flows through digital ecosystems.
But that’s not where the focus on children’s privacy stopped – states are filling gaps that COPPA leaves open, especially for teens. Across the country, legislatures have begun passing Age-Appropriate Design Code (AADC)-style laws that require platforms to assess and minimize risks to minors, default to high-privacy settings, and limit data collection unless it is strictly necessary. Several states also now impose age-verification and parental-consent requirements for minors (in some cases, anyone under the age of 18) who wish to create social media accounts or access certain online services. This expanding state-level framework – combined with federal proposals such as the Kids Online Safety Act – signals a future in which children’s online experiences are shaped not only by data-privacy rules but also by broader safety, design, and consent standards that apply across childhood and adolescence.
States adopt app age-signal requirements
Adding substantial new obligations to app stores and mobile app developers, four states – California, Louisiana, Texas, and Utah – have enacted laws that will require mobile app stores and mobile app developers to verify the age of users and implement certain safeguards based on the user’s age. For the first time, these laws will require app stores to tell mobile app developers the age of the app user. This has significant COPPA implications and introduces a private right of action for residents of Utah. These laws may also trigger significant new obligations under state and federal laws because developers may now have “actual knowledge” they are handling data about minors (with many obligations applying to data about users under 18, not just under 13). The first age-signal law, in Texas, is set to go into effect January 1, 2026, but there is already a constitutional challenge to the law, which may delay its effective date. We recently summarized the requirements of these new laws and outlined steps that mobile app developers and app stores need to take in response.
California ramps up enforcement and regulation
Where to start with California? The California Privacy Protection Agency (CPPA) rebranded to “CalPrivacy”; CalPrivacy finalized wide-ranging new California Consumer Privacy Act (CCPA) regulations; and CCPA enforcement by both the California Attorney General’s office and CalPrivacy reached new heights in 2025. All of that bears watching as we turn the page to 2026.
The new CCPA regulations that go into effect on January 1, 2026, do not just tweak existing CCPA regulations – they also introduce new risk assessment requirements, new rules related to cookies/pixels, and new data broker requirements. Additional cybersecurity audit and automated decisionmaking rules and requirements will also take effect in the future. Each of these new requirements is worth focusing on because CCPA enforcement is at an all-time high, and seems to be only increasing.
Focus on new CCPA cybersecurity audits
As mentioned above, cybersecurity audits are one major new requirement under the CCPA regulations. The CCPA audit regulation includes 18 specific areas of the company’s cybersecurity program that must be assessed in a formal audit report. The regulation also includes independence requirements for the chosen auditor. One bright note is that the regulation allows companies with existing assessment and certification obligations, such as ISO 27001, to leverage those assessments where they overlap with the California requirements.
The first audit certifications will be due in April 2028, required of companies with annual revenue exceeding $100 million who collect the personal information of more than 250,000 Californians, or sensitive information from more than 50,000 Californians. The following year, companies with annual revenue of $50–100 million will be required to complete the audit.
Website tracking: Make sure you’re (still) doing it right
Last year, we wrote, “There has been an explosion of enforcement and litigation targeting the use of cookies, chat bots, session replay, and other technologies (collectively, cookies).” Looking back on the last 12 months, it’s fair to say even that was an understatement. We saw dozens of plaintiffs’ firms, several pro se claimants, and regulators continue to push the envelope of antiquated wiretapping laws into the digital age. We responded by publishing resources to help our clients adapt and adjust their risk profiles to balance business utility and legal risk. Those resources include a customizable set of cookie compliance and consent management deliverables to kick-start the compliance effort. And, despite a federal judge declaring the California Invasion of Privacy Act (CIPA) a “total mess” in a recent case and imploring the California legislature to take action, SB690 (which would amend CIPA to create a safe harbor where companies offer CCPA opt-out rights) appears stalled in the California house. Plaintiffs’ attorneys are also expanding claims to cover ECPA, the federal wiretapping law, particularly for companies subject to the DOJ Bulk Data Transfer rule, HIPAA, and GLBA. The result is what is shaping up to be another year of aggressive regulator actions and a multimillion-dollar cottage industry of website tracking shake-down letters akin to Telephone Consumer Protection Act (TCPA) and Americans with Disabilities Act (ADA) trolls.
United States enacts new rules limiting data transfers to sanctioned countries (and then some!)
In January 2025, the US Department of Justice finalized its bulk data transaction rule, which significantly restricts (or prohibits) the transfer of personal and deidentified data (depending on volume) to companies and people in several jurisdictions, including China (including Hong Kong and Macao), Cuba, Iran, North Korea, Russia, and Venezuela.
While the rule took effect in April 2025, and the enforcement “grace period” passed in October 2025, companies are still grappling with compliance, depending on their particular risk profile and business operations. Many are watching for the first enforcement activity under this rule, which we expect to see in 2026. Among the important things for companies to think about in ensuring compliance with the rule are robust data mapping and inventory practices, careful assessment of network access to sensitive data sources and uses, strong vendor and partner diligence and contracting, effective development of a compliance program, and appropriate governance, in consultation with experienced counsel.
CIRCIA countdown: Preparing for expansive new federal incident-reporting rules
One of the most consequential federal cybersecurity developments continues to be the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which will eventually impose new cyber-incident and ransomware-payment reporting obligations on an estimated 300,000 entities across the 16 critical infrastructure sectors. In the fall of 2025, the federal Cybersecurity and Infrastructure Security Agency (CISA) delayed the publication of its final rulemaking, which is now expected in May 2026.
However, the clock starts soon, and the updated timeline does not reduce the stakes. CIRCIA and the CISA rule will mandate that critical-infrastructure entities notify CISA within 72 hours of discovering a “covered cyber incident” and within 24 hours of making a ransomware payment. They also will require expansive recordkeeping and will include penalties and civil enforcement actions.
Covered entities should use this window to enhance and stress-test their compliance programs, including by updating incident-response plans and implementing retention protocols.
AI threat landscape expands
While 2025 saw what is believed to be the first AI-orchestrated attack, we doubt that it will be the last as we turn the page to 2026. Incident-response and threat-intelligence sources now link widespread use of AI and automation to faster reconnaissance, more convincing phishing, and shorter times from initial compromise to data theft. In some cases, exfiltration is compressed from days to hours. In other words, AI has begun to significantly lower the technical proficiency needed for a threat actor to exploit systems. Research and other real-world cases point to emerging AI-specific risks such as data poisoning, prompt injection, and attacks that target the AI systems organizations are deploying.
Fortunately, new AI technologies are being developed to counteract these trends. On the defense side, security vendors and enterprise teams are also using AI to their advantage. These include AI-assisted detection at the network perimeter, faster endpoint triage, automated analysis of large volumes of telemetry, deploying agents to monitor high-value assets, and autonomous AI patching. McDermott Will & Schulte is working with forensic partners to help clients integrate these technologies with AI governance frameworks, AI inventories, and incident-response playbooks tailored to AI-enabled threats.
EU streamlines privacy and cybersecurity frameworks
As described below, many headlines have focused on the European Commission’s proposed rollback of certain marquee legislation, which now moves to the legislative approval and member state implementation phases. However, there is a lot more to watch in the European Union as we enter 2026.
Digital Omnibus(es)
In the EU, the standout development to watch in 2026 is the European Commission’s pivot toward simplification after years of expansive digital regulation. In November 2025, the Commission introduced two major proposals as part of its Digital Package on Simplification: the Digital Omnibus and the Digital Omnibus on AI. These proposals focus on five main areas: cybersecurity incident reporting (the Network and Information Security Directive 2 (NIS2), General Data Protection Regulation (GDPR), and Cyber Resilience Act (CRA)); data protection (GDPR); the ePrivacy Directive (or Cookie Law); the Data Act and a suite of related data-governance laws; and the Artificial Intelligence (AI) Act.
Key changes introduced by the Digital Omnibus include a new definition of personal data, a centralized incident-reporting channel, higher thresholds for GDPR breach notifications, new legal bases for processing sensitive data for AI testing and development, a unified approach to data protection impact assessments (DPIAs), simplified transparency and research and development (R&D) compliance requirements, more business-friendly exceptions from data subject access request (DSAR) requirements, as well as exceptions from the consent requirement for certain cookies processing personal data, the prohibition to re-ask for consent for six months after a user declines such consent, and the requirement to honor automatic consent signals (including through browsers).
Key changes introduced by the Digital Omnibus on AI include a proposed 16-month (with a backstop of December 2, 2027) delay on enforceability of certain rules applicable to high-risk AI, subject to development of applicable standards, a grace period for transparency/marking obligations, a new legal basis for processing of sensitive data for bias detection, a shift of AI literacy obligations from companies to Member States and/or the European Commission, and several other smaller adjustments and simplifications.
While these proposals promise meaningful simplification, they are not yet in force, and companies should closely monitor the legislative process throughout 2026.
When is data pseudonymous?
In a recent EDPS v. SRB judgment, the EU Court of Justice clarified that pseudonymized data may remain personal data for the original controller, but not necessarily for the recipient, depending on whether the recipient can identify the individuals. Businesses should monitor how this new approach will be enforced by EU supervisory authorities.
Continued implementation of NIS2 requirements
The EU is raising expectations through landmark legislation – most notably NIS2, the Critical Entities Resilience (CER) Directive, the CRA, and the Digital Operational Resilience Act (DORA) – aimed at strengthening digital resilience. As of today, roughly half of EU Member States have transposed NIS2. At the same time, the CRA enters a pivotal implementation phase in 2026: vulnerability and incident-reporting obligations will begin in September 2026, with full product-security requirements following in December 2027. Many organizations are already conducting product-level applicability assessments, establishing vulnerability-handling and incident-response processes, and benchmarking their security practices against CRA requirements. Addressing these challenges requires active leadership engagement, the empowerment and education of key stakeholders, and the cultivation of a security-conscious culture across the entire organization.
If you have questions or would like to discuss any of these developments, contact the authors or your regular McDermott Will & Schulte lawyer.