2026 Enforcement Will Continue Surface-Level Fixes but Could Go Beyond, Lawyers Say

Susan Duarte, data privacy lawyer at Marashlian & Donahue, said she was “amazed” at the level of enforcement in 2025, especially around the global privacy control (GPC) signal.

In particular, the California Privacy Protection Agency’s (CalPrivacy) settlement with Tractor Supply Co. (see 2509300010) showed “it's not just the big guys” that regulators are watching. “They're looking at everyone.” As such, companies should “make sure [they] have that GPC signal on, and it's working,” Duarte said.

Julie Rubash, chief privacy officer for vendor Sourcepoint, agreed: “Every time I see … someone from CalPrivacy or even the [attorney general's] office … they're always" talking about GPC, she said. “It's very top of mind for them right now” and will be into 2026, especially given the investigative sweep -- alongside Connecticut and Colorado -- with respect to GPC (see 2509090045).

She also said regulators' future “focus is pretty clear” when you look at what they did in 2025. “It's actually the low-hanging fruit stuff that they're going after.” These include opt-outs and making sure they actually work, as well as transparency and “being very clear about what companies are doing.”

In addition, Rubash said contracts came up often in 2025 regulatory actions, so businesses should ensure they “have the proper contracts in place with all of [their] third parties.”

Something else that “just keeps coming up” and will likely continue in 2026, Duarte said, is “people say[ing] things in their privacy policy that they don't do.” When it comes to compliance, a privacy policy “could be enough, as long as it actually reflects what you're doing.”

Companies “should make sure that it's an actual notice” that they review and that it’s “correct” and “makes sense.”

In general, states are getting “prescriptive” about “user experience” and how “data subject access requests” are done, Duarte said.

Rubash flagged California’s settlement with Healthline (see 2507010074) as significant due to its indirect reference to the IAB multi-state privacy string. The attorney general found that the health information website “was using an outdated string” and “not necessarily using it with respect to all the signatories to the multi-state privacy agreement.” This was important because it indirectly “put a stamp of approval” on the multi-state privacy string and agreement. The AG didn't say what Healthline did was inefficient, just that it used the string in the wrong way.

It also “was a little bit of a cleanup,” Rubash said, as “there are a lot of companies out there ... using the multi-state privacy string with respect to a broad array of vendors who are not necessarily signatories” to the agreement. “It was important to say that if you're going to use this, you have to use it correctly.”

Looking to 2026, Laura Riposo VanDruff, a consumer privacy, data security and consumer protection lawyer at Kelley Drye, is “interested” in what enforcement looks like, especially at CalPrivacy. The agency got “increasingly muscular” recently and will have “more tools to work with” in 2026 concerning data brokers with the Deletion Request and Opt-Out Platform (DROP) mechanism (see 2511100015).

CalPrivacy also unveiled its Data Broker Enforcement Strike Force in November, which bears watching, VanDruff said (see 2511190041). Additionally, she's “interested” in tracking the bipartisan coalition of state privacy regulators (see 2504160037), to see “how they share resources, how they align on priorities, and what that looks like for business in 2026.”