Privacy and Cybersecurity 2025–2026: Key Insights, Challenges, and Future Trends | White & Case LLP - Tech Digital Minds
The landscape of data privacy and cybersecurity saw significant transformations in 2025, as organizations grappled with new regulations and compliance requirements set forth by both federal and state authorities. As we dive into 2026, let’s explore the key updates and changes over the past year and examine the implications for businesses navigating this complex environment.
Throughout 2025, important enforcement actions and legislative developments shaped the framework for data privacy and cybersecurity compliance, imposing greater responsibilities on businesses regarding personal data management.
In April 2025, the U.S. Department of Justice’s Bulk Data Rule took effect, ushering in a new regulatory landscape. This rule established stringent cybersecurity measures for entities processing bulk personal and government-related data, especially concerning transactions involving foreign and covered persons. Notably, businesses must now maintain meticulous records and assess their data-sharing practices to ensure compliance with the new regulations. The implementation includes a rigorous cybersecurity control system and regular assessments to identify any vulnerabilities.
Also in April, the Federal Trade Commission (FTC) unveiled final amendments to the Children’s Online Privacy Protection Act (COPPA), which became effective on June 23, 2025. The new amendments imposed more stringent requirements on website operators collecting data from children under 13, mandating a written security program for children’s personal information and giving parents more authority to control their child’s data usage. Organizations were urged to revise their data handling practices to accommodate these changes, reflecting an industry-wide shift toward a more protective stance regarding children’s data.
The introduction of Minnesota’s Consumer Data Privacy Act on July 31, 2025, marked another leap forward in consumer rights. This Act expanded the scope to include nonprofit organizations while allowing consumers to challenge profiling decisions directly. In an effort to uphold consumer rights, the Act also exempted small businesses from compliance mandates, balancing regulatory expectations with economic realities.
On October 1, 2025, the Maryland Online Data Privacy Act came into effect, applying to businesses that control or process data from at least 10,000 consumers, with specific criteria focusing on revenue derived from the sale of personal data. This statute notably restricts the sale of sensitive personal data, even with the consumer’s consent, reflecting a growing trend toward heightened privacy protection.
Connecticut’s Data Privacy Act (CTDPA) underwent significant amendments signed into law by Governor Ned Lamont on June 25, 2025. These changes raised the consumer data threshold for applicability and broadened the definition of sensitive data. The progression toward empowering consumers included a right to contest profiling decisions and expanded access rights regarding personal data. These amendments will come into effect on July 1, 2026, signaling an ongoing evolution in consumer privacy rights.
Colorado’s Senate Bill (SB) 24-041, effective October 1, 2025, revised the Colorado Privacy Act (CPA) to establish strict requirements regarding minors’ data processing. This legislation emphasizes responsible data collection practices and mandates that organizations conducting business with minors take special care to protect their data privacy, setting a precedent for how businesses should handle underage users’ information.
2025 also witnessed a surge in collaborative efforts among state Attorneys General to enforce privacy laws, with several high-profile settlements making headlines.
Additionally, Texas’ Attorney General pursued lawsuits against several television manufacturers for unlawfully collecting viewing data without users’ consent, while Florida’s Attorney General acted against Roku for similar violations involving children’s personal information, reflecting a nationwide trend in vigilant enforcement of data privacy laws.
The Federal Trade Commission made headlines with several enforcement actions underlining its commitment to data privacy protection. Heightened scrutiny on practices surrounding children’s data was evident as the FTC tackled violations of COPPA, indicating a major pivot towards safeguarding children’s online experiences.
Recently, a prominent media company faced a hefty $10 million settlement over allegations related to unlawful data collection from children on YouTube. Accusations included incorrect labeling of content and failing to secure necessary parental consent, highlighting critical gaps in compliance practices. In addition to the financial penalty, the company must develop and enforce a rigorous compliance program for future content rating.
The FTC’s action against robot toy maker Apitor also drew attention, as the company was penalized $500,000 for allowing unauthorized collection of children’s geolocation data. The enforcement required Apitor to implement measures ensuring compliance with COPPA regulations moving forward.
Moreover, significant civil penalties were assessed against Cognosphere, the developer of Genshin Impact, for violating COPPA by targeting children in its advertising and misrepresenting game features. This action illustrates the heightened expectations the FTC has for companies engaging with young audiences.
As we venture into 2026, organizations must prepare for an increasingly complex landscape marked by new regulations and rigorous enforcement actions. The introduction of consumer privacy statutes in states like Kentucky, Rhode Island, and Indiana indicates an expanding web of compliance requirements. The trend suggests that consumers will have greater agency in controlling their personal data as states refine their legal frameworks.
With California continuing to advance its privacy legislation, the emphasis on automated decision-making technology (ADMT) and cybersecurity audits stands out, reflecting the evolving risk landscape driven by technological advancements. Meanwhile, expectations at the federal level, especially from the FTC, signal a stricter approach toward the regulation of children’s online activities, with a spotlight on transparency and user consent.
Moreover, the cyber threat landscape is evolving. Businesses must brace for more sophisticated attacks fueled by artificial intelligence, necessitating an urgent investment in employee training focused on data protection. Compliance leaders face the dual challenge of navigating new legal frameworks while reinforcing cybersecurity measures against an array of burgeoning threats.
As an era of profound regulatory change unfolds, organizations must adapt swiftly to meet the demands for compliance with an expanding set of privacy and cybersecurity laws. The onus will increasingly lie on in-house counsel and compliance teams to ensure rigorous oversight and strategic adaptation to these emerging legal requirements.
Sean Onwualu (White & Case, Law Clerk, New York) contributed to the development of this publication.