{"id":175875,"date":"2026-01-08T15:53:00","date_gmt":"2026-01-08T20:53:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/08\/privacy-and-cybersecurity-client-alert-january-2026-2026-privacy-compliance-uplifts-and-enforcement-risks-shook-hardy-bacon-l-l-p\/"},"modified":"2026-01-09T06:56:39","modified_gmt":"2026-01-09T11:56:39","slug":"privacy-and-cybersecurity-client-alert-january-2026-2026-privacy-compliance-uplifts-and-enforcement-risks-shook-hardy-bacon-l-l-p","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/08\/privacy-and-cybersecurity-client-alert-january-2026-2026-privacy-compliance-uplifts-and-enforcement-risks-shook-hardy-bacon-l-l-p\/","title":{"rendered":"Privacy and Cybersecurity Client Alert | January 2026 | 2026 Privacy Compliance Uplifts and Enforcement Risks | Shook, Hardy &#038; Bacon L.L.P."},"content":{"rendered":"<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/privacy-and-cybersecurity-client-alert-7255771\/\">Privacy and Cybersecurity Client Alert | January 2026 | 2026 Privacy Compliance Uplifts and Enforcement Risks | Shook, Hardy &#038; Bacon L.L.P.<\/a><\/p>\n<p><a href=\"https:\/\/www.jdsupra.com\/legalnews\/privacy-and-cybersecurity-client-alert-7255771\/\">https:\/\/www.jdsupra.com\/legalnews\/privacy-and-cybersecurity-client-alert-7255771\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-01-08 15:53:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.jdsupra.com\">www.jdsupra.com<\/a><\/p>\n<p>A compliance roadmap for a year that brings new state laws, more demanding requirements, and greater enforcement risks.<\/p>\n<p>While the pace of new privacy legislation slowed last year, 2025 marked a significant pivot by regulators toward finalizing demanding regulations and starting aggressive enforcement. 
For 2026, we recommend businesses shift from \u201cwait and see\u201d to active operational updates, particularly regarding opt-out signals, risky processing, and sensitive data processing.<\/p>\n<p>Critical Risk\u2014Executive Liability <\/p>\n<p>California is making executives have skin in the game. The state is requiring a member of a business\u2019s executive management team to attest to the accuracy of the business\u2019s risk assessments for certain processing of personal information (PI). This elevates privacy to a governance mandate with personal legal risks for the executive.<\/p>\n<p>Compliance Roadmap<\/p>\n<p>To assist with long-term planning, we summarize the key action items for businesses:<\/p>\n<p>New Compliance Tasks in 2026 <\/p>\n<p>This year brings a variety of new compliance obligations to consider. The big tasks include:<\/p>\n<p>\tEvaluate uplifts for new and old states. We have Virginia-style laws that took effect in Indiana, Kentucky, and Rhode Island on January 1, while Montana and Connecticut expanded their laws to cover more companies with more demanding requirements on notice, consumer rights, data protection assessments, and more.<br \/>\n\tReview HR disclosures. HR data is no longer a \u201cblind spot\u201d for regulators. California announced its first settlement concerning HR data, and Colorado\u2019s BIPA-like obligations regarding biometric data apply to employee data.<br \/>\n\tStart risk assessments in California. Businesses must conduct detailed risk assessments before starting certain processing, such as selling personal information or processing sensitive data. For any activity started before 2026, businesses have until December 2027 to complete any required risk assessment.<br \/>\n\tMap disclosures to vendors. 
California now requires new policy disclosures, including what personal information the business provided to contractors or service providers (more generally known as \u201cprocessors\u201d in other states).<br \/>\n\tUpdate websites for opt-out requests. Businesses must honor opt-out signals in Oregon and Delaware, while California requires a website to display whether it honored that signal and to allow users to verify the status of their opt-out request.<br \/>\n\tScrutinize precise geolocation data. Colorado updated its definition of sensitive data to cover precise geolocation data, and Oregon made it illegal to sell such data.<\/p>\n<p>Enforcement Risks and Trends for 2026<\/p>\n<p>Last year saw state regulators significantly expand enforcement, including the first settlement based on HR data and the first lawsuit alleging violations of a comprehensive privacy law. Expect more action in 2026 because we have more laws, fewer states with cure periods, greater inter-state collaboration, and rising political pressure to make headlines with splashy privacy actions.<\/p>\n<p>A few considerations to inform your compliance priorities:<\/p>\n<p>\tThe era of \u201cfix it later if we have to\u201d is largely over. A right to cure is only available in Delaware, Indiana, Iowa, Kentucky, Minnesota (until January 31), Nebraska (until July 1), New Jersey (until July 15), Utah, Tennessee, Texas, and Virginia.<br \/>\n\tPublicly viewable issues are prime targets. Regulators frequently have targeted violations that they could spot without a subpoena, such as broken or confusing opt-out processes, noncompliant or inaccurate privacy policies, and excessive data collection from consumers trying to exercise their privacy rights.<br \/>\n\tChildren\u2019s privacy is a hot topic. 
Both state and federal regulators have focused on settlements concerning children\u2019s data, and state laws often impose obligations beyond those in the Children\u2019s Online Privacy Protection Act (COPPA).<br \/>\n\tPrecise geolocation data is in the crosshairs. States are cracking down on the processing of precise geolocation data. Texas and California targeted companies\u2019 processing of that data, while the Oregon and Colorado legislatures added restrictions on how companies can use such data.<br \/>\n\tSettlement costs are rising. California reached multiple $1 million+ settlements, which doesn\u2019t even account for the costs associated with the injunctive relief.<br \/>\n\tContracts are not just technicalities. California has repeatedly dinged businesses for not having the necessary data-protection-addendum language.<\/p>\n<p>Missing from the above: federal risk. The risk of federal action is slim for most businesses. Federal legislation is not realistic any time soon. And the primary privacy regulator at the federal level for most businesses, the Federal Trade Commission, is focused on COPPA violations rather than the mushier unfairness cases that dominated prior years.<\/p>\n<p>Looking to 2027 and Beyond<\/p>\n<p>While you wouldn\u2019t exactly call this year a light uplift, the next few years really lay it on heavy. We recommend peeking ahead and getting a head start on the obligations we know are coming down the pipeline for businesses subject to the California Consumer Privacy Act (CCPA):<\/p>\n<p>\tEvaluate automated decisionmaking. Starting in January 2027, businesses making housing, employment, or other significant decisions without meaningful human involvement must provide consumers notice and the opportunity to opt out.<br \/>\n\tMap audit framework against CCPA standards. Starting in April 2028 (or later for smaller businesses), many businesses must complete an annual cybersecurity audit involving granular requirements. 
We covered the requirements in a prior alert.<\/p>\n<p>Summary<\/p>\n<p>Although we have fewer radical changes than in past years, there are a few action items that businesses should keep in mind:<\/p>\n<p>\tEvaluate Program Scope. Assess changes needed based on (1) updates in Connecticut and Montana and (2) new laws in Indiana, Kentucky, and Rhode Island.<br \/>\n\tAudit Public Features. Ensure the privacy policy is accurate, consumer choices are clear, opt-out tools operate properly, and identity-verification processes are tailored.<br \/>\n\tStart Risk Assessments. Identify activities triggering a California risk assessment.<br \/>\n\tBrief Executives on Personal Liability. Inform the designated executive of their personal liability for California risk assessments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privacy and Cybersecurity Client Alert | January 2026 | 2026 Privacy Compliance Uplifts and Enforcement&#8230;<\/p>\n","protected":false},"author":1,"featured_media":175876,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/jdsupra-static.s3.amazonaws.com\/profile-images\/og.15792_3102.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-175875","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/175875"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=175875"}],"v
ersion-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/175875\/revisions"}],"predecessor-version":[{"id":175877,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/175875\/revisions\/175877"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/175876"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=175875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=175875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=175875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}