The data privacy regulatory environment has never been more complex, and 2026 marks an inflection point. More than twenty U.S. states now have comprehensive privacy laws in effect or approaching effective dates. The SEC’s cybersecurity disclosure rules are generating their first full cycle of public filings. Enforcement actions under the California Consumer Privacy Act have moved from novelty to routine. And the question of a federal privacy framework, long discussed and repeatedly deferred, is once again generating serious legislative activity. Businesses need a clear-eyed view of where requirements stand and what the near-term horizon looks like.
The State Law Mosaic
The core consumer rights established across most state privacy laws — the right to know, the right to delete, the right to opt out of sale and targeted advertising — have become the baseline for any serious privacy program. The divergences that matter most now are in the treatment of sensitive data categories, the scope of universal opt-out mechanisms, the applicability thresholds for smaller businesses, and the emerging requirements around automated decision-making and profiling. Companies operating in multiple states need a compliance architecture that handles these variations systematically rather than by patching state by state.
Cybersecurity Disclosure Requirements
Public companies are now required to disclose material cybersecurity incidents within four business days of determining materiality and to provide annual disclosures about cybersecurity risk management, strategy, and governance. The materiality determination — which must be made promptly, often in the middle of an active incident response — is among the most consequential and least-understood obligations in the new framework. Incident response plans that do not include a materiality analysis protocol are incomplete.
AI and Privacy: The Emerging Frontier
Automated decision-making, AI-driven profiling, and the use of large training datasets are generating new questions under existing privacy frameworks. Several states have proposed or enacted specific AI governance requirements, and the FTC has signaled active interest in AI-related privacy enforcement. Companies deploying AI tools that process personal data should assess those deployments against applicable privacy law requirements now, before enforcement establishes the outer boundaries of permissible practice.
Snow+Snow’s privacy and cybersecurity practice provides comprehensive counsel on privacy program design, incident response, regulatory compliance, and emerging AI governance requirements. We work with clients across industries to build privacy programs that are durable, scalable, and defensible.
