Key point: The Utah legislature just passed a first-of-its-kind digital identity law that gives residents new rights over what personal information they share when verifying their identity. If your business chooses to participate as a verifier in Utah’s state-endorsed digital ID program—or builds the technology behind it—new consent, purpose-limitation, and loyalty obligations apply starting May 6, 2026.
Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.
The Rules Vary by Program. Privacy Obligations Do Not.
Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:
All these instances trigger compliance obligations—even if the activities feel informal or low-risk.
Key point: 2026 may be a pivotal year for organizations to monitor cyber incident reporting requirements—the voluntary sharing allowed under CISA 2015 remains available, but only through September, and regulations delineating who and how mandatory reporting requirements are managed under CIRCIA are coming.
With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.
In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.
Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.
Key point: Colorado’s Department of Law is soliciting public comments through September 5, 2025, on revised privacy rules to protect minors’ personal data and online privacy.
On July 29, the Colorado Department of Law issued a notice of proposed rulemaking to revise the state’s privacy rules following the legislature’s 2024 amendments to the Colorado Privacy Act (“CPA”). The revised rules include new protections for the personal data of minors and are currently open to public comment. Written comments should be submitted via the CPA rulemaking comment portal by September 5, 2025. Additional comments may be submitted at a public hearing scheduled for September 10, 2025.
Keypoint: As leadership at the CFPB shifts, responses to the CFPB’s Notice of Proposed Rulemaking to implement Section 1033 of the Dodd Frank Act looms.
More than a decade ago, the Dodd Frank Act created the Consumer Financial Protection Bureau (CFPB) and gave it authority to promulgate rules implementing Section 1033 of the Act. Under Section 1033, upon request, a financial services provider “shall make available to a consumer information in its control or possession concerning the product or service that the consumer has obtained, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”
On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.
Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.
If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.
On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.