Customer loyalty program concept in e-commerce for customer engagement. Man holding phone displaying earning points after purchasing online.

Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.

The Rules Vary by Program. Privacy Obligations Do Not.

Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:

  • A retailer runs a points-based loyalty program which collects purchase history and behavioral data.
  • A company with a household brand name runs a sweepstakes and collects contact information for prize fulfillment.
  • A manufacturer offers mail-in rebates and collects names, addresses, and receipts to provide the rebates.
  • A mobile app runs a referral campaign and collects device identifiers and app usage data.
  • A sports betting app runs an advertising campaign to attract participants and inadvertently collects personal information from middle school kids who like sports.

All these instances trigger compliance obligations—even if the activities feel informal or low-risk.

Lock Illustration

Key point: 2026 may be a pivotal year for organizations to monitor cyber incident reporting requirements—the voluntary sharing allowed under CISA 2015 remains available, but only through September, and regulations delineating who and how mandatory reporting requirements are managed under CIRCIA are coming.

A recent ruling by the Southern District Court of New York sets a historical precedent for the use of generative AI platforms in the legal profession. The court found that a client’s prompts to a generative AI system and documents generated by AI to share with counsel are not protected by the attorney-client privilege or

employee-scaled.jpeg

With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.

In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.

Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.

Litigation targeting website tracking technologies—such as cookies, pixels, session replay, and analytics tools—remains a major risk for businesses in 2025 and beyond. Courts continue to shape the boundaries of liability, consent, and compliance, with California and federal courts issuing several pivotal decisions this year. The legal landscape is evolving, with new theories, defenses, and legislative proposals emerging.

Privacy Litigation Image

In this post: (1) Courts find cookie banners and sign-in banners place users on notice of privacy policy; (2) but policy must explicitly notify users of practice to establish consent; (3) Courts disagree whether disclosure of Facebook ID violates VPPA; (4) Courts dismiss wiretapping claims after finding messages not received while “in transit”; (5) Defendants forced to litigate in Plaintiffs’ chosen forum as three courts deny motions to transfer venue.