Key point: CISA’s virtual town hall meetings for CIRCIA rulemaking have been rescheduled for June 15-18, 2026.

On May 26, 2026, CISA announced the dates for the rescheduled CIRCIA rulemaking town hall meetings between June 15-18, 2026. The agency’s use of town halls is discretionary and is not mandated within the federal rulemaking process. CISA

Key point: Colorado has repealed and replaced the Colorado AI Act, amid years of skepticism from industry critics.

On May 14, Colorado Governor Jared Polis signed SB 26-189 into law, repealing and replacing the landmark Colorado Artificial Intelligence Act (CAIA), just under two months before it was set to take effect. CAIA was enacted in 2024 with an amended effective date of June 30, 2026.

Key point: The Utah legislature just passed a first-of-its-kind digital identity law that gives residents new rights over what personal information they share when verifying their identity. If your business chooses to participate as a verifier in Utah’s state-endorsed digital ID program—or builds the technology behind it—new consent, purpose-limitation, and loyalty obligations apply starting May 6, 2026.

Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.

The Rules Vary by Program. Privacy Obligations Do Not.

Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:

  • A retailer runs a points-based loyalty program that collects purchase history and behavioral data.
  • A company with a household brand name runs a sweepstakes and collects contact information for prize fulfillment.
  • A manufacturer offers mail-in rebates and collects names, addresses, and receipts to provide the rebates.
  • A mobile app runs a referral campaign and collects device identifiers and app usage data.
  • A sports betting app runs an advertising campaign to attract participants and inadvertently collects personal information from middle school kids who like sports.

All these instances trigger compliance obligations—even if the activities feel informal or low-risk.

Key point: 2026 may be a pivotal year for organizations to monitor cyber incident reporting requirements—the voluntary sharing allowed under the Cybersecurity Information Sharing Act of 2015 remains available, but only through September, and regulations delineating who must report and how mandatory reporting will be managed under CIRCIA are coming.

A recent ruling by the U.S. District Court for the Southern District of New York sets a significant precedent for the use of generative AI platforms in the legal profession. The court found that a client’s prompts to a generative AI system and documents generated by AI to share with counsel are not protected by the attorney-client privilege or

With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first- and third-party cookies, third-party analytics software, and third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.

In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.

Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.