As organizations across the country adapt to an ever-changing digital environment, 2025 brought a wave of important updates in data privacy and cybersecurity at both the federal and state levels. New and amended state laws, increased regulatory scrutiny and evolving enforcement priorities are shaping the way businesses manage personal data and respond to cyber threats. As we enter 2026, we recap significant developments from the past year and provide an outlook on what to expect this year to help your organization remain compliant and prepared for the challenges ahead.
A Look Back at 2025
2025 was a year filled with notable enforcement actions and decisions, and several regulations and comprehensive state data privacy laws became effective.
Laws, Amendments, & Regulations
Beginning in April 2025, the U.S. Department of Justice's Bulk Data Rule took effect (with additional requirements taking effect in October 2025), introducing a new regulatory framework governing how U.S. persons engage in certain transactions with foreign and covered persons that receive or otherwise process bulk personal data or government-related data. In many covered transactions, the Bulk Data Rule requires entities to implement stringent cybersecurity controls to prevent covered persons from accessing relevant data. Notably, moving forward, entities must abide by the recordkeeping requirements where applicable and continue to assess whether their data sharing (including intra-corporate data sharing via employment agreements) triggers compliance with the Bulk Data Rule.
In April 2025, the Federal Trade Commission (FTC) published its final amendments to the Children's Online Privacy Protection Act (COPPA) regulations, which took effect on June 23, 2025. The amendments expanded the requirements for website and online service operators that collect personal information from children under 13 years of age, including implementing a written children's personal information security program and providing parents with greater control over how operators use and share their child's personal data. The new amendments also require organizations to review and update their data collection, retention, security and disclosure practices as necessary to comply with the amendments.
On July 31, 2025, Minnesota's Consumer Data Privacy Act took effect. While similar in many respects to other U.S. state data privacy laws, the Minnesota Privacy Act has broader application in that it covers nonprofit organizations, and it provides expanded consumer rights in that it permits consumers to review and challenge profiling decisions. Notably, the Minnesota Privacy Act also exempts small businesses from compliance obligations under the law.
The Maryland Online Data Privacy Act also took effect on October 1, 2025. Under this law, the applicability threshold is much lower than under other U.S. state data privacy laws: it applies to entities that control or process the personal data of at least 10,000 consumers and derive more than 20% of their gross revenue from the sale of personal data, or that process or collect the personal data of 35,000 Maryland consumers. Additionally, the Maryland law prohibits the sale of sensitive personal data regardless of a consumer's consent.
On June 25, 2025, Governor Ned Lamont signed SB 1295, significantly amending Connecticut's Data Privacy Act (CTDPA). Key updates include a revised applicability threshold that increases the number of consumers whose personal data a controller must process from 25,000 to 35,000 for the law to apply. The bill also eliminated the applicability requirement that 25% of a controller's gross revenue be derived from the sale of personal data. In addition, the definition of sensitive data was expanded to include: a mental or physical health "disability or treatment" (in addition to "condition" or "diagnosis"), status as a nonbinary or transgender person, information derived from genetic or biometric data, neural data, financial information, and government-issued ID numbers. The update also created a new right to contest certain profiling decisions and expanded the right to access personal data to include inferences about the consumer derived from their personal data and whether a consumer's personal data is being processed for profiling to make a decision that produces any legal or similarly significant effect concerning the consumer. The amendments further make modest updates to data minimization, purpose limitation, and consent requirements, introduce new impact assessment obligations related to profiling, and ban targeted advertising to minors. The amendment will become effective on July 1, 2026.
Colorado Senate Bill (SB) 24-041, which became effective on October 1, 2025, significantly amended the Colorado Privacy Act (CPA) to impose heightened obligations on entities processing the personal data of minors (defined as individuals under 18 years of age), particularly where there is a reasonably foreseeable risk of harm. The obligations include not processing minors' data for targeted advertising, conducting data protection assessments, and ensuring that features are not designed to increase or extend a minor's use of the online service or product. Unlike the original CPA, the amendments under SB 24-041 relating to minors apply regardless of revenue or data processing thresholds. SB 24-041 applies to any controller or processor that offers an online service, product, or feature to Colorado consumers whom the controller knows or willfully disregards are minors.
Attorney General Enforcement Actions
In 2025, we saw a growing trend of state Attorneys General and regulators collaborating to enforce and remedy privacy violations that impact their respective laws, which include:
- On November 6th, 2025, the Attorneys General of California, Connecticut, and New York reached a settlement with Illuminate Education, Inc. after a data breach exposed the personal information of millions of students across the affected states, including over 434,000 California students, 1.7 million New York students, and 28,610 Connecticut students. The breach occurred when a hacker accessed Illuminate's network using the credentials of a former employee, whose access had not been removed, and exploited other security weaknesses such as a lack of monitoring for suspicious activity and improper protection of backup databases. Investigators also found that Illuminate made false and misleading statements in its privacy policy about its data security practices and falsely advertised its compliance with student privacy standards. As a result of the settlement, Illuminate agreed to pay $5.1 million in penalties and to implement robust data security measures, including improved access controls, real-time monitoring, and enhanced protections for backup databases.
- The Attorneys General of Colorado, Connecticut, and California, alongside the California Privacy Protection Agency (CPPA), announced an investigative sweep involving potential noncompliance with the Global Privacy Control (GPC). The GPC is an easy-to-use browser setting or extension that automatically signals to businesses a consumer's request to stop selling or sharing their personal information with third parties. As part of the sweep, the coalition sent letters to businesses that did not appear to be processing consumer opt-out requests submitted via the GPC as required by law and requested that those businesses come into immediate compliance.
- Notably, the CPPA announced that it was teaming up with the Attorneys General from California, Oregon, Colorado, Connecticut, Delaware, Indiana, New Jersey, Minnesota and New Hampshire to form a bipartisan consortium to share resources and investigate potential violations of their respective states' comprehensive data privacy laws.
As California has both its Attorney General and the CPPA to bring enforcement actions, both were very active in 2025. The CPPA brought its first three enforcement actions under the state's comprehensive consumer data privacy regime (Tractor Supply Company, Todd Snyder, Inc., and American Honda Motor Co.). Likewise, the California Attorney General announced three separate settlements alleging CCPA violations (Healthline Media LLC, Sling TV, and Jam City, Inc.). Collectively, these actions addressed violations relating to ineffective or non-symmetrical opt-out mechanisms, improper data sharing with third parties, burdensome processes for consumers to exercise their rights, inadequate privacy policies and service provider agreements, and the absence of certain protections relating to children's privacy.
Texas' Attorney General also sued several television manufacturers for allegedly unlawfully collecting personal data through Automated Content Recognition technology, which can monitor consumers' viewing activity in real time and transmit that information back to the television manufacturers without the user's knowledge or consent. Similarly, Florida's Attorney General brought the first enforcement action under the state's data privacy law, alleging that video streaming provider Roku collected and sold children's personal information without first obtaining consent and failed to notify consumers that it sold their sensitive data.
FTC Enforcement Actions
Under the current administration, the FTC has signaled that its enforcement priorities will include protecting children's privacy, halting the unfair collection and sale of sensitive data, pursuing violations of the Fair Credit Reporting and Gramm-Leach-Bliley Acts, and going after entities with deficient security practices.
Media Company to Pay $10 Million to Settle FTC Allegations
As of December 30th, 2025, a prominent media company will pay $10 million to settle FTC allegations that it allowed personal data to be collected from children who viewed kid-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children's Online Privacy Protection Act (COPPA). The FTC alleged that the company violated COPPA by failing to properly label some videos that it uploaded to YouTube as "Made for Kids." The mislabeling allowed the company to collect personal data from children and use that data for targeted advertising. The company received a portion of the revenue that YouTube generated from advertising placed within its videos as well as from advertising it sold directly. The mislabeling also exposed children to age-inappropriate YouTube features, such as autoplay of videos not "Made for Kids." In addition to the fine, the company must comply with COPPA regulations and implement a program to review whether its YouTube videos should be designated as "Made for Kids," unless YouTube adopts age assurance technologies or changes its labeling system.
Similarly, on September 30th, 2025, the FTC imposed a $500,000 penalty against robot toy maker Apitor for allowing the collection of children's data without parental consent. The FTC alleged that, despite claims in Apitor's privacy policies that it complies with COPPA, it failed to notify parents and obtain their consent before collecting, or causing a third party to collect, geolocation data from children. As part of the proposed settlement, Apitor must ensure all third-party software complies with COPPA, delete improperly collected data unless parental consent is obtained, and adhere to specific requirements including parental notification, verifiable consent, and data retention limits.
Likewise, in January 2025, the FTC announced a settlement with Cognosphere, which allegedly actively marketed its video game, Genshin Impact, to children and collected their personal information in violation of COPPA. In addition, the FTC alleged that Cognosphere deceived players about the odds of winning particular prizes and how much it would cost to win those prizes, practices alleged to be unfair to children and teenagers. Cognosphere agreed to pay $20 million and to block children under 16 from making in-game purchases without parental consent.
In May 2025, the FTC finalized its settlement with GoDaddy over allegations that it misled consumers by failing to implement data security protections, which led to several data breaches between 2019 and 2022. The FTC alleged that since 2018, GoDaddy had failed to implement adequate security measures to protect and monitor its website hosting products for security threats. The FTC also alleged that GoDaddy deceived users about its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. The settlement prohibits GoDaddy from misrepresenting its security measures and programs, including the extent to which they comply with any privacy or security program of any government, self-regulatory, or standard-setting organization. Additionally, GoDaddy must implement a comprehensive information security program and hire an independent third-party assessor to conduct reviews of that program.
The FTC acted against General Motors (GM) and OnStar over allegations that they collected, used, and sold drivers' precise geolocation data and driving behavior information from millions of vehicles (data that can be used to set insurance rates) without adequately notifying consumers and obtaining their affirmative consent. The consent agreement, which became effective in January 2025, prohibits GM and OnStar from misrepresenting how they collect, use, and share consumers' location and driver behavior data. Notably, this enforcement action is similar to the lawsuit against GM brought by the Arkansas Attorney General in 2025 as well as the lawsuit brought by Texas' Attorney General against Allstate in 2024.
The 2026 Outlook
As we navigate 2026, organizations are poised to face increasingly stringent requirements and enforcement actions from state and federal authorities. States remain at the forefront of privacy regulation, with comprehensive laws in Kentucky, Rhode Island, and Indiana taking effect on January 1st and joining a patchwork of now 20 states enforcing consumer privacy statutes. California continues to refine its privacy framework with recently amended final regulations on automated decision-making technology (ADMT) access, opt-out rights, risk assessments, and cybersecurity audits. Importantly, as the current federal administration is reluctant to regulate the use of artificial intelligence, as highlighted by President Trump's Ensuring a National Policy Framework for Artificial Intelligence Executive Order signed in December 2025, states will continue to fill this void, as evidenced by their regulatory approach of implementing guardrails around ADMT.
Regarding enforcement, actions by state attorneys general are expected to increase, with multi-jurisdictional collaborations becoming commonplace, especially in areas of shared concern such as opt-out mechanisms. Further, the cure provision for remedying alleged violations under Oregon's Consumer Privacy Act has lapsed, which could spur additional enforcement. On the federal level, the FTC will likely continue to intensify its focus on protecting minors through strict enforcement of the updated COPPA regulations. Enhanced transparency requirements and limitations on cross-platform sharing of minors' data signal potential scrutiny of businesses processing the data of underage users.
Relating to cybersecurity, emergent cyber threats from artificial intelligence-driven ransomware and supply chain vulnerabilities necessitate heightened vigilance. Organizations will be expected to invest in training their employees to detect and report sophisticated phishing scams, enhance third-party risk oversight, and adopt privacy-enhancing technologies, such as quantum-resistant encryption. Meanwhile, regulatory demands, including proof of proactive cybersecurity measures, serve as a sharp reminder of the need to implement robust compliance measures.
In-house counsel and compliance leaders must continue to grapple with evolving legal frameworks, ranging from state data privacy laws to federal laws and regulations relating to bulk data, children's privacy, and health and financial data, while bolstering cybersecurity policies, procedures, and controls to combat the ever-increasing list of malicious and bad actors.
Sean Onwualu (White & Case, Law Clerk, New York) contributed to the development of this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2026 White & Case LLP