
Privacy and AI Checklist for the New Year

12.16.2025
2025 marked an increase in enforcement activity, including massive (8- and 9-figure) judgments and settlements focused on ad tracking, analytics, wiretapping, text messaging, data subject rights, sensitive data collection, and other topics. That punitive trend only promises to continue in 2026. 
 
Beware of the impact on businesses of all sizes and types. Taft | Morris Manning continues to help its clients find the correct answers in their context for addressing these risks. Issues you may want to consider in the new year: 
 
Litigation / Enforcement: You may be surprised to learn that the privacy litigation and enforcement discussed above can be triggered by common activity, such as the use of online analytics, targeted advertising, text messaging, real-time chat or chatbots, sharing personal data with service providers, and embedded video, among others. What defensive strategies has your company implemented? 
 
Opt-Outs: Multiple state privacy regulators are highly focused on opt-out rights. Does your website honor the Global Privacy Control? Have you audited your cookie manager technology to ensure that it is operational? Have you assessed specific opt-outs required under 19+ state comprehensive privacy laws now in effect? 
 
AI Tech: Do you use AI technology in your business? Perhaps to screen potential new hires? You may be subject to numerous laws requiring multiple notices, anti-bias assessments, internal policies and change-management measures, and other requirements. Obligations may increase in the context of decision-making technology and/or technology used around financial or lending services, education, employment or independent contracting, healthcare, housing, insurance, legal services, or essential government services. 
 
Contracting: Do your vendor contracts include an up-to-date personal data privacy addendum reflecting specific legal requirements? Do your customer contracts allocate compliance risks in a rational manner? Do you have a consistent strategy for addressing customer concerns about privacy?
 
Privacy Notices: Have you assessed whether you are in scope of the numerous new comprehensive state privacy laws? In any case, website privacy notices should also be updated annually – indeed, under some state rules, must be updated once every 12 months. 
 
Data Protection Impact Assessments, Risk Assessments, and Cyber Audits: Numerous laws now require the production of specific assessments and audits. Triggering activity can include the collection of sensitive information, targeted advertising, profiling activities, engagement in data sales, uses of automated processing or automated decision-making technology, and/or simply processing a sufficiently large amount of consumer data if you are a “business” under California law. 
 
Children’s Privacy: Children’s privacy does not just mean COPPA (the federal Children’s Online Privacy Protection Act) anymore. Over a dozen states have passed children’s privacy laws, with a particular focus on online/digital and/or social media activity. Have you assessed your collection and use of children’s data under these new laws? 
 
International Data Transfers: If your company has international locations, affiliates, and/or subsidiaries, do you have a data transfer mechanism for the company group? Potential solutions include intra-company agreements and/or other measures, but growing global companies must assess these options. 
 
Governance: The list of issues provided here is partial. Your business may face other challenges in context. That is why it is important to view privacy and AI compliance as a process to be managed over time. Good governance processes will include review and accountability, with assigned roles and responsibilities. Renew your company’s commitment to governance in the new year.  
 
Taft | Morris Manning contacts:
  • Michael Young, Partner, at michael.young@mmmlaw.com or 404.495.8481
  • Beau Braswell, Senior Associate, at bbraswell@mmmlaw.com or 404.364.4574
The above information is provided by Morris, Manning & Martin, LLP for general information purposes only and does not constitute legal advice or establish an attorney-client relationship.