Regulatory Enforcement: What’s on the Agenda for 2026?
January 7, 2026
Dechert recently issued some predictions about key cyber, AI and privacy legal developments that might play out over the course of 2026. Here’s some of what they had to say about regulatory enforcement priorities in the upcoming year:
– We’ll see U.S. regulatory enforcement increase at the state level with multi-state investigations and/or one-off AG actions by offices hoping to make a name for themselves by becoming leaders in this space. We expect that Texas, Florida, California, Colorado, Oregon, and Connecticut will take the lead. Actions related to information security and children’s privacy will continue to be popular. We will not be surprised if the Texas AG’s office becomes one of the most important and active U.S. privacy regulators in 2026.
– At the federal level, we’ll continue to see a different FTC than the one to which we have become accustomed. We expect to see FTC efforts focused on children’s privacy. The FTC and SEC are unlikely to aggressively target companies that have been the victim of cyberattacks as they have in the past, nor will they go after individual executives, which previously was a popular (and often unfair) tactic.
– EU/UK regulators will be more active in 2026, but not necessarily specifically targeting U.S. companies. We likely will see higher fines under GDPR.
– The SEC’s amended Regulation S-P went into effect on December 3 for larger in-scope financial services firms, and it is critical that such companies comply. A consumer notification regime that adds on to, but does not replace, state data breach notification requirements means impacted consumers will receive many more data breach notifications, but often it will be unclear what, if any, of their information has been compromised (since the forensic exams may not be completed by the time notices need to go out). This will result in more “useless notices” being put out into the ether that will have the effect of further desensitizing consumers to these types of notices and to data breaches more generally. Nonetheless, the SEC and OCIE will prioritize compliance with the new Reg. S-P obligations (particularly those related to policies and procedures and service provider contracts) in its examinations.
– On the heels of Australia’s ban on social media for children under 16, and with the U.S. states passing age verification requirements for certain apps, we expect to see even more jurisdictions limiting aspects of the internet globally. In general, we’ll see increased limits and gatekeeping on how children use the internet.
Dechert also expects that companies will move quickly to install AI governance programs and incorporate AI-enabled cybersecurity tools, and that the number of compliance checks and regulatory actions by governments will increase as well.