The world of data privacy is changing rapidly, presenting significant challenges for business leaders. New laws are emerging, plaintiffs’ attorneys are finding creative ways to use old statutes, and cybercriminals are leveraging AI to launch sophisticated attacks.
Staying ahead of the risks is crucial. This article breaks down the biggest threats businesses face and provides practical steps to protect your organization.
What Are the Top Privacy and Security Risks?
In 2026, business leaders will face three key challenges.
- The Rising Tide of Website Litigation
Plaintiffs’ counsel persistently target businesses of all sizes with demand letters, arbitration, and litigation around the use of common website tools and features. This year alone, hundreds of lawsuits and arbitration claims have been filed alleging that the use of third-party website tracking tools, like cookies and pixels, or features, like AI-powered chatbots, violate the California Invasion of Privacy Act and related privacy laws. With courts divided, evolving theories of liability, and stalled legislative remedies, we expect this trend to continue into 2026 and beyond.
- Mounting Compliance Requirements as Enforcement Ramps Up
In the absence of comprehensive federal privacy protections, state lawmakers have enacted a variety of new privacy protections, increasing compliance requirements for many businesses.
“Forty-nine states and the District of Columbia introduced or considered over 800 consumer privacy bills in 2025 and over 30 states enacted at least 100 new laws.” National Conference of State Legislatures, July 28, 2025.
Such laws regulate categories of personal information, such as health data and driving records; protect specific populations, such as veterans, students, and minors (those under age 18); impose restrictions on specific technologies, such as chatbots, connected cars, facial recognition, social media platforms, and app stores; or create new obligations related to common marketing practices, including promotional text messages or data sharing arrangements, which may now be subject to expanded data broker laws.
Monitoring the legal landscape for new privacy requirements is particularly important, as state attorneys general are stepping up enforcement efforts, often by working together to investigate matters and sharing information. In 2026, we are likely to see:
- The first fines imposed under the Oregon Consumer Protection Act (OCPA), as the law’s 30-day cure period sunsets. Come January 1, 2026, the Oregon Attorney General’s office will no longer be required to give businesses an opportunity to fix violations prior to pursuing penalties, which can include fines of up to $7,500 per violation.
- Coordinated inquiries and investigations by state attorneys general in areas that have been identified as enforcement priorities. These efforts will likely target the collection and use of sensitive categories of data, such as kids’ data or location data, and industries and technologies facing broad scrutiny. For example, concerns related to the housing market could drive closer examination of home buying technology, and rising unemployment may prompt investigations related to the use of AI tools in the workplace.
- Attorney general inquiries requiring businesses to produce data protection risk assessments. Under most state privacy laws, businesses are required to conduct and document a risk assessment prior to engaging in certain types of data processing, including, without limitation, targeted advertising. We’ll likely see more emphasis on risk assessments, particularly in the context of enforcement sweeps targeting particular industries or technologies.
- Relentless Attacks and the Increasing Risk of Data Breach Litigation
In 2025, cybersecurity attacks grew in frequency, scale, and sophistication. Leveraging AI, malicious actors are acting faster and more efficiently and launching attacks that are harder to detect. Data breach litigation is also on the rise, driven by this increase in cyberattacks, clearer legal grounds for consumer lawsuits, and tools that enable plaintiffs’ counsel to quickly find clients after a breach is announced. In Washington state alone, data breach case filings are on track to more than double in 2025 compared to the previous year. In the face of these trends, most organizations will increase their spend on cybersecurity investments and incident response and preparation in 2026.
What Steps Can Business Leaders Take to Reduce Risk?
Navigating this complex environment requires a proactive approach. Here are some actionable steps organizations can consider taking to reduce website and data breach litigation risks, enhance compliance, and avoid regulatory scrutiny.
- Review and Update Privacy Policy and Terms
A comprehensive and accurate Privacy Policy is table stakes for compliance and can reduce litigation risks. A well-drafted Terms of Use for websites and apps, with key dispute resolution terms, also plays a key role in reducing risks. Consider revising these documents so they are written in plain language and easy for consumers to locate.
Internally, consider ensuring Data Protection Impact Assessments are completed on key data processing activities across your organization. Such assessments should be ready to be shared with an attorney general upon request.
- Audit Your Website and Apps
Regulators and plaintiffs’ lawyers can spot common compliance issues within seconds of visiting a website or downloading an app. It may be a good idea to review websites and apps to identify any area where additional notice, consent, and/or choice should be provided. Assess (a) key customer experiences that involve the collection of data (e.g., sign-up for promotional emails or texts) and (b) the use of cookies, pixels, SDKs, and other technologies that transmit data to third parties, such as ad platforms or marketing providers. Ensure privacy choices are offered and effective when required and the Privacy Policy and Terms of Use are clear and conspicuous.
- Develop a Robust Incident Response Plan
When the next data breach occurs, be prepared. One way to prepare is with a solid incident response plan, which outlines responders’ roles and responsibilities, describes communication protocols for a variety of scenarios, contains key resources (e.g., network schemas, insurance documents, contact lists, templates), outlines planned technical procedures or measures, and contemplates foreseeable challenges.
- Prep Responders on Communication Practices
Responders may want to assume litigation will ensue and engage counsel early, effectively leverage legal privileges, use secure communication channels, and avoid common incident response mistakes.
- Implement Smart Data Retention and Deletion Policies
Consider deleting sensitive information, paper or digital, online or on-premises, when you no longer have a legal or business need to retain such records. Consider retention policies for employee and recruiting records, as well as sensitive customer data.
- Train All Employees to Avoid, Spot, and Report Security Risks
95% of all data breaches are caused by human error, according to Mimecast. One way to combat human error is by providing all employees with effective, ongoing training to help them avoid and spot security risks. Also consider implementing an easy method for employees to report security risks.
- Be Ready for Consumer and AG Requests
If subject to state comprehensive privacy laws, including the Oregon Consumer Protection Act, remember:
- State attorneys general can request that you share Data Protection Impact Assessments as part of any inquiry or investigation. Ensure such assessments have been completed where required and are ready to be shared.
- You must provide consumers, upon request, a list of all third parties with whom you’ve shared personal information. Creating and maintaining such a list requires cross functional collaboration, as input will be required from every department of an organization.
This article summarizes aspects of the law and opinions that are solely those of the authors. This article does not constitute legal advice. For legal advice regarding your situation, you should contact an attorney.