IAPP Director Expects States to Extend Focus on AI, Kids Privacy in 2026
In 2026, states and regulators will likely focus on many of the same areas they examined previously, including kids’ privacy and AI, said Cobun Zweifel-Keegan, managing director of IAPP, Washington, D.C., in an interview with Privacy Daily. On the federal level, a flood of privacy legislation is expected by year-end, he added.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Legislatures are "gearing up for next year,” with no signs of "slowing down,” Zweifel-Keegan said. He expects bills about “a lot of the same things as before, nothing too new,” with “comprehensive consumer laws introduced and … pushed in places that don't have them yet.”
In addition, kids’ privacy and safety will continue as priorities, he said, and app store accountability acts are something that could become more common. “The most active state legislators are still really fired up about these issues.” As for the opposition they're receiving, including "super PACs that are being set up to stop them,” it's “just making them angrier and more motivated.”
At both the federal and state levels, chatbots -- specifically companion chatbots -- will “be a huge area of legislative scrutiny,” especially in relation to kids, Zweifel-Keegan said.
Though AI will continue to be a hot topic, it will likely be “less of the automated decision-making-type laws” and instead be “more targeted,” though proposals will still come from the same legislators. He pointed to Connecticut state Sen. James Maroney (D), who “is adopting a different strategy,” and said Connecticut in general will be a state to watch next year on AI (see 2510220015)
Other states that Zweifel-Keegan cited as “interesting to watch” include Virginia, which has some “new ideas,” though it may not pass many things, and New York, particularly on the Responsible AI Safety and Education Act (see 2511170054).
Though states didn't enact any new comprehensive privacy laws in 2025, Zweifel-Keegan said he's unsure if that means “the momentum [for them] is sort of slowing or not.” He noted that “there were still plenty of bills introduced, and some of them got relatively close,” but “no cigar” (see 2510270028).
Enforcement Predictions
Enforcers have made it clear that data brokers remain top of mind, Zweifel-Keegan said. “I think we'll keep seeing scrutiny for car companies and then the related data infrastructure, like the insurance companies,” similar to Texas' action against Allstate (see 2501130047).
He also said Florida’s action against Roku (see 2510140024) “raises interesting nerd questions," such as "How do we think about privacy at the household level with these devices that are shared?” and “How does that work in the state privacy plan context?”
The Roku suit was brought under the Florida Digital Bill of Rights, which the IAPP doesn't consider a comprehensive privacy law, since “most" of its "operative provisions are extremely narrow in application due to multiple high thresholds of applicability,” according to a blog post that Zweifel-Keegan co-authored.
But the suit signals “that the Florida AG is interested in taking an expansive reading of the scope of that law,” Zweifel-Keegan told us, which means “it might apply to more companies than the companies would think.”
“It's another example of bipartisan enforcement,” which is “aggressive on all sides of the political spectrum.”
Since the Texas attorney general may focus on his Senate race and there has been some staff turnover in the AG office (see 2510060016), Zweifel-Keegan said he expects “a slower year” on privacy enforcement from the state. “We probably” will have to wait “before we see a lot of activity from Texas again, but the unit is there,” and “in theory, it's doing things, so we'll see.”
“They do have budget," along with at least three attorneys and a technologist position, so it’s “a bigger team than most of the other states,” he noted. That's “the main indicator ... It makes a difference when you have a bigger team.”
At the federal level, “the one big question for next year is whether the DOJ will enforce the data security rule,” Zweifel-Keegan said (see 2503100057), which he will be “watching really closely."
"A lot of companies are deeply involved in trying to figure out how to comply with that, and if there's no enforcement, they probably won't be as concerned anymore,” he added. But “there's definitely that hanging over them,” since “a lot of it ... requires additional compliance obligations that are new in the privacy space.”
Federal Agenda
Heavy legislative activity at the federal level, "at least in terms of things being introduced,” seems a given after the pause during the government shutdown, said Zweifel-Keegan.
“Everything's kind of piled up for the end of the year,” with somewhere “between 12 and 20 bills,” including “a giant package of kids’ privacy [and] safety bills out of the House,” he said. “Supposedly,” the IAPP official added, a draft of a comprehensive consumer privacy bill should be published by the end of the year as well.
On Tuesday, the House Commerce Committee said it would discuss an updated version of the Kids Online Safety Act (KOSA) during a Dec. 2 subcommittee hearing. Also on the agenda are 18 other bills, including the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and the App Store Accountability Act (see 2511250080).