Top AI, Privacy, and Cyber Enforcement Takeaways from the 2026 IAPP Global Summit
The 2026 International Association of Privacy Professionals (IAPP) Global Summit in Washington, D.C. (March 30–April 2) underscored a consistent message from privacy, artificial intelligence (AI), and cybersecurity regulators: paper compliance is no longer sufficient. While policies, notices, and internal frameworks remain essential, enforcement is increasingly focused on whether compliance programs operate effectively in practice and withstand scrutiny from a consumer-impact perspective.
The summit’s discussions reflected a more coordinated enforcement environment, with increased focus on operational execution, governance, and executive and board accountability.
Enforcement Expands and Becomes More Coordinated
Regulators emphasized that enforcement capacity is growing. Smaller states are leveraging the resources of larger states, and cross-border information sharing is routine. As one regulator noted, “the army is growing,” highlighting both increased enforcement staffing and the potential for higher penalties.
Formal collaboration mechanisms, such as the Consortium of Privacy Regulators, are reinforcing practices that already existed informally. For companies operating across jurisdictions, this means that an inquiry in one state may quickly cascade into parallel investigations elsewhere, amplifying legal, operational, and reputational risk.
Governance Expectations Shift to the C-Suite and Beyond
A striking theme was the growing emphasis on C‑suite and board‑level involvement in privacy governance. In a recent enforcement action, the California Privacy Protection Agency required board-level oversight of privacy risk assessments and identification of responsible board members.
Regulators also signaled that mandated board review may become more common in future enforcement actions. While regulators emphasized that their decision to name executives or board members in complaints depends on context, knowledge, and culpability, they were clear that senior leadership cannot assume immunity from scrutiny. Privacy, cybersecurity, and AI governance are enterprise risks that demand executive engagement.
Regulators Focus on Operationalizing Privacy and Security Principles
Regulators stressed that adherence to core privacy and security principles, such as transparency, data minimization, purpose limitation, and storage limitation, is critical. These principles are enforcement baselines.
Regulators expect companies to collect only the minimum personal information necessary to process privacy requests and to comply with retention and deletion requirements, even for de-identified data. Particular attention is being paid to mergers and acquisitions and post‑divestiture environments, where data governance practices may not be consistently assessed. Regulators also cautioned about re‑identification risks when datasets are combined across platforms.
Regulators Target Friction in Exercising Privacy Rights
Regulatory attention continues to focus on whether consumers can meaningfully exercise their privacy rights, especially opt-out rights. Regulators expect companies to test their own rights processes and identify friction points.
California regulators have emphasized that privacy rights attach to consumers, not devices or platforms, requiring execution across cross-platform analytics and advertising programs. Other states, including Oregon and Minnesota, have echoed concerns that difficulty in exercising privacy rights may signal broader compliance gaps.
Sensitive Data and Children’s Privacy Remain High-Priority Enforcement Areas
Children’s data and other sensitive data, such as health, genetic, and precise geolocation information, remain high‑priority enforcement areas. Federal Trade Commission (FTC) leadership noted concerns about design features that promote addiction or excessive engagement, particularly in social media and gaming contexts, especially when they affect children.
These risks intersect with emerging age‑verification requirements, federal enforcement initiatives, and state privacy laws, making children’s privacy a significant compliance and reputational issue.
AI Enforcement Focuses on Harm and Explainability
AI enforcement is increasingly grounded in consumer harm. Regulators highlighted risks associated with chatbots, particularly those interacting with children, and the use of AI and predictive analytics to make decisions that impact consumers.
Regulators emphasized that transparency around inputs, logic, and outcomes is critical. Regulators also noted that AI governance cannot be separated from privacy and security compliance given AI’s dependence on personal data processing.
Cybersecurity Risk and Breaches Remain Enforcement Priorities
Cybersecurity enforcement remains active, particularly where breaches affect vulnerable populations or involve delayed notification. Regulators discussed the importance of securing data even when processing is outsourced, a critical issue in SaaS and cloud‑based processing.
Post‑merger and acquisition environments were identified as high‑risk areas, with enforcement often tied to failures in IT diligence, integration, and post‑close risk assessments.
Data Broker and Deletion Obligations Are Expanding
Regulators noted increased enforcement scrutiny of data broker activity. California’s Delete Request and Opt‑Out Platform (DROP) has already processed large volumes of consumer requests, and forthcoming obligations will require covered entities to regularly download, process, and report on deletion requests. Failure to comply with deletion requests may result in penalties of $200 per day per consumer.
Several states, including Vermont, Texas, and Oregon, have, or are considering, data broker laws. The FTC has also approached data broker regulation from a data transfer perspective, including warnings tied to compliance with the Protecting Americans’ Data from Foreign Adversaries Act of 2024.
Importantly, regulators cautioned that data broker obligations may apply based on activity rather than labels. Businesses may be subject to these requirements even if they do not view themselves as data brokers, particularly where they sell, share, or aggregate personal data.
Preparing for and Responding to Enforcement Actions
Given the increased risk of enforcement, companies should keep the following in mind:
- Maintain Appropriate Documentation and Protect Privilege. Document the steps taken to implement a reasonable and defensible privacy compliance program, including evidence of C‑suite and board oversight. Maintaining documentation supports timely responses to regulator inquiries. Delayed responses may be interpreted as an indicator of noncompliance. Consider how to maintain privilege when creating and disseminating documentation.
- Identify Regulatory Concerns Early. Understand regulators’ objectives and anticipate areas of concern, even if they are not initially raised; enforcement priorities can change over the course of an investigation. Reviewing public enforcement actions, regulatory guidance, and enforcement reports can help identify regulatory priorities.
- Have a Clear Communications Vision. Align internal stakeholders and determine what information to communicate to regulators. Avoid assumptions about what regulators may already know. They may not be familiar with the operational nuances of compliance and may rely on the business to provide clear and accurate context. Ensure that external communications protocols, including with the press, are clearly understood.
- Consider Multijurisdictional Operations. Practices in one jurisdiction may trigger inquiries in another and may not satisfy requirements elsewhere. Anticipate regulators sharing information and maintain documentation to justify any differences in practices across jurisdictions.

