Data Privacy, AI Regulatory, and Compliance Update: 2026

Data Privacy, AI Regulatory, and Compliance Update: 2026

2026 will be one of the more active periods of privacy compliance in recent memory.  Multiple U.S. state laws covering comprehensive privacy, data brokerage, and age verification will take effect, alongside major international developments: Vietnam’s first national data protection law goes into effect, the United Kingdom is rolling out digital verification services, Australia has new transparency mandates for automated decisions, and the European Union’s Data Act design obligations all take effect.  Collectively, these measures mark a global shift from privacy “as disclosure” to privacy “as infrastructure,” where technical design, interoperability, and verified user control define compliance as much as policy and consent.

2026 also marks a shift in global AI governance.  Across the United States, Europe, and Asia, jurisdictions are implementing the first binding regulatory regimes designed to move AI oversight from principle to enforceable obligation.  While the EU AI Act’s high-risk system rules likely take effect in August 2026 (pending potential delays proposed by the EU Commission), several U.S. states, particularly California, Texas, and Colorado, are also entering the compliance phase of their AI and data-privacy programs.  Together, these developments may signal the end of the AI “self-regulation” era and the rise of multi-layered, legally mandated governance frameworks.

There are several new laws and amendments taking effect in early 2026.

Key Takeaways:

  • There are three new U.S. comprehensive privacy laws - Indiana, Kentucky, and Rhode Island transition from planning to enforcement on January 1, 2026.
  • Texas SB 2420 (“App Store Accountability Act”) and Texas CUBI Amendments (via HB 149).
  • Vietnam's PDPL (Law No. 91/2025/QH15) - Vietnam’s first statutory personal data protection law replaces the more limited Decree 13 and realigns Vietnam’s data privacy regime.  In addition, Vietnam’s national AI law takes effect March 1, 2026.
  • U.S. state-level AI laws in California and Texas are set to take effect in early 2026.
  • This year’s wave of new laws, from U.S. state regimes and Texas’s biometric and broker amendments to the EU Data Act, Vietnam's PDPL, and Australia’s ADM transparency rule, will push organizations to treat privacy as a design and infrastructure problem, not just a paperwork and documentation exercise.
  • Regulators are embedding privacy expectations into the architecture of consent, identity, and data portability itself.

Read the complete client alert.

*  *  *

Kasowitz’s Data Strategy, Privacy, and Security team has deep knowledge in the data, privacy, and security sectors, and is familiar with the potentially existential risks faced by companies that rely on data as an engine of commerce and innovation.  Global data, AI, privacy, and security threats are “bet the company” issues that Kasowitz is well equipped to handle.  Our team consists of seasoned lawyers who have worked at or represented the largest and most innovative companies in the world, former regulators, and former government attorneys.  We leverage our extensive subject matter knowledge to support companies through global privacy and technology counseling, regulatory support in the AI, privacy and security space, litigation, and incident preparedness and response.

For more information, please contact:

Brandy Worden
Partner
bworden@kasowitz.com 

Frederick C. Bingham
Associate
fbingham@kasowitz.com 

Cyrus Borhani
Associate
cborhani@kasowitz.com 

 

Contacts

Brandy Worden

Brandy Worden

Partner / Los Angeles

View Full Bio

Practice Areas

Industries