Data Privacy, AI Regulatory, and Compliance Update: May 2026

2026 is shaping up to be a transition year for privacy and AI compliance.  In California, privacy controls are moving from individualized, website-by-website opt-outs toward centralized and automated infrastructure through DROP and the Opt Me Out Act.  At the same time, AI regulation is becoming more operational: the EU AI Act continues its phased rollout while the pending Omnibus package reforms may delay key high-risk AI compliance deadlines; Colorado has replaced its original AI Act with a narrower transparency-focused ADMT regime; and Connecticut has advanced a broad AI safety and transparency framework addressing employment tools, AI companions, synthetic content, subscription-based AI services, and frontier models.

For businesses, the common theme is that regulators are moving beyond policy disclosures and toward technical implementation, recordkeeping, workflow automation, vendor coordination, and auditable compliance processes.  Companies should use the 2026-2027 period to confirm whether they are in scope, map affected systems and data flows, and update governance programs before these new requirements become enforcement priorities.

Key Takeaways:

• California’s Data Broker Deletion Request Portal (DROP) requires data brokers to begin processing DROP deletion requests on August 1, 2026.
• California’s “Opt Me Out Act” brings the state’s privacy opt-out requirements to the browser level.
• Certain obligations under the European Union AI Act become fully applicable on August 2, 2026, with other compliance deadlines delayed pending finalization of the recently agreed upon amendments to the EU AI Act through the EU AI Omnibus. 
• Colorado transitions to a transparency regime through reforms to the Colorado AI Act.
• Connecticut passes comprehensive regulation addressing artificial intelligence.  The measure is expected to be signed by the Governor with provisions scheduled to take effect between 2026 and 2027.

Read the complete client alert.

*  *  *

Kasowitz’s Data Strategy, Privacy, and Security team has deep knowledge in the data, privacy, and security sectors, and is familiar with the potentially existential risks faced by companies that rely on data as an engine of commerce and innovation.  Global data, AI, privacy, and security threats are “bet the company” issues that Kasowitz is well equipped to handle.  Our team consists of seasoned lawyers who have worked at or represented the largest and most innovative companies in the world, former regulators, and former government attorneys.  We leverage our extensive subject matter knowledge to support companies through global privacy and technology counseling, regulatory support in the AI, privacy and security space, litigation, and incident preparedness and response.

For more information, please contact:

Brandy Worden
Partner
bworden@kasowitz.com

Frederick C. Bingham
Associate
fbingham@kasowitz.com  

Cyrus Borhani
Associate
cborhani@kasowitz.com