Data Privacy Resources and Priorities for U.S. Organizations in 2026

Want to receive these privacy recaps in your inbox each week? Subscribe here.

This week, we take a short break from the news cycle to focus instead on drawing a general picture and gathering useful data privacy resources for U.S. organizations. 

For more data privacy news, see you next week with our host, Julie Rubash.

United States

Data Privacy in the U.S: Resources and Priorities for Organizations in 2026

Data privacy in the U.S. is becoming more complex by the day, and we know organizations need guidance and support to feel confident in their approach. 

This week, we’re sharing some useful Didomi links and resources to bookmark, starting with an overview of the U.S. privacy legal landscape:

The U.S. currently has 20 active state privacy laws:

• California Consumer Privacy Act
• Colorado Privacy Act
• Connecticut Data Privacy Act
• Delaware Personal Data Privacy Act
• Florida Digital Bill of Rights
• Indiana Consumer Data Protection Act
• Iowa Consumer Data Protection Act
• Kentucky Consumer Data Protection Act
• Maryland Online Data Privacy Act
• Minnesota Consumer Data Privacy Act
• Montana Consumer Data Privacy Act
• Nebraska Data Privacy Act
• New Hampshire Privacy Act
• New Jersey Data Privacy Law
• Oregon Consumer Privacy Act
• Rhode Island Data Transparency and Privacy Protection Act
• Tennessee Information Protection Act
• Texas Data Privacy and Security Act
• Utah Consumer Privacy Act
• Virginia Consumer Data Protection Act

Each one of these laws defines the requirements organizations must follow to lawfully collect, process, and leverage user data, as well as the rights afforded to consumers. These and other sector-specific laws also define critical standpoints on issues such as children’s privacy, attitude towards Artificial Intelligence, and sensitive personal information (SPI). 

Other state and federal laws, such as the California Invasion of Privacy Act (CIPA), are also emerging as drivers of litigation, which in turn is pushing companies to increasingly implement consent banners for risk prevention, as explained by Brian Kane in our 2026 State of Privacy report:

“We’re going to continue to see the U.S. move to a de facto opt-in regime—not because of any single regulation, but more so the death by a thousand cuts. 

Between CIPA enforcement, VPPA cases, children’s privacy litigation, and general consumer protection trends, we’ll reach a tipping point where >50%+ of U.S. websites will have consent messages prompting explicit opt-in, even when it’s not legally mandated. It’s not regulation driven, but more about risk management at scale.” – Brian Kane, co-founder and COO at Sourcepoint

To help make sense of this complex ecosystem, frameworks are emerging. The Global Privacy Protocol (GPP) from the IAB aims to streamline consent signals across regulations, while Global Privacy Control (GPC), backed by several state laws and soon to be further reinforced by California’s Opt Me Out Act, seeks to simplify privacy choices for users online.

GPC in particular has been identified by Julie Rubash as a key trend for 2026, a prediction that recent enforcement news has already started to confirm:

“This will be the year that U.S. regulatory enforcement really gets into the weeds. Surface-level compliance isn’t going to cut it anymore.

‍Regulators, especially in California, are stressing the importance of implementing consumer privacy rights correctly and exhaustively on the backend, from a technical perspective. This means ensuring GPC signals are honored and opt outs flow across platforms and consumer touch points, as well as having a full and complete understanding of (and proper contractual relationships and opt-out signaling capabilities with) every third party to whom personal information is sold or shared on an ongoing basis.

‍Regulators will dig deep to understand how data flows work, and they’ll expect organizations to be right there with them. So make sure to get your ducks in a row: the hard questions are coming.“

– Julie Rubash, General Counsel and Chief Privacy Officer at Sourcepoint by Didomi (source: 2026 data privacy trends: Predictions from the experts)

There are many more topics to cover, and we will continue to do so weekly in these pages. For now, and in light of the recent announcement surrounding Disney’s historic CCPA settlement, we will conclude by inviting you to watch this webinar we recently ran in collaboration with DBR Tech Law, on the topic of privacy on CTV: 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Alabama Governor signs App Store Accountability Act
• Maryland Online Data Privacy Act (MODPA): Everything you need to know
• Johnson & Johnson Agrees to US$4.7m Settlement Over Neutrogena Skin360 BIPA Claims
• EU Digital Omnibus: Mapping supporters, critics and key arguments 
• UK GDPR: Everything you need to know

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.