Key Takeaways:
- California’s updated CCPA rules demand formal AI oversight, documented risk assessments, and defensible cybersecurity governance.
- Automated decision-making tools may require opt-out mechanisms, meaningful human review, and detailed documentation.
- Indiana, Kentucky, Rhode Island, and Virginia introduce new thresholds and youth-focused requirements that complicate multi-state compliance strategies.
Privacy regulation continues to evolve rapidly across the United States. Expanded California Consumer Privacy Act (CCPA) requirements, new state consumer privacy laws, and increased oversight of automated decision-making technologies are raising expectations around governance, documentation, and operational accountability.
For middle-market organizations, these developments signal an important shift: privacy is no longer a standalone compliance exercise. It is increasingly tied to enterprise risk management, cybersecurity oversight, and responsible use of AI-driven tools.
Organizations that reassess their privacy programs now will be better positioned to navigate multi-state complexity, regulatory scrutiny, and growing stakeholder expectations.
Below are some of the key developments shaping the 2026 privacy landscape:
California: Expanded Expectations Under CCPA
California continues to set the pace for privacy regulations. Recent updates significantly refine and expand obligations in several areas.
Automated Decision-Making Technology (ADMT)
Organizations using automated decision-making tools that replace or substantially replace human judgment must provide consumers with opt-out rights in certain circumstances.
Importantly, human review must be meaningful. Individuals responsible for review should understand the system’s output and have the authority to change or correct decisions. This requirement affects companies using AI or algorithmic tools in areas such as hiring, underwriting, marketing segmentation, and education-related decision-making.
For many organizations, this introduces new governance and documentation expectations around AI oversight and decision transparency.
Risk Assessments for High-Risk Processing
California broadens the scope of activities requiring formal risk assessments, including:
- Selling or sharing personal information
- Processing sensitive personal information
- Using ADMT for significant decisions
- Certain AI model training activities
- Automated profiling in employment, education, or contracting contexts
These assessments move privacy programs closer to enterprise risk management frameworks. Organizations should be prepared to document risk evaluation processes and mitigation strategies in a structured, defensible manner.
Cybersecurity Audit Requirements
Updated regulations clarify expectations for organizations whose processing activities present significant risk. The definition of “reasonable security” continues to evolve, and regulators are increasingly focused on whether companies can prove consistent, documented controls.
For middle-market organizations, this may require strengthening cybersecurity governance, formalizing policies, and aligning privacy and security oversight functions.
Data Broker Obligations
California’s Delete Act and the delete request and opt-out platform (DROP) portal introduce more operational rigor for covered data brokers. Requirements include honoring centralized deletion requests and conducting periodic deletion sweeps.
Entities working under multiple trade names or complex corporate structures should confirm that registration and disclosure practices meet current expectations.
Indiana, Kentucky, and Rhode Island: Expanding the Multi-State Landscape
Comprehensive privacy laws taking effect in Indiana, Kentucky, and Rhode Island further expand the state-by-state compliance environment.
Indiana and Kentucky largely follow Virginia-style frameworks, including:
- Applicability thresholds based on consumer volume or revenue from data sales
- Data protection impact assessment requirements
- Opt-outs for targeted advertising and data sales
- Governance standards for deidentified and pseudonymous data
- Cure periods for certain violations
Rhode Island applies lower processing thresholds in some cases and does not include several provisions found in other state frameworks, such as universal opt-out recognition or a statutory cure period.
For organizations working across multiple states, these nuances can create operational complexity. A harmonized, scalable approach to compliance is increasingly important to reduce administrative burden and maintain consistency.
Virginia: Youth-Focused Digital Governance
Virginia’s new social media restrictions for minors, effective January 1, 2026, reflect a growing national emphasis on youth data protection.
The law requires certain platforms to:
- Use commercially reasonable age-screening mechanisms
- Limit minors under 16 to one hour of daily use per platform unless parental consent is obtained
- Use age verification data solely for age-related purposes
- Treat users as minors when device settings show minor status
The statute also restricts discriminatory pricing or feature limitations tied to these usage limits.
Organizations working with digital platforms, media services, or youth-facing applications should review age verification processes, consent management practices, and data minimization controls to align with evolving expectations.
What These Changes Mean for Middle-Market Organizations
Across jurisdictions, regulators are emphasizing:
- Risk-based compliance frameworks
- Oversight of automated decision-making technologies
- Documented governance and impact assessments
- Cybersecurity accountability
- Youth data protections
This shift places greater importance on cross-functional coordination among legal, IT, finance, and risk management teams.
For many organizations, 2026 presents an opportunity to:
- Reevaluate high-risk data processing activities
- Align privacy assessments with enterprise risk management
- Formalize AI governance practices
- Strengthen cybersecurity documentation and oversight
- Develop scalable multi-state compliance frameworks
Privacy regulation is continuing to mature, and enforcement trends suggest increasing expectations for demonstrable accountability.
Organizations that adopt a proactive, structured approach to governance will be better positioned to manage risk, respond to regulatory inquiries, and maintain stakeholder confidence in a complex and evolving environment.
Strengthening Privacy Governance Through Integrated Cybersecurity and Risk Oversight
Navigating the 2026 privacy landscape requires more than policy updates. It requires integrated governance across privacy, cybersecurity, and enterprise risk management.
MGO works with middle-market organizations to evaluate high-risk data activities, formalize AI and automated decision-making oversight, and align privacy programs with evolving regulatory expectations. Our Cybersecurity and Data Privacy practice brings together technical security experience, risk assessment capabilities, and governance frameworks to support audit preparedness and scalable compliance programs.
By connecting privacy strategy with cybersecurity controls and enterprise risk oversight, we help organizations strengthen resilience, manage regulatory exposure, and support long-term stakeholder confidence. Reach out to our team today to learn how MGO can help your organization build a privacy governance program that’s ready for what’s ahead.