As I shared in last week’s edition, I attended both the IAB Public Policy & Legal Summit and the IAPP GPS sessions. This week, I want to focus on what I learned at IAB and in the US State Privacy Law workshop. Here’s the summary from my many pages of notes.
Sorry folks – it’s another week of dense copy. There’s just SO much to say! This time, I think you should get a sweet treat while reading!
The California Privacy Protection Agency Is Not Slowing Down
Let’s start with California, because it always sets the tone, and Tom Kemp, Executive Director of CalPrivacy, kicked off the day at IAB.
CalPrivacy has staff with deep technical expertise, including computer science Ph.D.s, because technical compliance is what they care about. The agency is literally walking in a consumer’s shoes to see what that experience looks like.
A major focus is on reducing consumer friction with privacy rights, and the audience was reminded to walk a mile in the customer’s shoes. Hint – test your own privacy rights processes (we love doing this for companies!).
CalPrivacy created a new role for a Chief Auditor on staff and is building out that team. This team will likely work with the enforcement division.
California’s privacy risk assessment requirements are a major focus. Friendly reminder that risk assessments, with attestations, are required for certain processing activities under California law, and cyber reviews are also on the table.
Data minimization is the backbone of California’s program. A new internal advisory is coming, with public comments to follow. The rulemaking process moves through three stages: employee review, proposed regulations, and final rule.
Regarding data brokers, California’s Data Broker Registry has approximately 270,000 registered entities. That’s with no advertising. Imagine what happens when some media gets behind it. Plus, it keeps changing daily, so it’s likely even higher now.
CalPrivacy is actively identifying businesses that should be registered but aren’t. The definition of a data broker is BROAD, as many privacy pros were sharing in the hallway discussion.
The penalty for not registering? Starting this fall, companies not registered face fines of $200 per day for failure to delete.
I have talked to a lot of companies that still haven’t prepared for the Delete Act. If you’re not sure if you’re a data broker, now is a good time to read up and get registered.
If you’re a company, talk with your marketing and sales teams who buy data from data brokers, as their pools of data will slowly shrink as more Californians register with DROP to have their data deleted.
What else should companies be on the lookout for? Watch CA AB 2021 this year, which includes whistleblower protections.
🌟 Actionable Items:
- Confirm whether your company qualifies as a California data broker and register if required. The fine risk is real and starts this fall.
- Document your data minimization practices now; the advisory process is beginning, and you want to be ahead of it.
- Review your California risk assessment program as attestations are required for certain processing activities, and CalPrivacy is paying close attention.
- If you haven’t had a technical audit of your opt-out mechanisms, prioritize that before an auditor does it for you.
- Act like a customer on your own site. Test your privacy rights processes and read your privacy notice.
State Privacy Law Highlights
One of the most useful sessions went deep on state-specific nuances, and the differences matter more than people think. Here’s a breakdown of what stood out. Reminder, these are just the nuggets that stood out to me … not everything you need to know about these laws!
Oklahoma: The newest signed law on the block (and while writing this newsletter, I learned that Alabama is next up, awaiting the governor’s signature) covers approximately 30% of the state’s population.
Virginia: Requires a meaningful, readable privacy notice. Consumers cannot be required to enter a “contract” to invoke their rights. Virginia does not require honoring GPC specifically, but consistently honoring opt-outs at the account level or across all devices satisfies the requirement. Contracts with processors must include data security requirements. Virginia coordinates with states that have an unfairness standard, even though it doesn’t have one itself.
Maryland: Requires data minimization. It bans the sale of sensitive data and requires a list of third parties to whom sensitive data has been sold. Fines: $2,500–$7,500 per violation.
Oregon: Same third-party disclosure requirement as Maryland for sensitive data. Utah vehicle manufacturer data rules align with Oregon’s approach.
Connecticut: If you process sensitive data, you are now in scope. Fintech companies are likely now covered. CT requires disclosure if AI is used for long-term care management training. Data minimization applies to new uses of material.
Montana: 25,000-consumer threshold. Heightened requirements for minor data. No automated decision-making for minor data without providing access rights. Similar to Minnesota.
New Jersey: Strictest GPC requirements of any state. Privacy policy must be specific enough to reflect what data is actually collected and how it is used. NJ also has UDAAP authority that fills in gaps where the privacy statute is silent. The new governor highlighted youth privacy in his inaugural address, making this a political priority, not just a legal one.
Delaware: Controllers must ensure downstream third parties comply with the law. Just signing a contract is not enough. Both DE and NJ legally require honoring GPC.
💡 Interesting note: What’s interesting about Delaware and New Jersey is that a regulator and a legislator from each state were present on their respective panels. They have strong views on various issues (like kids in DE and which groups had carveout exemptions in NJ).
Vermont: The most stringent AADC in the country. Requires an independent third-party audit covering nine specific topics, with the results publicly posted by the AG. Personal liability applies to officers and board members for willful or reckless violations.
New York: Pricing law requires specific disclosures.
Alabama, Louisiana, Texas, and Utah: Specific requirements for mobile apps related to age and children’s data.
Automated Decision-Making (Multiple States): A pre-use notice is required before automated decision-making is used. Consumers must have the right to opt out and appeal. The logic must be explained. Resume screening is a likely specific enforcement target. Assessment documentation must include who participated and when.
🌟 Actionable Items:
- Map your operations against each applicable state law, as each has distinct requirements that are not always interchangeable.
- If you use automated decision-making for hiring, lending, or similar purposes, implement a pre-use notice and an opt-out/appeal mechanism, plus perform a privacy risk assessment.
- Review your privacy notice for specificity; vague language can be a documented liability.
- Audit your downstream partner chain, not just your direct vendors.
- If you are not in scope for a law or there’s a carve-out, document that determination somewhere. Don’t leave it as an unwritten assumption.
Children’s Privacy: Active Enforcement, Not Just Legislation
Children’s data is no longer just a legislative priority. It is an active enforcement priority at both the state and federal levels.
States with active or effective AADC or similar laws: California, Colorado, Delaware, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Virginia.
Core requirements across these laws: establish and configure default settings that protect minors, provide a privacy notice directed at children, signal when a child is being tracked, provide tools for exercising rights, do not use precise geolocation unless strictly necessary, and only collect age-appropriate data for the specific purpose.
Some laws have a really narrow scope, like Nebraska, which applies to companies with annual revenue of $25M, 50,000 or more consumers, AND at least 50% of the revenue comes from the sale or sharing of data.
Alabama, Louisiana, Texas, and Utah have specific requirements for mobile apps.
🌟 Actionable Items:
- If your product could be accessed by minors, map your practices against the applicable state privacy laws, including AADC.
- Confirm your default settings protect minors.
- If you collect data for targeted advertising directed at children, confirm you have separate parental consent in place.
- Perform privacy risk assessments now and for new features/upgrades.
- Do not use precise geolocation for minor users unless it is strictly necessary for the service.
- Review any public claims your company makes about age verification effectiveness – regulators are watching.
States really talk.
I know, I know. We say it all the time. It’s true. Both panels of regulators and legislators emphasized how they are talking to each other. While each state might need to differ slightly for its constituents, they are trying to harmonize requirements where they can share information.
Opt-Outs, GPC, Consent & Litigation: The Technical Gap Is Where Companies Get Hurt
Regulators are testing opt-outs. CalPrivacy and other state regulators are actively running tests to see what happens after a consumer exercises a right. They’re not just reading privacy notices. They’re clicking buttons and watching what happens on the back end.
Is your GPC signal actually being passed downstream to all partners and systems? Having a banner that acknowledges GPC is not the same as your ad tech stack executing on it. If a known user opts out, the opt-out needs to connect to their account and all associated systems, including pseudonymous profiles.
The concept of “essential” cookies is under scrutiny. First, there was a discussion about whether a GDPR cookie concept should be used on cookie banners in the US. Then a question was raised: Can a tag that starts as essential become non-essential when its function becomes multipurpose?
On CIPA, wiretapping and pixel litigation overall: States are scrutinizing both the design of consent experiences and how opt-outs actually work. Florida is the second-highest state for wiretapping-related demand letters, and the total universe of relevant states can reach up to 30. Plaintiffs continue to move the goalposts. Having a banner in place is a business-versus-litigation risk decision, and it’s also not always sufficient. Notices and terms also need to be reviewed and considered.
There was a friendly reminder that passing full URLs with sensitive parameters to third parties is a specific documented litigation risk.
Consent collision risk occurs when you have opt-in requirements under one framework and opt-out requirements under another; the interaction between them creates real compliance risk. In general, privacy pros agreed that consent design needs to be symmetrical with accept and reject.
CIPA vs. CCPA was a hot topic, and the recommendations ran the gamut from full opt-in (GDPR style) to notice only. I was in multiple breakout rooms where this was discussed + a panel + side discussions. The consensus is that this is a tricky area for business. It comes down to balancing revenue/business risk + litigation risk + compliance risk. I’ve decided this is one of the greyest areas of privacy.

Litigation is increasing. Legacy systems are the biggest vulnerability. Old pixels, old tags, and stale integrations are where violations are being found.
🌟 Actionable Items:
- Do a “spring cleaning” of your tech stack. Remove pixels, tags, and integrations you no longer need.
- Confirm no full URLs with sensitive parameters are being passed to third parties.
- Maintaining visual data flow maps is valuable both for compliance and for explaining complex technology to courts and regulators.
- Keep records of internal privacy decision-making: when decisions were made, who was involved, and why.
- Schedule a proactive meeting with litigation counsel now to review current exposure – before you receive a demand letter.
- Run a technical test of your opt-out flow end-to-end. Not just the UI, but what actually happens downstream with partners and systems.
- Audit every pixel and tag: do you need it, does it need to be in that location, what is it collecting, and are full URLs with sensitive parameters being passed to third parties?
- Confirm GPC signals are flowing to all partners and systems, not just acknowledged at the banner level.
- Review your consent design for symmetry of accepting and rejecting. (Reminder of the Honda case as a cautionary tale).
- If a known user opts out, confirm the opt-out connects to their full account profile, not just a cookie.
- Visual data maps will help companies fully understand the pixels on the site, the data collected, and the overall risk.
- Have proactive meetings with litigation counsel now to learn the latest trends and how to mitigate proactively. This proactive investment is far less than the cost of a demand letter.
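As an added illustration (not code from the newsletter or from any of the panelists), here is a small JavaScript tag-firing gate of the kind the end-to-end opt-out test above would exercise: it treats the browser’s Global Privacy Control signal (navigator.globalPrivacyControl on the client, the Sec-GPC request header server-side) and the account-level opt-out as one decision, and scrubs sensitive query parameters before the page URL reaches a partner. The function names, the shape of the `signals` object, and the list of sensitive parameters are assumptions made for the example.

```javascript
// Added example, not the newsletter's own code: a gate a site's tag loader could run
// before firing a third-party pixel. Names and the sensitive-parameter list are assumptions.

// Query parameter names treated as sensitive (constructed list for this example).
const SENSITIVE_PARAMS = new Set(['email', 'ssn', 'dob', 'phone', 'token', 'patient_id']);

// Is an opt-out in effect? `signals` stands in for what the tag loader can see:
// navigator.globalPrivacyControl on the client, the Sec-GPC request header on the
// server, and the site's own account-level opt-out record for a known user.
function optOutInEffect(signals) {
  const gpcClient = signals.navigatorGpc === true;               // navigator.globalPrivacyControl
  const gpcHeader = String(signals.secGpcHeader ?? '') === '1';   // Sec-GPC: 1
  const accountOptOut = signals.accountOptOut === true;           // preference stored on the account
  return gpcClient || gpcHeader || accountOptOut;
}

// Drop sensitive query parameters and the fragment so the full page URL, with
// whatever identifiers it carried, is never forwarded to a third party.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) url.searchParams.delete(name);
  }
  url.hash = '';
  return url.toString();
}

// Build the pixel request URL, or return null when the opt-out means it must not fire.
function buildPixelRequest(pixelEndpoint, pageUrl, signals) {
  if (optOutInEffect(signals)) return null;
  const target = new URL(pixelEndpoint);
  target.searchParams.set('page', scrubUrl(pageUrl));
  return target.toString();
}

// Constructed samples: the same landing URL, which carries an e-mail address in its
// query string, once with no opt-out signal and once with GPC turned on.
const landing = 'https://www.example.test/thanks?order=123&email=a@b.test#receipt';
console.log(buildPixelRequest('https://pixel.example.test/collect', landing,
  { navigatorGpc: false, secGpcHeader: '0', accountOptOut: false })); // fires, email scrubbed
console.log(buildPixelRequest('https://pixel.example.test/collect', landing,
  { navigatorGpc: true })); // null: GPC is an opt-out, so the pixel does not fire
```

The same gate belongs wherever a partner request is assembled, not only at the banner; a banner that acknowledges GPC while this check is skipped server-side is exactly the gap regulators are testing for.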
Vendor and Third-Party Risk: DPAs Are Not Enough
A Data Processing Agreement alone is not sufficient for vendor oversight. DPA plus a documented assessment is the emerging standard (see the theme of needing to document everything??)
Vendors should be tiered by risk, and the level of oversight should match the tier. A vendor cannot be classified as a service provider for activities outside the actual scope of what they are doing for you. The contractual language needs to reflect the actual relationship, not an idealized version of it.
Assessment timing: assessments should happen before initiating a new processing activity, at minimum every three years, and as needed when circumstances change.
Delaware controllers have an explicit obligation to conduct due diligence on downstream third parties, not just direct vendors.
🌟 Actionable Items:
- Tier your vendors by risk level and confirm high-risk vendors have both a DPA and a documented assessment.
- Review whether any vendor is classified as a service provider for activities outside the actual scope of your engagement with them.
- Confirm downstream partners are contractually required to comply with applicable state laws and verify that they actually do.
- Establish an assessment cadence before new activity, at minimum every three years, and as needed when things change.
You made it this far. What should you remember?

Privacy in 2026 is a kitchen table issue. Consumers care. A lot. Some say that AI helped accelerate the issue. The media has too. And now legislators and regulators are trying to protect consumers. Now is the time to ensure your program is keeping up.
Wow – that was a lot to summarize and digest. I hope you found it helpful and have a few takeaways to help plan the rest of your quarter. What surprised you the most?
Jodi
💡 When you’re ready, here’s how we can help:
⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.
⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.