I made it! Yes, I felt like I won the lottery when my standby seat was cleared, and I made it on the flight this week.
It was one of those days trying to travel in the aftermath of a snow and ice storm. After the first flight was cancelled, I politely declined the automatic rebook by changing planes in Nashville (which, of course, I checked and no, that didn’t actually make it to DC), and the standby flight was continuously delayed. I was #6 on the list. I made many friends and learned the life stories of other fliers that day. One fellow passenger even said, “Oh my goodness, you’re traveling with your pop-up banner, you have to get on this flight!”
Snow, ice, and travel delays didn’t stop many other privacy pros from gathering for the first Privacy State of the Union, hosted by Red Clover Advisors, Kelley Drye, and Ketch for an all-day summit at Kelley Drye’s beautiful new Washington, DC offices.
Check out this awesome view at the cocktail hour (me + our Director of Business Development, Robert Fowler)
We heard some amazing travel stories.
People braved cancelled flights. Some had so many delays they didn’t get to their hotel room until 4 am, and others were scraping snow and ice. One person relied on the help of a stranger using a chain to help dig out their stuck car. Others donned long coats and boots as they walked, and some stayed overnight to avoid slick roads.
One thing is clear … privacy pros are passionate to gather and learn from each other. And that we did.
Our agenda was packed with sessions on forecasting the privacy & AI legislation season, fireside chats with regulators, conversations with privacy professionals tackling tough issues like children’s data, sensitive data and advertising, discussions on media, CTV, and a lot of hallway sidebars.
All that travel heartache and months of preparation were worth it when we heard from people who have made new friends, gained new mentors, met #IRL for the first time, and shared their favorite takeaways with their own teams and on social media for others to learn.
So what did we cover? We started with what’s happening on the state privacy front.
State Privacy Laws Are Still Expanding (And Fast)
In a discussion moderated by Molly Crawford of IAB, Andrew Kingman of Mariner Strategies, and Evangelos Razis from the House Energy and Commerce Committee, they walked us through what we might expect this year.
Remember how 2025 was the first year in four years where no new state passed a comprehensive privacy law? Just amendments. Well, don’t get comfortable.
Pay close attention to the Northeast. Vermont and Massachusetts are moving forward in tandem with similar bills. Massachusetts has two bills in the same committee right now, and we should expect to see a draft in the next few weeks. In the Southeast, Arkansas, Georgia, and Oklahoma are states to watch, as is the Pacific Northwest.
Many companies are still grappling with CIPA lawsuits. For comparison, in 2022 there were 2,800 CIPA lawsuits, and it’s estimated to be ~10 times that many demand letters now. The industry is hoping to find a solution by the end of the year, yet privacy attorneys also warn that plaintiff attorneys are crafty, so companies are not out of the woods yet. It’s important that companies balance CIPA and business risk.
Eighteen bills have advanced to the full committee, falling into three buckets: well-known updates like COPPA 2.0, state analogs, and emerging tech concerns like chatbots, where we’re still figuring things out. The age verification piece is getting serious attention through bills like the SCREEN Act and the App Store Accountability Act. Relying on minors to check a box isn’t working anymore, and legislators know it.
Here’s the complicated part: age gating brings real constitutional challenges, and we may see it litigated. We’re already seeing Colorado and Connecticut add children’s provisions to their laws, and those haven’t been challenged yet.
Chatbots – there are a LOT of AI bills targeted at protecting kids and their engagement with chatbots. Stay tuned for these.
Federal privacy law – Will there be one? Rumor has it that they’re planning to put forth a legislative draft this year, and they’re trying to learn from what states have already done. Many committee members have comprehensive privacy frameworks in their home states and want to build on those lessons rather than start from scratch.
The FTC Is Ramping Up & Protecting Kids is A Priority
We moved on to a discussion with FTC’s Director of the Bureau of Consumer Protection, Chris Mufarrige, moderated by Alysa Hutnik of Kelley Drye. He said that his office is down 60 FTE and actively hiring (know anyone looking for a job?).
He shared the FTC’s priorities as captured in this news piece from Bloomberg Law
The FTC will focus on children’s data and will continue to “play a big role in our enforcement docket this coming year,” Mufarrige said.
Also, as written in the article (which they did such a great job summarizing), “protecting children’s privacy online will continue to play a big role in our enforcement docket this coming year,” Mufarrige said. The commission will also be focusing on how age verification interacts with the Children’s Online Privacy Protection Act to identify “any tension between the two, and how we could resolve that.”
Major updates to state and federal regulations are expected to take center stage in 2026, so now is the time to prepare for more robust COPPA compliance. Age assurance, age verification, and age signaling will be critical areas to watch, and the expanded scope of regulatory language capturing companies that don’t traditionally focus on children’s data signals the need for all organizations to move toward a more mature compliance framework.
For companies that process kids (including teens) data, paying attention to these federal and state bills is important to focus on.
Remember when we talk about kids beyond COPPA, teens are included.
Privacy sidebar: his response to the question what’s the best advice you ever got from a mentor? “Don’t let your inbox set your agenda.” If the day-to-day overtakes you, you’ll get lost and won’t do what you set out to do. That’s good advice for all of us in privacy.
Great reminder that I know I’ll try to put into practice!
Just like state privacy regulators are working together, expect to see more collaboration between the FTC and the states.
The Age Verification Puzzle Everyone’s Trying to Solve
The panel with Jennifer Cheng from Disney, Julian Corbett from OpenAge Initiative, and Aubrey Wesser from Verizon, moderated by Laura VanDruff from Kelley Drye, got into the weeds on what keeps privacy pros up at night: age verification and what happens when different signals conflict.
Here’s the challenge: if you have reliable evidence that someone is 13 versus 18, what approach do you take? Are you in line with age-assurance frameworks or ignoring them? Age-assurance laws fundamentally change the landscape because companies will then have actual information, not just self-reported ages. That means COPPA compliance plus age design code laws that may also apply. There was a discussion that trying to operationalize this state-by-state is going to be incredibly hard.
Another concern that came up repeatedly: people don’t want to upload sensitive biometric information to multiple sites. There’s real worry this could break the internet if everyone has to verify their age separately on hundreds of sites they’ve never heard of. The industry needs to find common ground and workable frameworks.
More questions arose, like – If you get age information in an app, how does that apply to the web? Do you need to process it, maybe store the signal or the full date of birth (this gets expensive), and apply it to all user experiences across marketing, product, and front-end disclosures? Is App Store consent enough for COPPA compliance?
Then there’s the sensitive data concern: if you get age information, what controls and firewalls do you have so that others don’t get it and can’t use it for other purposes? No, no, no marketing team – you can’t use consent data for marketing purposes.
Thoughts from Regulators
John Eakins, Deputy Attorney General in Delaware, and Paul Singer, currently at Kelley Drye and formerly from the Texas Attorney General’s office shared a refreshingly practical regulator perspective.
As moderator, Alysa Hutnik reminded the audience that regulators are people too. They go on websites and apps and can see what’s in a privacy notice, how a cookie consent software is working, what kind of data is being collected, and what’s not working or doesn’t feel right.
Delaware’s office is looking at mobile devices, connected TVs, business practices, and mobile SDKs and asking companies how information gets shared with third parties.
John’s advice was direct: know your data flow across devices. Be sure you can exercise choice. Know who you’re buying from and selling to. Delaware asks this all the time of companies, and they expect you to do sophisticated diligence. Now is a good time to figure out if your company can answer these questions.
Here’s where it gets interesting: if you get an inquiry, you have an opportunity to build credibility with the AG’s office. A heavy-handed litigation approach from day one may raise defenses, making it more difficult.
Delaware’s biggest pet peeve? Privacy policies that say “you may have the right to opt out.” That’s not going to cut it. If your company is in scope for Delaware, companies need to list the actual rights clearly. Also, if your privacy policy has a date on top that says January 1, 2024, expect them to get out the red marker.
Action tip: Go do a date check and make sure it’s in the current year.
Beyond privacy laws, both AGs emphasized they’re also looking at UDAAP laws (each state has its own Unfair, Deceptive, or Abusive Acts or Practices), which can absolutely include privacy issues. One business activity can trigger multiple types of scrutiny, such as UDAAP, privacy, and security concerns, all at once.
CTV and Media: The Old Tech That Needs New Attention
Colleen Barry of Ketch moderated a great session on Media, CTV, and AdTech. Max Anderson from Ketch dropped some truth about connected TV that people don’t fully appreciate: old tech matters. Physical devices have physical constraints that create unique privacy challenges.
Andrew Hall from EchoStar shared music to my ears on cookie/digital governance. They have business teams conduct quarterly reviews of which pixels are on the site. This is a great example of how business teams can get engaged, shifting privacy activities from just legal and compliance. They’ve created a checklist and training for each brand and require one to two people from each brand to participate in quarterly discussions.
Next up after writing this newsletter is finishing the final touches on a web technology governance training. We’re doing a 101 version to educate broadly on the need and requirements of the organization’s web tech governance policy. Then we’ll have a 201 version to go deeper on web tech risks and how to actually review a new web tech pixel.
Finally, Tricia Cross from Fox corporation offered great final advice – hold hands tightly with internal teams; it can’t just be privacy or legal managing all the requirements.
Conversation with Mike Macko, Head of Enforcement, CalPrivacy
Cobun Zweifel-Keegan from the IAPP moderated the fireside chat with Michael Macko, Head of Enforcement at CalPrivacy (formerly known as the CPPA, the California Privacy Protection Agency).
Mike was full of SO many nuggets it’s hard to really summarize them all! He reminded the audience about inferences and how that counts as personal information.
He also emphasized something really important about enforcement philosophy. CalPrivacy is not just looking for technical compliance violations. They do go through interfaces as consumers to find opt-out user experience issues. However, different enforcement actions may highlight different parts of the law to highlight the importance of each topic (for example, Tractor Supply emphasized employee privacy).
What should companies do? Think from a regulator and a customer’s point of view. What would a regulator or customer think of how data is being processed? Can you defend a decision that your organization made?
Expect CalPrivacy, among other regulators, to be busy with enforcements in 2026.
Advertising & Sensitive Data
The panel on Advertising in 2026 with sensitive data was moderated by Tony Ficarrotta at NAI led by a panel with Ben Chapman from Swoop, Jen Clark from Publicis Groupe, and yours truly. We discussed that it’s essential to know exactly what data organizations are collecting, what inferences are made, and what the customer expects.
We also dug into the “reveal” standard, and the answer is it depends on a LOT of questions. Is it really de-identified data? What’s the context? How is it collected?
Great way to answer all these questions? Privacy risk assessments, and we covered those in last week’s newsletter.
Advertisers need to have good documentation to show legal compliance and are highly encouraged to comply with self-regulatory guidelines from NAI.
Check out this attendee’s post on the panel … he summarized it so well!
If you’re in media or CTV, remember the ecosystem dependencies. Your privacy choices need to work across devices and platforms. If someone is logged in, can you figure out who they are without making them fill out separate forms everywhere?
The Bottom Line
2026 is shaping up to be a pivotal year. The message from regulators and privacy pros was clear – know your data flows cold, if you work with kids, buckle up for a bumpy ride, perform privacy risk assessments, think from the lens of a consumer, and start with auditing your website, including privacy notices, rights, and opt-out. Every time we do this for companies, we always find something that they can tweak to make it more compliant and more clear for the consumer.
And that’s a wrap on the 2026 Privacy State of the Union. It was a true pleasure to work with Ketch and Kelley Drye to plan this amazing event. We’re so grateful to all the speakers and attendees who spent time to prepare, bring thoughtful questions, and engage in our amazing privacy community.
What’s your biggest takeaway from the Privacy State of the Union recap?
Drop me a line and let me know … I’m loving all the replies so keep them coming!
Before I sign off, let me share about the FREE virtual Bridge Summit hosted by Privado.AI happening THIS week. It’s Feb 4-5, and you can register here. Be sure to mark your calendar for Feb 4th at 1p PST/4p EST when I’ll be speaking on Web Tech Governance. There are amazing speakers both days … check it out!
With that, I’m signing off to gear up for the next winter storm in Atlanta.
Until next time,
Jodi
💡 When you’re ready, here’s how we can help:
⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.
⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.