From 2025–2026, the fastest‑rising compliance risks cut across sectors and center on: (1) data privacy and children’s data, (2) AI and automated decision‑making governance, and (3) cybersecurity obligations for bulk and sensitive data. Collectively, these create a complex, multi‑jurisdictional compliance environment for any organization handling personal data or deploying AI systems.

1. Data privacy, especially children’s and sensitive data

Key developments:

• Children’s privacy and COPPA expansion

• Amendments effective June 2025 strengthen requirements for handling data of children under 13, including:

  • Written security programs for children’s personal information.

  • Stricter parental control over collection, use, and sharing [1].

• Enforcement actions against gaming, streaming, and education platforms already underscore heightened scrutiny.

• New and amended state privacy laws

• Minnesota Privacy Act (effective July 31, 2025):

  • Broad coverage including nonprofits.

  • Expanded consumer rights to review and challenge profiling [1].

• Maryland Online Data Privacy Act (effective Oct 1, 2025):

  • Low thresholds (10,000 consumers) and revenue‑based triggers.

  • Strong restrictions on selling sensitive personal data [1].

• Connecticut CTDPA amendments (effective July 1, 2026):

  • Expanded definition of sensitive data (mental health, gender identity, biometric/genetic, financial, neural data, government IDs).

  • New rights to contest profiling and stricter data minimization and consent [1].

• Colorado minors’ amendments (effective Oct 1, 2025):

  • Heightened obligations for processing minors’ data, including bans on targeted advertising and requirements that features not “dark‑pattern” minors into extended use [1].

• Bulk Data Rule (DOJ, 2025)

• Introduces stringent controls and record‑keeping for transactions involving bulk personal or government‑related data, including intra‑group sharing [1].

Why risk is rising rapidly:

• Proliferation of differing state standards increases the odds of noncompliance.

• Children’s data and sensitive data are enforcement focal points for both regulators and class‑action litigators.

• Organizations that repurpose data for analytics or AI without revisiting consent and minimization requirements are particularly exposed.

2. AI and automated decision-making (ADMT) governance

Developments:

• State‑level ADMT and AI governance

• Regulations and rulemaking (e.g., California CPPA regulations) introduce:

  • Required AI/ADMT risk assessments.

  • Access and opt‑out rights for significant automated decisions.

  • Cybersecurity audits tied specifically to ADMT processing [1].

• Corporate disclosures and oversight expectations

• Fortune 100 disclosures show rapid growth in board‑level discussion of AI governance and cyber‑AI risks, reflecting both regulatory expectations and investor pressure.

• Companies highlight risks such as:

  • Regulatory enforcement for biased or opaque AI.

  • Cybersecurity threats amplified by AI.

  • Reputational risk from AI‑driven errors or unfair decisions.

Why risk is rising fast:

• Laws are evolving faster than internal governance systems, leading to gaps between what organizations deploy and what they can justify.

• AI increasingly touches high‑stakes areas—credit, employment, healthcare, safety—where regulators can argue that existing anti‑discrimination and consumer‑protection laws already apply, even without AI‑specific statutes.

• Many organizations lack robust AI inventories, model documentation, or bias monitoring, making it hard to answer regulators’ basic questions.

3. Cybersecurity and bulk/sensitive data protection

Developments:

• Regulatory and enforcement drivers

• Bulk Data Rule explicitly ties cross‑border and bulk data transactions to strong cybersecurity requirements and detailed record‑keeping [1].

• Privacy laws increasingly link compliance to:

  • Risk‑based security programs.

  • Incident response and breach notification capabilities.

  • Continuous monitoring and third‑party/vendor management.

• Multi‑state AG actions (e.g., breaches in education technology, TV manufacturers’ automated content recognition data) show coordinated enforcement trends [1].

• Threat landscape

• AI‑enabled ransomware and supply‑chain attacks increase breach likelihood and complexity.

• Regulators and guidance documents now mention emerging expectations like:

  • Privacy‑enhancing technologies.

  • Quantum‑resistant encryption as forward‑looking controls [1].

Why risk is rising fast:

• Attack sophistication is increasing, while regulators and plaintiffs’ attorneys use violations of privacy and security obligations as a basis for large settlements.

• Use of third‑party SaaS, cloud platforms, and data brokers means many organizations have limited visibility into where sensitive data resides.

4. Cross-cutting enforcement and litigation risk

• Multi‑state AG coalitions and privacy authorities:

• Joint investigations (e.g., Global Privacy Control compliance sweeps) create national‑scale exposure for issues previously handled state‑by‑state [1].

• Sector‑agnostic focus areas:

• Children’s data, dark patterns, location/geolocation, sensitive health and financial data, and AI‑driven profiling are high‑priority areas across consumer‑facing industries.

• Emerging AI‑related case theories:

• Use of biased or opaque AI in high‑stakes decisions can implicate anti‑discrimination, unfair practices, and data‑protection laws even where “AI” is not explicitly named.

Strategic implications

Organizations across industries should:

• Map and minimize data:

• Conduct data mapping with specific attention to children’s data, sensitive categories, and cross‑border/bulk transfers.

• Implement strict purpose limitation and minimization.

• Build AI governance programs:

• Maintain AI and ADMT inventories.

• Establish model risk classifications, documentation, and bias/fairness monitoring workflows.

• Integrate AI risk assessments into existing privacy and security impact assessments.

• Elevate cybersecurity and vendor oversight:

• Align controls with the expectations of both privacy statutes and Bulk Data Rule‑style obligations, including third‑party risk management and incident response drills.

• Anticipate enforcement themes:

• Prioritize remediation in areas where regulators have already brought actions (children’s services, streaming/gaming, EdTech, location data, dark patterns).