The Federal Trade Commission recently convened stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, for a public workshop to discuss age verification, a concept implemented in regulations worldwide as a tool to advance online safe

Will the United Kingdom Ban Social Media for Children Under 16? 

On February 5, 2026, South Carolina’s governor signed House Bill 3431, the Age-Appropriate Code Design, into law. The law took effect immediately, with no cure period, and imposes expansive new design, data, and governance obligations on online services reasonably likely to be accessed by minors.  

While 2025 saw no new state comprehensive privacy laws enacted, state enforcement activity accelerated—individually and collaboratively—reflecting trends likely to intensify in 2026. 

Key enforcement focus areas included youth privacy and online safety, consumer rights, and data brokers/data sales. This post discusses highlights from 2025 and looks at expected trends in 2026.

This past year saw significant change at the Federal Trade Commission, as Andrew Ferguson was appointed chairman by President Donald Trump, replacing Lina Khan, who served as chair during the Biden administration. 

The state privacy law landscape in 2025 remained highly dynamic, even though no new states enacted omnibus privacy laws for the first time in years. 

The financial toll of cyberattacks is continuing to rise, with global cybercrime costs projected to hit $10.8 trillion annually by the end of 2026, up from $3 trillion a decade ago. 

2025 saw a range of activity at the intersection of privacy, data security, and national security, including new types of threats, significant U.S. regulatory actions by multiple agencies, legislative lapses and new priorities, and judicial approval (at least for now) of the EU-U.S. Data Privacy Framework. 

Earlier this month an appellate court in New Jersey issued an opinion in State v. Bryant, holding that tower dumps are Fourth Amendment searches that require particularized warrants supported by probable cause. 

Key Takeaways

• New York now requires businesses to disclose when they use personal data to generate individualized, algorithmically determined prices for consumers in New York.
• Several exceptions apply, including entities subject to insurance law, certain financial institutions, and certain subscription pricing practices.

On November 24, 2025, trade association NetChoice secured a win in its constitutional challenge to Maryland's Age-Appropriate Design Code Act (Kids Code or Act) when the U.S. District Court for the District of Maryland denied a motion to dismiss. 

Key Takeaways

• The SEC’s agreement with defendants to dismiss, with prejudice, its case against SolarWinds Corporation (SolarWinds) and its chief information security officer (CISO) signals a retreat from aggressive, novel enforcement theories in cybersecurity disclosure cases.
• Although technical cybersecurity violations without investor harm

The wave of online safety regulation is continuing to surge, with Brazil’s recent enactment of Law No. 15,211/2025—the Digital Statute for Children and Adolescents (Digital ECA)—as the latest addition. 

The Federal Trade Commission and Utah Attorney General recently announced a settlement with Aylo Group Ltd.

Congress included in the appropriations bill of November 12, 2025, an extension of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), 6 U.S.C. §§ 1501–10, through January 30, 2026.