Where Privacy Is Headed Next: Key Takeaways From the 2026 IAPP Global Privacy Summit

Privacy law doesn’t stand still, and neither do the regulators shaping it. 

The 2026 International Association of Privacy Professionals (IAPP) Global Privacy Summit brought thousands of privacy and data governance professionals, including industry leaders, privacy scholars, and representatives from 22 data protection authorities around the world, to Washington, D.C., for discussions about technological developments, regulatory changes, and business developments shaping the privacy landscape. A few themes emerged:

• Global and domestic collaboration is a growing trend. Regulatory collaboration was a common thread at the summit. Domestically, state regulators highlighted the Consortium of Privacy Regulators, a multistate group launched in 2025 to pool investigative efforts and share expertise. The California Privacy Protection Agency also indicated that it initiated talks with other state regulators to extend its Delete Request and Opt-Out Platform (DROP) to other states. Internationally, sessions focused on cross-border coordination, including the EU-U.S. Data Privacy Framework and the EU's evolving digital regulatory landscape.
• AI regulation remains a priority. As in prior years, AI was a focal point of the summit. State regulators, for example, discussed active investigations and upcoming AI disclosure requirements. FTC Commissioner Mark Meador argued in favor of a case-by-case approach to addressing AI-related harms, emphasizing enforcement around AI-facilitated fraud, deepfakes, and obligations to remove nonconsensual intimate images (including those generated by deepfakes) under the TAKE IT DOWN Act. Keynote speaker Professor Woodrow Hartzog argued that AI regulation is necessary to preserve democratic values and social institutions, like public debate, and he emphasized the insufficiency of relying on user consent, which is the foundation for most privacy laws.
• Operational readiness is necessary to turn regulatory uncertainty into strategic clarity. Although the regulatory landscape remains complex and fragmented, the summit reinforced that companies can succeed by covering the fundamentals: controls that actually work, documentation that reflects real practices, and technical systems that match legal commitments. In California, regulators are moving toward audit-style oversight, making proactive auditing of suppression lists, matching logic, and cookie configuration potentially important to demonstrate compliance.
• Individual narratives illustrate the importance of protective privacy measures. Many keynotes explored privacy as a deeply human experience. Salman Rushdie recounted the aftermath of the 2022 stabbing attack that nearly took his life and the trade-offs between privacy and survival, drawing parallels to the digital world. Prince Harry, the Duke of Sussex, spoke about children's online safety through the lens of his advocacy work with The Parents' Network, which connects parents and caregivers affected by social media harms. Alyson Stoner described the impact of invasive media coverage to advocate for trauma-informed policymaking that integrates developmental psychology into product design. Together, these keynotes underscored the human dimension of privacy.

For more information on the conference, including several noteworthy panels, please see the following companion blog posts:

State Privacy Enforcers Discuss Collaboration and Enforcement Priorities: Key Takeaways From IAPP Global Summit 2026 | Perkins Coie