Practical Advice

ZwillGen’s New Year’s Resolutions for Your Business to Consider in 2026

Published: Jan. 09, 2026

As we enter 2026, a new year provides an opportunity to reassess your legal and compliance priorities. From building accountable artificial intelligence to mitigating data security threats and current litigation trends, organizations are looking ahead to determine their key challenges for the year. To assist, ZwillGen is pleased to share our recommended New Year’s resolutions for businesses in 2026, highlighting where companies should focus their efforts in the months ahead.

2026 Recommended Resolutions

Artificial Intelligence: Move beyond the AI hype and focus on real accountability, issues of fiduciary duty for AI agents, practical AI system assessments (not myths), and rigorous testing for agentic systems.

Auto-Renewals & Subscriptions: Evaluate your subscription price increase practices as well as point of sale consent and cancellation mechanisms.

Children’s Privacy: Consider how upcoming minors’ laws likely will apply to your business even if you historically have not known whether you had minor users.

Data Broker Laws: Assess applicability of data broker registration laws in California and Texas and prepare for new obligations under the DROP regulations.

Data Security: Mitigate liability stemming from third-party data security incidents and breaches by focusing on close monitoring of high-risk vendors and requiring clear security and breach-notification obligations in contracts.

Gaming: Pause and check with gaming regulatory counsel before rolling out gaming, sweepstakes, or prediction-market products in legally uncertain territory.

Law Enforcement: Train teams to spot illegitimate legal requests, assess obligations and policies pertaining to requests related to reproductive health and gender-affirming care, and consider ways to push back on concerning administrative subpoenas.

Litigation: Become a less attractive litigation target by one or more of: litigating cases, implementing mitigation measures, and reviewing your marketing compliance. 

Sensitive Data: Evaluate what sensitive data you process and assess whether you need consent for any uses of such sensitive data beyond providing the services requested by a consumer.

TAKE IT DOWN Act: Commit to swift takedowns of user-reported nonconsensual intimate imagery.

Web Scraping: Monitor the AI-driven evolution of web scraping as courts and stakeholders redefine the rules governing data access and use.

Artificial Intelligence

By Brenda Leong, Andrew Eichen, Setu Loomba, and Blair Robinson

We expect the following to drive meaningful technological and legislative AI developments in the year ahead.

  • AI accountability is moving to the forefront. After years of emphasizing speed and capability, providers are now facing growing pressure from users, regulators, insurers, boards, and courts to demonstrate how AI systems work and why their outputs can be trusted. Review how your business is building transparency and accountability around AI operations and output.
  • Fiduciary obligations, grounded in duties of care and loyalty, are well established for professionals like lawyers, doctors, and investment advisers. This year, as AI systems take on increasingly autonomous roles with limited human oversight, consider how fiduciary duty obligations may need to change in regard to the deployment of AI agents.
  • Avoid persistent myths regarding silver bullet solutions to AI oversight, such as oversimplified ideas about benchmarking and evaluation practices, and adopt more holistic, architectural approaches grounded in engineering rigor.
  • Adopt effective red teaming of agentic AI that exercises not only the model itself but the full ecosystem it operates within, including databases, APIs, external tools, and permission structures. Unlike prompt-based chatbots, agentic AI pursues goals autonomously, makes multi-step decisions, integrates with external tools, and retains memory, so errors can compound and cascade across systems. These dynamics raise new issues for AI safety testing, particularly red teaming, which will require more deliberate planning, increasingly complex scenarios, and ecosystem-level evaluation strategies.

Auto-Renewals & Subscriptions

By Emma Bourgeois and Zach Lerner

Businesses looking to increase prices for their subscription offerings should not simply follow the same playbook they have used in years past. November 2025 amendments to New York’s auto-renewal laws impose novel requirements that require a new approach or state-by-state customization. Now, when unilaterally increasing a subscription price for New York consumers, businesses must either (i) obtain consumers’ affirmative consent to the price increase or (ii) allow consumers to cancel and obtain a pro rata refund within 14 days after their first charge at the increased price.

At a practical level, implementing this can be thorny, requiring changes to frontend and backend processes, and legal and business teams must work together to determine the best path forward—e.g., whether to offer New York subscribers cancelling in that window the option of a more typical cancellation (i.e., at the end of the current term) as an alternative to the legally required option of immediate cancellation for a pro-rata refund; how to facilitate and message the ability to cancel immediately for a pro-rata refund; and how to calculate the pro-rata refund.

Separately, companies offering subscriptions and other renewing revenue models must assess how they obtain consent at the point of sale and permit consumers to cancel. Despite the vacatur of the FTC’s Negative Option Rule, the FTC remains aggressive (tallying several significant settlements under the long-standing ROSCA framework) and the patchwork of state obligations continues to evolve. In particular, several state auto-renewal laws either arguably or expressly require a separate consent mechanism (e.g., an unchecked checkbox) either across the board or in certain limited contexts. Additionally, several state laws that recently took effect restrict cancellation-related practices, including embedding save offers and information regarding the effects of cancellation.

Children’s Privacy

By Rushil Mehta and Kandi Parsons

As legislatures grapple with how to protect children and teens online – brute force prevails. With few exceptions, state children and teen privacy laws have been contested in the courts, and while many have been enjoined, more than a handful have become effective. And though COPPA remains the primary vehicle under which regulators are bringing cases to protect children online, we anticipate that 2026 will bring a slew of state regulators enforcing their recently enacted children and teen privacy laws. Notably, while some requirements are in child-specific laws that receive significant press (such as the now effective NY CDPA that limits processing of minors’ data), other requirements are baked into comprehensive privacy laws (such as limitations on targeted advertising to minors). Businesses should continue to assess whether they are subject to these obligations for child and teen users and undertake measures to mitigate risks.

Businesses should also prepare for app store involvement in children’s privacy. Upcoming laws in Texas, Utah, Louisiana, and California, if such laws survive legal challenge, require app stores to collect and share age category with app developers. If these go into effect (Texas’ is currently enjoined), app developers will have knowledge of the age of some of their users—maybe for the first time. Businesses will need to implement measures to comply with these laws AND other laws (like COPPA or state privacy laws) that will apply when you gain age information about your users.

Finally, we anticipate significant Congressional and state legislative efforts to regulate privacy and design of services for minors will continue. Businesses with strong interest in these laws should monitor proposals for potential impacts. 

Data Broker Laws

By Lucia Martinez and Marci Rozen

Data broker laws continued to evolve in 2025. In California, the California Privacy Protection Agency finalized regulations to the state’s data broker registration law, which (among other changes) expanded the scope of entities that are considered “data brokers.” Specifically, businesses that maintain information about consumers who have not interacted with them in more than three years, as well as businesses that have direct relationships with consumers but also sell personal information they did not collect directly from the consumer, may now be considered data brokers. Texas amended its Data Broker Act to remove a provision limiting the definition of “data broker” to only those entities whose “principal source of revenue” was data brokering. As a result, more companies may now be “data brokers” under these laws, and companies should review these changes to determine whether their business is now required to register as a data broker and comply with other broker obligations.

On January 1, 2026, California’s Data Broker Requests and Opt-Out Platform (“DROP”) opened to consumers. DROP is a centralized system that allows consumers to submit a single request to remove their personal information from all registered data brokers. By January 31, data brokers must register with DROP, and on August 1, they must begin processing and reporting the status of deletion requests.

Data Security

By Jamie Elbert

Companies can mitigate third-party data security incident and breach risk by consistently evaluating, contracting with, and monitoring vendors over time. An effective risk management program begins by identifying which vendors pose the greatest exposure based on the type and volume of data they handle, the criticality of the service provided, and the degree of system access involved. By focusing resources on higher-risk vendors, companies can better prioritize and scale their risk management efforts.

Clear contractual requirements are an important risk control. Agreements should set baseline security expectations, restrict data use, require prompt notification and cooperation in the event of a security incident, and address how costs and liability will be allocated should a breach occur. Well-crafted provisions help limit liability by reducing uncertainty during an incident and supporting faster containment, investigation, and compliance with legal obligations.

After onboarding, it can be helpful for companies to periodically reassess high-risk vendors, particularly when services change, new data is introduced, or subprocessors are added. Internally, maintaining data minimization and access controls can further limit the impact of a third-party breach by reducing unnecessary data sharing. For high-risk vendors providing critical services, companies can manage risk by putting protocols in place to reduce operational harm if services are disrupted.

While no program can eliminate vendor risk entirely, a focused and tailored approach can materially reduce both the likelihood and impact of third-party data security incidents and breaches.

Gaming

By Nick Jackson, Melanie laCour, and Whitney Fore

In 2026, companies operating in and around the online gaming space should make it a priority to consider legal questions earlier in the planning and launch process, especially when exploring areas—such as sweepstakes gaming or event contracts—where the law may be quickly evolving. States are increasingly taking clear positions in areas that were previously more ambiguous, and those positions can carry both near- and long-term legal and regulatory implications. As one of many examples, California’s recent sweepstakes platforms law, which makes dual currency social casinos illegal (and also expands liability to vendors), shows how rapidly the regulatory landscape is shifting.

Regulated gaming operators already know that new products and customer engagement features can implicate gaming, lottery, and/or contest rules. Courts and agencies continue to review and define the limits of new forms of online gaming, including social casinos and prediction markets, and to evolve regulatory requirements around already-established forms of online gaming. But these issues can have ramifications as well for vendors that support the industry. B2B service providers, technology platforms, payment and marketing partners, and other vendors should be mindful that regulators may expect them to understand, at least at a high level, how their tools are being used when they partner with businesses in the gaming space. Such partnerships warrant proactive review, to ensure that as a vendor you have accounted for potential legal risks and compliance considerations, both under evolving state laws and jurisprudence, as well as gaming regulatory oversight and licensing regimes.

A sensible New Year’s resolution is to build in a pause before launching a new feature, entering a new gaming-related partnership, or expanding into a new jurisdiction. A brief conversation with experienced counsel can help you assess whether you are stepping into a potentially problematic space—and avoid the more difficult and costly task of unwinding a product or partnership later. Note that last year’s resolutions around gaming regulatory compliance more generally remain good reminders.

Law Enforcement

By Yiannis Vandris and Daniel de Zayas

As legal process volumes rise and requirements evolve, businesses responding to law enforcement requests and non-party civil discovery should take a proactive posture—scrutinizing each demand for legitimacy, validity, and lawfulness, and updating procedures to account for new trends and risks.

One such trend is the uptick in illegitimate legal requests submitted by bad actors masquerading as law enforcement or civil litigants. Teams reviewing legal process should be trained to spot illegitimate requests by looking for certain inconsistencies, outdated documents, and missing or irregular signatures, among other things. 

Additionally, businesses need to understand their obligations (if any) and procedures for requests related to reproductive health or gender-affirming care. Nearly 25 states have enacted “shield laws” that limit compliance with, and enforcement of, out-of-state legal process related to an investigation or proceeding pertaining to reproductive health and, in certain states, also gender-affirming care. Businesses need to know whether they are subject to these laws, whether their intake processes adequately identify any covered legal requests, and how to respond to them, including how to leverage any applicable shield law(s) and other objections to push back on the requests.

Businesses should also remember that they have a range of tools—both indirect and direct—for pushing back on administrative subpoenas. For instance, the government recently withdrew an unmasking subpoena after the affected anonymous users moved to quash—highlighting how a user notice policy can serve as a privacy-forward, indirect tool for challenging requests. Several medical organizations have also directly and successfully challenged overbroad subpoenas seeking records related to gender-affirming care.

Litigation

By Sheri Pan and Oliver Kiefer

Plaintiffs and plaintiffs’ firms continue to threaten and file lawsuits under the California Invasion of Privacy Act (“CIPA”) for websites’ use of third-party advertising and marketing technology. Many new plaintiffs’ firms are joining the fray, and they are also threatening suits under other states’ wiretapping laws, in particular Florida’s.

This means businesses that settle with one firm may simply get hit with another demand from another firm the next month—so they will want to consider either litigating or implementing mitigation measures to make themselves a less attractive target. Fighting in the right forum and case can signal that the business will not be an easy target. On mitigation measures, businesses may consider implementing a cookie banner designed with counsel’s advice. Note that the cookie banner must be set up mindfully to be effective and comply with regulatory requirements—because there are also regulators and private litigants pursuing businesses for non-functioning banners and cookie settings tools.

Businesses should also take stock of their marketing practices. We are seeing consumer class action lawsuits for allegedly deceptive strikethrough pricing in California and misleading subject lines in marketing emails under California’s and Washington’s laws. In addition, we have seen a resurgence of TCPA lawsuits for marketing texts.

Sensitive Data

By Anna Hsia

Long gone are the days when companies could repurpose sensitive data about consumers and address compliance by simply noting such processing in their privacy policies. For processing of sensitive data—including race, ethnicity, health conditions and diagnoses, children’s data, and precise location—chances are that all compliance paths lead to the need to collect consent.

Given the heightened regulatory scrutiny (e.g., the Jam City CCPA settlement alleging the business sold data of children 13 to 16 without affirmative consent, the Mobilewalla order banning the business from selling sensitive location data, and the General Motors order banning the disclosure of geolocation and driver behavior data), coupled with increasing civil litigation risk in disclosing sensitive information such as health information without appropriate notice and consent, noncompliance creates material risks for businesses. Thus, this year businesses should evaluate what sensitive data they process and assess whether they need consent for any uses of such sensitive data beyond providing the services requested by a consumer.

Compliance requires a business to (1) take stock of the types of sensitive data it processes; (2) understand the laws applicable to such processing; and (3) adjust practices to align with legal requirements which, in many cases, involves collecting opt-in consent. Compliance requirements may be dictated by an omnibus privacy law like the EU’s GDPR, while processing of sensitive data in the U.S. could be subject to HIPAA, COPPA, or state privacy laws like the CCPA or Washington’s My Health, My Data Act. And with businesses increasingly adopting AI tools, compliance will likely extend to the growing list of laws specific to AI, including whether businesses may use AI to analyze sensitive data like health information.

TAKE IT DOWN Act

By Laura-Kate Bernstein

On May 19, 2026, the TAKE IT DOWN Act’s compliance obligations will come into effect. Broadly, the law prohibits the non-consensual publication of intimate images (NCII)—whether real or digitally manipulated (e.g., deepfakes)—and requires “covered platforms” to remove them within 48 hours of a valid takedown request. This means that by May 19, any public-facing website, social media app, online service, or mobile application that primarily hosts user-generated content will be required to remove NCII within 48 hours of a valid takedown request.

In the new year, covered platforms should:

  • Establish a clear, conspicuous mechanism for users to submit takedown requests. 
  • Design a verification process for requesters (identity, depiction identification, good-faith belief of non-consent, contact info). 
  • Commit to removing reported content—including any identifiable copies—within 48 hours of a valid request.
  • Maintain documentation and processes to minimize liability; the Federal Trade Commission (FTC) will enforce compliance, and the law shields good-faith removals even if the removed content turns out to be lawful.

If your service lets users post content, the TAKE IT DOWN Act is likely in your future. Treat compliance like your new-year workout plan—start now before May shows up and calls your bluff.

Web Scraping

By Ahmed Eissa

For years, legal and technical norms surrounding web scraping were generally stable: scrapers knew how to “respectfully” collect data from a target website, and website owners and operators knew how to push back, such as through cease-and-desist letters and various technical barriers. And even if a dispute over scraping ended up in court, the narratives and claims were pretty familiar, even if the courts were still figuring out how to apply the law. As we begin 2026, it’s clear that the catapulting of artificial intelligence to the forefront of society has changed, and is still changing, web scraping, and it will be important to monitor as the year progresses.

In 2025, we witnessed a growing tension between artificial intelligence developers that need a lot of data for their models, and the data owners (like website hosts and their users) that don’t want to simply hand over their data while receiving nothing in exchange. The latter half of 2025 saw an uptick in web scraping lawsuits against AI developers focused on DMCA claims, which has not been a common cause of action in recent years. Cases include Reddit v. Anthropic, Reddit v. SerpApi and Perplexity AI, et al., Ted Entertainment v. Nvidia, and Google v. SerpApi.

But traditional claims, like violations of the Computer Fraud and Abuse Act (CFAA), haven’t entirely gone away, as is evidenced by Amazon’s complaint in Amazon v. Perplexity AI, where Amazon alleged that the developer violated the terms dedicated to AI agents in the Amazon Store’s Conditions of Use. Courts are looking at long-standing norms with fresh eyes to see whether certain practices help or hinder a scraper’s cause, such as the court’s discussion in Ziff Davis et al. v. OpenAI et al. as to whether robots.txt files are binding. 

Both scrapers and hosts will have a lot to learn from the coming developments in these cases and the many others that will certainly appear in the near future. Early motions practice and out-of-court agreements will shed light on which claims, and who, holds the upper hand in scraping.

Wrap-Up

As 2026 unfolds, businesses that take a deliberate and informed approach to compliance will be best positioned to manage risk and adapt to what comes next. The months ahead offer an opportunity to move from reactive responses to more durable, strategic programs and we welcome the opportunity to help organizations assess priorities and prepare for the year ahead.