State Laws

Vermont’s Stringent Privacy Law and Louisiana’s Fast Compliance Timeline Amplify Enforcement Risk


The AGs in Baton Rouge and Burlington have obtained comprehensive state privacy laws to enforce, bringing the total to 23 such laws. Since Oklahoma and Alabama also joined the privacy law fray in early 2026, the state-law mosaic continues to expand. Of the latest entrants, “Louisiana is a bit easier, and Vermont is more challenging because of its specific requirements,” Red Clover Advisors CEO Jodi Daniels told the Cybersecurity Law Report.

The Louisiana Data Privacy Act (LDPA) largely follows a familiar template with a few divergences, while Vermont’s Data Privacy and Online Surveillance Act (VDPOSA) joins the elite group of strict states that impose several stringent requirements.

The VDPOSA, signed June 16, 2026, and effective January 1, 2028, stands out for an unusual applicability trigger, an expanded definition of PI, an explicit disclosure requirement for use of data in AI training, heightened protections for health and location data, and a right for consumers to request the specific third parties to whom their data has been sold. Louisiana’s law, signed May 29, 2026, and effective January 1, 2027, is more conventional but still presents distinct compliance considerations, including a flat revenue cutoff not seen since the CCPA. “Louisiana’s applicability thresholds, broad definition of ‘sale,’ prescriptive sensitive and biometric data notices, and sunsetting cure period are features that require companies’ specific attention,” Billee Elliott McAuliffe, data protection practice leader at Lewis Rice, told the Cybersecurity Law Report.

This article provides perspective on the distinctive aspects of these two laws and the compliance challenges that they pose, and offers practical compliance steps that companies should prioritize, with commentary from Daniels, Elliott McAuliffe and experts at Hinshaw & Culbertson, Kean Miller, and McDermott Will & Schulte.

See “Alabama and Oklahoma Introduce Virginia-Style Privacy Laws” (May 6, 2026).

Distinctive Louisiana Privacy Provisions

The LDPA deploys a business-friendly light touch while adopting some Texas toughness. Notably, the Pelican State “did not give as long a runway as most have in the past” for companies to get ready, Elliott McAuliffe highlighted.

Three California-Style Applicability Thresholds

The LDPA applies to any company “doing business in Louisiana” that collects more than $25 million, a flat-revenue cutoff otherwise seen only in California. It also covers entities that process the personal data of at least 75,000 consumers, households or devices annually, or derive at least 50 percent of revenue from selling individuals’ data.

The law’s thresholds may bring into scope regional and business-to-business companies not subject to many other state privacy laws. With the Mississippi River and port of New Orleans anchoring the state’s industry, many companies maintain small offices and pay taxes in state, Elliott McAuliffe pointed out.

Texas-Style Provisions on Notice and Sale

Borrowing from Texas, the LDPA mandates exact wording when companies sell a person’s sensitive or biometric data, such as “NOTICE: We may sell your sensitive personal data.”

The Pelican State also adopts Texas’ strict definition of consent, excluding passive interactions like “hovering over” or closing content, dismissing a dialogue box or accepting general terms of use. Like Texas’ privacy law, but unlike earlier ones in conservative-lawmaker states such as Utah and Iowa, the LDPA defines sale to include “valuable consideration.”

Global Opt-Out and Profiling Nuances

The LDPA requires recognition of universal opt-out signals from consumers’ browsers or devices to stop sales of one’s data and targeted advertising, but excuses controllers lacking “the ability to process the request,” an undefined standard.

That ambiguity carries over into the LDPA’s seemingly inconsistent treatment of “automated profiling” as it relates to Louisianians’ right to opt out under the law. The LDPA provides that Louisianians may opt out of profiling that contributes to legal or similarly significant decisions, yet the law defines profiling far more broadly to include routine assessments of personal preferences, interests, behavior and locations, triggering impact assessments even for lower-risk activities.

Business-Friendly Restraints

“Louisiana is a very business-friendly state,” and the legislators made clear they wanted to avoid mandates “that would be significantly different or substantially different from what businesses already had to contend with,” Kean Miller partner Jessica Engler told the Cybersecurity Law Report. The LDPA includes the following business-leaning provisions that buck recent trends in state privacy laws:

  • children’s protections that extend only to age 13, not into teen years;
  • omission of AI-specific provisions (though a separate healthcare AI transparency law now exists);
  • sweeping entity-level exemptions for financial institutions, nonprofits and healthcare organizations;
  • the exclusion of pseudonymous data from its classification of personal data when companies can show identifying information is separate and guarded; and
  • the exemption of personal data shared in M&A transactions.

Eager for Enforcement

“Companies should not assume that existing programs satisfy all of Louisiana’s requirements,” particularly regarding the privacy notice mandates, consent needs, and the nuanced approach to universal opt-out signals, Engler cautioned.

Louisiana legislators seem eager for enforcement to begin. Companies can have a 30‑day period to cure alleged violations, but only for the first seven months of enforcement. The AG will be the first to enforce a law in the deep south, beating out Alabama, Engler noted.

The LDPA grants companies a grace period to cure AG-alleged violations without penalty within 30 days but limits that accommodation to only the first seven months the law is in effect.

The Louisiana AG’s enforcement activities show a strong interest in securing children’s privacy, Engler noted, but scrutiny of health or other sensitive data may be a focus, too, reflecting predecessors’ prior participation in multistate actions.

See “State Privacy Regulators Describe Collaboration and Priorities” (Apr. 8, 2026).

Vermont’s Distinctive Provisions

In 2024, Vermont Governor Phil Scott, a Republican, vetoed the legislature’s prior privacy bill, which included a private right of action and age-appropriate design obligations. For the VDPOSA, lawmakers cut those elements and Scott signed the bill. Unlike the 2024 version, the VDPOSA “at least comes from the same family tree as the other states,” McDermott Will & Schulte partner David Saunders told the Cybersecurity Law Report.

“The consumer rights are a mix of the traditional Connecticut rights, plus the Vermont law has Minnesota’s ADMT rights and Oregon’s disclosure of third parties requirement,” he elaborated. Only the AG may enforce the law.

See our two-part series on revised privacy laws in Connecticut and Oregon: “Broader Scope and Enhanced Consumer Protections” (Jul. 23, 2025), and “Impact Assessments, Minors and More” (Jul. 30, 2025).

Two Outlier Cutoffs for Applicability

The VDPOSA applies to entities that, during the prior calendar year:

  • processed the personal data of 35,000 residents (5.4 percent of the population);
  • processed sensitive data of at least 3,000 residents; or
  • offered for sale the data of at least 3,000 residents.

The inclusion of thresholds tied to offers to sell and sensitive data processing is unusual but could influence future legislation. They “just add to the mosaic of how you have to evaluate applicability of state laws,” Saunders said. California’s regulation for cyber audits has the only other trigger tied to sensitive data processing, he added.

Unlike the LDPA, the VDPOSA exempts a specified and limited set of financial entities and nonprofit organizations.

Broader Definition of Personal Data

The VDPOSA significantly expands the concept of personal data to include “derived data,” covering predictions, conclusions from facts and device-linked insights. “This goes beyond traditional inferences,” said Cathy Mulrow-Peattie, a partner at Hinshaw & Culbertson. “Complying with that definition will create some compliance burden for companies,” especially those that have not systematically focused on tracking inferential analytics, she told the Cybersecurity Law Report.

The shift from the use of “inferences” to “derived data” is a distinction without difference, according to Saunders. The AG hopefully will issue guidance, he said, opining that “this seems like a classic example of overcomplicating.”

Vermont, the first state with a data broker law, also defines publicly available information to exclude information “collated and combined to create a consumer profile,” which could inhibit data brokers.

See “Assistant AG Highlights Colorado’s Next Phase of Privacy Regulation” (Mar. 4, 2026).

Geofencing Protections and Expansive Definition of Sensitive Data

The VDPOSA adopts an expansive definition of sensitive data, including neural data, and imposes heightened protections for “consumer health data.” The law’s requirements around consumer health data apply to any entity that collects such data and targets Vermont residents to sell products or services, regardless of whether those entities meet the VDPOSA’s other covered entity thresholds. The VDPOSA also requires covered entities to obtain explicit consent for processing consumer health data and imposes added confidentiality obligations and restrictions on geofencing within 1,850 feet of healthcare locations.

“A lot of secondary groups that use health information for other purposes are going to need to take a look at [the VDPOSA],” Elliott McAuliffe said, noting the growing complexity for companies using wearable or location-based technologies. “They should ensure that they have the appropriate restrictions on their apps,” she advised.

Vermont’s definition of biometric data also is broader than most states – it does not require an intent to identify the consumer. As a result, even voice or facial scans used for quality assurance could fall within the definition.

See “Navigating an Increasingly Risky Health Data Landscape: Why the NAI’s Factor Analysis Matters” (Apr. 29, 2026).

Third-Party Disclosure Requirement

The VDPOSA grants consumers the right to request a list of third parties to whom their data has been sold. If the company cannot generate a list specific to the person, it must provide a general one listing all entities to whom it sells individuals’ data.

“The third-party disclosure requirement sticks in the craw” of many companies, Saunders observed. “We have seen competitors sending their employees to make a request to figure out who their competitor is working with,” he said.

As part of companies’ concern about competition, Elliott McAuliffe noted, they do not want to reveal relationships with suppliers of cutting-edge products, particularly with AI innovations.

AI Transparency

The VDPOSA requires disclosure of whether personal data is used to train large language models, aligning with Connecticut’s 2025 amendment. “I wouldn’t be surprised to see amendments come from other states soon to match it,” Daniels said. “AI and privacy are getting intertwined” as public interest grows, she noted.

A practical challenge with third-party disclosure is “the flurry of companies and businesses adding AI models to their products and services,” Elliott McAuliffe observed. “Unless someone has taken the time to thoroughly read all of those contracts, to learn what data is being used in the model and the terms, the company might not have all the information needed to make these disclosures by January 1, 2028,” she cautioned.

Targeted Ad Restrictions for All Minors

The VDPOSA prohibits targeted advertising using data from individuals under 18 where the controller has actual knowledge of or willful disregard for age. This reflects a broader regulatory trend toward heightened protections for teenagers.

Many companies may not yet have adequate age-identification practices in place. Some organizations “did not work very hard at figuring out whether they had teenagers on their sites” following earlier laws, Elliott McAuliffe observed.

Profiling and Automated Decision Appeals

Vermonters, like Minnesotans, have the right to appeal automated decisions that produce legal or similarly significant effects. Individuals who ask must be informed of the reasoning and data inputs, and have a human reevaluate the decision, “if feasible.”

The VDPOSA also mandates separate impact assessments for such profiling. In the assessment, companies should describe data inputs, outputs, safeguards and monitoring, and probe for risks beyond the most obvious ones.

While risk assessments are valuable for companies and consumers alike, increasing complexity may reduce compliance rates. “Every time we add a new one, it becomes another way in which organizations are not fully compliant,” Elliott McAuliffe cautioned.

Practical Compliance Steps for Companies

“We are almost at the halfway point, with 23 laws in effect,” and companies are oriented to the most stringent requirements as they seek to be compliant across the board, Elliott McAuliffe reported. Vermont blends several of these stricter provisions, and Louisiana highlights important considerations, as well.

Update Privacy Notices and Consent Banners

Both the VDPOSA and LDPA add to companies’ challenges with privacy notices. Vermont’s AI disclosure and Louisiana’s prescriptive language requirements obligate companies to supplement already lengthy policies. “Every one of these laws says, ‘we want you to put this in,’” Saunders noted, even as regulators criticize excessive policy length.

Companies must also navigate timing issues, such as complying with mid-year effective dates. Alabama’s privacy law goes in effect May 1, 2027, for example. “Under certain state laws, companies must notify people when they materially change the policy,” so they must weigh the prospect of multiple emails to consumers about the privacy policy, Saunders lamented.

Privacy policy updates can align with other compliance tasks for efficiency. When updating privacy policies, many organizations wisely reset cookie banners and reobtain consent, Elliott McAuliffe observed.

To streamline privacy obligations, Daniels recommended, organizations can align compliance updates with annual review cycles for:

  • updating data inventories;
  • conducting risk assessments;
  • reviewing vendor agreements; and
  • testing consumer rights processes and cookie consent managers.

The VDPOSA additionally requires privacy policies to appear in mobile app settings and on download pages. This is a longstanding best practice, supported by app stores, and generally considered a manageable implementation step, “though each app might have different development requirements,” Daniels noted.

See “Cookie Compliance Strategies for 2026” (Apr. 15, 2026).

Inventory Third-Party Sharing for Vermont Disclosure

With Vermont’s requirements elevating the importance of third-party data inventories, organizations should enhance systemwide tracking of data flows to prepare for necessary disclosures in 2028, Mulrow-Peattie emphasized. That task is often complicated by organizational structure. “Many companies have grown up as subsidiaries or in a diversified structure, and so they do not have a central repository for the data,” she observed.

As a result, inventories may require deeper analysis of data resources and processing. This includes scrutinizing enhanced analytics because they may be valuable enough to constitute a sale under state laws, Mulrow-Peattie advised.

See “Checklist for Framing and Assessing Third-Party Risk” (Aug. 16, 2023).

Enhance Engineering and Governance Across Multiple Areas

The VDPOSA will require improved coordination between legal, compliance and engineering teams. Organizations must refine governance and tracking regarding:

  • creation and spread of derived data and analytics;
  • personal data in AI model inputs;
  • teen user identification;
  • personal data flows to third parties;
  • use of geolocation features in apps across the enterprise; and
  • geofencing of health-related sites.

These areas now pose expanded risks that many companies have not fully addressed with tracking and controls.

With widespread use of fitness trackers and smart watches, some companies may face compliance struggles around the interplay of geofenced locations and data types, Elliott McAuliffe posited.

Comparable governance gaps exist in how companies track and manage inferred data. Companies’ existing monitoring of inferences may need to be adjusted for identifying and managing derived data under the VDPOSA. Many still lack visibility into how inferences are created or used, Elliott McAuliffe observed.

Even companies that already monitor inferences may need time to comply with the VDPOSA’s requirements around derived data to be ready for Vermonters’ requests, Mulrow-Peattie advised. Previous enforcement in California flags one area of focus, however. “Typically, inferential data has been raised in the healthcare context,” so Vermont enforcers probably would first invoke derived data in matters related to sensitive data, she predicted.

Impact assessments also may require governance attention. Elliott McAuliffe noted that at a 2026 panel discussion where she and colleagues informally polled attendees on who conducted all obligatory data protection assessments, “maybe a fourth of them said they did it regularly.”

Decide How to Deal With the Frustration of Outlier Provisions

The addition of privacy laws in Louisiana and Vermont underscores the fragmentation across states, thanks to both new players and amendments in states like Virginia, Montana, Oregon and Connecticut. “There’s just no one version of a state privacy law on which they can set a standard and say, ‘if we do this, we comply with all the other states,’” Saunders noted.

Many organizations now operate multiple compliance frameworks simultaneously. Some have “15 different approaches to compliance,” Saunders observed. A decisive point for some companies becomes the optics of offering different rights in different states.

See “Tips From Big Tech Leaders on Navigating Global Privacy Regulations” (Dec. 3, 2025).

Maintain Fundamental Privacy Practices

Despite growing complexity, core compliance fundamentals, including the following, should remain consistent, Engler and Mulrow-Peattie urged:

  • maintaining accurate, transparent privacy policies;
  • updating data maps alongside policy changes;
  • ensuring robust consumer rights processes;
  • strengthening vendor contract controls; and
  • tracking third-party data sharing comprehensively.

Monitor the Intersection With AI Laws

Companies must track evolving AI regulations, which introduce even greater variability in parallel to privacy legislation. Saunders cautioned that AI laws differ widely in scope and applicability depending on sector, use case and functional role. “When privacy law looks like something that came before it, there’s a sigh of relief,” he said. “But the AI quilt has applicability all over the map.”

Expect Growing Regional Risks

State-level enforcement increasingly will affect mid-sized and regional companies, Mulrow-Peattie pointed out. Organizations previously below regulators’ radar must now recognize that “we are in a regulated privacy market in the United States for everyone,” she cautioned.

See “Strengthening the Business Case for Privacy Investment” (Jun. 3, 2026).

GDPR

Ten Developments Reshaping Compliance Obligations As the GDPR Rounds Out Its First Decade


As the GDPR marks its 10th anniversary, it is entering a new phase of regulatory change that demands renewed attention from privacy teams. Proposed amendments, evolving guidance and heightened enforcement are reshaping how organizations must approach compliance.

Many people thought the law was set in stone and would never be changed, observed Cooley partner Patrick Van Eecke during a firm presentation, though, under pressure from Member States and other stakeholders, E.U. authorities have been working on potential revisions to the regime. “Do not put GDPR on the back burner,” he cautioned. There has been “an avalanche” of technology regulation over the course of 2025 and 2026, including proposed amendments to the GDPR.

This article examines 10 important developments concerning the GDPR, distilling insights shared by Van Eecke, along with Cooley special counsel Enrique Gallego Capdevila and associate Bartholomäus Regenhardt.

See “What the E.U. Data Act Means for IoT Businesses Operating in Europe” (Apr. 15, 2026).

1) Digital Omnibus

In November 2025, the European Commission (EC) announced its intention to update the GDPR and several other regimes, including, for example, the Digital Operational Resilience Act, NIS2 cybersecurity directive, Cyber Resilience Act and ePrivacy Directive (EPD), according to Capdevila. The EC proposal has two workstreams, a Digital Omnibus on AI and one for the GDPR and the other regimes, usually referred to simply as the “Digital Omnibus.”

The Digital Omnibus is still in the proposal stage, continued Capdevila. Following the initial proposal, the Council of Europe (Council) issued a new version that it is discussing with representatives of the Member States. There will undoubtedly be further revisions before final adoption by the European Parliament (Parliament). A final version is anticipated by the end of 2026. Until then, however, the AI digital omnibus is a bigger priority for the E.U., he said.

“Just take a deep breath. The GDPR is not open for a full reform,” advised Capdevila. Only a few provisions are going to be amended, but those provisions will be relevant to most organizations. The provisions that the Digital Omnibus does amend could have a “massive impact” on organizations’ compliance obligations, Van Eecke posited.

See “Recent Developments and Upcoming Obligations Under the E.U. AI Act” (Feb. 4, 2026).

2) Definition of “Personal Data”

One of the significant proposed GDPR amendments is an updated definition of personal data, noted Capdevila. “As we all know, a good piece of legislation starts with a good definition. Because if you don’t have a good definition of the concepts, you don’t know what is in scope [and] what is not in scope,” said Van Eecke. Surprisingly, almost a decade after the GDPR’s adoption, people are still discussing that definition.

The GDPR defines personal data as data that “allows you to identify a person directly or indirectly,” explained Regenhardt. Over the years, many “borderline” cases have been determined to constitute personal data, including:

  • technical identifiers like IP addresses, device data and cookies;
  • vehicle information; and
  • inferred data from profiles, scoring and predictions.

Judicial decisions have played a key role in interpreting the definition. In 2025, in European Data Protection Supervisor v. Single Resolution Board, the Court of Justice of the E.U. (CJEU) held that pseudonymized data is not personal data if the recipient is not realistically in a position to re‑identify someone from the data, recounted Regenhardt. The decision established a “relative” approach to the definition, which requires considering whether the entity that receives the data – with the means available – can identify someone from it. In contrast, under an “absolute” approach, if anyone could identify the individual from the data, then the data is personal data.

Surprisingly, seeking to roll back the scope of the definition, the EC adopted a relative approach in the Digital Omnibus draft, continued Regenhardt. However, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have pushed back against the EC draft because it would make it impossible to have “clear, predictable interpretations,” he said. As a result, the presidency’s revised proposal deleted the proposed change, and the EC, Council and Parliament are in “heavy discussions” over the definition, which goes to “the core of the GDPR,” added Van Eecke.

See “New Duties Around Pseudonymized Data After E.U. Court Decision” (Oct. 15, 2025).

3) Legal Basis

The Digital Omnibus may provide greater legal certainty and a higher comfort level for organizations that want to process personal data for AI development and/or training, explained Capdevila. In late 2025, the EDPB issued guidelines confirming that organizations may rely on the “legitimate interest” basis for such purposes. The Digital Omnibus would codify those guidelines. Of course, organizations must still do a legitimate interest assessment, comply with transparency obligations, inform data subjects and comply with other relevant requirements.

The current draft Digital Omnibus also would permit incidental processing of special categories of data, which requires an additional legal basis under GDPR Article 9(2), for AI development and/or training under the legitimate interest basis. Such permission would not, however, allow the controller to repurpose special categories of data – for that, the controller would need consent. The EC and Council have not yet provided guidance on what would constitute “incidental” processing.

See our two-part series “AI Meets GDPR”: EDPB Weighs In on AI Models (Feb. 5, 2025), and Mitigating Risks and Scaling Compliance in the Development and Deployment of AI Models (Feb. 19, 2025).

4) Automated Decision-Making

Article 22 of the GDPR concerns automated decision-making (ADM), but there has been considerable debate and litigation over what constitutes an automated decision or a significant effect on an individual, said Van Eecke. The EC’s intent was to make Article 22, as well as the definitions for “legal basis” and “personal data,” more business-friendly, but there has been pushback from Parliament and some Member States.

EDPB guidance on ADM and the SCHUFA Holding decision by the CJEU provide that decisions made without “meaningful human involvement” should be considered automated, explained Regenhardt. Thus, for example, an AI chatbot that interacts with a customer without any human involvement and takes actions affecting credit decisions, insurance pricing or employment would be considered automated.

If an organization uses ADM, it must have a justification for doing so, said Regenhardt. One justification is consent, which may be difficult to obtain. Another is the need to use ADM for entering or performing a contract – but data protection authorities (DPAs) have interpreted “necessity” very narrowly. Some DPAs have asked organizations to prove that there is no reasonable way a human could make the decision.

The Digital Omnibus would lower the bar for using ADM, continued Regenhardt. It would provide that ADM may be employed “if there is no proof that a human could perform the decision process as well [as ADM].” It would change Article 22 “from a right not to be subject to something to a permission process,” where ADM is permitted under specified conditions, he added. There has also been pushback on this proposal from the EDPB and EDPS. The presidency is also advocating for a more restrictive approach than in the original proposal.

See “Managing Legal Issues Arising From Use of ChatGPT and Generative AI: E.U. and U.S. Privacy Law Considerations” (Mar. 15, 2023).

5) Cookies

Cookies, popups and similar website features are covered by the EPD, noted Van Eecke. The Digital Omnibus would integrate those rules into the GDPR and make some changes to them. Cookies rules will not be eliminated, but they will be more harmonized and, potentially, more practical.

This is “the never-ending story,” observed Capdevila. The E.U. Legislature has been trying unsuccessfully over the past decade to amend the EPD – which covers confidentiality of communications, electronic marketing, consent to pop-ups and spam – to address both users’ “consent fatigue” and complaints from industry about the rules’ ambiguity. A significant issue is that the EPD has not been transposed uniformly by Member States. The Digital Omnibus would seek to impose the same standards and results across the E.U.

Under the Digital Omnibus, processing data via cookies would still require consent in most scenarios, with limited exceptions including for security purposes, continued Capdevila. One significant change would be to exempt analytic cookies from the consent requirement under certain conditions – including data collected both by the controller or a third party acting as a processor.

The Digital Omnibus would also codify certain rules for obtaining consent, added Capdevila. These include, for example, opting out of cookies and making it as easy to withdraw consent as it is to give consent.

See “Tracking Technologies: Privacy Regulation, Enforcement and Risk” (Jan. 17, 2024).

6) EDPB Guidelines

In 2025, the EDPB issued guidance on the e-commerce sector and e-commerce websites. It recommended that the GDPR should be interpreted to require a guest checkout option in addition to a checkout for registered users. It also issued guidance on harmonizing the Digital Services Act and the GDPR. In 2026, it issued draft guidance on consent requirements and secondary use of personal data for scientific research.

See “The (Im)Possibilities of Scientific Research Under the GDPR” (Jun. 17, 2020).

7) Data Transfers

Article 5 of the GDPR governs data transfers, explained Van Eecke. The underlying principle is that personal data should be stored within the European Economic Area (EEA) and not transferred out of the area unless certain conditions are met. Countries that receive an adequacy decision from the EC are eligible to receive data from the EEA without further safeguards. In June 2025, the EC renewed the U.K.’s adequacy decision, noted Capdevila, and Brazil obtained an adequacy decision in 2026 as part of a trade deal with the E.U.

To transfer data to a country that does not benefit from an adequacy decision, an organization must rely on an approved data transfer mechanism, continued Capdevila. The most common mechanism is standard contractual clauses. Additionally, prior to transferring data, an organization must conduct a transfer impact assessment. The EDPB has issued guidelines for protecting personal data in connection with data transfers, and there has been increasing regulatory focus on them. For example, Ireland’s data protection authority has been regularly scrutinizing companies that transfer data to China.

See “Managing Data Transfers After Latombe” (Oct. 8, 2025).

8) Fines Under the GDPR

After a few years of testing the waters, DPAs have “become much more fluent in issuing fines and sanctioning companies,” observed Van Eecke. There were more than 400 fines issued during 2025, a record number. DPAs have fined not only large corporations, but also small proprietors and other entities like hospitals and schools.

There has been growing coordination among E.U. DPAs, noted Regenhardt. Their increasingly sophisticated approach has led to more fines being upheld when challenged. They have technical experts who understand the details of processing activities and conduct more advanced reviews. DPAs are also acting more proactively. In addition to responding to data subject complaints, they are taking a more structured approach to enforcing the GDPR.

Cookies and data transfers have been keeping DPAs busy, continued Regenhardt. For example, Ireland’s DPA issued a €530-million (approximately $607.5-million) fine to TikTok for transfers to China. France’s Commission Nationale de l’Informatique et des Libertés (CNIL) issued a €325-million (approximately $372.5-million) fine to Google for alleged violations relating to cookies and advertising placement. Although Ireland, Luxembourg and the CNIL have been issuing record-high fines, Spain has been issuing the most fines. Fines are “getting bigger and bigger, and the enforcement gets stricter and stricter,” he cautioned.

Typically, companies can appeal a fine or sanction issued by a DPA, explained Van Eecke, so they should review the decision carefully to assess whether an appeal is advisable. Notably, about two-thirds of such challenges have been successful. Often, successful appeals are based more on procedural mistakes than substantive GDPR issues. For example, in 2026, Amazon successfully challenged a fine by Luxembourg, and the matter is back before the DPA.

See our two-part series on GDPR enforcement’s new phase: “More Predictability, and New Rules on the Way” (Nov. 6, 2024), and “Navigating Privacy Investigations in Europe” (Nov. 13, 2024).

9) Children’s Privacy

There is intense worldwide focus on children’s privacy and protection of children on the internet, observed Van Eecke. Protecting children online has become one of the highest priorities of both the E.U., through the DSA, and the U.K., through its Online Safety Act, Capdevila concurred.

Traditionally, regulators focused on removing illegal content, according to Capdevila. They are now scrutinizing platform design, recommendations, whether sites are addictive to children, whether they implement age-verification mechanisms and use of so-called dark patterns. There is greater scrutiny of both online platforms directed to minors and those directed to adults, he cautioned.

The EC has been targeting the largest online platforms and assessing whether they have implemented robust mechanisms to ensure minors cannot access illegal or harmful content, added Capdevila. In 2025, the EC issued Article 28 guidelines for organizations in the online ecosystem, which require them to conduct risk assessments when choosing mechanisms for protecting minors. The guidelines confirm that a self-declaration is insufficient to comply with the DSA. Consequently, companies have been deploying age-verification mechanisms, often through third-party service providers. Such mechanisms implicate the GDPR because some collect information like biometric data, photos and copies of identification documents.

See our three-part series “Children’s Privacy Grows Up”: Examining New Laws That Now Protect Older Teens (Jan. 15, 2025), FTC Amends COPPA Rule and Targets Data Sharing (Jan. 29, 2025), and Seven Compliance Areas for Protecting Teens (Feb. 12, 2025).

10) Breach Notification

The GDPR and other E.U. laws impose breach notification duties, noted Van Eecke. Those other laws have even stricter requirements than the GDPR, added Regenhardt. The GDPR typically requires notice within 72 hours of an incident, while the new cybersecurity laws typically require an “early notice” within 24 hours, followed by a further notice within 72 hours. Organizations should review their incident response plans and ensure that, if they are subject to one or more of these other acts, they incorporate the additional requirements into their plans and verify they function in a streamlined way across the organization.

The original Digital Omnibus proposal would have extended the notification deadline from 72 hours to 96 hours – but that has since been returned to 72 hours, noted Regenhardt. The Digital Omnibus also includes a higher notification threshold, which might remain. As proposed, organizations would only have to notify DPAs and data subjects of high-risk breaches. Additionally, the Digital Omnibus proposes to introduce a harmonized notification template to address disparate notification requirements.

See “Comparing U.S. and E.U. Approaches to Incident Response and Breach Notification” (Nov. 4, 2020).

Artificial Intelligence

ACA Study Finds Widespread, but Limited, Implementation of AI


Although it may seem that AI is being deployed and embedded across the entire economy, uptake by financial services firms has been modest. “While most firms have begun to engage with AI, relatively few have translated that engagement into structured, scalable deployment,” according to a report by ACA Group (ACA), State of AI in Compliance and Operations (Report), which is based on a study it conducted in March 2026. Most firms in the study are using AI to some extent, more often in compliance workflows than in operations. This article synthesizes the key findings from the Report and the insights from a related presentation by ACA on navigating agentic AI use, AI-related risks and a framework for developing robust AI governance.

See “Benchmarking AI Uptake by Compliance Functions” (Dec. 3, 2025).

Survey Methodology

ACA surveyed 201 investment management firms, including asset managers (31%), private market firms (31%), wealth managers (20%), hedge funds (16%) and broker-dealers (2%). More than three-quarters of respondents were CCOs. The rest included GCs (11%), operations heads (9%) and chief risk officers (3%).

ACA assessed respondents’ current and anticipated adoption of AI in the following 20 compliance and operations workflows.

Compliance Workflows

  • compliance program administration;
  • compliance testing;
  • electronic communications surveillance (eComm surveillance);
  • employee compliance monitoring;
  • expert network chaperoning;
  • know your customer/investor lifecycle (KYC);
  • market abuse surveillance;
  • marketing material reviews;
  • material nonpublic information (MNPI) monitoring;
  • regulatory filings; and
  • representative management.

Operations Functions

  • cash reconciliation;
  • market data quality control;
  • net asset value validation/publication;
  • performance composite maintenance;
  • position reconciliation;
  • pricing quality control;
  • trade confirmation;
  • trade notification; and
  • trade reconciliation.

The survey distinguished AI that is embedded in a firm’s internal systems or a third-party application from what it terms “desktop AI” like Claude or ChatGPT, explained Joseph Kochansky, head of product and engineering at ACA.

Wide, but Limited, Use

AI adoption “has moved beyond experimentation, but not yet into broad operational integration,” notes the Report. Adoption is “a mile wide, but an inch deep,” according to Kochansky. More than four-fifths of respondents’ firms use AI in some capacity. Additionally, nearly two-thirds use it in at least one of the 20 compliance or operations workflows covered by the study. Conversely, more than one-third still have not deployed any function-specific AI. On average, firms deploy AI in just 1.8 of the 20 workflows. Most say they use AI in either one, two or three compliance functions.

Just a handful of respondents said their firms deploy AI across multiple compliance workflows and at least one operations workflow. Such firms are “establishing governance frameworks to support scale and moving beyond isolated use cases toward more integrated, enterprise-level capability,” explained ACA. “Success in using AI is less about technology selection and more about operating discipline. Firms making measurable progress are focused on high-impact workflows, disciplined governance, and incremental execution,” according to the Report.

Adoption Corresponds to Firm Size

AI adoption rates generally correlate with assets under management (AUM) and headcount. At the high end of the spectrum, more than four-fifths of respondents with at least $50 billion in AUM or 1,000 employees are using AI. At the other end, just 45% and 52%, respectively, of respondents whose firms have less than $1 billion in AUM or 10 employees are using it.

Widespread Use of Desktop AI

“Many firms remain in a hybrid state where AI usage is personal rather than institutional,” which limits the potential benefits of AI to productivity gains, notes the Report. In that regard, a majority of respondents use desktop AI, including 32% that use it exclusively and 29% that use it alongside third-party (20%) or internal software (9%). The most common desktop tools are ChatGPT and Copilot, which are used by more than half of respondents. Fewer use Claude (38%) or Gemini (16%).

The remaining respondents exclusively use either third-party software (30%) or internal software (9%). Notably, more than two-thirds of respondents using desktop tools also use AI in one of their compliance or operations workflows, versus just one-third of those that do not use any desktop tools. “Governance, system integration, data readiness, and workflow prioritization remain the primary barriers to scaling AI beyond isolated use cases,” said ACA.

See “Benchmarking Fund Managers’ Adoption and Governance of Generative AI” (Nov. 19, 2025).

AI in Compliance Workflows

On average, across all 11 compliance functions, just 18% of respondents presently use AI in at least one of them, and an additional 15% plan to deploy it in the coming year, noted Kochansky.

AI primarily has been deployed in “documentation-heavy, text-driven, or review-oriented” workflows, according to the Report. Of the respondents that have adopted AI in connection with a compliance function, the predominant uses have been for compliance program administration, eComm surveillance and/or marketing material reviews, and compliance testing. Most of those are also areas where the greatest number of respondents said they are planning to deploy AI.

Approximately one-fifth of respondents said they use AI for employee compliance monitoring, market abuse surveillance, KYC and/or regulatory filings.

See our two-part series “The Algorithmic CCO”: AI’s Role in Shaping the Future of Hedge Fund Governance (Mar. 5, 2025), and Practical Steps for Implementing AI in Compliance (Mar. 12, 2025).

AI in Operations Workflows

There was significantly lower uptake of AI in the nine operations workflows covered by the study.

At the high end, just 14% of respondents’ firms are using AI for market data quality control. About 10% are using it for cash reconciliation and/or position reconciliation. Of the respondent firms that are not yet using AI in those workflows, just over one-tenth of them are planning to deploy it.

At the low end, just 4% and 5%, respectively, use AI for trade notification and/or pricing quality control. One explanation for the lower uptake of AI in operations is the significant cost and risk of integrating it with existing order and portfolio management systems, accounting systems and data infrastructure, according to the Report.

See “Survey Results Reveal How Alternative Data and AI Are Transforming Investment Processes” (Jun. 10, 2026).

Emerging AI Use Priorities

Asked for their “AI wish list,” just over half of respondents said they want to deploy AI for compliance testing, which reflects the “high manual burden [of compliance testing] and its perceived suitability for AI-assisted analysis,” notes the Report. Roughly one-fifth also desire to deploy AI for eComm surveillance and/or marketing material review, which could “improve coverage and consistency without increasing headcount” or disrupting core systems, states the Report.

Other wish list items cited by at least one-tenth of respondents include tools for data analytics and reporting (17%), automating repetitive and/or manual tasks (17%), document review and policy drafting (13%), and due diligence and research (11%).

Navigating Agentic AI Use

Understanding Functionality and Exposure

Agentic AI inverts the model of using AI to take the first crack at a task, explained Kochansky. The AI agent itself is not actually AI. It is more of a loop. It takes a request, sends it to the user’s AI system and asks, “What’s the next step?” When the AI responds to the agent, the agent takes the action, collects the output, sends the output to AI and asks what to do next. The loop continues until the AI deems the task completed. So-called “connectors” or “model context protocols” enable AI assistants to connect to various systems and data sources. For example, a connector could give an AI model access to surveillance systems, eComm archives and trading data for purposes of compliance reviews.

A desktop agent could create information security and compliance risks, observed Kochansky, noting it is difficult to control how and for what purpose they are used. For example, the agent may have access to the internet, or the user might download so-called “skills” for the agent that are of unknown origin.

Strengthening Controls

To mitigate risks, agentic AI may also be embedded in an organization’s systems, which gives the organization greater control over it, suggested Kochansky. A system can provide a list of agents that can be created by the system provider or user. It allows organizations to set permissions for users authorized to manage the agents and to maintain an audit trail of each agent’s activities and system actions.

AI agents are not just “running around everywhere,” remarked Kochansky. They have a user ID, just as humans do, and are subject to each application’s permissions and access controls. In addition to setting permissions, the organization can control the connectors to which the agent has access. Each agent is tailored for a specific task and triggered by specified events within the system. The agent will complete the assigned task and exit the relevant application. An agent may also have a “chaperoning” mode, in which the user can watch how the agent is approaching the task, correct and redirect it, if necessary, and then fine-tune the prompt.

See our two-part series on AI agent security: “Companies See Rogue Incidents but Lag on Controls” (Mar. 18, 2026), and “What CISOs and GCs Need to Know to Defend the Enterprise” (Mar. 25, 2026).

Six Key Risk Areas in the Rapid Adoption of AI

AI was first seen as a replacement for Google, noted Kochansky. Soon, it was being used as an assistant for drafting documents, translating and other tasks. Since the beginning of 2026, AI has increasingly been embedded directly into everyday business applications.

Firms must address the following unique AI-related risks, according to Joshua Broaded, co-head of global regulatory compliance at ACA.

1) Overreliance on AI

A firm may use AI for sensitive tasks – such as fee calculations – without validating the results. Consequently, sensitive functions should have a “human in the loop” and extensive human checking.

2) Shadow AI

Employees may be using AI without their firms’ knowledge or in ways the firms did not contemplate. For example, employees may upload sensitive documents into AI tools, creating the risk of data leakage.

3) AI Note-Takers

AI-driven note-takers are ubiquitous. They create concerns about preserving attorney-client privilege, capturing and storing PI, managing MNPI and consent requirements for recording conversations.

4) Vendor Risk

Many vendors are embedding AI into existing tools. Such applications give rise to risks from data handling, model changes, hallucinations and incident response protocols.

See “Checklist for Contracting With AI Vendors to Mitigate Risks” (Jun. 10, 2026).

5) Data Governance

The current data control environment was set up for humans and is good at protecting against the most egregious violations. However, an organization may hold sensitive information in remote or overlooked places that AI could access or surface. Consequently, tightly controlled data governance is critical.

See “Former NIST Leader Discusses Data Governance As Master Key to a Trio of Frameworks” (Feb. 26, 2025).

6) Disclosure

Organizations must be careful to avoid both overstating their use of AI – so-called “AI washing” – and failing to disclose material facts about how they are using it. AI is moving so fast that organizations should review their disclosures frequently. An annual review is no longer sufficient.

See “SEC Enforcement Actions Target ‘AI Washing’” (May 22, 2024).

A Framework for Developing AI Governance

Regulators worldwide “are paying attention” to AI, cautioned Broaded. If a regulator asks, a firm must be prepared to respond. “I think the strongest response is going to center around culture, which is to say the CCO is at the table and shaping governance,” he said. Organizations can use the following framework to establish AI-related governance processes over a 90‑day period, he suggested.

See “A Baker’s Dozen AI Governance Resolutions for 2026” (Jan. 7, 2026).

First 30 Days

Use AI

A CCO must understand what AI can do. Consequently, the CCO must use AI and learn about how it functions.

Create an Inventory

An organization should create an inventory of AI uses and tools. This involves, for example, talking to people, conducting surveys, and reviewing IT and procurement records.

Identify Risk Areas

An organization should identify AI “hot spots,” especially applications involving both agentic AI and sensitive data. Hot spots may include, for example, AI-generated client communications, note-taking in meetings involving MNPI, creating marketing materials and decision-making by tools without human review.

Next 30 Days

Establish a Governance Team

An organization should establish a cross-functional governance team. The team should probably include the CCO, the CISO, the CTO, the GC, HR, a data analytics leader and a senior business leader. Using the AI inventory, the organization should determine who owns what hot spot, who can make AI decisions independently, and when an AI committee or team must make an AI-related decision.

Conduct Vendor Due Diligence

Organizations should ensure thorough vendor due diligence. For example, they should ask about data handling, training opt-outs, output provenance, including citations for outputs, model change notifications, transparency about hallucination error rates and incident response plans.

See “Contracting With Vendors to Mitigate Third-Party AI Risk” (Feb. 18, 2026).

Create a Note-Taking Policy

Note-taking is the most common shadow AI use. Consequently, organizations should establish a clear note-taking policy.

Last 30 Days

Track Metrics and Fine-Tune Policies

Organizations should track key metrics, including adoption trends, rates of errors and overrides, and vendor performance. They should also ensure policies and procedures are up to date and develop written processes for approving new tools and reviewing tools when there are model changes.

Conduct Training

Training is critical. “Policies and procedures are not much good if nobody knows about them,” said Broaded.

See “AI Governance: Striking the Balance Between Innovation, Ethics and Accountability” (Feb. 12, 2025).

Help the Business

A CCO should try to position compliance as an “AI enabler” and “the department that helps your firm be ready for AI tools as they become available,” advised Broaded. One approach is to hold “AI office hours” to make it easy for people to ask questions about AI issues and, when appropriate, get answers on the spot.

See “How Under Armour and People Inc. Took AI Governance From Crawl to Walk to Run” (Sep. 24, 2025).