By now, the dust has settled on the January 1, 2026 deadline. You likely updated your privacy policy to reference the new laws in Indiana, Kentucky, and Rhode Island. You might have even tweaked your cookie banner.
But writing a policy is different from operationalizing it.
As we close out Q1, legal teams are shifting from “implementation” to “enforcement.” Regulators are already testing websites to see if the new tech requirements—specifically around AI and Opt-Out signals—are actually working.
Here are the three specific compliance gaps we are seeing most often in late February.
1. The “Universal Opt-Out” Signal (GPC)
The Change: As of January 1, mandatory recognition of Universal Opt-Out Mechanisms (like the Global Privacy Control or GPC) expanded to additional states.
The Trap: Your cookie banner might say “Do Not Sell My Info,” but does it automatically respect a browser’s GPC signal?
The Test: Download a GPC-enabled browser (like Brave or Firefox with the extension). Visit your company’s website in Incognito mode. Did your cookie banner automatically switch to “Opted Out”? If not, you are non-compliant in California, Colorado, Connecticut, and potentially others.
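The manual test above can be turned into a repeatable check. The following is an added example, not code from the original post or from any banner vendor. It reads the two places the GPC specification defines the signal, the `Sec-GPC: 1` request header (what the server sees) and `navigator.globalPrivacyControl === true` (what page scripts see), and compares a resolver that honors the signal against a deliberately click-only resolver of the kind the post calls the trap. All request and navigator objects are constructed fixtures; the function names are this example's own.

```javascript
// Added example (not from the original post): detect a Global Privacy
// Control opt-out signal and audit whether a consent resolver honors it.
// All visits below are constructed fixtures, not captured traffic.

// Server side: header names are case-insensitive; "1" is the only value
// the GPC specification defines, so anything else is treated as no signal.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: supporting browsers expose a boolean on navigator; elsewhere
// the property is undefined, so compare strictly against true.
function hasGpcNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Resolver that honors GPC: the signal is an opt-out request and wins over
// the default and over a stored opt-in, so the banner starts "Opted Out"
// with no click from the visitor.
function resolveConsent({ headers = {}, navigator: nav = null, storedChoice = null } = {}) {
  if (hasGpcHeader(headers) || hasGpcNavigator(nav)) {
    return { optedOut: true, source: 'gpc' };
  }
  if (storedChoice === 'opt-out') {
    return { optedOut: true, source: 'stored-choice' };
  }
  return { optedOut: false, source: 'default' };
}

// The trap: a resolver that only looks at what the visitor clicked earlier
// and never reads the browser signal. Included to show what the audit catches.
function legacyResolveConsent({ storedChoice = null } = {}) {
  return { optedOut: storedChoice === 'opt-out', source: 'stored-choice' };
}

// Re-create the post's manual test: run each simulated visit through the
// resolver under test and report every visit where a GPC signal was present
// but the resulting banner state was not "opted out".
function auditGpcHandling(visits, resolver) {
  const failures = [];
  for (const visit of visits) {
    const signalled = hasGpcHeader(visit.headers) || hasGpcNavigator(visit.navigator);
    if (signalled && !resolver(visit).optedOut) {
      failures.push(visit.label);
    }
  }
  return failures;
}

// Constructed fixtures: header-only signal, navigator-only signal, no signal,
// and a signal arriving from a visitor who previously clicked "opt in".
const sampleVisits = [
  { label: 'gpc-header-only', headers: { 'sec-gpc': '1' }, navigator: {} },
  { label: 'gpc-navigator-only', headers: {}, navigator: { globalPrivacyControl: true } },
  { label: 'no-signal', headers: { 'user-agent': 'constructed/1.0' }, navigator: { globalPrivacyControl: false } },
  { label: 'gpc-overrides-stored-opt-in', headers: { 'Sec-GPC': '1' }, storedChoice: 'opt-in' },
];

console.log('honoring resolver failures:', auditGpcHandling(sampleVisits, resolveConsent));
console.log('click-only resolver failures:', auditGpcHandling(sampleVisits, legacyResolveConsent));
```

Run it with Node; the honoring resolver reports no failures, while the click-only resolver fails on every visit that carried a signal. In a real deployment, `resolveConsent` would be called with the actual request headers and, in the page, with `window.navigator`, and the banner's initial state would be taken from its return value rather than from a stored cookie alone.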
2. The New “AI Transparency” Requirements
The Change: California’s new regulations regarding Automated Decision-Making Technology (ADMT) are live. If you use AI to make “significant decisions” about a consumer (hiring, lending, housing, or insurance), you must disclose it.
The Trap: Marketing teams often turn on “AI Optimization” features in ad platforms without telling Legal.
The Fix: Audit your hiring and marketing tools. If an algorithm is rejecting resumes or deciding who sees a housing ad, you need a specific disclosure in your privacy policy explaining the logic of that decision-making.
3. “Sensitive Data” Drift
The Change: The definition of “Sensitive Data” has expanded in several states to now explicitly include neural data and widely generated biometric data.
The Trap: Collecting voiceprints for customer service or using “attention tracking” software in apps.
The Fix: Review your data map. If you collect biometric inputs, you almost certainly need explicit, opt-in consent (not just a banner) before collection begins.
Summary Checklist for Q2
- Test GPC: Verify your website honors browser-based opt-out signals.
- Audit AI Tools: List every tool making “decisions” about customers or employees.
- Check Expiry: Ensure any “data retention” limits you set in your policy are actually deleting data in your database.
Discussion
- Has your marketing team started using AI tools that “optimize” audiences automatically?
- Do you manually test your own cookie banner, or do you trust the vendor’s dashboard?