Hot Privacy and Data Security Issues on the Hill for 2026
June 10, 2026
As summer temperatures rise, so too does the heat around federal privacy and cybersecurity enforcement. US Congress may still be struggling to pass a comprehensive federal privacy law, but businesses should not mistake legislative gridlock for regulatory inactivity.
From the Federal Trade Commission’s (FTC’s) aggressive focus on children’s privacy and artificial intelligence (AI)-related data practices to the Federal Communications Commission’s (FCC’s) evolving Telephone Consumer Protection Act (TCPA) enforcement landscape to the US Securities and Exchange Commission’s (SEC’s) expanding cybersecurity disclosure expectations, federal regulators continue to turn up the temperature on companies handling consumer data, deploying emerging technologies, and responding to cyber incidents. The result is a fast-changing patchwork of overlapping federal and state expectations that requires businesses to stay alert, adaptable, and prepared.
This Insight, based on a recent Morgan Lewis Technology Marathon webinar, examines the key enforcement priorities, rule changes, litigation trends, and disclosure expectations shaping the federal privacy and cybersecurity landscape in 2026.
KEY TAKEAWAYS
- The FTC is smaller but not quieter. With only two commissioners currently seated, recent action has reflected a more aligned and efficient agency focused on children’s privacy, cybersecurity, deceptive data practices, and health-related claims.
- Children’s privacy remains a top federal privacy priority. Enforcement of the Children’s Online Privacy Protection Act (COPPA) is accelerating, penalties are increasing, and the FTC’s 2025 COPPA changes impose more prescriptive security, retention, parental consent, and biometric data requirements.
- TCPA compliance remains a moving target. New revocation rules, reduced judicial deference to FCC interpretations, and a potential shift away from prior express written consent requirements in some jurisdictions may create more variability in outcomes.
- Federal privacy legislation remains unlikely in the near term. The proposed Securing and Establishing Consumer Uniform Rights and Enforcement Over Data (SECURE Data) Act signals one party's priorities around preemption and agency enforcement, but it does not resolve the long-standing impasse over preemption of state laws and private rights of action. Its chances of becoming law are low.
- SEC cybersecurity disclosure practice is maturing. Public companies are moving away from reflexive Item 1.05 filings and toward more calibrated materiality assessments, while board oversight, ransom payments, service provider risk, and national security remain key focus areas.
FTC PRIORITIES
The FTC’s current priorities are reflected not only in public statements and strategic plans but also in investigations, enforcement actions, settlements, and penalties. The agency’s 2026–2030 strategic plan emphasizes vigorous enforcement “without unduly burdening legitimate business activity,” while reaffirming that privacy and cybersecurity remain core consumer protection issues.
Children’s Privacy and COPPA
With broad bipartisan support, children’s privacy remains the FTC’s leading privacy priority. In April 2025, the FTC finalized significant changes to COPPA that impose more detailed compliance requirements on businesses, including written information security programs for children’s data, annual risk assessments, ongoing monitoring of safeguards, retention limits, and expanded coverage of biometric information.
Recent enforcement activity highlights the agency’s continued focus on parental consent failures, targeted advertising to minors, retention of children’s personal information, and misleading platform design choices, or “dark patterns,” directed at younger users. The FTC is also encouraging companies to use age estimation and verification tools rather than relying solely on self-designated labeling systems.
Meanwhile, COPPA 2.0 legislation continues to advance in Congress. The latest proposal would expand protections to minors up to age 16, increase consent and deletion obligations, limit targeted advertising aimed at users under 17, and potentially expand enforcement mechanisms and penalties.
Cybersecurity as Reasonable Security
The FTC continues to treat reasonable cybersecurity as a baseline expectation, with more than 90 cybersecurity enforcement actions since 2023. Recent matters have focused on issues such as weak vulnerability management, outdated credentials, and inadequate incident response preparedness.
The FTC has also made clear that companies are expected to maintain documented incident response plans and active response teams before an incident occurs and that failing to prepare for foreseeable cyber events may itself be viewed as unreasonable security.
Deceptive Data Practices and AI Inputs
The FTC continues to focus on the gap between privacy promises and operational reality, particularly in the context of AI development and model training. As businesses increasingly rely on large datasets to train AI systems, the agency is scrutinizing whether those uses were adequately disclosed and supported by appropriate consent.
The FTC has also signaled a willingness to pursue so-called algorithmic disgorgement, seeking not only deletion of improperly collected data but also deletion of AI models, tools, outputs, or products derived from that data.
Health-Related Claims and Other Tools
As technology becomes more integrated into health, wellness, wearables, and consumer health tools, the FTC is likely to continue scrutinizing unsubstantiated health-related claims. The Health Breach Notification Rule, which now applies to many direct-to-consumer health apps and wearables not covered by HIPAA, treats unauthorized data sharing, not just hacking incidents, as potential breaches requiring notice to consumers and the FTC.
The agency also continues to rely on the Safeguards Rule, the Telemarketing Sales Rule, TCPA-related theories, and AI-related deception frameworks involving vulnerable populations.
FCC PRIORITIES
Revocation of Consent
One of the most significant recent developments is the FCC’s April 2025 revocation of consent rules, which formalize the principle that consumers may revoke consent through any reasonable means, including the following:
- Replying “stop,” “cancel,” or “unsubscribe” to marketing texts
- Using interactive voice or keypress opt-out systems
- Submitting revocation requests through websites or phone numbers provided by the sender
The rules also require companies to honor revocation requests within 10 business days and clarify that revocation extends across communication channels, not merely the channel through which the consumer submitted the request.
Early litigation is already emerging around these rules, with plaintiffs challenging whether companies handled revocation requests appropriately and whether particular methods of revocation were reasonable under the circumstances.
TCPA Litigation Trends and Evolving Standards
Recent litigation developments may produce greater variability across jurisdictions as courts take a more independent role in interpreting TCPA requirements around consent and revocation rather than deferring automatically to FCC guidance.
A recent Fifth Circuit decision signaled a possible move away from the long-standing prior express written consent requirement for certain autodialed telemarketing calls to cellphones, concluding that oral consent may, in some circumstances, suffice. The ruling may foreshadow broader challenges to existing FCC interpretations and create more fragmented compliance expectations nationwide.
Robocalls, AI-Generated Voices, and Disruptive Remedies
Robocalls remain the FCC’s top enforcement priority. In 2025, the FCC removed more than 1,200 providers from its Robocall Mitigation Database for noncompliance, effectively cutting those providers off from the US telecommunications network.
The FCC is also increasingly focused on AI-generated robocalls and impersonation scams. Beyond monetary penalties, the agency is relying more heavily on disruptive remedies such as network blocking, database removal, and cease-and-desist letters.
Section 230 and Platform Design Claims
Section 230 of the Communications Decency Act continues to attract bipartisan criticism, although significant reform remains uncertain. In the meantime, plaintiffs are increasingly reframing internet-related claims to focus on platform design, recommendation systems, and operational conduct rather than third-party content itself, in an effort to work around Section 230 immunity protections.
SEC
Cybersecurity Disclosure Requirements
The SEC has become an increasingly important cybersecurity regulator for public companies and for vendors supporting them.
Since December 2023, public companies have been required to disclose material cybersecurity incidents under Item 1.05 of Form 8-K within four business days after determining that an incident is material. Public companies must also provide annual disclosures regarding cybersecurity governance, risk management processes, management oversight, and board involvement.
Ransomware and Materiality Assessments
The SEC has issued additional guidance clarifying that ransom payments do not eliminate disclosure obligations. If a company experiences a ransomware incident and pays ransom before making a materiality determination, it must still assess whether the incident was material. Insurance coverage does not automatically make an incident immaterial, and ransom payments themselves may weigh in favor of materiality, particularly where the amount is significant relative to the company’s operations.
National Security and Public Safety Delays
One of the more notable recent developments involves the increased use of national security and public safety disclosure delays under Item 1.05(c). Companies, often working through the FBI, may request US Department of Justice authorization to delay cybersecurity disclosures where immediate disclosure would pose a substantial risk to national security or public safety. The FBI has reportedly become a more active intermediary in helping companies navigate that process during significant cyber incidents.
A Maturing 8-K Disclosure Environment
The SEC disclosure environment has evolved considerably over the past two years. Early after the rules took effect, many companies filed Item 1.05 disclosures even when incidents had not yet been deemed material. The SEC later clarified that Item 1.05 should be reserved for material cybersecurity incidents, while Item 8.01 may be used for voluntary disclosures regarding incidents that are not yet material or have not been determined to be material.
Companies are now taking a more measured approach to materiality assessments, recognizing that “without undue delay” does not require rushed disclosures before sufficient facts are available.
CONGRESSIONAL ACTIVITY: THE SECURE DATA ACT
Introduced by House Republicans in April 2026, the SECURE Data Act would establish federal consumer rights to access, delete, and opt out of certain data processing activities while also preempting state privacy laws and centralizing enforcement authority at the federal level. Notably, the proposal does not include a private right of action.
The legislation provides insight into the current Congress’s priorities around federal preemption and agency-driven enforcement, but given longstanding disagreement about issues that have repeatedly stalled federal privacy legislation, namely whether federal law should override state privacy laws and whether private litigants should be able to sue directly, businesses should not expect a comprehensive federal privacy law in the near term. In the meantime, state regulators and state privacy statutes will continue filling the gap.
LOOKING AHEAD
For companies, the practical challenge is understanding where the business risk lies across various overlapping federal and state enforcement regimes. In 2026, the most defensible compliance programs will be those that align privacy disclosures with actual operational practices, build incident response readiness before an event occurs, integrate children’s privacy protections into product design decisions, and treat cybersecurity governance as both an operational and board-level responsibility.