Future of U.S. Privacy Enforcement: Six Hints from Regulators Across the States

At this year’s IAPP Privacy. Security. Risk. 2025 conference in San Diego, privacy regulators from California, Colorado, Delaware, and Indiana offered a rare window into how enforcement is likely to evolve across the U.S. Over the past few years, state privacy laws have matured rapidly, and now so have the enforcers behind them. What began as scattered, state-level oversight has grown into a coordinated effort to refine privacy accountability through both collaboration and technical rigor. The discussion also comes on the heels of California’s recent enforcement actions against Sling TV and Healthline Media.  

Much of what triggers investigations today is what consumers themselves can see. Clearly visible Do Not Sell links, opt-out buttons, and plainly written privacy policies make it easier for users to exercise their rights without being redirected to confusing interfaces. Regulators are no longer satisfied with policy statements; they want proof that compliance actually works in practice.

If you look closely, there are six clear hints revealing how regulators plan to enforce privacy laws in 2026 and beyond. 

Hint #1 — Enforcement Is Now Collaborative 

The days of isolated state enforcement are over. Through the Consortium of Privacy Regulators, states like California, Colorado, Delaware, and Indiana are actively coordinating investigations, sharing learnings, and dividing areas of expertise. California is refining technical validation of compliance systems, Colorado is prioritizing children’s data protections, Indiana is emphasizing medical and consumer transparency, and Delaware is watching connected devices. The goal is simple: strengthen enforcement by sharing intelligence and closing cross-state gaps. 

What should businesses do about it? 

  • Treat privacy readiness as a national standard, not a state-by-state exercise. 
  • Map your obligations across overlapping state laws to ensure consistency in rights, consent, and deletion mechanisms. 
  • Anticipate cross-state precedent—if one regulator flags an issue, others may follow. 
  • Create a unified compliance framework that scales horizontally across jurisdictions rather than reinventing controls for each state. 

Hint #2 — “Soft Law” Is the New Hard Line 

State regulators are evolving from reactive litigators into proactive collaborators. The first contact from an Attorney General’s office is often an invitation to fix an issue, not a lawsuit. Delaware and Colorado regulators stressed that these early-stage inquiries are meant to start a dialogue and resolve compliance gaps before formal orders are issued. Yet, when businesses ignore or take a defensive posture, regulators interpret that silence as resistance—and the tone quickly shifts from cooperation to enforcement. 

What should businesses do about it? 

  • Respond promptly and professionally to any regulatory inquiry; treat it as an opportunity to demonstrate good faith. 
  • Document all communications with regulators and maintain transparency about remediation steps. 
  • Train legal and compliance teams to adopt an engagement mindset rather than a litigation posture. 
  • If an issue is identified, provide evidence of corrective action quickly—it’s far more persuasive than argument. 

Hint #3 — Design Is Now Evidence of Compliance 

Recent California enforcement actions, most notably against Sling TV and Healthline Media, demonstrate that regulators no longer need a data breach to take action. Instead, they are inspecting how privacy works in practice, asking questions like “Are opt-outs easy to find?”, “Can users withdraw consent without friction?”, and “Are interfaces misleading or inaccessible?” This enforcement pattern is rooted in a simple truth: regulators start where consumers start. If the Do Not Sell link leads to a cookie banner, the opt-out form is buried, the privacy policy is outdated, or a request mechanism requires unnecessary steps, enforcement teams see that instantly. The message is that your UX is your compliance. If consumers can’t exercise their rights easily, the business is functionally non-compliant, regardless of its intentions.

What should businesses do about it? 

  • Conduct UX compliance audits to assess how data rights are operationalized in customer journeys. 
  • Ensure the “Do Not Sell or Share My Personal Information” link leads to an actual opt-out, not a cookie panel. Regulators flagged this specifically as misleading and noncompliant. 
  • Ensure every consent, deletion, or access mechanism is intuitive, minimal-step, and mobile-friendly. 
  • Test your designs with real users; if they can’t complete an opt-out in under a minute, neither will regulators. 

Hint #4 — Clarity Is the New Currency 

Across states, regulators are scrutinizing what consumers encounter first and how clearly rights are presented. Indiana’s privacy enforcers are zeroing in on readability and transparency in privacy notices. Regulators want to know if an average consumer can genuinely understand how their data is collected and used. Dense legal text, opaque language, and endless links now count against businesses. Privacy notices that confuse or overwhelm users are being treated as a lack of transparency, not a compliance detail. If a regular person can’t find or understand the mechanism, regulators treat it as noncompliance, regardless of intent. 

What should businesses do about it? 

  • Rewrite privacy notices in plain language that communicates the value exchange (“what you give, what you get”).
  • Use formatting, headers, bullet points, and summaries to make notices navigable. 
  • Perform readability testing to ensure policies score well on consumer comprehension metrics (Flesch-Kincaid, etc.). 
  • Provide short, contextual disclosures where decisions are made, not buried at the bottom of a webpage. 

Hint #5 — Children’s and Sensitive Data Are Enforcement Hot Zones 

With new amendments to the Colorado Privacy Act taking effect, regulators are prioritizing children’s privacy and sensitive data handling. States are aligning closer to the spirit of COPPA and GDPR, requiring opt-in verification for minors and imposing stricter controls on sensitive data categories such as health, biometrics, and geolocation. Expect more investigations into how businesses handle advertising, targeting, and consent for minors, especially in digital entertainment, retail, and gaming sectors. 

What should businesses do about it? 

  • Classify children’s and sensitive data as distinct categories in your data inventory. 
  • Implement verified opt-in parental consent for minors and enable opt-out defaults in child accounts. 
  • Limit tracking and ad personalization in child-facing interfaces. 
  • Review your adtech and analytics vendors to ensure their systems don’t undermine these safeguards. 

Hint #6 — Compliance Must Be Technically Verifiable 

Perhaps the most significant shift comes from California’s Michael Macko: regulators want to see the system work. It’s no longer enough to promise compliance through policy; businesses must be able to technically demonstrate that deletion, opt-out, and data-sharing restrictions function as intended. Enforcement teams are increasingly equipped with technologists and forensic experts who can test a company’s privacy controls firsthand. Compliance by documentation is giving way to compliance by validation. 

What should businesses do about it? 

  • Develop technical evidence plans that document how privacy features operate in real time. 
  • Run internal “mock audits” to verify opt-outs, deletion workflows, and global privacy controls function across devices. 
  • Maintain verifiable logs of user requests and responses. 
  • Treat privacy engineering as part of governance; legal compliance is only as strong as its technical execution. 
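As an added illustration of the “mock audit” and “verifiable logs” items above (example code written for this page, not Truyo’s or any regulator’s tooling), the Python mock-up below honors the Global Privacy Control browser signal (the `Sec-GPC: 1` request header) and an explicit opt-out, records every decision in a hash-chained log, and checks that the chain is intact; the endpoint shape, user ids and log format are constructed assumptions.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed mock of an opt-out endpoint for an internal "mock audit": honor a
# Global Privacy Control signal (Sec-GPC: 1) or an explicit opt-out, and append
# every decision to a hash-chained log that an auditor can verify offline.
class PrivacyControls:
    def __init__(self):
        self.opted_out = set()  # users whose sale/sharing is switched off
        self.log = []           # each record carries the hash of the previous one
    def _append_log(self, record):
        record["prev"] = self.log[-1]["hash"] if self.log else "0" * 64
        payload = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(payload).hexdigest()
        self.log.append(record)
    def handle_request(self, user_id, headers, explicit_opt_out=False):
        gpc = headers.get("Sec-GPC") == "1"  # browser-sent opt-out signal
        if gpc or explicit_opt_out:
            self.opted_out.add(user_id)
        decision = "opt_out_honored" if user_id in self.opted_out else "sharing_allowed"
        self._append_log({"user": user_id, "gpc": gpc, "explicit": explicit_opt_out,
                          "decision": decision,
                          "ts": datetime.now(timezone.utc).isoformat()})
        return decision
    def may_share(self, user_id):
        return user_id not in self.opted_out

def verify_log(log):
    """Recompute the chain; False if any record was altered, removed or reordered."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev") != prev or digest != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def mock_audit():
    """Constructed audit run: three users, three expected outcomes, plus a log check."""
    pc = PrivacyControls()
    pc.handle_request("u1", {"Sec-GPC": "1"})           # signal must be honored
    pc.handle_request("u2", {})                         # no signal, no opt-out
    pc.handle_request("u3", {}, explicit_opt_out=True)  # clicked Do Not Sell link
    checks = {"gpc_honored": not pc.may_share("u1"),
              "explicit_honored": not pc.may_share("u3"),
              "no_signal_unchanged": pc.may_share("u2"),
              "log_intact": verify_log(pc.log)}
    return pc, checks
```

Any failed key in `checks`, or a `verify_log` result of False, is the kind of evidence a technical reviewer would ask for before accepting a policy statement.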

The New Rules of Privacy Readiness 

Taken together, these six hints mark a turning point in how privacy enforcement will operate in the U.S. Most enforcement now begins with what is directly visible and accessible to consumers. The unmistakable message is that compliance is now continuous, collaborative, and demonstrable, and the era of one-and-done privacy policies is over. For businesses, this shift is as much an opportunity as it is a challenge. Those who move early to make privacy understandable, user-friendly, and technically verifiable will not only stay ahead of enforcement but also strengthen consumer trust at a time when it matters most. 


Author

Dan Clarke
President, Truyo
November 13, 2025