Data Privacy Day is around the corner...


January 2026

Data Privacy Day is January 28
This annual observance highlights the growing importance of protecting personal data in an increasingly AI-driven and interconnected world. From evolving U.S. state privacy laws to the EU AI Act and sector-specific cybersecurity obligations, organizations face a complex risk landscape. Data Privacy Day serves as a reminder that strong governance, defensible security practices, and lawful AI deployment are critical not only for compliance but also for maintaining customer trust and enterprise value.

Insights


New Year, New You*! (* – Privacy Laws): What Businesses Need to Know

Authored By: Brian Focht


AI Notetakers in the Boardroom: Privilege and Privacy Considerations

Authored By: Andrew DeWeese


Preserving Privilege in Cyber Incident Response: What Recent Cases Teach and How to Structure Investigations from Day One

Authored By: Jade Davis


Analysis of New Cyber Threats: Artificial Intelligence (AI)‑Driven Risks Accelerating in 2026

Authored By: Nick Carr


Avoiding the Dreaded Denial: What Corporate Policyholders Should Know About Their Cyber Insurance Policies

Authored By: Meagan Cyrus


Legislative & Regulatory

New State Laws Effective January 1, 2026

Indiana, Kentucky, Rhode Island: These states implemented broad, comprehensive consumer data privacy laws, bringing the total number of states with such laws to 19.

Global Privacy Controls and Universal Opt-Out Mechanisms

In 2026, 12 states will now require recognition of such mechanisms, with Delaware, Oregon, and Texas joining the list in recent months.

California Consumer Privacy Act (CCPA)

Seven critical CCPA compliance changes took effect January 1, 2026, including expanded risk assessment requirements. These assessments are no longer optional exercises; they are mandatory compliance obligations with significant strategic value. The other changes include opt-out verification and status confirmation, an extended timeline for requests to know, enhanced requirements for requests to correct, specific rights related to health data, and the new requirement to classify youth data as sensitive Personally Identifiable Information (PII).

California's Delete Act and DROP System

Beginning in 2026, California residents can submit a single request through a state-run portal to demand the deletion of their information from all registered data brokers.

Enforcement Actions

California Privacy Protection Agency (CPPA) Issues Enforcement Advisory Highlighting Data Broker Registration

CalPrivacy has issued Enforcement Advisory No. 2025-01, addressing data broker registration requirements related to trade names, websites, and parent or subsidiary relationships. According to the advisory, some data brokers may be making it difficult for consumers to identify them by using trade names or websites that do not appear on their annual registration. The advisory highlights the requirement that data brokers disclose all trade names and website addresses through which they provide services. It also emphasizes that data brokers must register independently, rather than pointing to a parent company's or affiliated entity's registration.

CPPA adv. ROR Partners

The CPPA required ROR Partners LLC, a Nevada-based marketing firm catering to fitness and wellness brands, to pay $56,600 in fines and past-due fees for failing to register as a data broker.

Expanded Enforcement Capacity

California’s amendments to Civil Code §§ 1798.155 and 1798.160 fundamentally restructure how privacy enforcement is financed. The prior model diverted 91 percent of fine revenue into a state investment fund, leaving limited resources available for privacy operations. The new model eliminates that investment structure and creates three dedicated subfunds:

  1. Consumer Privacy Subfund (CalPrivacy)
  2. Attorney General Consumer Privacy Enforcement Subfund
  3. Consumer Privacy Grant Subfund

This creates a compounding feedback loop: more enforcement generates more penalties; more penalties fund more enforcement. In combination with DROP and the one-time fiscal year 2025–2026 fund infusion, California now has the most robust privacy enforcement framework in the U.S.

Belgium Data Protection Authority (DPA)

The DPA issued a reprimand to a hospital for failing to implement sufficient measures for managing access to electronic health records after a physiotherapist accessed information on the sex of an unborn child.

A private text conversation between a pregnant woman (the data subject) and her physiotherapist revealed the sex of the data subject's unborn child. The data subject had intended to wait until the birth of the child to find out this information.

The data subject submitted an access request to the hospital where the pregnancy tests had been performed. The request revealed that the physiotherapist had accessed the electronic health record (EHR) of the data subject and her unborn child three times.

The data subject and the child's father, representing the interests of the child, filed a complaint with the Belgian DPA. While this case arose in Belgium, similar issues continue to occur in the U.S. under the Health Insurance Portability and Accountability Act (HIPAA), but reporting has shifted from HIPAA channels to state Attorneys General and other data protection authorities in the U.S.

Notable Data Breaches

TriZetto Provider Solutions

The Cognizant-owned provider of revenue management services to physicians, hospitals, and health systems has started notifying certain healthcare clients about a cybersecurity incident identified on October 2, 2025, when suspicious activity was detected within a web portal used by some of its healthcare provider customers to access TriZetto systems. It is currently unclear how many of its healthcare provider clients have been affected or the scale of the data breach.

University of Hawaii Cancer Center

An August 2025 ransomware attack resulted in the acquisition of sensitive data of study participants.

University of Hawaii Cancer Center, part of the University of Hawaii (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center's press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.

The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawaii Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. University of Hawaii Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients' protected health information.

The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawaii Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.

Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawaii Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.

Petco

The pet product retailer revealed that an incorrect configuration of a software application allowed access without adequate restrictions. The company resolved the issue, but data was still exposed.

University of Phoenix: 3.5M Individuals Impacted

The organization disclosed unauthorized access affecting over 3.5 million individuals, including students, applicants, and employees.

Breach cause: The Clop ransomware gang exploited a third-party provider's system.

Learn more about Shumaker's Technology, Data Privacy, Cybersecurity & AI Service Line

Contributors:

Jade Davis

Partner

Brian Focht

Senior Counsel

Nick Carr

Partner

Andrew DeWeese

Associate

Special Contributor:

Meagan Cyrus

Partner


Shumaker, 1000 Jackson St, Toledo OH 43604