Privacy and AI Heatmap for 2026: What Device & Drug Makers Should Watch in 2026
January 27, 2026
Privacy and artificial intelligence (AI) regulation and enforcement have been heating up in the U.S. and around the world. What should device and drug makers expect in 2026?
At Gardner Law, we continuously monitor regulatory, legislative, and enforcement developments that shape privacy, data use, and AI risk for FDA-regulated companies. In the year ahead, we are watching potentially sweeping changes in data and AI regulations in Europe, ongoing U.S. privacy enforcement trends, states leading the way in privacy and AI, litigation and enforcement related to online tracking technologies, and a growing clash between federal and state-level AI policymaking.
Big Changes to GDPR, AI Act, and Other EU Data Regulations?
In November, the European Commission proposed a package of reforms, or “Digital Omnibus,” to better align and simplify the European Union’s General Data Protection Regulation (GDPR), AI Act, Data Act, NIS2, and ePrivacy Directive. The intention behind the proposal is to reduce the cost of compliance by harmonizing and streamlining these rules. The proposal will next be considered by the European Parliament and the Council of the European Union, where it is likely to be revised through the legislative process. Some of the key changes proposed include:
- Revisions to the definition of personal data
- Longer breach notification timelines with narrower notification triggers
- Single-entry point breach reporting
- Reduced obligations for certain high-risk AI developers
- Adjusted applicability timelines for various high-risk AI systems tied to other major regulatory frameworks
- Incorporation of cookie regulation into GDPR
Where is U.S. Privacy Enforcement Headed?
U.S. privacy enforcement has prioritized two things in recent years: sharing of personal data with third parties without adequate consent or notice and data breaches caused by security lapses. This is not likely to change in 2026. We are also seeing several new state laws and regulations take effect this year:
- California’s new regulations on automated decision-making, cybersecurity audit, and risk assessment are beginning to take effect, with some provisions effective Jan. 1, 2026
- Laws in Indiana, Rhode Island, and Kentucky become effective for companies that meet personal data processing thresholds
- Oregon’s comprehensive privacy law will require companies covered by the law to honor universal opt-out mechanisms (such as global privacy control signals) and will remove its 30-day cure period on Jan. 1, 2026
- The Colorado AI Act, which was postponed until June 30, 2026, becomes effective barring further amendments
- The Texas Responsible Artificial Intelligence Governance Act (“TRAIGA”) took effect on Jan. 1, 2026
State Privacy Laws Continue to Lead the Way

We expect to see state legislatures continue addressing new or emerging privacy issues. For example, going back as far as 2024, several states including California, Connecticut, and Montana tailored existing laws to protect “neural data” (definitions vary) to establish further protections covering identifiable information about the brain and nervous system. Each of these states has taken its own approach to regulating this data, requiring careful comparison of the data at issue with the relevant laws to determine applicability and compliance requirements. While it is not surprising that states are defining identifiable data about brain and central nervous system activity as sensitive personal data, these developments, together with the emergence of additional AI legislation, signal that many state legislatures are sensitive to the implications of new technologies and are likely to continue legislative efforts to keep pace.
Online Tracking Technologies
Enforcement targeting online tracking technologies, including cookies, pixels, scripts, and other tools that collect and share personal information online, is a point of emphasis at both the state and federal levels. We do not see this changing in 2026, especially with more state laws coming into effect this year. We also expect enforcement of the numerous state privacy laws passed in recent years to ramp up as those laws ripen.
Federal AI Policymaking
A recent executive order proposes withholding federal funds and threatens potential litigation if state AI legislation is found to be counter to federal AI policy as laid out in the order. The order particularly calls out the Colorado AI Act's algorithmic discrimination provisions. Given that state-level legislation is likely to be the primary driver of AI regulation for now, this is a notable development in national AI policy.
Naturally, with this recent order and the attempt to include a 10-year state AI law moratorium in the One Big Beautiful Bill Act (which was ultimately struck from the bill by a near-unanimous Senate vote, despite passing the House), we do not anticipate that federal AI regulation will be implemented any time soon.
What Can Drug and Device Makers Do to Prepare?
Drug and device makers should prepare by engaging with privacy and AI experts and building a strong privacy, cybersecurity, and AI governance program that can support compliance and mitigate risk during a time of changing standards and enforcement trends. If you have an existing program, conduct audits and other monitoring to ensure it addresses the latest requirements. Review your website configurations and tools to ensure alignment with the latest online tracking technology regulations. Evaluate your AI governance policies for consistency with applicable laws and best practices.
Companies with strong data and AI governance strategies will see their efforts pay off not only in mitigating critical risks including litigation, data breaches, and enforcement actions, but through better positioning with both customers and strategic partners in the marketplace.
-- Paul Rothermel, Managing Attorney
If you have questions about these updates or are looking for experienced counsel and guidance in enhancing or implementing privacy and AI governance programs, contact Gardner Law. Our attorneys have deep experience advising drug and device makers of all sizes on privacy and AI matters.