As remote and hybrid organizations continue to accelerate their use of AI, automation, analytics, and digital engagement tools, the privacy and regulatory landscape is becoming more complex—and more consequential for customer experience, HR, and compliance leaders.

To help WFH Alliance members stay ahead of what’s coming, we asked a leading privacy and AI attorney to outline the most important trends and risks to be aware of as we enter 2026. Below are five high-level areas every organization using AI, digital tracking, and third-party platforms should be actively reviewing.

While these issues apply broadly across industries, they are especially relevant for contact centers and distributed workforces where AI, monitoring tools, and third-party platforms are deeply embedded in daily operations.

WFH Alliance will continue bringing members expert perspectives on the evolving legal, regulatory, and technology landscape shaping the future of remote and contact center work. If you’d like to see more guest insights like this, let us know.

Five Privacy & AI Trends to Watch in 2026

As we get into 2026, the privacy landscape continues to evolve quickly. This is driven by an expanding patchwork of state laws, enhanced rules in California on automated decision-making tools, and increased enforcement activity by regulators.

Below are five high-level privacy items to keep in mind for 2026.

1. AI Governance

Organizations are adopting AI systems at a rapid pace for various purposes. As AI adoption continues to outpace governing frameworks, state governments are increasingly taking the lead in AI regulation (e.g., updated CA regulations regarding automated decision-making technology, proposed IL rules requiring notice to employees/applicants when AI is used to influence or facilitate employment decisions).

Developing a robust AI governance framework—which includes conducting risk assessments, implementing transparency measures, and maintaining proper documentation—will be critical to ensure compliance with existing and future regulations.

2. Website Tracking

Website tracking technologies can provide enormous value to the organizations that utilize them. That said, there has been a recent surge in litigation targeting organizations that use website tracking technologies like session replay, cookies, and pixels.

Indeed, hundreds of lawsuits have been filed over the past few years alleging that the use of website tracking technologies violates wiretap and video privacy laws and constitutes a tortious invasion of privacy. Since non-compliance is public—anyone can visit your site, review your privacy disclosures (or lack thereof), check what features your site offers that may involve the automatic collection of data, and even run scans to determine what tracking technologies are in use—organizations that do not take proactive steps to ensure their websites are compliant risk becoming low-hanging fruit for claims.

3. Privacy Policies

As a company continues to grow, evolve, adopt new technologies (like AI), or otherwise make online and offline changes in its business practices, and/or operations, privacy policies may no longer accurately or completely reflect how personal information is collected and processed.

The company may also have service providers that collect and process personal information on behalf of the organization in ways that are different than they did when they began providing services to the business. Consider updating your privacy policy at least once every 12 months, which is a best practice even when not explicitly required by applicable law.

4. Data Minimization

Data minimization is the idea that you should only collect and use the minimum amount of data needed to do a particular task. 

With AI tools, it can be very quick and easy to process vast amounts of data and create new documents that store this data, which will inevitably result in the organization collecting and using much more data than actually needed. So, absent policies, procedures, and training that enforce data minimization, the natural trend as organizations increase their use of AI will be for them to increase their processing of data, which, in turn, increases data privacy and security risk. 

5. Vendor Management

Vendor oversight is a critical part of a data security program. This includes, for example, requiring vendors to complete a risk assessment with pointed data privacy and security questions (which would be evaluated by your IT team and/or legal counsel) and ensuring that the contract with the vendor contains reasonable safeguards to protect the organization's sensitive data. 

If a vendor has a data breach that impacts your organization’s sensitive data, the organization will be responsible for managing the fallout and complying with any applicable legal and contractual obligations. 

About the Author

This article was contributed by Gregory C. Brown, Jr., an associate in the New York City office of Jackson Lewis P.C. It is published by WFH Alliance with permission and is provided for educational purposes only; it does not constitute legal advice.

A key focus of Greg’s practice involves assisting clients in navigating emerging issues related to data privacy. As a member of the firm’s Privacy, AI & Cybersecurity group, he has helped organizations investigate, remediate, and respond to a wide range of data breaches. Greg also regularly defends clients against individual and class-based claims involving data breaches, website tracking technologies, and other tools that collect or process personal information.