One hundred forty-five AI-related laws were enacted by state legislatures in 2025. More than 1,000 additional bills were introduced or revised. If your legal team isn’t tracking state AI legislation on a spreadsheet, you’re already behind.

The sharper cost is inside your SaaS stack. DataGrail’s Privacy and AI Trends Report 2026 audited 2,400 business software providers that advertise AI capabilities: 63.6% don’t disclose third-party AI subprocessors, and 32.8% of those AI systems already run high-risk activities including automated decision-making. Your vendors are routing customer data through models you never reviewed.

California publicly reported consent management settlements totaling $4.3 million in 2025 — that figure excludes non-public resolutions. Private law firm investigations into tracking pixels and session replay software drove more than 1,400 class action lawsuits last year. Sixty-three percent of websites still don’t honor browser opt-out signals, which is often the first thing regulators check, before they review the privacy policy.

The operational math is brutal. A medium-sized company with 5 million annual visitors spends $1.5 million per year on manual data subject request management. Deletion requests jumped 398% in 2025. Privacy teams are absorbing headcount cuts of up to 33% while handling more volume than ever.

Forty-two percent of companies abandoned AI projects in 2025 because of data privacy concerns. California’s finalized CPPA regulations now require executives to personally attest to completed privacy risk assessments under penalty of perjury, with submissions due April 2028. Privacy just moved from counsel’s inbox to the CEO’s signature line. Monday-morning action: audit which vendors in your stack advertise AI and pull their DPAs to confirm subprocessors are disclosed.

— Nathan Zakhary