[[[SUMMARY_START]]]

Privacy is shifting from a simple idea of “keep my data secret” to a more complex set of controls, audits, and system-level design choices.
In 2026, California began offering a one-stop deletion request tool aimed at data brokers, while enforcement obligations phase in later this year.
In Europe, early-stage obligations under the EU AI Act are reshaping how general-purpose AI models document data practices and transparency.
At the same time, age checks and other “proof of identity” systems are expanding online, raising new questions about how to verify users without collecting more data.

[[[SUMMARY_END]]]

Privacy is no longer defined only by what people choose to share. It is increasingly shaped by modern systems that quietly collect, infer, and trade information, and by new rules that require companies to build privacy controls into products and data pipelines.

Across the United States and Europe, 2026 is bringing a practical shift: privacy is becoming something users exercise through standardized tools, and something regulators measure through repeatable processes. But the same period is also seeing growth in identity and age-assurance checks, and in AI systems that rely on large-scale data—two trends that can pull privacy in the opposite direction.

## A new kind of privacy tool: delete requests at system scale

One of the clearest examples of “privacy by system” is California’s Delete Request and Opt-out Platform, known as DROP.

The tool became available to California residents on January 1, 2026. It is designed to let a person submit a single request that reaches all data brokers registered with the state, rather than forcing consumers to contact firms one by one.

DROP was created under the 2023 Delete Act. The rollout is staged. While consumers can submit requests now, data brokers are required to begin processing those deletion requests starting August 1, 2026. After that date, brokers must check the platform on an ongoing basis and handle deletion requests within set timelines.

This approach reflects a shift in how privacy is being defined. For many users, the most persistent privacy exposure is not a social media post. It is the downstream market for personal data—where addresses, phone numbers, device identifiers, and other details can be bought, enriched, and resold.

## AI privacy is moving from policy promises to engineering choices

Another major shift is happening through generative AI.

Some consumer products are trying to reduce privacy risk by changing where processing happens. One widely discussed approach is on-device AI, where requests are handled locally when possible. Another is a “private cloud” model that aims to keep data protected even when more computing power is needed.

At the same time, regulators are pushing AI providers toward clearer documentation and transparency.

In the European Union, the EU AI Act is taking effect in phases. The European Commission has said some governance rules and obligations for general-purpose AI became applicable on August 2, 2025, ahead of broader application in 2026. The Commission has also highlighted transparency duties for certain interactive or generative AI systems, and documentation expectations for general-purpose model providers.

The impact is practical. Privacy is increasingly tied to questions such as: What data was used to train a model? What is logged when users interact with a system? Which parts of a request are processed locally versus remotely? And what controls exist to prevent sensitive data from being retained or reused?

## Age checks, safety rules, and the new “show your papers” problem

While deletion tools and AI transparency rules can strengthen user control, other modern systems expand data collection in the name of safety and compliance.

In parts of Europe, age verification requirements have been expanding for certain online services. The United Kingdom’s Online Safety Act has been linked to new age-check expectations for adult content providers, and France has also moved toward stronger age assurance in some contexts.

Age assurance can be implemented in privacy-preserving ways, but it can also create new data trails. The privacy challenge is not only whether a user is verified, but how. Systems that rely on document scans, facial analysis, or persistent identifiers can reduce anonymity and increase the consequences of data breaches.

## Privacy becomes a negotiation between convenience, control, and accountability

Taken together, these trends show how privacy is being redefined.

First, privacy is becoming more procedural. It is less about reading a policy and more about using standardized mechanisms—delete portals, universal opt-outs, and account-level controls.

Second, privacy is becoming more architectural. It depends on design choices like data minimization, short retention windows, and local processing.

Third, privacy is becoming more enforceable, at least in certain places. Instead of relying only on user awareness, regulators are pushing for repeatable compliance measures, registries, and penalties tied to operational behavior.

But privacy is also becoming more conditional. As platforms add AI features and governments add safety rules, more online activities may require verification, continuous monitoring, or expanded data collection.

For consumers, the new privacy landscape is likely to feel mixed: more tools to regain control, but also more moments where using a service requires sharing—or proving—something about who they are.

AI Perspective

Modern privacy is increasingly shaped by infrastructure, not individual choices. The most durable protections now tend to come from system design—what is collected, what is stored, and what can be deleted at scale. The next test will be whether new verification and AI rules can be met with methods that prove eligibility or safety without steadily expanding surveillance.