MINNEAPOLIS (February 2, 2026) — Lathrop GPM and The Minnesota Department of Employment and Economic Development (DEED) are proud to announce the release of the 2026 edition of A Legal Guide to Privacy and Data Security, a comprehensive resource designed to help businesses understand and manage the rapidly evolving landscape of privacy and data security laws in the United States and worldwide.
Prepared by counsel Michael Cohen with the assistance of other Lathrop GPM lawyers, the guide continues its mission of providing accessible, plain-language explanations of complex privacy obligations faced by businesses and organizations along with best practices. The 2026 guide is available free of charge through DEED’s Small Business Assistance Office website and Lathrop GPM.
This twelfth edition of the guide arrives as more U.S. states enact comprehensive privacy laws – 20 states as of January 1, 2026 – creating a patchwork system that requires businesses to comply simultaneously with varying definitions, consumer rights, thresholds and enforcement regimes. Minnesota’s own Minnesota Consumer Privacy Act (MCPA), which took effect July 31, 2025, introduced new requirements including mandatory data inventories, profiling transparency, retention limits and documentation obligations. Unlike many other state data privacy laws, the MCPA does not exempt and covers non-profit organizations.
Key Insights
The 2026 guide highlights several significant shifts in the privacy and data security landscape that directly affect U.S. businesses:
1. The United States remains without a single federal privacy law – leaving businesses to manage a growing multistate compliance burden.
Twenty states now have comprehensive privacy laws, each with different applicability thresholds, definitions of “personal data,” and obligations for businesses. This patchwork approach to privacy legislation could pose compliance and liability risks for companies that have multistate operations.
2. Regulation is intensifying around children’s data, AI systems and automated decision‑making.
The guide outlines strengthened children’s privacy protections, new AI‑governance expectations and consumer rights to understand and challenge algorithmic decisions.
3. Data security expectations are rising, with frameworks like the National Institute of Standards and Technology (NIST) becoming de facto standards.
Regulators increasingly view “reasonable security” as mandatory; inadequate safeguards may be deemed unfair or deceptive practices under the Federal Trade Commission (FTC) Act.
4. Businesses must operationalize privacy through data mapping, retention limits, documentation and vendor oversight.
The guide stresses that regulators now expect proof of compliance, not just policies – and Minnesota’s MCPA is the first in the United States to expressly require maintaining a data inventory.
“As privacy laws evolve at an unprecedented pace, businesses of every size must modernize their compliance programs,” said Michael Cohen. “This year’s edition underscores not only the expanding number of state privacy laws but also the new regulatory focus areas – particularly AI, children’s data and automated decision‑making – that will shape compliance strategies going forward.”
A Legal Guide to Privacy and Data Security 2026 is available for download at the DEED Small Business Assistance Office website and through Lathrop GPM.
For additional information, please contact Lathrop GPM’s Data Privacy & Cybersecurity Compliance team.