
Inside the NAI Summit 2026: Key Takeaways for Moving Privacy Forward

The NAI Summit 2026 brought together industry leaders, state and federal regulators, congressional staff, and academics for two days of candid conversations about the future of data-driven advertising, data privacy, and the technologies reshaping both. From the Federal Trade Commission’s (FTC) focus on preventing concrete consumer harm and prioritizing enforcement, to the California Privacy Protection Agency’s (CalPrivacy) push to make privacy “easy” for consumers, the Summit made one thing clear: the rules of the road are being rewritten in real time, and the companies building thoughtful, well-documented privacy programs are best positioned to navigate what comes next.

Here are five key takeaways from this year’s discussions:

1. Enforcement Is Moving Toward Concrete Harm and “Showing Your Work”

The most consistent message across federal and state regulators was a shared shift in posture: away from theoretical risk and toward demonstrable, quantifiable consumer harm, paired with an expectation that companies can document and explain the privacy decisions they make.

At the federal level, FTC Principal Deputy Director, Bureau of Consumer Protection, Kate White laid out the Commission’s enforcement priorities in a wide-ranging conversation with the NAI’s Vice President of Public Policy, David LeDuc. Kids and teens lead the list, anchored by robust COPPA (Children’s Online Privacy Protection Act) enforcement. White emphasized that the commission has moved away from one-size-fits-all approaches and is focused on concrete, quantifiable harm rather than theoretical risk. She also confirmed a shift on enforcement of “dark patterns,” which is an evocative term but isn’t clearly rooted in the FTC’s jurisdiction to dictate business practices. White highlighted that the commission will continue to strenuously enforce any underlying deceptive or unfair practices in businesses’ provision of notice and consumer choice.

State enforcement is moving in a parallel direction, but with more granular scrutiny of specific user-interface choices. A state regulator panel featuring Alysa Hutnik from Kelley Drye, Dan Goldberg from Frankfurt Kurnit, Kashif Chand from the New Jersey Division of Law, and Michele Lucan from the Connecticut Office of the Attorney General highlighted that state attorneys general are staffing up, and the issues catching their attention are wide-ranging:

  • Cookie banner symmetry and functionality. If “accept” is one click, “reject” needs to be too. Endless scrolls, broken links, and unclear toggles are getting attention. Lucan emphasized that the “clear and conspicuous” standard for opt-out links is a high bar under the Connecticut Data Privacy Act. Regulators also shared that they are closely examining the functionality of cookie banners and whether tags are firing before a choice is registered.
  • Opt Out Preference Signals (OOPS). Regulators are closely evaluating how businesses comply with their state’s respective OOPS provisions, and specifically criticized the use of banners that encourage consumers to disable Global Privacy Control (GPC) for a better experience, describing this practice as a potential dark pattern.
  • Sensitive data consents. States are focused on whether affirmative, meaningful consent is obtained for the processing of sensitive data, including downstream uses for advertising.
  • Children’s privacy. States are universally prioritizing the protection of children and their data. Lucan pointed to her own state’s law, which was recently amended to ban the sale of data and targeted advertising for minors, representing another state that is expanding protections to those under the age of 18.
  • Privacy policies that ignore states. Conditional phrasing in privacy notices such as “you may have certain data rights under state privacy laws” continues to be scrutinized, as Lucan and Chand both emphasized that they expect consumers in their states to be declaratively informed of their privacy rights.

“Show your work” was a refrain echoed by both federal and state regulators. When state laws require risk assessments, data inventories, or vendor due diligence, regulators want proof that the company actually engaged with the analysis and can show a contemporaneous record of decision-making. Companies that can tell a coherent story about how they thought through a privacy decision fare considerably better than those that can’t. The panel was also blunt that underlying facts are not protected by privilege and that over-redacted reports invite skepticism.

2. Enacting a Federal Privacy Law is a Priority, and Congressional Leaders are Seeking to Build Consensus 

The recently introduced SECURE Data Act and the outlook for advancing this legislation in the 119th Congress took center stage at the Summit.

Dante Cutrona (Chief of Staff to Rep. John Joyce) and Evangelos Razis (House Energy and Commerce Counsel) provided insights into the design philosophy behind the bill. The drafters described a deliberately bottom-up process: roughly 200 in-person stakeholder meetings and 250 RFI responses, with the goal of grounding the bill in language and concepts that have already proven workable in state law. The bill is structured around three buckets: (1) provisions drawn from the state consensus framework spanning red, blue, and purple states; (2) areas where the drafters believe the bill improves on state baselines; and (3) issues uniquely important at the federal level, including data brokers and certain national security concerns.

Cutrona and Razis explained a few notable approaches:

  • Pseudonymous data is treated as a pragmatic middle ground, rewarding privacy-protective practices without forcing all data into a binary identifiable/not-identifiable framing.
  • No private right of action. The drafters pointed to the states and noted state privacy laws do not include a PRA.
  • The SECURE Act is not intended to be “the 51st state framework.” It is intended to function as a whole-economy bill.

Both panelists made the case that AI regulation and privacy regulation are inseparable: “You cannot regulate AI without regulating privacy,” but they also said that the first step is to establish a national data privacy law as a foundation.

3. Making Privacy “Easy” for Consumers Is the New Operational Frame in California

CalPrivacy Executive Director Tom Kemp emphasized his goal to make privacy easy for California consumers and businesses by promoting scalable solutions under the California Consumer Privacy Act (CCPA) and the California Delete Act. 

The agency’s tools to operationalize “easy privacy” include the DROP (Delete Request and Opt-out Platform); legislation enacted in 2025 to require browser vendors to provide opt-out preference signals by January 1, 2027; an ongoing assessment of updates to the CCPA and Delete Act regulations in key areas; and an aggressive public education effort that includes outreach to groups that need special protection.

On the legislative front, Kemp highlighted the agency’s unique, active role in promoting legislation to increase privacy protections, including legislation to amend the CCPA to ban the sale and sharing of sensitive personal information, and to align the law’s right to delete with other states. He also highlighted CalPrivacy’s support for legislation to increase protections under the Delete Act, including the fast-track deletion of elected officials’ personal information.

Comparing it to “radioactive material” that demands regulatory oversight, Kemp argued that personal data is driving much of our economy and that its misuse risks having significant negative impacts on consumers. On the long-running debate over whether notice-and-choice is dead, Kemp acknowledged Daniel Solove’s critique that consumers face a never-ending set of privacy chores but argued that opt-out preference signals and the DROP are the path to scaling consumer rights, not abandoning them. His closing characterization of the agency’s trajectory borrowed from Hemingway: “Gradually and then suddenly.”

CalPrivacy attorney Liz Allen followed with an operational deep-dive on the DROP that practitioners will want to revisit:

  • The production pipeline is launching. Roughly 290,000 deletion requests will be flowing through the DROP on August 1, the deadline for data brokers to access the DROP, at which point the 45-day status reporting clock begins.
  • “Direct relationship” is a business question, not a technical one. It turns on contracts and data flows. A pixel on a page is not a direct relationship. Interaction with a CMP is not a direct interaction.
  • Suppression lists must be maintained in perpetuity. The model is the Do Not Call registry. Companies don’t need to retain the list in the format delivered, but the obligation to suppress is ongoing, including against newly acquired lists.
  • Be careful with geofencing. The obligation attaches to California residents as defined in the tax code, and geofencing alone is unlikely to be a complete answer.
  • Hashed identifiers (name/DOB/ZIP) are combined and hashed jointly, not individually. The agency plans to update its guidance to clarify this.
  • The audits division is being built out. Allen’s advice: “Keep careful tabs on what we’re doing in the audit world.”

4. Agentic AI Doesn’t Need a New Rulebook — Yet

While the FTC’s Kate White made it clear that “the FTC is not an AI regulator,” a later panel discussed the privacy implications of agentic AI and surfaced a tension that ran throughout the Summit: how much of the existing privacy framework actually needs to change for AI, and how much can be extended? The panel consensus was that AI, agentic or otherwise, does not operate outside of existing privacy laws. Rather, the same considerations still apply: Why did you make these decisions? What was the purpose? Can you demonstrate the reasoning?

The conversation distinguished two categories of agentic deployments: (1) layering agents on top of existing architectures, which can largely be governed by current privacy principles because the data types and relationships aren’t fundamentally new; and (2) entirely new architectures involving vectorized user tokens and novel attribution mechanisms, which may require new ways of thinking. One clear conclusion: the panel was firmly against blowing up the existing framework prematurely.

Practical themes from the panel included:

  • Logging and auditability. Practitioners need to be able to answer a regulator’s “how did this decision get made?” question, which means logging instructions, intermediate steps, and outcomes, not just final actions.
  • Multi-agent authentication. When agents from multiple companies are working together on a user’s behalf, the challenges around identity, authorization, and accountability multiply.
  • Competing protocols. The variations among standards approaches, such as Universal Commercial Protocol (UCP), Ad Context Protocol (AdCP), and the Agentic Advertising Management Protocol (AAMP), are being watched closely, and the consensus was that they’re more complementary than in conflict.
  • Privacy by design from day one. Privacy considerations need to be built into the architecture, not bolted on after a product is shipped.

The panel also floated the idea of an NAI AI policy working group, an idea that earned unanimous support from the panelists. Members interested in shaping that work should reach out.

A parallel theme came up on the health audience targeting panel, which tackled head-on the misconception that has led to criticism of DTC health advertising: targeted health ads imply the advertiser knows the individual consumer. The panelists pushed back firmly on this misconception. “We work really hard to know as little as possible about people,” one panelist noted. Swoop’s entire product model, for example, is built around avoiding individual identification while still delivering condition-relevant information to communities of patients. Privacy-enhancing technologies (PETs) like de-identification, noise injection, and other techniques were described as the floor, not the ceiling, of responsible health targeting.

5. Self-Regulation Has a Renewed Mandate

A throughline that crossed nearly every panel was that the role of industry self-regulation has never been more important.

Kate White, drawing on Chairman Ferguson’s “neighborhood watch” framing at the 2025 NAI Summit, affirmed that the FTC takes self-regulatory commitments seriously and sees real value in industry programs that help members comply with the growing patchwork of state laws. White was clear that to the extent companies make representations about their commitments to self-regulation, the commission will hold them to those representations, reflecting a baseline level of trust in the model.

The panel on geopolitics, cross-border data restrictions, and PADFAA enforcement made the self-regulatory point even more concretely. The FTC has sent 13 warning letters to data brokers in connection with potential PADFAA violations, citing advertised availability of Americans’ data to countries of concern. The recommended posture for practitioners: treat this as a know-your-client function on steroids. Classify data, map flows, conduct customer due diligence, document everything, and be prepared to walk a regulator through the process step by step. The panel emphasized that the NAI can play an important role in setting reasonableness standards specific to digital advertising: standards that can’t be conclusive but can establish industry-specific benchmarks and reduce uncertainty for members.

State enforcers echoed the point. Both Lucan and Chand gave the NAI an explicit nod, noting that events like the Summit are exactly the kind of forum where productive dialogue between regulators and industry can happen. As Lucan put it: industry associations should keep doing this. On the data broker front, Lucan suggested that Connecticut intends to align its forthcoming data broker registry and deletion mechanism with California’s framework, promoting interoperability that aligns directly with what self-regulatory bodies have long argued for.

Even the Summit’s opening First Amendment panel reinforced the theme from a different angle. With the courts under strain and state legislatures testing the limits of commercial speech doctrine, credible industry standard-setting becomes more important, not less, as a counterweight and a reference point for regulators trying to draw reasonable lines.

Looking Ahead

If there was a single throughline from the NAI Summit 2026, it was convergence: federal and state regulators are aligning on concrete harm and documentation expectations; federal and state legislators agree on much of the substantive baseline of privacy legislation; agentic AI is being implemented under existing privacy frameworks, rather than triggering a wholesale rewrite; and self-regulation is being asked to do more, not less, of the work of operationalizing privacy at scale.

The conversations in the room among NAI members, industry leaders, regulators, congressional staff, and academics modeled the kind of collaboration the moment requires. We’re grateful to every speaker, panelist, and attendee who made the Summit what it was, and we’re already thinking about how to make 2027 even better. A special thanks goes out to Kelley Drye, Swoop, Davis+Gilbert, Google, OptimizeRx, HealthLink Dimensions, Squire Patton Boggs & ZwillGen for their generous sponsorships that helped make this event happen!

Have feedback on the Summit? Want to get involved in NAI working groups — including the proposed AI policy working group? Reach out to the NAI team.