145 AI laws passed in 2025 and privacy teams aren’t catching a break

https://www.helpnetsecurity.com/2026/06/01/datagrail-ai-privacy-risks-report/

Publish Date: 2026-06-01 00:00:00

Source Domain: www.helpnetsecurity.com

145 AI-related laws were enacted by state legislatures in 2025, and more than 1,000 additional bills were introduced or revised, according to DataGrail’s Privacy and AI Trends Report 2026.

Average cost of manual data subject request management (Source: DataGrail)

Shadow AI risks

Of the 2,400 popular business software providers that advertised AI capabilities, 63.6% did not disclose third-party AI subprocessors in their legal documentation, exposing businesses to shadow AI risks they may not be aware of.

AI risk management requires visibility into how AI is used and what data it processes. DataGrail found that 32.8% of AI systems participate in at least one high-risk activity, including sensitive data processing and automated decision-making.

AI capabilities are not always disclosed in legal documentation, limiting visibility into how personal data is accessed and processed. The flexibility of AI applications can make it difficult to anticipate higher-risk use cases.

Opt-out compliance

During 2025, California publicly reported consent management settlements totaling $4.3 million. This figure does not include non-public settlements.

Investigations by private law firms into tracking pixels and session replay software contributed to more than 1,400 class action lawsuits in 2025. This count excludes the thousands of cases estimated to have been settled out of court, making consent enforcement too costly to treat as an acceptable risk.

Organizations continue to overlook one of the simplest compliance measures: browser opt-out signals. This consent check often provides regulators with an initial view of a company’s privacy compliance posture before they review the privacy policy.

Privacy laws in more than 10 U.S. states require businesses to honor universal opt-out mechanisms, including Global Privacy Control. Despite those requirements, 63% of websites fail to honor opt-out signals.

Fewer than 15% of users make an explicit choice to opt out of some or…
