Skip to Main Content

Parker Poe

Keeping you informed

What 2025's Privacy and Consumer Protection Developments Mean for Your Company's Website in 2026

    Client Alerts
  • December 30, 2025

Regulators, plaintiffs' attorneys, and courts spent 2025 zeroing in on the user experience: how visitors opt out, give consent, cancel subscriptions, and access content. New state privacy mandates, browser-level opt-out requirements, shifting Telephone Consumer Protection Act (TCPA) and Federal Trade Commission (FTC) standards, and persistent accessibility litigation all lead to one conclusion: updating policies is not enough. Businesses must implement real, functional changes to their websites.

Federal rules may be delayed or scaled back, but states are stepping in to fill the gap. If your website is accessible to residents in any state, you should plan for compliance with state and local laws rather than relying solely on federal guidance. In addition to legal requirements, regulatory guidance continues to shape best practices that reduce litigation risk and strengthen user trust.

Universal Opt-Out Signals Are Now Expected

State regulators made clear that honoring universal opt-out mechanisms is not optional. California, Colorado, and Connecticut led enforcement sweeps requiring recognition of Global Privacy Control (GPC) and similar signals. California’s assembly bill 566 amended the California Consumer Privacy Act (CCPA) to require major browsers to include built-in, user-configurable opt-out preference signals by 2027. Once implemented, consumers will set an opt-out once at the browser level, and that choice will automatically communicate to websites.

Combined with existing universal opt-out requirements in at least a dozen states, browser signals are becoming the primary vehicle for "do not sell/share" and targeted advertising opt-outs for national businesses.

What this means for 2026: Treat browser-level signals as the default way consumers will exercise opt-out rights. Ensure your websites and consent tools can reliably detect and honor these signals across properties and vendors.

Consent and Subscription User Experience Remain Under the Microscope

In early 2025, the Eleventh Circuit, which covers Georgia, Florida, and Alabama, vacated the FCC’s "one-to-one consent" rule, and the FCC repealed it, restoring prior TCPA consent language. The one-to-one consent rule would have required companies engaged in telephone marketing to obtain consent from consumers for each individual seller (eliminating the ability to get broad-based consent for affiliated entities and products). While this halts a burdensome requirement, it does not eliminate risk and future rulemaking. State "mini-TCPA" laws in Florida, Texas, Georgia, and others impose stricter consent requirements and create significant litigation exposure, including private rights of action and uncapped damages.

The FCC and industry groups continue to recommend best practices:

  • Obtain clear, conspicuous, and unbundled consent for each marketing channel.
     
  • Avoid pre-checked boxes or blanket language.
     
  • Maintain detailed records of consent and honor revocation by any reasonable method, consistent with the FCC’s April 2025 revocation rule.

Separately, the FTC’s "click-to-cancel" rule was vacated, but regulators continue to bring cases alleging deceptive subscription practices and "dark pattern" interfaces under existing statutes.

What this means for 2026: Website forms, consent checkboxes, and subscription flows will remain a focus of TCPA and unfair/deceptive practices scrutiny. Assume regulators will use current laws to police confusing sign-up and cancellation flows, even if new rules are in flux.

Pixels, Video, and Privacy Litigation

Courts continued to grapple with lawsuits challenging tracking pixels and session-replay tools. California legislators proposed SB 690 to narrow certain claims under the California Invasion of Privacy Act (CIPA) by carving out routine commercial tracking that complies with the California Consumer Privacy Act (CCPA), but that bill will not be reconsidered until 2026 and would not take effect until at least 2027. The plaintiffs' bar and individuals continue to pursue claims under CIPA’s current language.

Federal courts issued mixed decisions in Video Privacy Protection Act (VPPA) cases involving website video content and third-party analytics tools. Some appellate decisions narrowed what counts as "personally identifiable information," while others allowed claims to proceed where logged-in status or contact information was shared with viewing data.

What this means for 2026: Websites that embed video, use pixels, or rely heavily on third-party analytics should expect continued litigation risk. Review what information is transmitted from your pages and how it is disclosed.

Accessibility: WCAG 2.1 AA Is the Benchmark

In 2024, the Department of Justice issued a final rule requiring state and local governments to make websites and mobile apps accessibility consistent with Web Content Accessibility Guidelines (WCAG) 2.1 AA. Although this Title II rule applies to public entities, it effectively sets WCAG 2.1 AA as the technical benchmark for accessibility and is already being cited in private enforcement and settlement discussions. Website accessibility lawsuits against private businesses, particularly retailers and service providers, continue to be filed in high volumes in federal courts.

What this means for 2026: Businesses that have not yet undertaken a structured accessibility remediation program should anticipate increased pressure from plaintiffs, regulators, or business partners to align public-facing sites with WCAG 2.1 AA.

Key Website Updates for 2026

Against this backdrop, businesses should:

  • Implement reliable universal opt-out handling. Detect and honor GPC and other signals for all states that require them, and confirm vendor tags respect those signals.
     
  • Tighten consent flows for calls, texts, and tracking. Maintain clear, unbundled consent language with separate checkboxes and records tied to specific channels and brands.
     
  • Re-evaluate subscription and cancellation processes. Ensure consumers can cancel online easily and that key price and renewal terms are clearly disclosed before submission.
     
  • Audit pixels, session-replay tools, and video pages. Inventory tracking technologies, map what data each tool sends to third parties, and consider limiting or reconfiguring pixels on pages with video or logged-in users.
     
  • Accelerate accessibility remediation. Treat WCAG 2.1 AA as the baseline and build accessibility into design systems, development checklists, and vendor requirements.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.

×
By using this website, you agree to our use of cookies.