The Privacy Landscape Is Shifting Faster Than Most People Realize

The first half of 2026 has delivered more privacy-related regulatory, technical, and legal developments than any comparable period in US history. California's DELETE Act (SB 362) is approaching its August 2026 implementation deadline. State privacy laws now cover more than half the US population. The EU's AI Act enforcement began in earnest. And the data broker industry is consolidating under regulatory and legal pressure.

These are not isolated events. They are leading indicators of a fundamental shift in how personal data is collected, brokered, and regulated. Here is what we expect heading into 2027.

Prediction 1: A Federal Privacy Bill Will Pass — But It Will Be Weak

The American Privacy Rights Act (APRA) stalled in 2024. A revised version circulated in early 2026 with bipartisan support, but disagreements over private right of action, state law preemption, and enforcement mechanisms have continued to block passage.

We predict that a federal privacy bill will pass by mid-2027, but it will be substantially weaker than what privacy advocates have sought:

State preemption: The bill will likely preempt some state laws but carve out exceptions for California (CCPA/CPRA) and possibly Illinois (BIPA). This creates a two-tier system rather than a uniform national standard.
Limited private right of action: Enforcement will be primarily through the FTC and state attorneys general, not individual lawsuits. This dramatically reduces the deterrent effect.
Data broker registration: The bill will likely require federal registration for data brokers, similar to California's existing requirement but with lighter compliance obligations.
No meaningful data minimization: Industry lobbying will weaken data minimization requirements to the point of ineffectiveness.

The practical impact for consumers: marginal improvement over the status quo. Comprehensive protection will continue to require active management of your data broker exposure.

Prediction 2: Five More States Will Pass Comprehensive Privacy Laws

As of mid-2026, 20 states have enacted comprehensive consumer privacy laws. We predict that at least five more will pass legislation effective by 2027, bringing the total to 25 states covering approximately 65% of the US population.

The most likely states:

New York: The New York Privacy Act has been introduced in multiple legislative sessions. Growing momentum and constituent pressure make passage increasingly likely.
Massachusetts: A consistent privacy bill sponsor with a politically favorable environment.
Pennsylvania: The state's size and economic significance make it a high-impact candidate.
Michigan: Active legislative efforts through 2025-2026 suggest proximity to passage.
North Carolina: A growing tech sector is creating bipartisan interest in data governance.

The state-by-state patchwork creates compliance complexity for businesses but generally strengthens consumer rights. For data broker opt-outs, more state laws mean more legal leverage for deletion requests.

Prediction 3: California's DELETE Act Will Spark Copycat Legislation in Three States

California's DELETE Act (SB 362) requires the California Privacy Protection Agency (CPPA) to establish the Data Rights Online Portal (DROP) — a one-stop mechanism for California residents to request deletion from all registered data brokers simultaneously. The platform is required to be operational by August 2026.

If DROP launches successfully (and early testing suggests it will), we predict at least three states will introduce "DELETE Act" equivalents by late 2027:

Oregon: Already has strong privacy leanings and a data broker registration requirement
Colorado: The Colorado Privacy Act includes deletion rights that could be extended to a centralized mechanism
Connecticut: An early mover on comprehensive privacy that has shown willingness to go beyond baseline requirements

The DELETE Act model is attractive to legislators because it reduces the burden on consumers (one request vs. hundreds) and creates accountability through broker registration. The limitation remains coverage — DROP only reaches brokers that register with California, which excludes many smaller people-search sites and offshore operations.

Prediction 4: AI Regulation Will Create New Data Privacy Requirements

The EU's AI Act began phased enforcement in 2025, with full application for most AI systems by August 2026. The US is following a different path — no comprehensive AI regulation at the federal level, but a growing patchwork of state-level and sector-specific requirements.

By 2027, we expect:

AI training data transparency requirements: At least two states will require AI companies to disclose the sources of their training data, including whether personal information from data brokers is used. This creates a new privacy dimension — your broker data is not just being sold to marketers, it is training AI models that make decisions about you.

Automated decision-making disclosure: Several state privacy laws already include provisions around automated decision-making. By 2027, these provisions will be tested in enforcement actions, particularly around AI systems that use data broker information for credit decisions, hiring, and insurance underwriting.

Synthetic data requirements: As regulators tighten restrictions on using real personal data for AI training, the synthetic data industry will boom. However, "synthetic" data derived from real personal data profiles (which describes most of it) will face increasing scrutiny.

AI-powered data broker tools: Data brokers themselves will increasingly use AI to enrich profiles, predict behavior, and create more detailed consumer segments. This creates a feedback loop — AI makes broker data more valuable, which incentivizes more collection, which feeds more AI training.

The bottom line: AI regulation will not replace the need for data broker removal. It will add new dimensions to the privacy problem and create new regulatory leverage for deletion requests.

Prediction 5: Data Broker Industry Consolidation Will Accelerate

The data broker industry is consolidating, driven by regulatory compliance costs, competition from first-party data (companies collecting their own data directly), and increasing consumer awareness.

By 2027, we predict:

At least two major acquisitions: Mid-tier brokers will be acquired by larger players seeking scale to absorb compliance costs. Acxiom's acquisition by IPG (now Kinesso), Oracle's exit from the advertising data business, and similar moves indicate the direction.

People-search site attrition: The long tail of small people-search sites will shrink as CCPA enforcement, DELETE Act compliance, and consumer opt-out volume make the business model less profitable for smaller operators. We expect 10-15% attrition in the number of active people-search sites by late 2027.

Enterprise broker pivot to "privacy-safe" branding: Major data brokers will rebrand around privacy-compliant data solutions, emphasizing consent-based data collection and "privacy-safe" targeting. The underlying data practices may not change as dramatically as the marketing suggests.

For consumers, consolidation is a mixed signal. Fewer brokers means fewer opt-out requests, but larger consolidated brokers hold deeper and harder-to-remove data profiles.

Prediction 6: Biometric and Neural Data Become the Next Privacy Frontier

Illinois BIPA (Biometric Information Privacy Act) demonstrated the legal and financial impact of biometric privacy regulation — with over $1 billion in settlements by 2025. We predict this trend will expand dramatically:

More states pass biometric laws: Texas and Washington already have biometric laws, but without private right of action. By 2027, at least two more states will enact BIPA-equivalent laws with private right of action.

Neural data protection emerges: Colorado passed the first law addressing neural data privacy in 2024, targeting brain-computer interface companies and neurotechnology. As consumer neurotechnology grows (meditation headbands, focus-enhancing devices, gaming interfaces), more states will follow with neural data protections.

Voice data from smart speakers and assistants: Amazon Alexa, Google Home, and Apple Siri recordings will face increasing regulatory scrutiny. FTC actions against voice data retention practices are likely by 2027.

Gait and behavioral biometrics: Retail stores and surveillance systems that use walking patterns, typing cadence, and behavioral characteristics for identification will face new legal challenges.

Prediction 7: Browser Privacy Will Fragment Further

The browser privacy landscape is splitting:

Chrome: Google's Privacy Sandbox continues evolving. Third-party cookies remain available but increasingly supplemented by Topics API and related mechanisms. Chrome's dominant market share means advertisers adapt to Google's timeline.

Safari and Firefox: Strong privacy defaults continue with enhanced tracking protection. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection block most third-party trackers by default.

Privacy-focused browsers: Brave, DuckDuckGo Browser, and similar alternatives will gain market share but remain niche (estimated 5-8% combined by 2027).

The prediction: browser-level privacy improvements will continue reducing cross-site tracking but will not address the data broker problem. Data brokers source information from public records, commercial databases, and direct data purchases — not from browser tracking. Even perfect browser privacy leaves your public records, voter registration, property deeds, and court filings fully exposed.

Prediction 8: Identity Verification Will Replace Traditional Identity Proof

The shift from knowledge-based authentication ("What was your previous address?") to identity verification ("Scan your driver's license and take a selfie") will accelerate through 2027. This has a surprising privacy implication:

Knowledge-based authentication questions draw their answers from data broker databases. Your previous addresses, your relative's names, your past employers — these are all sourced from Acxiom, LexisNexis, and similar providers. As knowledge-based authentication declines, one major use case for data broker data weakens.

However, the shift to identity verification creates new risks — centralized repositories of government ID scans and biometric selfies become high-value targets for breach.

What This Means for You

The privacy landscape in 2027 will be more regulated, more complex, and more consequential than at any previous point. But regulation alone will not protect you. Laws create the right to request deletion; exercising that right at scale still requires tools and automation.

Key takeaways:

State privacy laws are your best tool today. Do not wait for federal legislation. Use CCPA, VCDPA, CPA, and other state laws to request deletion now.
AI training on personal data is a new exposure vector. Your data broker profiles may be feeding AI models you interact with daily.
The DELETE Act model will expand but will not cover everything. Centralized deletion portals will reach registered brokers only — the smaller, less compliant brokers require direct engagement.
Consolidation does not mean fewer exposures. Merged brokers consolidate data profiles, creating richer records that are more valuable and harder to fully remove.

Automate Your Privacy with GhostMyData

The regulatory environment is evolving in your favor, but it will not protect you automatically. GhostMyData scans 1,500+ data broker sites, submits removal requests using the strongest privacy law applicable to your state, and continuously monitors for new listings.

Whether the landscape in 2027 brings federal legislation, AI disclosure requirements, or DELETE Act expansion, your personal data remains exposed until someone requests its removal. We handle that — continuously.

Start your free privacy scan to see your current exposure level and begin reducing it today.

Frequently Asked Questions

Will a federal privacy law make state laws like CCPA irrelevant?

Unlikely. Most federal privacy bill proposals include some degree of state preemption, but California (CCPA/CPRA) is expected to receive a carve-out. Even with federal legislation, the strongest state laws will likely remain in effect, giving residents of those states more robust protections than the federal baseline.

How does AI regulation affect data brokers?

AI regulation creates new transparency and accountability requirements for companies that use personal data to train AI models or make automated decisions. Since data brokers are a primary source of training data and decisioning inputs, AI regulation indirectly increases regulatory pressure on the broker industry and may create new deletion rights tied to AI training data.

Should I wait for the DELETE Act to handle my removals?

No. The DELETE Act (DROP platform) applies only to California residents and only to brokers registered with the state. Many people-search sites and smaller brokers are not registered. Additionally, DROP processes deletions on a 45-day cycle, while individual removal requests can often be processed in 3-14 days. Use available tools now and supplement with DROP when it launches.

Will data brokers disappear if enough regulations pass?

The data broker industry will shrink and consolidate, but it will not disappear. Personal data is too valuable to too many industries. What will change is the regulatory cost of operating as a data broker, which will push out smaller operators and force larger ones toward more compliant practices. Active management of your data exposure will remain necessary.

Data Privacy Predictions: What's Coming in 2027