
Jscrambler recently joined thousands of privacy and legal professionals at the IAPP Global Summit 2026 in Washington, D.C. It was an invaluable opportunity to connect with experts and leaders dedicated to the evolving landscape of data protection. As we look back, a few themes dominated the stage: the relentless march of AI, the need to challenge current data collection practices, the growing gap between policy and enforcement, and a big realization that the client-side "blind spots" are far larger than previously assumed.


1. Privacy Starts in the Browser: Confronting the Client-Side Blind Spot


A recurring topic throughout our discussions at the summit was the insufficiency of focusing solely on the network perimeter. Most organizations have spent years maturing programs designed to protect data once it passes into their network and lands in databases and servers. While this "systems of record" approach is effective for the traditional perimeter, it fundamentally ignores where data governance actually begins: the web browser.

While the industry acknowledges that data collection starts in the browser, a dangerous governance assumption persists. Most privacy frameworks assume collection begins only after a user clicks "submit." In reality, data collection begins the moment a user interacts with a page, typing into fields, submitting search queries, or simply navigating the website. If data cannot be governed at the precise moment it is formed, it cannot be fully protected.


The Loss of Control

Unlike servers and databases that operate on controlled infrastructure, code in the browser executes on the user’s device alongside dozens of third-party scripts. This environment is highly privileged but remains one of the least governed parts of the enterprise. 

Our discussions with the privacy experts at the summit highlighted several critical risks:

  • Observation Before Submission: Analytics, advertising pixels, and AI assistants can observe and collect sensitive personal data as it is first typed. This means names, emails, and even health symptoms can be collected before a user officially submits the data.

  • Scope Creep and Piggybacking: Many professionals were surprised by the prevalence of scope creep and "piggybacking." Third-party scripts can quietly update their own permission scopes or add "fourth-party" dependencies without oversight from the privacy team.

  • The DPA Enforcement Gap: This lack of visibility quickly renders data processing agreements (DPAs) and privacy notices obsolete. If a script deployed for simple analytics begins observing form fields for ad targeting without approval, it creates a purpose-limitation violation that exists entirely outside traditional server-side controls.

  • The Audit Record Deficit: Compliance is an evidence-based discipline. Most privacy programs rely on server-side logs, which only record what your servers received. They have no record of what a third-party script exfiltrated directly to an external server from the website, leaving legal teams without a complete audit trail for regulatory inquiries.
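As an added example (not Jscrambler's code or product), a small runtime audit hook that records which script attaches listeners for pre-submission input events on form fields, giving the interaction-level record that the bullets above say server-side logs lack. It wraps EventTarget.prototype.addEventListener, which browser form controls inherit; the field predicate and log shape are assumptions, and attribution takes the first stack frame outside the hook itself, so a wrapper library that proxies addEventListener will be named rather than the vendor behind it.

```javascript
// Events that expose typed or pasted field content before the form is submitted.
const PRE_SUBMIT_EVENTS = new Set(["input", "keydown", "keyup", "keypress", "change", "paste"]);
const FIELD_TAGS = new Set(["INPUT", "TEXTAREA", "SELECT"]);

// Assumed field predicate: anything that carries a form-control tag name.
function isFormField(target) {
  return typeof target.tagName === "string" && FIELD_TAGS.has(target.tagName.toUpperCase());
}

// Pull script locations (URL or file path, without line/column) out of a stack
// trace, in call order. Works with Chrome/Node "at fn (url:line:col)" and
// Firefox "fn@url:line:col" formats; internal "node:" frames are skipped.
function frameLocations(stack) {
  const re = /((?:https?|file):\/\/[^\s()]+|\/[^\s():]+):\d+:\d+/g;
  const out = [];
  for (const m of stack.matchAll(re)) out.push(m[1]);
  return out;
}

// Install the hook on an EventTarget prototype and return the audit log array.
// Each entry names the event, the field (name or id) and the registering script.
function installInputListenerAudit(proto = EventTarget.prototype, fieldPredicate = isFormField) {
  const log = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (PRE_SUBMIT_EVENTS.has(String(type)) && this && fieldPredicate(this)) {
      const frames = frameLocations(new Error().stack || "");
      const self = frames[0]; // this wrapper's own location
      const caller = frames.find((f) => f !== self) || "unknown";
      log.push({
        time: new Date().toISOString(),
        event: String(type),
        field: this.name || this.id || "(unnamed)",
        script: caller,
      });
    }
    return original.call(this, type, listener, options);
  };
  return log;
}

// Group the log by script so a privacy team can see which vendor can observe which field.
function summarize(log) {
  const byScript = {};
  for (const e of log) (byScript[e.script] ??= new Set()).add(`${e.field}:${e.event}`);
  return Object.fromEntries(Object.entries(byScript).map(([k, v]) => [k, [...v].sort()]));
}
```

Listeners placed on document or window also receive bubbled keystrokes, so widen the field predicate to include those targets if that coverage is needed.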


2. AI: The Dual-Edged Sword of Modern Privacy


AI was arguably the most ubiquitous topic at the summit, presenting both a transformative opportunity and a significant hurdle for privacy and legal teams. The conference featured a wealth of sessions focused on how to use AI tools to support privacy initiatives, ensuring sensitive data isn't fed to or surfaced by AI on the backend, and establishing robust strategies for vetting and onboarding new AI vendors.

However, amidst these deep dives into server-side security, one critical area remained largely unaddressed: AI running directly in the browser. While backend governance is essential, AI-powered tools like chatbots, assistants, and copilots increasingly operate client-side. These tools observe live page content and user interaction signals as input to provide real-time assistance. By doing so, they assemble context within the browser and transmit it to the outside world instantly, often falling under the vendor's privacy policy rather than your own.

Navigating evolving global mandates, such as the EU AI Act, requires a fundamental shift toward data traceability and a granular understanding of exactly where AI inputs originate. Because many AI systems are non-deterministic, data collection is no longer strictly bounded by static, predictable logic. This makes runtime governance an absolute necessity to prevent a strategic loss of control over the data being fed into these models at the point of origin.


3. The Reality of Ad Pixels and Personal Data Exposure


The backbone of many conversations Jscrambler had was our research into TikTok and Meta ad pixels, which was eye-opening for many. It sparked deep concern regarding the sheer volume of personal data harvested without clear oversight. While privacy teams knew these tags were active, they were often unaware of the extent: these pixels quietly ingest granular personal identifiers and interaction data directly from the browser.

When a pixel observes a user's behavior before they have even consented or submitted a form, it creates a massive "consent timing gap". This unauthorized collection of sensitive information, from health queries to shipping addresses, represents a major compliance risk under GDPR and CCPA. For privacy leaders, the takeaway was clear: relying on a static vendor list is no longer enough when ad tags can unilaterally expand their data-collection reach at the browser layer.


4. Data Minimization: Challenging the Status Quo


One of the most impactful sessions, "Less is More: Why Data Minimization Matters to Privacy Laws," emphasized that personal data should only be processed if it is reasonably necessary for a specific, lawful purpose. 

It wasn't just Jscrambler highlighting the issue of unchecked data collection by third parties on the web; speakers opened by challenging the status quo, noting that ad trackers like TikTok and Meta are collecting far too much data. They discussed the current "take it or leave it" reality where customers feel forced to either accept egregious over-collection or not use the service entirely.

Crucially, the session debunked the myth of the "check-the-box" privacy policy. Just because you disclose every data category you collect doesn't give you carte blanche to ignore minimization principles—a point made evident in the Healthline Media CCPA case. As more states pass regulations, the foundation of collection is shifting toward the customer's reasonable expectation. You must only collect what is expected and strictly necessary to deliver the specific product or service requested.

This shift represents a fundamental move away from "notice and choice" models that overwhelm consumers with endless pop-ups and fine print. Instead, we are entering an era of the "Burden Shift," where the responsibility is placed back on companies to align their technical practices with user expectations. 

Another key point covered by the panel was that keeping up with U.S. state regulations is becoming increasingly complicated, as seen in the diverging philosophies of different jurisdictions. Maryland, for instance, has adopted a "substantive" approach where collection is tied strictly to requested services. In contrast, California utilizes a "hybrid" model centered more on the context of the user interaction. This fragmented landscape underscores the importance of visibility into what data is being collected and why at the browser level, to simplify compliance with the varied requirements and philosophies across regional regulations.


5. The Governance Gap: Accountability Without Control


Another point of tension that Jscrambler discussed with attendees was the widening gap between written policy and actual enforcement. While privacy and legal professionals are not typically the ones deploying enforcement controls, they are ultimately the owners of their organization’s compliance posture.

In a traditional server-side environment, enforcement has become relatively straightforward – organizations have a litany of tools in place, including data security posture management (DSPM), data loss prevention (DLP), data governance tools, and endpoint protection, to enforce their governance and privacy policies.

However, the client side is a low-visibility environment, which makes it nearly impossible for legal teams to verify how data is handled before it reaches their servers. Without client-side visibility, they cannot see if a script is capturing search queries before a user clicks "submit." Furthermore, most privacy programs rely on server-side logs, which have no record of what a third-party script observed and exfiltrated directly to an external server.

This leaves privacy and legal teams without the necessary audit trail to defend their practices during a regulatory inquiry. To close this gap, organizations must adopt technical controls that provide interaction-level awareness at the browser layer.


Is Your Technical Reality Aligned with Your Privacy Commitments?


To evaluate your current governance stack, we encourage you to ask these five critical questions:

  1. Inventory: Do we have a complete inventory of all scripts executing in the browser—not just our server-side processors?

  2. Data Access: Which of these scripts can observe and collect form field input before submission?

  3. Contractual Review: Do our data processing agreements cover the data these scripts can technically access at all times, or only what we intend them to collect?

  4. Consent Timing: Has our consent implementation been tested to confirm it captures user choice before other scripts begin observation?

  5. AI Governance: Are browser-deployed AI tools included in our AI governance register?


Try Jscrambler

If you’re interested in learning more about how Jscrambler can help you extend data governance and privacy enforcement beyond the traditional perimeter into the browser, schedule a demo today!
