How Many States Have Comprehensive Privacy Laws in 2026?
Twenty states now have comprehensive privacy laws on the books, though Florida’s law has a narrower scope than others. This evolving landscape requires organizations to navigate a complex and varied compliance environment as data privacy regulations continue to expand across the U.S.
Privacy Laws Taking Effect January 1, 2026
New comprehensive privacy laws in Indiana, Kentucky, and Rhode Island took effect on January 1, 2026. These laws largely mirror the template set in Virginia, though Rhode Island’s law has notably low applicability thresholds, covering entities that control or process the data of at least 35,000 consumers, or 10,000 consumers if more than 20 percent of revenue is derived from the sale of personal data. Kentucky’s law was amended before taking effect, with changes to health care data-level exemptions and clarified requirements for data protection assessments.
Oregon amended its privacy law to prohibit the sale of personal data when a controller has actual knowledge that a consumer is under 16 years of age. The amendment also prohibits the sale of precise geolocation data within a 1,750-foot radius. The 30-day right to cure expired on January 1, 2026.
California expanded its data broker registration law through SB 361, requiring data brokers to disclose more information about the personal data they collect, including details about sales to foreign actors, governments, or generative AI developers. The law also requires brokers to process opt-out requests using the California Privacy Protection Agency’s deletion mechanism within 45 days.
A new California consumer health data privacy law also took effect on January 1, 2026, prohibiting the collection, use, sale, sharing, or retention of personal data from individuals at or near family planning centers, except in limited circumstances. It also prohibits geofencing around in-person health care facilities for tracking or advertising purposes.
New California privacy regulations also came into force, requiring mandatory risk assessments for processing activities that present a significant risk to consumer privacy, with initial assessments due by April 1, 2028. Notice and opt-out rights for automated decision-making technology will take effect on January 1, 2027.
Nebraska’s Age-Appropriate Design Code also took effect at the beginning of the year, applying to online services with actual knowledge that data is from a minor, or when the service cannot reasonably conclude that fewer than 2 percent of its users are minors.
The Texas Responsible Artificial Intelligence Governance Act also took effect on January 1, 2026, prohibiting certain harmful uses of artificial intelligence and applying existing privacy requirements to data collected or processed for AI systems.
Mid-Year 2026 Privacy Law Implementation Timeline
Effective January 31, 2026
- Minnesota. The 30-day right to cure in Minnesota’s privacy law expires.
Effective June 1, 2026
- Kentucky. In Kentucky, data protection impact assessments are required for data processing activities created or generated after this date.
Effective July 1, 2026
- Connecticut. Amendments to the Connecticut Data Privacy Act take effect, lowering the applicability threshold to 35,000 Connecticut residents and extending coverage to entities that process sensitive data or sell personal data, regardless of volume.
- Arkansas. The Children and Teens’ Online Privacy Protection Act imposes privacy restrictions on operators of websites and online services directed at children or teens.
- Utah’s new law granting consumers the right to correct inaccuracies also goes into effect.
Effective August 1, 2026
- California will require data brokers to access the California Privacy Protection Agency deletion mechanism every 45 days and process deletion requests under the Delete Act.
Privacy Law Developments Beyond 2026
Effective January 1, 2027, California’s Age-Appropriate Design Code and the California Opt Me Out Act will take effect, as will Vermont’s Age-Appropriate Design Code. A New York Health Information Privacy Act proposal did not advance, reportedly due to concerns that the bill was overly broad and raised significant compliance challenges.
