
Key Takeaways:

  • In 2026, twenty states have comprehensive privacy laws in effect, with new laws in Indiana, Kentucky, and Rhode Island joining the landscape and several state privacy law amendments taking effect.
  • Key comprehensive privacy law effective dates this year include January 1 for Indiana, Kentucky, and Rhode Island, July 1 for Connecticut, Arkansas, and Utah, and August 1 for new California data broker registration requirements.
  • California expanded its data broker registration requirements, mandating more detailed disclosures and streamlined deletion request processing, while also enacting new consumer health data privacy protections.
  • States like Connecticut and Arkansas have tightened privacy protections for minors, with new age-appropriate design code requirements and restrictions on the sale and use of minors’ personal data.
  • Looking ahead, additional state privacy laws and age-appropriate design code measures are set to take effect in 2027, while some proposals, such as New York’s Health Information Privacy Act, did not advance.


While no new comprehensive state privacy laws were passed in 2025, lawmakers were far from idle. Several states amended existing privacy frameworks last year, and a number of previously enacted laws and regulations are now coming into force in 2026 and beyond. What follows is a practical rundown of the most important effective dates and substantive changes privacy teams should have on their radar.

How Many States Have Comprehensive Privacy Laws in 2026?

Twenty states now have comprehensive privacy laws on the books (counting Florida, which has a narrower scope than other state privacy laws).


Privacy Laws Taking Effect January 1, 2026

New comprehensive privacy laws in Indiana (IN SB 5), Kentucky (KY HB 15), and Rhode Island (RI HB 7787/SB 2500) take effect. All three largely mirror the template set in Virginia, although Rhode Island’s law has notably low applicability thresholds, covering entities that control or process the data of at least 35,000 consumers, or 10,000 consumers if more than 20 percent of revenue is derived from the sale of personal data. Kentucky’s law was amended last year (KY HB 473) before ever taking effect, with targeted changes to health care data-level exemptions and clarifications of when data protection assessments are required for profiling.

Oregon lawmakers amended their privacy law (OR HB 2008) to prohibit the sale of personal data when a controller has actual knowledge, or willfully disregards knowledge, that a consumer is under 16 years of age. The amendment also prohibits the sale of precise geolocation data relating to an individual’s location within a 1,750-foot radius. The 30-day right to cure also expired on January 1.

California expanded the state’s data broker registration law through CA SB 361, which requires data brokers to disclose significantly more information about the personal data they collect, including whether such data is sold to certain entities such as foreign actors, federal or state governments, or generative AI developers. The law also requires brokers to process opt-out requests using the California Privacy Protection Agency’s accessible deletion mechanism within 45 days of receipt.

California also enacted a consumer health data privacy law that took effect on January 1. The bill (CA AB 45), passed last session, prohibits the collection, use, sale, sharing, or retention of personal data from individuals at or near a family planning center, except in limited circumstances. It further prohibits geofencing around in-person health care facilities to track individuals, collect data, send notifications, or advertise.

In addition, new California privacy regulations took effect, requiring mandatory risk assessments for processing activities that present a significant risk to consumer privacy, with initial assessments due by April 1, 2028. The regulations also establish notice and opt-out rights for consumers when automated decision-making technology is used to make significant decisions, although those provisions do not take effect until January 1, 2027.

Nebraska’s Age-Appropriate Design Code (NE LB 504) also took effect at the beginning of the year. The law generally applies only when a covered online service has actual knowledge that data is from a minor, or when the service cannot reasonably conclude that fewer than 2 percent of its users are minors, unlike similar laws in Maryland and Vermont that apply to services reasonably likely to be accessed by minors.

The Texas Responsible Artificial Intelligence Governance Act (TX HB 149) also took effect on January 1, prohibiting certain harmful uses of artificial intelligence. The law applies existing privacy requirements to data collected or processed for AI systems, clarifies when an individual is deemed to have consented to biometric capture, and creates limited exceptions for biometric data used to train AI models under specified conditions.

Mid-Year 2026 Privacy Law Implementation Timeline

Effective January 31, 2026

  • Minnesota. The 30-day right to cure in Minnesota's privacy law expires.

Effective June 1, 2026

  • Kentucky. In Kentucky, data protection impact assessments are required for data processing activities created or generated after this date.

Effective July 1, 2026

  • Connecticut. Amendments to the Connecticut Data Privacy Act enacted last year (CT SB 1295) take effect this summer, significantly expanding the law’s reach and tightening substantive obligations. The bill lowers the applicability threshold from 100,000 to 35,000 Connecticut residents and extends coverage to entities that process sensitive data or sell personal data, regardless of volume. It replaces the broad GLBA entity-level exemption with a narrower data-level exemption and refines other financial services carve-outs. The definition of sensitive data is expanded to include disability-related treatment, nonbinary status, neural data, certain financial account information, and government-issued identification data. It also now encompasses data derived from genetic or biometric data, rather than only the underlying data itself. Controllers must obtain separate consent to sell sensitive data and must provide consumers with a list of third parties to whom their personal data has been sold. Data collection is limited to what is “reasonably necessary and proportionate” to disclosed purposes, and controllers must disclose when data is collected, used, or sold to train large language models. The amendments also add new protections for minors, including prohibitions on the sale of minors’ data, restrictions on targeted advertising, and limits on geolocation collection to what is strictly necessary.
  • Arkansas. Arkansas lawmakers also passed the Children and Teens’ Online Privacy Protection Act (AR HB 1717), which imposes privacy restrictions on operators of websites, online services, and applications directed at children or teens, or that have actual knowledge a user is a teen. The law requires informed parental consent for the collection or disclosure of a minor’s personal information, grants parents the right to delete accounts or correct personal information, and prohibits the collection of personal data from known children for targeted advertising or purposes beyond the context of the requested service.
  • Utah. Utah's new law (UT HB 418), which grants consumers the right to correct inaccuracies, also goes into effect this summer.

Effective August 1, 2026

  • California. California will require data brokers to access the California Privacy Protection Agency deletion mechanism every 45 days and process deletion requests under the Delete Act (CA SB 362).

Privacy Law Developments Beyond 2026 (Looking Ahead to 2027)

Finally, effective January 1, 2027, are California’s Age-Appropriate Design Code (CA AB 1043), the California Opt Me Out Act (CA AB 566), and Vermont’s Age-Appropriate Design Code (VT SB 69). Notably absent from this list is New York’s Health Information Privacy Act (NY A 2141/S 9292), a proposal similar to Washington’s consumer health data law. Governor Kathy Hochul vetoed the bill last month, expressing concerns that the bill was overly broad and raised significant compliance challenges.

Tracking State Technology and Privacy Legislation

MultiState’s team is actively identifying and tracking technology and privacy issues so that businesses and organizations have the information they need to navigate and effectively engage. If your organization would like to further track these or other related issues, please contact us.