Technology & Privacy
How AI-Generated Content Laws Are Changing Across the Country
February 12, 2026 | Max Rieper
Key Takeaways:
- In 2026, twenty states have comprehensive privacy laws in effect, with new laws in Indiana, Kentucky, and Rhode Island joining the landscape and several state privacy law amendments taking effect.
- Key comprehensive privacy law effective dates this year include January 1 for Indiana, Kentucky, and Rhode Island, July 1 for Connecticut, Arkansas, and Utah, and August 1 for new California data broker registration requirements.
- California expanded its data broker registration requirements, mandating more detailed disclosures and streamlined deletion request processing, while also enacting new consumer health data privacy protections.
- States like Connecticut and Arkansas have tightened privacy protections for minors, with new age-appropriate design code requirements and restrictions on the sale and use of minors’ personal data.
- Looking ahead, additional state privacy laws and age-appropriate design code measures are set to take effect in 2027, while some proposals, such as New York’s Health Information Privacy Act, did not advance.
While no new comprehensive state privacy laws were passed in 2025, lawmakers were far from idle. Several states amended existing privacy frameworks last year, and a number of previously enacted laws and regulations are now coming into force in 2026 and beyond. What follows is a practical rundown of the most important effective dates and substantive changes privacy teams should have on their radar.
How Many States Have Comprehensive Privacy Laws in 2026?
Twenty states now have comprehensive privacy laws on the books (counting Florida, which has a narrower scope than other state privacy laws).
Privacy Laws Taking Effect January 1, 2026
New comprehensive privacy laws in Indiana (IN SB 5), Kentucky (KY HB 15), and Rhode Island (RI HB 7787/SB 2500) take effect. All three largely mirror the template set in Virginia, although Rhode Island's law has notably low applicability thresholds, covering entities that control or process the data of at least 35,000 consumers, or 10,000 consumers if more than 20 percent of revenue is derived from the sale of personal data. Kentucky's law was amended last year (KY HB 473) before ever taking effect, with targeted changes to health care data-level exemptions and clarified when data protection assessments are required for profiling.
Oregon lawmakers amended their privacy law (OR HB 2008) to prohibit the sale of personal data when a controller has actual knowledge, or willfully disregards knowledge, that a consumer is under 16 years of age. The amendment also prohibits the sale of precise geolocation data relating to an individual's location within a 1,750-foot radius. The 30-day right to cure also expired on January 1.
Need guidance on how new state privacy laws affect your organization? MultiState's technology and privacy policy practice helps businesses navigate the evolving state privacy landscape and develop strategies that work across jurisdictions. Learn more about our tech policy practice →
California expanded the state's data broker registration law through CA SB 361, which requires data brokers to disclose significantly more information about the personal data they collect, including whether such data is sold to certain entities such as foreign actors, federal or state governments, or generative AI developers. The law also requires brokers to process opt-out requests using the California Privacy Protection Agency's accessible deletion mechanism within 45 days of receipt.
California also enacted a consumer health data privacy law that took effect on January 1. The bill (CA AB 45), passed last session, prohibits the collection, use, sale, sharing, or retention of personal data from individuals at or near a family planning center, except in limited circumstances. It further prohibits geofencing around in-person health care facilities to track individuals, collect data, send notifications, or advertise.
In addition, new California privacy regulations took effect, requiring mandatory risk assessments for processing activities that present a significant risk to consumer privacy, with initial assessments due by April 1, 2028. The regulations also establish notice and opt-out rights for consumers when automated decision-making technology is used to make significant decisions, although those provisions do not take effect until January 1, 2027.
Nebraska's Age-Appropriate Design Code (NE LB 504) also took effect at the beginning of the year. The law generally applies only when a covered online service has actual knowledge that data is from a minor, or when the service cannot reasonably conclude that fewer than 2 percent of its users are minors, unlike similar laws in Maryland and Vermont that apply to services reasonably likely to be accessed by minors.
The Texas Responsible Artificial Intelligence Governance Act (TX HB 149) also took effect on January 1, prohibiting certain harmful uses of artificial intelligence. The law applies existing privacy requirements to data collected or processed for AI systems, clarifies when an individual is deemed to have consented to biometric capture, and creates limited exceptions for biometric data used to train AI models under specified conditions.
