U.S. states continue to crank out consumer privacy laws and regulations. Although only three new comprehensive consumer privacy laws are currently slated to take effect in 2026 (compared to the eight that took effect in 2025), the year ahead will almost certainly feature additional and consequential developments as regulators introduce new rules and enforcement priorities that will significantly impact how companies handle personal data. Below is a summary of the updates that businesses should consider as they update their compliance programs for the new year.
New State Consumer Privacy Laws
2026 will see Indiana, Kentucky, and Rhode Island’s comprehensive consumer privacy laws take effect. While each of these states’ new laws in many ways tracks the structure of existing data privacy laws (and should be a lighter compliance lift for organizations already in compliance with the Virginia Consumer Data Protection Act if adding compliance with Kentucky or Indiana’s law, and with the Maryland Online Data Privacy Act if adding compliance with Rhode Island’s law), they contain nuances that even businesses already complying with other data privacy laws will want to evaluate.
To bring themselves into compliance with the new laws, businesses will want to give particular focus to:
- Analyzing whether the business meets the criteria for the law to apply and ensuring it complies with obligations that apply to any company generally, such as Rhode Island’s privacy policy disclosure requirement.
- Reviewing privacy notices to incorporate rights granted to consumers in each state under the new laws.
- Updating data subject request and response mechanisms to accommodate any new rights and account for residents of the states with new laws, including providing appropriate appeal processes and opt-out rights.
- Establishing consent collection mechanisms for sensitive data collected from consumers.
- Evaluating (or implementing) data processing agreements for inclusion of statutorily required elements.
The three state laws coming into effect in 2026 are listed below with links to further information.
- Indiana Consumer Data Protection Act (January 1, 2026)
- Kentucky Consumer Data Protection Act (January 1, 2026)
- Rhode Island Data Transparency and Privacy Protection Act (January 1, 2026)
New Regulations, Amendments, and Regulatory Enforcement
In addition to new state laws, 2026 will bring significant regulatory updates that expand compliance obligations under existing consumer privacy laws. These changes reflect growing attention to automated decision-making, artificial intelligence, and consumer protection. Businesses should anticipate increased scrutiny from regulators and update their privacy programs to address these developments.
California Consumer Privacy Act (CCPA) Regulations: The California Privacy Protection Agency (CPPA) has finalized regulations that became effective January 1, 2026. The regulations expand compliance requirements by introducing detailed requirements in three core areas: automated decision-making technology (ADMT), meaning technology that makes decisions without human involvement; privacy risk assessments; and recurring cybersecurity audits. While these regulations introduce new compliance obligations, not all requirements will apply to every business, and several provisions will phase in over time.
Businesses using ADMT will need to provide consumers with new rights, such as access to information about ADMT use and the ability to opt out of certain automated decisions, while also implementing Pre-Use Notices prior to deploying ADMT for “significant decisions,” and updating privacy policies. Compliance with the ADMT provisions will be required starting January 1, 2027.
Additionally, some organizations must conduct risk assessments for high-risk processing activities (such as sale or disclosure of personal information for targeted advertising, processing sensitive personal information, and using ADMT to make “significant decisions,” among other types of processing) and submit summaries annually to the CPPA. Businesses must comply with the risk assessment requirements for applicable processing activities as of January 1, 2026.
Finally, companies meeting certain thresholds related to processing volume or sale of personal information will be required to arrange for recurring independent cybersecurity audits and submit certification thereof to the CPPA. The timeline for completing the initial cybersecurity audit is dependent on the gross revenue of the business, with the earliest report being due by April 1, 2028.
Amendment to Connecticut Data Privacy Act (CTDPA): SB 1295 was signed into law by Governor Ned Lamont on June 24, 2025, with most of its changes taking effect on July 1, 2026. The bill amends the CTDPA to lower the consumer threshold for applicability from 100,000 consumers to 35,000 consumers and to cover any entity that offers consumer personal data for sale. The amendment carves out a small exemption for entities processing consumer data solely for the purpose of completing a payment transaction. The amendment also changes certain consumer rights, data minimization requirements, and provisions governing profiling and artificial intelligence, and it expands the definition of sensitive data.
Amendments to Oregon Consumer Privacy Act (OCPA): Governor Tina Kotek signed two amendments to the OCPA, both of which took effect January 1, 2026. Provisions of the original OCPA requiring controllers to honor global privacy control signals for opting out of the sale of personal data or targeted advertising also come into effect July 1, 2026.
HB 2008 absolutely prohibits controllers from processing a consumer’s personal data for the purpose of targeted advertising, selling personal data, or profiling when the controller has actual knowledge, or willfully disregards, that the consumer is under the age of 16. The bill also amends the OCPA to prohibit controllers from selling precise geolocation data,
Additionally, HB 3875 amends the scope of the OCPA to cover all motor vehicle manufacturers that control or process personal data obtained from a consumer’s use of a vehicle. Prior to the amendment, there were exemptions for smaller manufacturers processing data for fewer than 100,000 consumers.
Kentucky AG Lawsuit Claiming AI Chatbot Violates the Kentucky Consumer Data Protection Act (KCDPA): On January 8, Kentucky’s attorney general announced a lawsuit against a company offering an AI chatbot. The suit alleges violations of the KCDPA, including that children’s personal information was collected without effective parental consent, verifiable age-gating, or identity verification mechanisms. This lawsuit is part of a larger trend of regulators focusing on AI tools and also shows the Kentucky Attorney General’s eagerness to enforce the KCDPA, as this case comes a week after the law entered into effect.
Looking Forward
The privacy landscape in 2026 shows a clear trend: regulators are prioritizing transparency, consumer control, and accountability in data practices. Businesses should not only monitor compliance deadlines but also anticipate heightened enforcement and evolving standards around automated decision-making and AI.
Taking proactive steps, such as updating privacy notices, revisiting data processing agreements, and implementing robust risk assessment frameworks, will be critical to mitigating regulatory risk and maintaining consumer trust.
If you have any questions about preparing for the upcoming 2026 state privacy laws, new regulatory requirements, or how these developments may impact your organization’s data practices, please contact one of the authors.
