MARK37 Resources

Privacy Bill Tracker

US Privacy Bill Tracker: Every Federal & State Law (2026)

The United States has no comprehensive federal data privacy law — and depending on who you ask, that may be more feature than bug. While privacy advocates frame the absence as a failure, others see federal “privacy” legislation as government standardizing its own access to your data, locking in surveillance infrastructure under the banner of consumer protection, and preempting stronger state laws that actually have teeth.

What follows is a complete tracker of every significant privacy law and bill at the federal and state level — enacted laws, sectoral laws covering health, biometrics, children, and data brokers, and everything pending right now. Read the details carefully. Not every bill called a “privacy” law is designed to protect yours.

Last Updated: July 3, 2026

Status key: ✅ Enacted & in effect  |  🔵 Enacted — future effective date  |  🟡 Pending / in progress  |  🔴 Stalled or failed  |  ⚫ Session closed without passing


Federal Privacy Bill Tracker: Legislation & Status

Comprehensive Consumer Privacy Bills

🟡 SECURE Data Act (HR 8413) — Pending, House Committee

House Republicans’ big federal privacy push, introduced April 2026. The goal is to replace every state privacy law with one federal standard — which sounds clean until you realize it would wipe out stronger state laws that actually have enforcement teeth. Gives you the right to see, fix, delete, and download your data, and lets you opt out of your data being sold or used for targeted ads. Companies would need parental consent before collecting data on anyone under 16. The FTC and state AGs would enforce it, but you can’t sue companies yourself.
HR 8413 · House Energy & Commerce Committee · Introduced Apr 22, 2026 · Subcommittee hearing held Jun 3, 2026

UPDATE Jun 2026: The House Subcommittee on Commerce, Manufacturing, and Trade held a formal hearing on HR 8413 on June 3, 2026 — the first significant movement since introduction. The same week, a bipartisan coalition of state attorneys general from 44 states sent a letter to Congressional leadership opposing the bill’s preemption provisions, arguing federal law must set a floor not a ceiling. A companion bill was also introduced: the GUARD Financial Data Act (HR 8398), which would update the Gramm-Leach-Bliley Act’s financial privacy rules alongside SECURE Data Act passage.

🟡 Online Privacy Act of 2026 (HR 8014) — Pending, House Committee

A Democratic proposal that would create an entirely new federal agency — the Digital Privacy Agency — dedicated solely to enforcing your data rights. Goes after “behavioral personalization,” which is the technical term for platforms using algorithms to build a profile on you and manipulate what you see. Still sitting in committee with little momentum.
HR 8014 · Mar 2026 · Rep. Lofgren

🟡 Consumer Data Privacy and Security Act of 2026 (S 4211) — Pending, Senate Committee

A Senate bill that gives you the right to know what data companies have on you, fix it if it’s wrong, and delete it. Also requires companies to actually secure your data and hold their vendors to the same standards. FTC enforces it. If the feds open a case against a company, states have to stand down — which is a red flag for anyone who thinks state enforcement is more reliable.
S 4211 · Mar 25, 2026 · Sen. Moran · Senate Commerce Committee

🔴 American Privacy Rights Act (APRA) — Failed, 118th Congress

A bipartisan bill that got further than most — it cleared committee in 2024 — but never made it to a floor vote. Killed by fights over whether it would override California’s tougher privacy law and whether regular people should be able to sue companies directly. Congress changed hands after the 2024 election and the whole thing reset from scratch.

🔴 American Data Privacy and Protection Act (ADPPA) — Failed, 117th Congress

The first comprehensive federal privacy bill to actually clear a full committee — passed unanimously in 2022. Then it died. California didn’t want its stronger state law wiped out, and neither Republicans nor Democrats could agree on whether individuals should have the right to sue. It never got a floor vote.

Children’s Privacy & Online Safety — Federal

TAKE IT DOWN Act — Signed into Law, May 2025

The only new federal privacy law passed in 2025. Makes it a crime to post or threaten to post intimate images of someone without their consent — including AI-generated fake images (deepfakes). Platforms have 48 hours to take down flagged content once someone reports it. Platforms had until May 19, 2026 to build and implement their removal systems — that deadline has now passed, meaning full enforcement is in effect.
Signed May 19, 2025 · Platform removal procedure compliance deadline: May 19, 2026 (now passed)

COPPA Rule Amendments (FTC Final Rule) — In Effect

An update to the 1998 children’s privacy law. Tightens the rules on what companies can collect from kids under 13 and gives parents more control over how that data gets used and shared. Companies had until April 2026 to fully comply.
Effective Jun 23, 2025 · Full compliance deadline Apr 22, 2026

🟡 Kids Online Safety Act (KOSA) — Pending, House Full Committee

Been bouncing around Congress since 2022. The Senate passed it 91–3 in 2024 — that’s about as bipartisan as it gets. The House version waters it down considerably: where the Senate said platforms have a legal “duty of care” to protect kids, the House version just says platforms need “reasonable policies.” Passed a House subcommittee in December 2025, but the Senate and House versions are still far apart.
House subcommittee advanced Dec 11, 2025 · 119th Congress active

🟡 COPPA 2.0 — Pending

Extends the existing children’s online privacy law to cover teens up to age 17, not just kids under 13. Would restrict how platforms collect and use teen data and limit targeted advertising aimed at minors. Passed the Senate as part of a package in 2024 but stalled in the House. A revised version is moving again as of late 2025.
Senate passed Jul 2024 · House subcommittee advanced Dec 2025

🟡 Don’t Sell Kids’ Data Act of 2025 (HR 6292) — Pending

Specifically targets data brokers — companies that buy and sell your information as a business. Would make it illegal for them to collect, use, or sell data on anyone under 18. If a data broker has a minor’s data, they have 10 days to delete it after a request.
HR 6292 · Dec 2, 2025 · House Energy & Commerce

🟡 KIDS Act — Kids Internet and Digital Safety Act (HR 7757) — Bipartisan Agreement Reached, Pending House Floor

The most significant development in federal children’s privacy this year. On June 22, 2026, Chairman Brett Guthrie (R-KY) and Ranking Member Frank Pallone (D-NJ) announced they had reached a bipartisan agreement on a single consolidated KIDS Act — a major shift from the partisan committee vote in March 2026. This is no longer a standalone bill; it now absorbs all 14 of the major child safety proposals from the December 2025 subcommittee package into one omnibus law. Component bills folded into the KIDS Act:

Notably absent from this list (still separate, standalone bills — see entries below): the App Store Accountability Act and Don’t Sell Kids’ Data Act of 2025, both of which remain controversial enough that they were not folded into the bipartisan deal. The bipartisan KIDS Act agreement significantly increases the odds of a House floor vote and eventual Senate consideration — something no children’s privacy package has achieved in the 119th Congress to date. 44 state attorneys general had filed a letter in May 2026 opposing the earlier partisan version over preemption concerns; it’s unclear whether the new bipartisan text addresses that objection.
Bipartisan agreement announced Jun 22, 2026 · House Energy & Commerce Committee · Pending floor vote

🟡 SAFE for Kids Act (S 4741) — Safety and Age Filtering Enforcement — Pending, Senate

Introduced June 10, 2026 by Sen. Jim Banks (R-IN). Requires commercial websites where more than one-third of the content is sexually explicit material harmful to minors to implement age verification before granting access. This is specifically an online pornography age verification bill, not a broad social media or general internet age verification law — the “commercial entities” language in the bill text is standard drafting, but the one-third-explicit-content threshold means it targets adult content sites, not social media platforms or general e-commerce. FTC enforcement through consumer protection law; DOJ may investigate knowing violations; private right of action for parents and guardians. Supported by Heritage Action, American Principles Project, Ethics and Religious Liberty Commission, and Concerned Women for America. The bill has significant legal tailwind: the Supreme Court upheld online pornography age verification requirements in Free Speech Coalition v. Paxton (2025), removing a major constitutional obstacle that had blocked earlier state versions of this type of law. Over 25 states have already enacted similar requirements at the state level. No House companion bill yet as of this update.
S 4741 · Introduced Jun 10, 2026 · Sen. Jim Banks (R-IN) · Referred to Senate Commerce Committee · No companion House bill yet

🟡 App Store Accountability Act (HR 3149) — Pending, Not Included in Bipartisan KIDS Act

Would require Apple and Google to verify a user’s age before letting minors download apps or make in-app purchases — putting the responsibility on the app store rather than individual apps. Advanced through subcommittee and full committee in late 2025/early 2026 but was deliberately excluded from the June 2026 bipartisan KIDS Act agreement. Some Democrats, including Rep. Jake Auchincloss, have called this proposal a “handout to Meta” since it shifts liability away from individual social media platforms onto Apple and Google. Several states (Texas, Utah, Louisiana) have already enacted similar laws — see the State Laws section below.
Passed House Energy & Commerce Committee · Excluded from bipartisan KIDS Act deal Jun 2026

🟡 Sammy’s Law (HR 2657) — Pending, Not Included in Bipartisan KIDS Act

Would require large social media platforms to build real-time APIs that parents can use to delegate monitoring of their child’s account to third-party safety software companies. Drew criticism from privacy advocates (including the Center for Democracy and Technology) who argue it would expose children’s sensitive data to third-party actors with insufficient privacy safeguards and enable 24/7 monitoring of children’s private communications. Not included in the bipartisan KIDS Act deal.
HR 2657 · Reps. Wasserman Schultz and Carter (GA)

Data Brokers — Federal

🟡 DELETE Act — Pending

Right now if you want data brokers to delete your information, you have to contact each one individually — and there are hundreds of them. This bill would force the FTC to build a single website where you submit one request and every registered data broker has to honor it. Also creates a permanent “do not track” list so they can’t collect your data going forward. Bipartisan bill reintroduced in 2025.
Reintroduced Apr 3, 2025 · Senate Commerce Committee

Federal AI Legislation — Privacy Implications

🟡 American Leadership in AI Act (HR 8516) — Pending

Introduced April 27, 2026 by Reps. Ted Lieu (D-CA) and Jay Obernolte (R-CA) — bipartisan legislation consolidating over 20 standalone AI proposals from the Bipartisan AI Task Force. Nearly 200 pages covering AI standards, federal AI adoption, workforce impacts, cybersecurity, and R&D funding. Addresses AI-enabled crimes including deepfakes and fraud. Referred to seven House committees. Distinct from the Great American AI Act (see below).
HR 8516 · Introduced Apr 27, 2026 · Multiple committees

🟡 Great American AI Act (GAAIA) — Discussion Draft, Not Yet Formally Introduced

Released as a discussion draft on June 4, 2026 by Reps. Jay Obernolte (R-CA) and Lori Trahan (D-MA). At 269 pages, the most comprehensive federal AI governance framework proposed to date. Key provisions: requires large frontier AI developers (over $500M revenue) to undergo semi-annual third-party audits; establishes disclosure requirements; addresses workforce impacts; and — most controversially — would preempt state AI development laws for three years. That preemption provision would effectively freeze California, New York, and Illinois AI transparency laws during the preemption window. Still a discussion draft soliciting public feedback; not yet formally introduced as a bill. Democratic opposition emerged within hours of release.
Discussion draft released Jun 4, 2026 · Obernolte/Trahan · Not yet formally introduced

🔴 AI Preemption Moratorium (10-year) — Dropped from Final Law

A 10-year moratorium on all state AI laws was inserted into the House version of the “One Big Beautiful Bill” budget reconciliation package (HR 1) and passed the House in a narrow 215-214 party-line vote on May 22, 2025. If enacted, it would have preempted every state AI law nationwide — California, Colorado, New York, Illinois, and 1,000+ pending state AI bills — for a decade. It faced fierce opposition including from some Senate Republicans (Sen. Blackburn argued states couldn’t stop protecting consumers while waiting for Congress to act) and faced a likely Byrd Rule challenge in the Senate. The moratorium was stripped from the bill before final passage. President Trump signed the final One Big Beautiful Bill into law on July 4, 2025 — without the AI moratorium. States remain free to regulate AI. The Great American AI Act (discussion draft, see above) now proposes a narrower 3-year preemption instead.
HR 1 · House passed May 22, 2025 · Stripped before Senate vote · Not enacted

Government Surveillance & Warrantless Data Access — Federal

This is the section of federal privacy law that matters most if you believe the biggest threat to your data isn’t corporations — it’s government. All four bills below would restrict the federal government’s ability to access your personal data without a warrant. Three specifically target the practice of law enforcement and intelligence agencies simply buying your data from data brokers, bypassing the Fourth Amendment entirely. The Supreme Court handed down a landmark ruling on geofence warrants on June 29, 2026, making this the most active area of federal privacy litigation right now.

Chatrie v. United States — Supreme Court Ruling, June 29, 2026

In one of the most significant Fourth Amendment rulings in years, the Supreme Court held that law enforcement accessing geofence warrant data from Google constitutes a “search” under the Fourth Amendment, requiring a warrant supported by probable cause. Geofence warrants allow law enforcement to demand that companies like Google hand over data on every device in a geographic area during a specific time window — sweeping in hundreds or thousands of people with no connection to the crime being investigated. The ruling directly limits government location data collection and gives the pending surveillance reform bills below significant legal tailwind.
Chatrie v. United States, No. 25-112 · Supreme Court · Decided Jun 29, 2026

🟡 Government Surveillance Reform Act of 2026 (S 4082) — Pending, Senate Judiciary

Introduced by Sen. Ron Wyden (D-OR) with bipartisan co-sponsors Sen. Mike Lee (R-UT), Sen. Elizabeth Warren (D-MA), and Sen. Cynthia Lummis (R-WY). The most comprehensive federal surveillance reform bill in the 119th Congress. Would require warrants before law enforcement can access your location information, web browsing records, and search query history. Critically, also bans federal law enforcement and intelligence agencies from simply buying your personal data from commercial data brokers to get around warrant requirements — a loophole the CIA’s former Deputy Director once said produced intelligence so sensitive “you would keep it Top Secret” if it had been collected through traditional methods. Includes protections for car data, metadata, and third-party service provider data.
S 4082 · Sen. Wyden, Lee, Warren, Lummis · Senate Judiciary Committee · Introduced Mar 2026

🟡 Protect Liberty and End Warrantless Surveillance Act of 2026 (HR 7816) — Pending, House Judiciary

The House companion to the Senate surveillance reform effort. Includes Title II, the “Fourth Amendment Is Not For Sale Act,” which specifically prohibits law enforcement and intelligence agencies from purchasing personal data from data brokers. The same provision passed the House Judiciary Committee unanimously in the previous Congress but stalled before a floor vote. Also includes FISA reform and geofence warrant restrictions.
HR 7816 · House Judiciary Committee · Referred Mar 2026

🟡 Surveillance Accountability Act (HR 8470) — Pending, House Judiciary

Introduced by Reps. Thomas Massie (R-KY) and Lauren Boebert (R-CO). Would require a warrant for any government search that significantly impinges on privacy — including accessing data, metadata, or personal information held by banks, telecoms, internet providers, cloud storage, or data brokers. Closes the “third-party doctrine” loophole that lets agencies argue data loses Fourth Amendment protection once it’s shared with any company. Creates a private right of action — you can sue the government directly for violations. The most expansive of the three surveillance bills; least likely to advance but sets a marker for what genuine surveillance reform would look like.
HR 8470 · Reps. Massie, Boebert · House Judiciary · Introduced Apr 2026

Facial Recognition & Biometric Surveillance — Federal

The federal government has no comprehensive law governing how it uses facial recognition technology. The Trump administration has been aggressively expanding biometric surveillance — DHS is consolidating facial recognition across CBP, ICE, USCIS, and TSA into a single centralized matching engine — while simultaneously removing internal oversight directives. A May 1, 2026 Congressional Research Service report documented the expansion without a single law in place governing it. Four bills are pending:

🟡 Facial Recognition Act of 2025 (HR 4695) — Pending, House Judiciary

Introduced by Rep. Ted Lieu with bipartisan cosponsors. Would regulate law enforcement use of facial recognition technology: requires annual accuracy and bias testing by NIST, training standards for human operators, and a prohibition on using facial recognition for mass “face surveillance” (tracking people without suspicion). A facial recognition match alone cannot establish probable cause — corroborating evidence is required. Does not ban law enforcement facial recognition outright; sets guardrails.
HR 4695 · Reps. Lieu, Clarke, Gomez · House Judiciary · Introduced Jul 2025

🟡 Traveler Privacy Protection Act of 2025 (S 1691) — Pending, Senate Commerce

Bipartisan bill introduced by Sens. Merkley, Kennedy, Markey, Marshall, Van Hollen, and Daines. Would ban TSA and DHS from capturing or storing biometric data from airline passengers without explicit congressional authorization. Allows limited opt-in use at Trusted Traveler checkpoints only, with mandatory opt-out option, clear signage, and zero penalty for passengers who decline. Bans passive surveillance and tracking outside the screening location.
S 1691 · Bipartisan · Senate Commerce, Science & Transportation · Introduced May 2025

🟡 Federal Government Facial Recognition Prohibition (HR 3782) — Pending, House

Would prohibit the federal government from using facial recognition as a means of identity verification for general purposes — a broader restriction than the Traveler Privacy Protection Act. In response to DHS’s removal of its internal facial recognition oversight directive in February 2025.
HR 3782 · House · Pending

🟡 ICE Out of Our Faces Act (S 3779) — Pending, Senate

Introduced February 2026. Would ban ICE and CBP from using biometric surveillance systems including facial recognition for monitoring individuals. Introduced in direct response to the Trump administration granting ICE expanded access to new facial recognition tools and extending some access to CBP officers assisting with removal operations.
S 3779 · Introduced Feb 2026 · Senate · Pending

🟡 Drone Surveillance Prohibition (HR 96) — Pending, House

Would prohibit federal agencies from using drones to conduct surveillance of US citizens. Introduced in the first days of the 119th Congress reflecting ongoing concerns about warrantless aerial surveillance.
HR 96 · House · Referred to committee · Jan 2025

Financial Privacy — Federal

🟡 GUARD Financial Data Act (HR 8398) — Pending, House Financial Services

Introduced alongside the SECURE Data Act on April 22, 2026. Would update the 1999 Gramm-Leach-Bliley Act (GLBA) — the foundational financial privacy law — to modernize how banks, insurance companies, and financial service firms handle your personal information. Designed to work in tandem with the SECURE Data Act as a unified federal privacy framework covering both general consumer data and financial data specifically. Faces the same state AG opposition as the SECURE Data Act due to preemption concerns.
HR 8398 · House Financial Services Committee · Introduced Apr 22, 2026

Government Privacy — Federal

🟡 Privacy Act Modernization Act of 2025 (S 1208) — Pending

Updates the 1974 law governing how the federal government handles your personal data. Currently only protects US citizens and green card holders — this expands it to everyone physically in the country. Limits what agencies can do with your data and stiffens the criminal penalties for misuse. One notable provision: it kicks in immediately for the Department of Government Efficiency (DOGE) and similar temporary government operations, rather than waiting the usual two years.
S 1208 · 119th Congress · Senate · Active

Existing Federal Sectoral Privacy Laws — In Effect

Law What It Covers Who Enforces
HIPAA (1996) Controls how doctors, hospitals, and insurance companies handle your medical records. They have to keep your health data private, secure it properly, and tell you if there’s a breach. Critically — it does NOT cover health apps, fitness trackers, or any company that isn’t a traditional healthcare provider. That’s a massive gap. HHS Office for Civil Rights
COPPA (1998) Websites and apps can’t collect personal information from kids under 13 without a parent’s permission. If a site knows it’s talking to a child, it has to get parental consent first. Updated by the FTC in 2025 with stricter rules. FTC
GLBA (1999) Banks and financial institutions have to tell you what data they collect and share, and give you a way to opt out of some of it. Also requires them to have real security programs protecting your financial data. Weak by modern standards but still the baseline for the finance industry. FTC and financial regulators
FCRA (1970) Governs credit reports, background checks, and tenant screening. You have the right to see what’s in your file, dispute errors, and know when it’s being used against you. One of the few federal privacy laws with real teeth for individuals. FTC and CFPB
FERPA (1974) Schools can’t share your kid’s education records without your permission. Parents can see their child’s records and challenge anything that’s wrong. Once a student turns 18, those rights transfer to them. Applies to any school that gets federal funding — so basically all of them. US Dept. of Education
VPPA (1988) Video services can’t share your viewing history without your consent. Passed in 1988 after a reporter published Supreme Court nominee Robert Bork’s video rental records. Has become surprisingly relevant again as streaming platforms and news sites embed Facebook/Google trackers that share what videos you watch. Private right of action — you can sue
ECPA (1986) Requires law enforcement to get a warrant before accessing your private electronic communications and stored data. Written in 1986 when email barely existed — widely considered dangerously outdated for the modern digital world. Reform efforts have been going nowhere for years. DOJ / Courts

State Privacy Bill Tracker: Comprehensive Laws (Enacted)

As of June 2026, 25 states have enacted comprehensive consumer privacy laws — 20 already in effect, plus five enacted this year alone (Oklahoma, Alabama, Louisiana, Georgia, and Vermont) that take effect between 2027 and 2028. Most of these laws look similar on paper — they give you the right to see, correct, delete, and download your data, and to opt out of your data being sold. The real differences are in how aggressive the enforcement is, whether you can sue companies yourself, and how many businesses the law actually covers.

Currently In Effect

State & Law Plain English Summary Effective Date
California
CCPA / CPRA
The strongest state privacy law in the country. California has its own dedicated privacy enforcement agency (CPPA) that can go after companies independently. Covers not just consumers but also employees and job applicants. Includes rules on automated decision-making, data brokers, and sensitive data. Sets the standard everything else gets compared to. CCPA: Jan 1, 2020
CPRA: Jan 1, 2023
Virginia
Consumer Data Protection Act (VCDPA)
The template most other states copied. Basic consumer rights to access, fix, delete, and opt out of data sales. Only the Attorney General can enforce it — you can’t sue a company yourself. Applies to businesses that handle data on 100,000+ Virginians, or 25,000+ if selling data is a major revenue source. 2026 update: Governor Spanberger signed SB 338 on April 13, 2026, adding a hard ban on the sale of precise geolocation data — effective July 1, 2026. Virginia becomes the third state with this prohibition (after Maryland and Oregon). Jan 1, 2023
Colorado
Colorado Privacy Act (CPA)
Similar to Virginia but with a notable addition: companies must honor the Global Privacy Control signal — a browser setting that automatically tells sites not to sell your data. One of a handful of states requiring this. AG enforces it; same 100,000 consumer threshold as Virginia. 2025 update: A June 2025 amendment added precise geolocation data (pinpointing you within roughly 1,850 feet) to the law’s definition of sensitive data — meaning companies now need your explicit consent before processing or selling it. Jul 1, 2023
Connecticut
Data Privacy Act (CTDPA)
Closely follows Virginia and Colorado. Also requires honoring the Global Privacy Control signal. Updated in 2025 to expand what counts as “sensitive” data. Connecticut also joined the mandatory universal opt-out mechanism group in January 2026, requiring all covered businesses to honor opt-out signals. SB 4 (2026) added data broker registration and deletion mechanism rules — signed May 27, 2026. Jul 1, 2023
Utah
Consumer Privacy Act (UCPA)
The most business-friendly of the first batch of state laws. Does not require honoring browser opt-out signals. No requirement for companies to conduct privacy risk assessments. Applies only to businesses making $25M+ per year. Light on obligations, light on enforcement. July 1, 2026 update: Amendments add a right to correction and new requirements for social media data portability and interoperability. Dec 31, 2023
Texas
Data Privacy and Security Act (TDPSA)
Unusually broad — applies to any business operating in Texas or targeting Texas consumers, with no minimum revenue requirement. The Texas AG has shown it means business: secured a $1.4B settlement against Meta (July 2024, biometric data) and a $1.375B settlement against Google (May 2025, geolocation/biometric data) — the two largest privacy settlements ever obtained by a single state AG. Small businesses mostly exempt. Jul 1, 2024
Florida
Digital Bill of Rights (FDBR)
Narrowly written to only hit the very biggest tech companies — those making over $1 billion a year with most of that from online ads. In practice, this means only a handful of companies like Google, Meta, and Amazon are affected. Everyone else is exempt. Jul 1, 2024
Montana
Consumer Data Privacy Act (MCDPA)
Virginia-style law adjusted for Montana’s smaller population — kicks in at 50,000 consumers instead of 100,000. Standard consumer rights to access, fix, delete, and opt out. The 60-day cure period expired April 1, 2026 — violations are now immediately enforceable. Oct 1, 2024
Oregon
Consumer Privacy Act (OCPA)
Covers more people than most states — includes employees and job applicants, not just customers. Oregon’s AG has been active: published a detailed report on enforcement actions in 2025. Nonprofit organizations were added to coverage in July 2025. Jan 1, 2026 updates (HB 2008): Oregon now prohibits the sale of personal data when a controller knows or willfully disregards that a consumer is under 16. Also bans the sale of precise geolocation data within a 1,750-foot radius — among the strictest geolocation protections of any state. Oregon joined the universal opt-out mechanism states (requiring businesses to honor Global Privacy Control) on Jan 1, 2026. Jul 1, 2024
Delaware
Personal Data Privacy Act (DPDPA)
Standard Virginia-model law with lower thresholds for a smaller state — covers businesses handling data on 35,000+ Delaware residents. A 2026 bill (HB 380) would significantly expand it; currently advancing through the legislature. Note: Delaware’s 60-day cure period ended December 31, 2025 — violations are now immediately enforceable without a grace period. Jan 1, 2025
Iowa
Consumer Data Protection Act (ICDPA)
One of the weakest state privacy laws on the books. Notably, it does not give you the right to delete or correct data that a company got from a third party — only data they collected directly from you. Very business-friendly; privacy advocates consider it mostly symbolic. Jan 1, 2025
New Hampshire
Privacy Act (NHPA)
Virginia-style law scaled to New Hampshire’s population. Covers businesses handling data on 35,000+ residents. 60-day cure period. A 2026 bill (HB 1687) is advancing to update it. Jan 1, 2025
New Jersey
Data Privacy Act (NJDPA)
Follows Virginia with some Connecticut-style additions. Covers businesses handling data on 100,000+ New Jersey residents. Jan 20, 2026: Outgoing Governor Phil Murphy signed A 5017, amending the law to add targeted new exemptions before leaving office. A separate 2026 bill (S 2316) is working through the legislature to add a ban on selling sensitive personal data. Jan 15, 2025
Nebraska
Data Privacy Act (NDPA)
Standard Virginia-model law. Covers businesses handling data on 100,000+ Nebraskans, or 25,000+ if at least a quarter of their revenue comes from selling data. Jan 1, 2025
Tennessee
Information Protection Act (TIPA)
Business-friendly law with one unique requirement: companies must align their security practices with recognized frameworks like NIST. Applies only to businesses making $25M+ per year with 175,000+ Tennessee customers. AG enforcement only. Jul 1, 2025
Maryland
Online Data Privacy Act (MODPA)
One of the toughest state laws passed so far. Companies can only collect data they actually need for the specific reason they stated — no hoarding for future use. Applies to businesses handling data on 35,000+ Maryland residents. Considered a significant step up from the Virginia template. Oct 1, 2025
Minnesota
Consumer Data Privacy Act (MCDPA)
Stronger than most Virginia-copy laws. You can request a list of every third party your data was shared with — that’s rare. Also requires honoring browser opt-out signals and has broader biometric data definitions (includes data pulled from photos and videos). Covers businesses handling data on 100,000+ Minnesotans. Jul 31, 2025
Indiana
Consumer Data Protection Act (INCDPA)
A close copy of Virginia’s law. Business-friendly with a short 30-day window for companies to fix violations before facing fines. Covers businesses handling data on 100,000+ Indiana residents. Jan 1, 2026
Kentucky
Consumer Data Protection Act (KCDPA)
Essentially the same as Virginia’s law. AG enforces it, no personal lawsuits allowed. A 2026 update (HB 692) made Kentucky the first state to specifically classify smart TV automatic content recognition — the technology that watches what you watch — as sensitive data requiring protection. Jan 1, 2026
Rhode Island
Data Transparency & Privacy Protection Act (RIDTPPA)
Virginia-style law with one standout difference: no grace period. Most state laws give companies 30–60 days to fix violations before being fined. Rhode Island doesn’t. Get caught, get fined immediately. Covers businesses handling data on 35,000+ Rhode Island residents. Jan 1, 2026

Enacted — Effective 2027

State & Law Plain English Summary Effective Date
🔵 Oklahoma
Consumer Data Privacy Act — SB 546
Oklahoma tried and failed to pass a privacy law for nearly a decade. Signed in March 2026. Business-friendly version that mirrors Virginia and Texas — companies get a chance to fix violations before being fined. Covers businesses handling data on 100,000+ Oklahomans, or 25,000+ if selling data is a major revenue source. Jan 1, 2027
🔵 Alabama
Personal Data Protection Act — HB 351
Passed both chambers without a single no vote (104-0 in the House, 34-0 in the Senate). Signed in April 2026. Has one of the lowest coverage thresholds in the country — applies to any company with data on more than 25,000 Alabamians, or any company that makes more than 25% of its money selling data regardless of how many people it affects. AG enforces it with fines up to $15,000 per violation. No private lawsuits allowed. May 1, 2027
🔵 Louisiana
Louisiana Data Privacy Act — SB 386 (Act No. 502)
Signed into law by Governor Jeff Landry on May 29, 2026 — making Louisiana the 22nd state with a comprehensive privacy law and the third to enact one in 2026 (following Oklahoma and Alabama). Largely tracks Texas’s TDPSA framework but with a freestanding $25M annual revenue threshold as an alternative applicability trigger. Requires consent before processing sensitive data. Note: a version that would have named AI systems in processor-duty language was stripped before signing — Louisiana nearly became the second state (after Texas) to explicitly regulate AI in a privacy law’s processor obligations. ✅ Signed May 29, 2026 · Effective Jan 1, 2027
Vermont
Vermont Data Privacy and Online Surveillance Act
Signed by Governor Phil Scott on June 16, 2026 — Vermont’s fourth comprehensive privacy state of 2026, after Oklahoma, Alabama, and Louisiana. This is Vermont’s second attempt: a 2024 version (H.121) was vetoed by Scott and the Senate couldn’t override it. This year’s bill is more business-friendly and closely tracks the 2025 Connecticut model. Unusually low thresholds — applies to businesses processing data of 35,000+ Vermont consumers, OR the sensitive data of just 3,000+ consumers, OR offering for sale the data of 3,000+ consumers. Consumer health data provisions apply even more broadly than the general thresholds. ✅ Signed Jun 16, 2026 · Effective Jan 1, 2028
Georgia
Georgia Consumer Privacy Protection Act — SB 111
After failing twice in prior sessions, Governor Brian Kemp signed SB 111 on May 11, 2026 — Georgia is the 23rd state with a comprehensive privacy law. Passed the House 162-1, closely follows Virginia’s VCDPA model. Consumer advocates at EPIC scored it just 6/100, calling it one of the weakest state privacy laws — no private right of action, inadequate thresholds, weak enforcement. Georgia also signed SB 540 the same month, a separate chatbot disclosure law requiring AI chatbots to identify themselves as non-human at the start of every conversation and every 3 hours (every hour for known minors). ✅ SB 111 signed May 11, 2026 · Effective Jul 1, 2027
✅ SB 540 signed May 2026 · Effective Jul 1, 2027

State Laws — Sectoral & Specialized (Enacted)

Biometric Privacy Laws

State & Law Plain English Summary Status
Illinois
Biometric Information Privacy Act (BIPA)
The most powerful privacy law in the US for individual lawsuits. If a company scans your fingerprint, face, or iris without written consent, you can sue them directly — $1,000 per accident, $5,000 if they did it on purpose. Facebook/Meta paid $650M (2020), TikTok paid $92M (2021), BNSF Railway faced a $228M jury verdict (first BIPA jury trial). Companies are terrified of this law. Illinois softened it slightly in 2024 after the potential exposure became enormous, but it still has teeth no other law matches. ✅ Enacted 2008, amended 2024. Actively enforced.
Texas
Capture or Use of Biometric Identifier (CUBI)
Companies must tell you and get your consent before capturing your biometrics for commercial purposes. Can’t sell your biometric data without permission. Only the AG can enforce it — you can’t sue on your own. Texas AG has brought enforcement actions. ✅ Enacted 2009. Actively enforced by AG.
Washington
Biometric Identifiers (RCW 19.375)
Requires consent before enrolling your biometric data in a commercial database. No selling or sharing without permission. No private lawsuits — only state enforcement. ✅ Enacted 2017.
Arkansas
Biometric Data Privacy Act
Written consent required before collecting your biometric data. Restricts how it’s used, stored, and shared. AG enforcement only. ✅ Enacted 2023.
Montana
Biometric Information Privacy Act
Modeled on Illinois BIPA but without the private right to sue. Written notice and consent required before collecting biometrics. ✅ Effective Oct 1, 2024.
Colorado
Biometric Privacy Amendments (HB 24-1130)
2024 update to Colorado’s privacy law that extended biometric protections to more types of businesses and added protections for employee biometric data — not just customer data. ✅ Effective 2024.

Consumer Health Data Laws & Other State Privacy Statutes

Washington — My Health MY Data Act (MHMDA)

This one gets called “BIPA 2.0” for a reason. It covers health data that HIPAA misses entirely — your fitness tracker, your period app, your mental health app, any website that detects you’re near a healthcare facility. If a company processes health-related data about Washington residents and they’re not a traditional healthcare provider, this law applies to them. You can sue companies directly for violations, which is rare and makes this law genuinely feared by tech companies. First class-action lawsuit was filed in 2025.
Effective Mar 31, 2024 · Private right of action

Nevada — Consumer Health Data Privacy Law

Similar to Washington’s law — covers health data that falls through HIPAA’s cracks, like apps and wellness platforms. Requires consent before collecting or sharing your health data. Unlike Washington, you can’t sue companies yourself here — only state enforcement. No public enforcement actions have happened yet as of 2025.
Effective Mar 31, 2024

Connecticut — Health and Online Safety Provisions (Public Act 23-56)

Added health data protections and children’s online safety rules on top of Connecticut’s existing privacy law. Prohibits geofencing around health facilities, requires consent for consumer health data, and adds children’s social media protections.
Effective Oct 1, 2023

California — Consumer Health Data Privacy Law (AB 45)

Specifically protects data collected from people at or near reproductive health clinics and family planning centers. Passed after the Dobbs decision raised real concerns about location data being used to identify and prosecute people seeking certain medical services.
Effective Jan 1, 2026

Nevada — Revised Statutes Chapter 603A

Nevada’s older, separate online privacy law that predates the wave of comprehensive state laws. Gives you the right to tell websites not to sell your personal information and requires them to respond within 60 days. Narrower than a full privacy law but still applies to any business with Nevada customers.
Enacted 2017, expanded 2019 and 2023

Data Broker Registration Laws

California — Delete Act (SB 362)

Data brokers — companies whose entire business is buying and selling your personal information — are required to register with California’s privacy agency. The bigger deal: California is building a single website where you can opt out of every registered data broker at once, instead of hunting them down individually. The DROP portal (Delete Request and Opt-out Platform) launched January 1, 2026 — over 285,000 California residents are already using it. Data brokers must begin honoring those deletion requests by August 1, 2026. A 2025 expansion law (CA SB 361) requires data brokers to disclose significantly more about what they collect and who they sell to — including whether data is sold to foreign actors, federal or state governments, or generative AI developers.
Enacted 2023 · DROP portal live Jan 1, 2026 · Brokers must honor requests Aug 1, 2026 · SB 361 disclosures also effective 2026

Vermont — Data Broker Law (Act 171)

The first data broker registration law in the US, passed in 2018. Data brokers have to register annually with the state and disclose what they collect and who they sell it to. Doesn’t give you a way to opt out, but at least makes the industry visible. A 2026 bill is adding more requirements.
Enacted 2018 · In effect

Texas — Data Broker Registration (HB 4)

Data brokers operating in Texas must register with the AG and give Texans a way to opt out of having their data collected, shared, and sold. Part of the same 2023 package as Texas’s comprehensive privacy law.
Effective Sept 1, 2023

Montana — SB 282, Law Enforcement Data Broker Prohibition — In Effect

Signed into law in May 2025, Montana became the first state in the US to close the loophole that lets law enforcement buy citizens’ personal data from data brokers — getting around the warrant requirement. Under this law, Montana law enforcement must obtain a warrant before accessing personal data that data brokers have collected about Montana citizens, even if the broker is willing to sell it voluntarily. Directly addresses the same loophole that the federal Government Surveillance Reform Act (S 4082) is trying to close at the national level.
Signed May 2025 · In Effect · Montana

Oregon — Data Broker Registration (HB 2052)

Requires data brokers to register with Oregon’s Department of Consumer and Business Services and disclose what data they collect and sell. Part of Oregon’s broader privacy law package.
Effective Jan 1, 2024

Children’s Privacy — State Laws

Alabama — App Store Accountability Act

Requires app stores (Apple, Google) to verify a user’s age and get parental consent before anyone under 18 can download an app. Passed in early 2026, separate from Alabama’s main privacy law. Alabama is one of four states (alongside Utah, Texas, and Louisiana) with this type of app store age verification requirement.
Enacted early 2026

Utah — App Store Accountability Act (SB 142) — In Effect

Utah was the first state in the US to pass an app store age verification law. Requires app stores to verify user ages and get parental consent before minors can download apps or make purchases. Penalties up to $1,000 per violation plus a private right of action — consumers can sue directly. Google has built a Play Age Signals API specifically to help Android developers comply with Utah, Texas, and Louisiana simultaneously.
Enacted Mar 2025 · Effective 2026

Texas — App Store Accountability Act (SB 2420) — In Effect (litigation ongoing)

Signed by Governor Greg Abbott in May 2025. Requires app stores to verify every user’s age and obtain parental consent before anyone under 18 can download apps, make in-app purchases, or receive significant app updates. Violations are treated as deceptive trade practices with a private right of action — parents can sue directly for injunctive relief, actual and punitive damages.

The law was supposed to take effect January 1, 2026, but a federal judge blocked it on December 23, 2025 — comparing mandatory age checks to requiring every bookstore to card customers at the door and calling it likely unconstitutional under the First Amendment. Texas appealed. The Fifth Circuit lifted the injunction on June 4, 2026 via a stay pending appeal. Apple activated enforcement the same day — new Apple Accounts in Texas now require age verification before downloading any app. Google activated its Play Age Signals API simultaneously. The constitutional case continues; the Fifth Circuit has not yet ruled on the merits and the industry group CCIA believes the law will ultimately be struck down.
Signed May 2025 · Blocked Dec 23, 2025 · Injunction lifted Jun 4, 2026 · Fifth Circuit appeal pending

Louisiana — App Store Accountability Act (HB 977)

Signed in May 2026. Louisiana’s version of the app store age verification law. Similar scope to Texas and Utah — requires parental consent before minors can download apps or make purchases. Faces the same First Amendment litigation risk as Texas and Utah. The Fifth Circuit’s eventual ruling on Texas SB 2420 will determine whether Louisiana’s law survives.
Signed May 2026

Minnesota — Social Media Warning Labels Law (MN Stat. 325M.335) — In Effect

Social media platforms must display mental health warning labels to their users — similar to the warnings on cigarette packs. First such state law to actually take effect.
Effective Jul 1, 2026

🔵 California — Social Media Warning Labels (AB 56)

California’s version of the social media mental health warning label requirement — signed by Governor Newsom on October 13, 2025. Requires platforms to display warning labels to users under 18 each time they access the platform and after 3 hours of use. Takes effect at the start of 2027.
Signed Oct 13, 2025 · Effective Jan 1, 2027

🔴 Colorado — Social Media Warning Labels (HB 24-1136) — Blocked by Court

Colorado was actually the first state to pass a social media warning label law (signed June 2024). A federal judge blocked enforcement in November 2025 (NetChoice v. Weiser), ruling it likely violated the First Amendment as compelled speech. Colorado AG Phil Weiser appealed to the Tenth Circuit in December 2025. A separate 2026 bill (HB 26-1148) takes a different approach, focusing on privacy settings and data protections for young users rather than warning labels.
Signed Jun 2024 · Blocked Nov 2025 · Appeal pending at 10th Circuit

🟡 California — Age-Appropriate Design Code Act (CAADCA, AB 2273) — Litigation Pending

Requires any online service that kids might use to design with children’s best interests in mind — no dark patterns, privacy on by default, no profiling of minors. Courts initially blocked it, but the Supreme Court’s 2025 ruling upholding age verification laws in Texas may change the legal picture.
Signed 2022 · Enforcement paused by litigation

Children’s Privacy — Additional Sectoral Laws

Arkansas — Children and Teens’ Online Privacy Protection Act (HB 1717) — In Effect

Signed by Governor Sarah Huckabee Sanders on April 21, 2025. Modeled directly on the stalled federal COPPA 2.0 bill — Arkansas essentially passed at the state level what Congress couldn’t agree on federally. Extends COPPA-style protections beyond children under 13 to teens aged 13-16, banning targeted advertising and requiring data minimization, consent, and deletion rights for both age groups. Arkansas joins New York as one of only two states with privacy protections specifically covering this teen age bracket in the absence of a broader comprehensive privacy law. AG-only enforcement; no private right of action; no proactive age verification requirement. Important: Arkansas still has no comprehensive privacy law for adults — residents over 16 have no state-level right to access, delete, or correct their own data.
Signed Apr 21, 2025 · Effective Jul 1, 2026 — NOW IN EFFECT

Automated Decision-Making & AI Privacy

California — Automated Decision-Making Rules (CPPA)

When a company uses an algorithm to make a significant decision about you — whether you get a loan, see a job posting, or get flagged for review — California now requires them to tell you that’s happening and give you the right to opt out. Also requires annual security audits. California’s privacy agency finalized these rules in 2025 and they’re considered the most far-reaching AI privacy rules in the US.
CPPA rules finalized 2025

Texas — Responsible AI Governance Act (TX HB 149)

Applies Texas’s existing privacy rules to data used by AI systems. Also clarifies when companies need your consent before using your biometrics to train AI models.
Effective Jan 1, 2026

Colorado — AI Act Replacement (SB 26-189) — Signed into Law

Colorado Gov. Jared Polis signed SB 26-189 on May 14, 2026, repealing and replacing the original Colorado AI Act (SB 24-205) — the first-in-the-nation comprehensive AI law. The replacement is significantly narrower: it drops the original law’s broad “high-risk AI” and algorithmic discrimination framework in favor of a transparency-based regime focused on “automated decision-making technology” (ADMT) used in consequential decisions. Companies must now disclose when ADMT is used to make or materially influence decisions affecting you (employment, credit, housing, healthcare), provide explanations after adverse decisions, and give you correction rights. Annual third-party audits are NOT required — a major retreat from the original law.
Signed May 14, 2026 · Effective Jan 1, 2027

AI Companion Chatbots & Therapy Bot Laws — A New Category Entirely

This is one of the fastest-moving and least-noticed areas of privacy regulation right now. Following the suicides of multiple teenagers linked to relationships with AI companion chatbots — and a January 2026 settlement between Google, Character.AI, and the family of a Florida teen — states have moved with extraordinary speed to regulate AI systems designed to simulate human relationships. As of mid-2026, there are an estimated 98 active chatbot-specific bills across 34 states. Here are the laws that have actually been signed:

California — SB 243, Companion Chatbots — In Effect

The first law in the country to specifically regulate AI companion chatbots, and the only one with a private right of action — meaning you can sue directly rather than waiting for the state to act. Signed by Governor Newsom on October 13, 2025 after the case of 14-year-old Sewell Setzer, who died by suicide after an emotional and romantic relationship with a Character.AI chatbot that told him to “come home” minutes before he died. Requires chatbots to clearly disclose they’re AI, not human, if a reasonable person could be misled. For known minors, requires repeated reminders every three hours, a break reminder, and bans on sexually explicit content. Requires a published protocol for handling suicidal ideation and self-harm.
Signed Oct 13, 2025 · Effective Jan 1, 2026 · Private right of action

New York — AI Companion Models Law (General Business Law Article 47) — In Effect

The first state law to actually take effect regulating AI companions — November 5, 2025, two months before California’s. Requires recurring disclosure every three hours (regardless of the user’s age) that the AI is a computer program, not human. Requires self-harm and suicidal ideation detection with referral to the 988 crisis line. AG-only enforcement; no private right of action, unlike California.
Effective Nov 5, 2025

Oregon — SB 1546, AI Companion Regulation — Signed, Pending Effective Date

Signed by Governor Kotek on March 31, 2026 after passing 26-1 in the Senate and 52-0 in the House. Requires disclosure that a chatbot is AI, with reminders every hour for known minors. Bans sexual content for minors and an extensive list of manipulative techniques — including simulating distress when a user tries to leave the conversation, encouraging kids to keep secrets from parents, and soliciting in-app purchases framed as necessary to “maintain the relationship.” Includes a private right of action with $1,000 statutory damages per violation.
Signed Mar 31, 2026 · Effective Jan 1, 2027 · Private right of action

Washington — HB 2225, AI Companion Chatbot Regulation — Signed, Pending Effective Date

Signed by Governor Bob Ferguson on March 24, 2026, the same month as Oregon’s law — creating a coordinated Pacific Northwest framework. Requires disclosure every three hours for all users (stricter than California or Oregon, which use a “reasonable person” standard for adults). For minors, disclosure required every hour. Enforced through the state Consumer Protection Act by the AG, with a private right of action available in certain contexts.
Signed Mar 24, 2026 · Effective Jan 1, 2027

Illinois — Wellness and Oversight for Psychological Resources Act (HB 1806) — In Effect

Illinois was the first state to explicitly prohibit autonomous AI therapy. Prohibits AI from making independent therapeutic decisions, directly engaging in therapeutic communication with clients, or generating treatment plans without licensed review. Penalties reach $10,000 per incident.
Enacted Aug 4, 2025

Nevada — AB 406, AI Mental Health Restrictions — In Effect

Bans offering AI systems that provide or claim to provide professional mental or behavioral healthcare services. Prohibits AI from performing the functions of a school counselor, psychologist, or social worker in public schools. Restricts licensed professionals to administrative/supportive AI use only, with oversight required. Civil penalties up to $15,000 per incident.
Signed by Gov. Lombardo Jun 2025 · Effective Jul 1, 2025

Colorado — HB 26-1195, Psychotherapy Artificial Intelligence Restrictions — Signed

Signed by Governor Polis on June 3, 2026. Prohibits AI from directly engaging in therapeutic communication with clients, generating unsupervised treatment recommendations, or detecting emotions/mental states without human oversight. Applies to all licensed, certified, or registered psychotherapy providers. Bans advertising or offering psychotherapy via AI unless conducted by a regulated professional. Enforced by DORA licensing boards and the Colorado Consumer Protection Act, separate from the state’s broader AI Act (SB 26-189).
Signed Jun 3, 2026 · Effective Aug 12, 2026

Vermont — Act 156 (H.816), AI in Mental Health Services — Signed

One of the strictest of the bunch — a categorical ban, not a harm-based liability standard. Makes it unprofessional conduct for a licensed mental health provider to let AI independently make therapeutic decisions or deliver treatment. Carves out room for administrative AI use (note-taking, transcription, scheduling) but draws a hard line once AI crosses into diagnosis or treatment planning. Consumer Protection Act enforcement available to both the AG and private plaintiffs. Long legislative journey: introduced January 2026, passed House in March, went through a conference committee after the House rejected a Senate amendment, and was finally signed by Governor Phil Scott on June 17, 2026.
Signed Jun 17, 2026 · Effective immediately upon enactment · Private right of action

Maine — LD 2082, Regulation of AI in Mental Health Services — Signed

Prohibits the clinical use of AI in mental health therapy while allowing administrative use. Signed by the Governor on April 13, 2026.
Signed Apr 13, 2026

🟡 Missouri — HB 2372 (Therapy Chatbot Ban Provisions) — Pending Senate

An omnibus health care bill that includes a ban on AI providing “therapy services, psychotherapy services, or a mental health diagnosis.” First-violation penalty of $10,000, enforced by the state AG. Passed the full House April 2, 2026; pending in Senate Committee on Families, Seniors and Health.
Passed House Apr 2, 2026 · Pending Senate

🟡 Nebraska — LB 525, Conversational AI Safety Act (part of Agricultural Data Privacy Act) — Passed Legislature

An unusual pairing — the first half of the bill is an Agricultural Data Privacy Act, the second half regulates conversational AI aimed at minors. Requires disclosure that a service is AI, not human, and bars services from claiming to provide professional mental or behavioral health care. Passed Nebraska’s unicameral legislature; pending the Governor’s signature.
Passed legislature Apr 2026 · Pending signature

Enforcement Actions & Litigation Worth Watching

Even without a specific law, several states are using existing consumer protection and medical licensing statutes against AI chatbot companies right now:

Pennsylvania v. Character.AI — Filed May 1, 2026 in Commonwealth Court. Pennsylvania’s Department of State sued Character.AI after an investigator found a chatbot character named “Emilie” — described as “Doctor of psychiatry” with roughly 45,500 user interactions — offered to assess the investigator for antidepressant medication and provided a fake Pennsylvania medical license number when asked. The suit alleges this violates Pennsylvania’s Medical Practice Act, which bans practicing medicine without a license. The first known case of a state medical licensing authority suing an AI platform directly over chatbot conduct.

Texas AG Investigation into Meta and Character.AI — Opened December 2024, expanded August 18, 2025. Attorney General Ken Paxton is investigating both companies for marketing AI chatbots as mental health tools without medical credentials, under the Texas SCOPE Act and TDPSA. Part of a broader Texas investigation into 15 companies (including Reddit, Instagram, and Discord) over children’s privacy practices.

Kentucky v. Character Technologies — Filed January 8, 2026 in Franklin Circuit Court, the first state lawsuit (not just investigation) against Character.AI. Attorney General Russell Coleman’s complaint alleges violations of the Kentucky Consumer Protection Act and Kentucky’s new Consumer Data Protection Act, citing two deaths linked to the platform and seeking $2,000 penalties per willful violation.

44 State AGs Joint Warning Letters — August 25, 2025, attorneys general from 44 states sent coordinated warning letters to major AI companies (including Anthropic, Apple, Google, Meta, Microsoft, OpenAI, and xAI), citing internal Meta documents that allegedly authorized AI assistants to “flirt and engage in romantic roleplay with children” as young as eight.

FTC Safety Report Orders — September 10, 2025, the FTC voted 3-0 to order seven companies (Alphabet, Character Technologies, Instagram, Meta, OpenAI, Snap, and X.AI) to submit detailed reports on chatbot safety, monetization, and child-impact monitoring within 45 days.

Florida v. OpenAI — Filed June 1, 2026 in the 10th Judicial Circuit Court (Highlands County, Florida). Attorney General James Uthmeier sued OpenAI and Sam Altman personally, alleging the company prioritized speed to market over safety, deployed a product that facilitates self-harm and violence, collects data from minors without meaningful parental oversight, and causes behavioral addiction. The first state-led lawsuit of its kind against OpenAI.


State Bills — 2026 Legislative Activity

This section tracks bills that began the 2026 session as pending. Several were signed into law during the session and are marked ✅ — they appear here because they originated as pending bills this cycle. Bills marked 🟡 are still active. Bills marked ⚫ failed or had their session close without passage.

State & Bill What It Would Do Status
Connecticut — SB 4 (Public Act 26-64) Signed by Governor Lamont on May 27, 2026. Significantly amends Connecticut’s privacy law and creates a new California Delete Act-style data broker registration and deletion program, run through the Department of Consumer Protection rather than the AG’s office. Also adds a hard ban on selling precise geolocation data, facial recognition signage/policy rules, direct-to-consumer genetic testing protections, and surveillance pricing disclosure rules. Connecticut joins Maryland, Oregon, and Virginia in banning the sale of precise geolocation data — the fourth state to do so. Note: this is layered on top of separate 2025 CTDPA amendments (Public Act 25-153) that take effect July 1, 2026, so Connecticut businesses face two overlapping compliance deadlines this year. ✅ Signed May 27, 2026 · Most provisions effective Oct 1, 2026 · Data broker registration Jan 1, 2027 · Consumer deletion mechanism Jul 1, 2028
Delaware — HB 380 Would significantly strengthen Delaware’s existing privacy law. Passed the full Delaware House (30-9) in May 2026. Now pending in the Senate Banking, Insurance & Technology Committee. 🟡 Passed House May 2026 · Pending Senate committee
New York — Multiple bills

SAFE For Kids Act (S7694A) — enacted 2024
Child Data Protection Act (S7695B) — enacted 2024
RAISE Act — AI Safety & Transparency (S6953B) — signed Dec 2025
🟡 NY Health Information Privacy Act (S9269) — active 2026
🟡 AI Training Data Transparency Act (S6955) — active 2026
🟡 Safe by Design Act — included in FY 2027 budget

SAFE For Kids Act: Requires social media platforms to turn off algorithmic “addictive feeds” for users under 18 unless a parent specifically opts in. New York was the first state to restrict algorithmic feeds for minors.

Child Data Protection Act: Prohibits any website or app from collecting, using, sharing, or selling personal data of anyone under 18 without informed consent — or without parental consent for kids under 13. AG enforces with fines up to $5,000 per violation.

RAISE Act (AI Safety & Transparency): Requires AI companies with $500M+ in revenue to publicly disclose how their frontier AI models work, what safety testing they’ve done, and to report critical safety incidents to the government. Takes effect Jan 1, 2027.

NY Health Information Privacy Act (S9269): Would create Washington My Health MY Data-style protections for New Yorkers — requiring consent before any entity collects or sells health data not covered by HIPAA, including data from apps, wearables, and location tracking near healthcare facilities.

AI Training Data Transparency Act (S6955): Would require AI companies to disclose what data they used to train their models. Passed the Assembly; Senate floor vote pending before the legislature closes in June 2026.

Safe by Design Act: Included in the FY 2027 state budget signed May 2026. Expands age verification requirements to gaming platforms, sets kids to maximum privacy settings by default, disables AI chatbot features for minors, and requires parental controls on financial transactions.

✅ SAFE For Kids Act: enacted Jun 2024
✅ Child Data Protection Act: enacted Jun 2024
✅ RAISE Act: signed Dec 2025 · Effective Jan 1, 2027
✅ Safe by Design Act: signed into budget May 2026
🟡 Health privacy & AI transparency bills: advancing Jun 2026
New Jersey — S 2316 / S 4109 Would add a hard ban on selling sensitive personal data under New Jersey’s existing privacy law. 🟡 Senate Appropriations Committee
New Hampshire — HB 1687 Updates and strengthens New Hampshire’s existing privacy law. 🟡 Advancing 2026
Minnesota — HF 2700 Adds health data protections to Minnesota’s existing privacy law — covering the health apps and wellness platforms that fall outside HIPAA. 🟡 Advancing
California — AB 2246 Would ban social media platforms from allowing anyone under 16 to create or keep an account. 🟡 Passed Assembly Judiciary Committee · Advancing
California — SB 1106 Tightens the Delete Act — data brokers would have to check the opt-out deletion list every 30 days instead of every 45 days. 🟡 Passed Senate · In Assembly
Colorado — SB 51, Age Attestation on Computing Devices Requires operating system developers to build age checks into new device accounts, sorting users into age brackets that restrict app access — meant to help apps comply with the Colorado Privacy Act’s stricter rules for minors’ data. Critics (including the Independence Institute) call it largely symbolic since the same content remains accessible through a web browser, school laptop, or library computer that isn’t covered by the law. Status update: the General Assembly adjourned May 13, 2026, and this bill was enacted — last action recorded June 3, 2026. ✅ Enacted Jun 3, 2026 · Takes effect Aug 12, 2026
Wisconsin — AB 172 / SB 166, Consumer Data Privacy Act Wisconsin’s most advanced comprehensive privacy bill attempt. AB 172 passed the Assembly State Affairs Committee unanimously on January 28, 2026, then moved to the Rules Committee. Its Senate companion SB 166 had a public hearing the same week. A prior Wisconsin privacy bill passed the full Assembly four years ago but stalled in the Senate. Key provisions follow the Virginia model; business-friendly. Notable: Wisconsin has a divided government which has complicated passage historically. 🟡 Passed Assembly committee Jan 2026 · Advancing
Massachusetts — S 9 / H 135, Massachusetts Information Privacy and Security Act (MIPSA) Massachusetts has been trying to pass a comprehensive privacy law since 2019. MIPSA is the current vehicle — considered one of the stronger proposed state laws, with a private right of action and opt-in consent requirements that exceed most other state frameworks. Passed one chamber in 2025. Massachusetts Legislature has no set adjournment deadline, meaning it could advance at any point through 2026. 🟡 Passed one chamber · Active 2026
Pennsylvania — HB 78, Consumer Data Privacy Act Pennsylvania’s comprehensive privacy bill has passed one chamber and carries over to 2026. Was amended in April 2025 to expand the definition of sensitive data to include SSNs, driver’s license numbers, and financial credentials. Follows the Virginia model. Pennsylvania is one of the largest states still without a comprehensive privacy law — would cover a population comparable to Virginia, Colorado, and Connecticut combined. 🟡 Passed one chamber · Active 2026
Michigan — Kids Code Act (SB 231) Would create age-appropriate design code requirements similar to California’s CAADCA — requiring online services likely to be accessed by minors to default to privacy-protective settings and avoid manipulative design patterns aimed at kids. 🟡 Passed Senate 20-17 (May 2026) · Pending Republican-controlled House · Divided government makes passage uncertain
North Carolina — SB 1022 A new comprehensive consumer data privacy bill introduced by two Democratic state senators in North Carolina’s Republican-controlled Senate. Would give North Carolinians standard rights to access, correct, delete, and opt out of sale of personal data, following the now-common Virginia-model framework. 🟡 Introduced May 2026 · Early stage, Republican Senate control makes passage uncertain
South Carolina — S 896 Comprehensive consumer privacy bill that would give South Carolinians data rights for the first time. 🟡 Passed committee May 2026
Hawaii — SB 3001, the Artificial Intelligence Disclosure and Safety Act Correction: this is not a “chatbot disclosures and geolocation” bill — it specifically regulates AI companion chatbots. Requires operators to disclose they are not human, build protocols to respond to suicidal ideation or self-harm, and add extra protections for minors (no sexual content, no claiming to be a licensed mental health professional). Annual reports to the Department of Health begin in 2028. Enrolled and sent to the Governor on May 8, 2026. 🟡 Enrolled to Governor May 8, 2026 · Awaiting signature as of Jun 22, 2026
Iowa — SF 2417 Requires AI chatbots to disclose that they’re not human when asked. ✅ Signed into law May 2026
Louisiana — HB 977 Replaces Louisiana’s previous app store law with updated age verification and parental consent requirements. ✅ Signed into law May 2026
Illinois — SB 340 (Illinois Consumer Data Privacy Act) and SB 315

🟡 SB 315 — AI Safety Measures Act
🟡 SB 2691 — AI in Employment
🟡 HB 3506 — AI in Healthcare

SB 340 — Illinois Consumer Data Privacy Act: Passed the Illinois Senate 54-3 and both chambers by the May 31, 2026 adjournment deadline. Gives Illinois residents rights to access, correct, delete, and opt out of data sales and targeted advertising. Prohibits the outright sale of sensitive personal data. Modeled largely on Minnesota’s 2025 law. Applies to businesses processing data of 100,000+ Illinois consumers, or 25,000+ if data sales account for more than 25% of revenue. Governor Pritzker has not yet indicated whether he will sign it; his office signed SB 315 but has been silent on SB 340 as of this update.

SB 315 — AI Safety Measures Act: The most stringent AI transparency bill in the US if enacted — and the first in the country to mandate annual independent third-party audits of frontier AI safety practices, going beyond California and New York’s frontier laws, which only require companies to publish their own safety frameworks. Passed the Illinois Senate 52-5 and House 110-0 on May 27, 2026. Governor Pritzker publicly committed to signing it (“Illinois is leading the nation in holding Big Tech accountable”), and both OpenAI and Anthropic have publicly supported the bill. Covers “frontier developers” with $500M+ revenue and models trained above a defined compute threshold — covering companies like OpenAI, Anthropic, Google, Meta, and xAI. Takes effect January 1, 2027 once signed.

SB 2691 — AI in Employment: Would regulate the use of automated decision-making tools in hiring, firing, promotions, and compensation decisions. Employers would have to disclose when AI is being used to evaluate workers and provide a mechanism to challenge those decisions.

HB 3506 — AI in Healthcare: Would impose safeguards on AI tools used in clinical settings — including diagnostic aids, treatment recommendations, and patient triage systems. Requires transparency about when AI is involved in a healthcare decision affecting a patient.

🟡 SB 315 passed legislature May 27, 2026 · Awaiting Governor (committed to signing)
🟡 SB 2691 and HB 3506 advancing
Maine — LD 1822 A comprehensive privacy bill that passed the Senate narrowly but then died on the House floor in April 2026 when five Democrats who had previously supported it switched their votes. Maine’s business community ran a hard campaign against it. The legislature closed April 15 — it’s dead for this session. ⚫ Failed Apr 2026 · Session closed
Connecticut — SB 5 (Public Act 26-15), An Act Concerning Online Safety Correction: this is Public Act 26-15, not 26-65. Signed by Governor Lamont alongside SB 4 in a joint announcement with AG William Tong. A sweeping AI/online safety package, not just a chatbot/employment bill — it creates a new state Artificial Intelligence Policy Office and Director, requires AI chatbot operators to make reasonable efforts to detect suicidal ideation or self-harm and respond with appropriate resources, requires subscription AI providers to make consumer disclosures, requires frontier model developers to implement internal risk processes, mandates synthetic content be detectable as such, and adds employment AI disclosure requirements. Also establishes an AI regulatory sandbox program and workforce AI-literacy initiatives. ✅ Signed Jun 2026
New Mexico — Health Data Privacy Act (HB 430) Would have required entities handling health data — including apps, wellness platforms, and consumer health tools — to obtain consent before using, sharing, or selling it, beyond what HIPAA already covers. A Washington My Health MY Data-style bill. Failed to progress out of committee before New Mexico’s legislature adjourned March 22, 2025. ⚫ Failed — session closed Mar 22, 2025
Colorado — HB 26-1263, Chatbot Safety Bill Passed the Colorado legislature and signed by Governor Polis alongside HB 26-1195 (the psychotherapy AI restrictions bill). Requires AI chatbot operators to disclose they are not human, maintain crisis response protocols for self-harm and suicidal ideation, and adds protections for minor users. ✅ Signed Jun 3, 2026
New Jersey — A 4733 Would prohibit advertising or marketing AI as capable of practicing a regulated profession or occupation (medicine, law, mental health therapy, etc.) without holding the appropriate license. Voted out of the Assembly Appropriations Committee. 🟡 Passed Assembly Appropriations · Advancing 2026
Rhode Island — S 2197 Would establish regulations regarding the use of AI in mental health care treatments, including restrictions on AI independently providing therapeutic services without licensed human supervision. 🟡 Passed Rhode Island Senate · Advancing 2026
South Dakota No comprehensive privacy bill passed this session. ⚫ Session closed 2026

Data Breach Notification Laws

✅ All 50 States + DC, Puerto Rico, Guam, and the US Virgin Islands

Every state in the country has a law requiring companies to tell you when your personal data has been exposed in a breach. This is the one area of privacy law where there’s universal agreement — though the details vary considerably. California requires notification within 72 hours for certain breaches. New York says “as soon as possible.” Most states give companies 30–90 days. Several require companies to notify the state AG in addition to the affected individuals. If you’ve ever gotten a “we take your privacy seriously” letter in the mail, this is why.


International Privacy Laws Affecting US Businesses

Law Region What It Means For You
GDPR
General Data Protection Regulation
European Union The most comprehensive privacy law in the world. If your website has European visitors, this applies to you — regardless of where your business is. Maximum fines are 4% of your global revenue or €20 million, whichever is larger. Gives EU residents the right to access, correct, delete, and move their data. Requires breach notification within 72 hours. The standard every other privacy law gets compared to.
ePrivacy Directive
(“Cookie Law”)
European Union The reason every website on the internet has a cookie consent popup. EU law requires genuine opt-in consent before placing tracking or advertising cookies on someone’s device. “Continuing to browse means you accept” does not count as consent. A replacement regulation is stuck in EU legislative limbo as of 2026.
UK GDPR + Data Protection Act 2018 United Kingdom After Brexit, the UK kept its own version of GDPR rather than staying under EU rules. Works essentially the same way for UK residents. Enforced by the Information Commissioner’s Office (ICO).
PIPEDA Canada (Federal) Canada’s national privacy law for businesses. Requires consent for collecting, using, or sharing personal information commercially. If you have Canadian customers, this applies to you.
Quebec Law 25 (Bill 64) Canada (Quebec) Canada’s toughest privacy law and the closest thing Canada has to GDPR. Requires privacy impact assessments, breach notification, and gives Quebec residents the right to have their data deleted or moved. Any business with Quebec customers needs to be aware of this.
Privacy Act 1988 (amended) Australia Australia’s foundational privacy law. Governs how businesses and government agencies handle personal information through a set of Australian Privacy Principles. Undergoing significant reform through a 2024 amendment package.

🟡 AI Accountability and Personal Data Protection Act (S 2367) — Pending, Senate Judiciary

Introduced by Sen. Josh Hawley (R-MO) and Sen. Richard Blumenthal (D-CT) — an unusual right-left pairing that reflects genuine bipartisan anger at Big Tech. This is the only federal bill in the 119th Congress that would create a direct federal tort — a legal cause of action — against any company that collects, processes, sells, or exploits your personal data without your express, prior consent. Unlike most privacy bills that rely on the FTC to enforce rules, this one lets you sue directly. Consent buried in a privacy policy or user agreement does not count — it must be specific, affirmative, and informed. Does not preempt existing state privacy laws.
S 2367 · Sen. Hawley, Blumenthal · Referred to Senate Judiciary · 119th Congress

For privacy tools, de-Googled phones, and practical steps to protect your data today, visit the MARK37 Resources page or schedule a free consultation.


Change Log

This tracker is updated as bills move through legislatures and are signed into law. Most recent changes appear first.

July 3, 2026

  • NEW SECTION: Facial Recognition & Biometric Surveillance. Added five entirely missing federal bills: Facial Recognition Act of 2025 (HR 4695), Traveler Privacy Protection Act (S 1691, bipartisan), HR 3782 (federal facial recognition prohibition), ICE Out of Our Faces Act (S 3779), and Drone Surveillance Prohibition (HR 96).
  • Montana SB 282 — new entry; first state to ban law enforcement from buying citizens’ data from data brokers without a warrant. Signed May 2025.
  • Oregon HB 2008 (Jan 1, 2026) — added to Oregon’s entry: prohibits sale of personal data for known-under-16 users; bans sale of precise geolocation within 1,750-foot radius; joined universal opt-out mechanism states.
  • Connecticut — updated: joined mandatory universal opt-out mechanism states in January 2026; SB 4 noted as signed.
  • New Jersey A 5017 — added: signed by Gov. Murphy Jan 20, 2026, amending NJ privacy law with new exemptions.
  • California SB 361 — added to California data broker entry: expands disclosure requirements to include whether data is sold to foreign actors, federal government, or generative AI developers.
  • Wisconsin AB 172 / SB 166 — new pending entry: passed Assembly committee unanimously Jan 2026.
  • Massachusetts MIPSA (S 9 / H 135) — new pending entry: passed one chamber; active 2026.
  • Pennsylvania HB 78 — new pending entry: passed one chamber; active 2026.
  • Minnesota Social Media Warning Labels — status corrected 🟡 → ✅; in effect July 1, 2026.
  • Arkansas HB 1717 — status corrected 🔵 → ✅; in effect July 1, 2026.
  • Don’t Sell Kids’ Data Act (HR 6292) — removed duplicate entry.
  • Chatrie v. United States — added Supreme Court opinion link.
  • ICE Out of Our Faces Act (S 3779), Rhode Island S 2197 — added missing links.
  • State Bills section — renamed to “2026 Legislative Activity” with clarifying note for ✅ entries.

July 2, 2026

  • NEW SECTION: Government Surveillance & Warrantless Data Access. Added four entirely missing federal entries: Chatrie v. United States (Supreme Court ruled Jun 29, 2026 that geofence warrants require Fourth Amendment warrant protection), Government Surveillance Reform Act of 2026 (S 4082, Wyden/Lee/Warren/Lummis), Protect Liberty and End Warrantless Surveillance Act (HR 7816, includes “Fourth Amendment Is Not For Sale Act”), and Surveillance Accountability Act (HR 8470, Massie/Boebert).
  • GUARD Financial Data Act (HR 8398) — added as its own entry with description under new Financial Privacy section.
  • AI Accountability and Personal Data Protection Act (S 2367) — new entry; Hawley/Blumenthal; creates a federal tort for data exploitation without consent. Only federal bill in 119th Congress with a private right of action for data misuse.
  • SAFE for Kids Act (S 4741) — new entry; Sen. Banks; online pornography age verification bill. Note: not a general social media/internet age verification bill despite “commercial entities” framing.
  • Arkansas HB 1717 — now in effect as of July 1, 2026.
  • California Delete Act DROP portal — launched January 1, 2026; over 285,000 Californians already using it. Data brokers must begin processing requests August 1, 2026.
  • Utah UCPA — July 1, 2026 amendments add right to correction and social media data portability requirements.
  • Montana MCDPA — 60-day cure period expired April 1, 2026; violations now immediately enforceable.
  • Delaware DPDPA — 60-day cure period ended December 31, 2025; violations now immediately enforceable.
  • Oregon OCPA — January 1, 2026 amendments add stricter precise geolocation limits and expanded youth data protections.
  • Connecticut SB 4 — correction: consumer deletion mechanism launches July 1, 2028, not January 1, 2027.
  • Illinois SB 340 — passed both chambers by May 31, 2026 adjournment; awaiting Governor Pritzker. Added official ILGA link.
  • Colorado HB 26-1263 (Chatbot Safety Bill) — new entry; signed by Governor Polis June 3, 2026 alongside HB 26-1195.
  • New Jersey A 4733 — new entry; prohibits marketing AI as licensed professional. Passed Assembly Appropriations.
  • Rhode Island S 2197 — new entry; mental health AI restrictions bill; passed Senate.
  • New Mexico HB 430 — new entry; health data privacy bill failed committee March 22, 2025; marked ⚫.

June 23, 2026

  • New section added: AI Companion Chatbots & Therapy Bot Laws — covering enacted laws in California, New York, Oregon, Washington, Illinois, Nevada, Colorado, and Vermont, plus pending bills in Maine, Missouri, and Nebraska, and related litigation against AI chatbot companies.
  • KIDS Act (HR 7757) — Guthrie and Pallone announced bipartisan agreement (Jun 22), consolidating 14 child safety bills. App Store Accountability Act, Don’t Sell Kids’ Data Act, and Sammy’s Law remain separate.
  • Vermont — comprehensive privacy law signed June 16, 2026; moved from pending to enacted.
  • Georgia SB 111 — moved from pending table to enacted (signed May 11, 2026). State count updated to 25.
  • Connecticut SB 4 — signed May 27, 2026.
  • Connecticut SB 5 — correction: actual citation is Public Act 26-15, not 26-65.
  • Illinois SB 315 — correction: passed legislature May 27, 2026, not June 1.
  • Hawaii SB 3001 — correction: AI Disclosure and Safety Act (AI companion chatbots, minor self-harm protocols), not a “geolocation” bill.
  • Colorado SB 51 — correction: enacted (last action Jun 3, 2026), not pending a House floor vote.
  • Colorado Privacy Act — added June 2025 amendment adding precise geolocation to sensitive data definition.
  • Maine LD 2082 — correction: signed April 13, 2026, not “sent to Governor.”
  • Illinois HB 1806 — correction: enacted August 4, 2025, not just “2025.”
  • Arkansas HB 1717 — new entry; note that Arkansas has no comprehensive adult privacy law.
  • Sammy’s Law (HR 2657) — new federal entry, previously missing.
  • Florida v. OpenAI — new litigation entry (filed Jun 1, 2026).
  • Michigan Kids Code Act, North Carolina SB 1022 — new pending entries.
  • Missing links added — California CAADCA, Colorado biometric amendments (HB 24-1130), Louisiana app store law, Nevada AB 406, Colorado HB 26-1195, Pennsylvania v. Character.AI, Texas AG investigation, Maine LD 2082, Missouri HB 2372, Nebraska LB 525, Kentucky v. Character Technologies, 44 State AGs Joint Warning Letters, FTC Safety Report Orders, Florida v. OpenAI.
  • Kentucky v. Character Technologies — correction: filed January 8, 2026, not just “January 2026.”

June 10, 2026

  • KIDS Act (HR 7757) — New federal entry added. Passed full House Energy and Commerce Committee March 6, 2026. Omnibus children’s safety package. 44 state AGs filed opposition letter May 26, 2026.
  • GUARD Financial Data Act (HR 8398) — Promoted from footnote to standalone entry in new Financial Privacy section.
  • American Leadership in AI Act (HR 8516) — New federal AI entry added. Introduced April 27, 2026.
  • Great American AI Act (GAAIA) — New entry added. Discussion draft released June 4, 2026 by Obernolte/Trahan. Would preempt state AI laws for 3 years.
  • Virginia SB 338 — Added to Virginia’s state entry. Signed April 13, 2026; bans sale of precise geolocation data effective July 1, 2026.
  • Vermont comprehensive privacy bill — New entry added. Passed legislature May 2026; awaiting Governor Scott (veto risk).
  • Vermont S 71 — Description updated to clarify it adds California Delete Act-style single opt-out mechanism.
  • Illinois SB 340 — New entry added. Comprehensive privacy bill with Maryland-style data minimization; passed Senate 54-3 and legislature May 31, 2026; awaiting Governor Pritzker.
  • Delaware HB 380 — Status updated. Passed full House (30-9) May 2026; now pending Senate committee.
  • SECURE Data Act (HR 8413) — House Subcommittee on Commerce, Manufacturing, and Trade held a formal hearing June 3, 2026. Coalition of 44 state AGs filed letter opposing preemption provisions June 2. Companion bill GUARD Financial Data Act (HR 8398) added to tracker.
  • Louisiana Data Privacy Act (SB 386) — Signed into law by Governor Jeff Landry on May 29, 2026 as Act No. 502. Status updated from “awaiting signature” to enacted. Louisiana is the 22nd state with a comprehensive privacy law.
  • Georgia — Major correction: previously listed as “session closed without passing.” Governor Brian Kemp signed SB 111 (Georgia Consumer Privacy Protection Act) on May 11, 2026. Georgia is now the 23rd state. Also signed SB 540 (chatbot disclosure law) same month. Both added to tracker.
  • Connecticut SB 4 — Signed into law as Public Act 26-64. Status updated from “awaiting Governor” to enacted. Effective October 1, 2026. Adds data broker registration, geolocation sale ban, facial recognition protections, and surveillance pricing rules.
  • Connecticut SB 5 — New entry added. Signed into law as Public Act 26-65 alongside SB 4. Covers AI companion chatbots and employment AI disclosure requirements.
  • Colorado AI Act (SB 26-189) — Signed into law by Governor Polis on May 14, 2026. Status updated from “awaiting signature” to enacted. Replaces original SB 24-205 with narrower transparency-based framework. Effective January 1, 2027.
  • Illinois SB 315 — Passed legislature June 1, 2026. Governor Pritzker indicated he will sign. Status updated; joins California and New York as states with a frontier AI model safety bill.
  • Vermont S 71 — Conference committee report adopted by both chambers. Awaiting Governor’s signature. Status updated.
  • New York Safe by Design Act — Confirmed signed by Governor Hochul as part of FY 2027 budget. Status updated to enacted in New York section.
  • TAKE IT DOWN Act — Signed date corrected to May 19, 2025. Platform compliance deadline (May 19, 2026) noted as now passed — full enforcement in effect.
  • Texas TDPSA — Corrected vague “major tech company” reference. Now correctly identifies two separate record-setting settlements: $1.4B against Meta (July 2024, biometrics) and $1.375B against Google (May 2025, geolocation/biometric data).
  • Illinois BIPA — BNSF $228M corrected from “settlement” to “jury verdict.” Meta/Facebook $650M correctly attributed to Facebook (2020 settlement).
  • AI Preemption Moratorium (10-year) — Corrected: entry previously said “Passed House, Pending Senate” — the moratorium was actually stripped from the final One Big Beautiful Bill before Senate passage. President Trump signed the bill July 4, 2025 WITHOUT the moratorium. States remain free to regulate AI. Entry updated to reflect this. Status changed to 🔴.
  • Texas SB 2420 (App Store Accountability Act) — New entry added. Fifth Circuit lifted injunction on June 4, 2026 via stay pending appeal; Apple and Google activated enforcement same day — first time in US history a new app store account in any state requires identity verification before downloading apps. Utah SB 142, Louisiana app store law also added. Alabama description corrected (Utah was actually first, not Alabama).

May 28, 2026 — Initial publication. Tracker launched covering federal bills, 22 state comprehensive laws, biometric laws, health data laws, data broker laws, children’s privacy laws, AI/automated decision-making laws, pending state bills, breach notification laws, and international laws.

Sources: IAPP US State & Federal Privacy Legislation Trackers · Troutman Pepper Privacy + Cyber + AI weekly state updates (Jan–May 2026) · DLA Piper Privacy Matters · Hunton Privacy Blog · WilmerHale Privacy Blog · Lexology · MultiState.us · Congress.gov · Termageddon Coverage Page · Secure Privacy · Last updated May 28, 2026.

Privacy legislation moves fast. Several bills tracked here are in active state sessions closing May–June 2026. Verify current status with primary sources before relying on any specific bill for compliance purposes.

Connect on Social Media

Shopping cart0
There are no products in the cart!
Continue shopping