US Privacy Bill Tracker: Every Federal & State Law (2026)

The United States has no comprehensive federal data privacy law — and depending on who you ask, that may be more feature than bug. While privacy advocates frame the absence as a failure, others see federal “privacy” legislation as government standardizing its own access to your data, locking in surveillance infrastructure under the banner of consumer protection, and preempting stronger state laws that actually have teeth.

What follows is a complete tracker of every significant privacy law and bill at the federal and state level — enacted laws, sectoral laws covering health, biometrics, children, and data brokers, and everything pending right now. Read the details carefully. Not every bill called a “privacy” law is designed to protect yours.

Status key: ✅ Enacted & in effect  |  🔵 Enacted — future effective date  |  🟡 Pending / in progress  |  🔴 Stalled or failed  |  ⚫ Session closed without passing


Federal Privacy Bill Tracker: Legislation & Status

Comprehensive Consumer Privacy Bills

🟡 SECURE Data Act (HR 8413) — Pending, House Committee

House Republicans’ big federal privacy push, introduced April 2026. The goal is to replace every state privacy law with one federal standard — which sounds clean until you realize it would wipe out stronger state laws that actually have enforcement teeth. Gives you the right to see, fix, delete, and download your data, and lets you opt out of your data being sold or used for targeted ads. Companies would need parental consent before collecting data on anyone under 16. The FTC and state AGs would enforce it, but you can’t sue companies yourself.
HR 8413 · House Energy & Commerce Committee · Introduced Apr 22, 2026

🟡 Online Privacy Act of 2026 (HR 8014) — Pending, House Committee

A Democratic proposal that would create an entirely new federal agency — the Digital Privacy Agency — dedicated solely to enforcing your data rights. Goes after “behavioral personalization,” which is the technical term for platforms using algorithms to build a profile on you and manipulate what you see. Still sitting in committee with little momentum.
HR 8014 · Mar 2026 · Rep. Lofgren

🟡 Consumer Data Privacy and Security Act of 2026 (S 4211) — Pending, Senate Committee

A Senate bill that gives you the right to know what data companies have on you, fix it if it’s wrong, and delete it. Also requires companies to actually secure your data and hold their vendors to the same standards. FTC enforces it. If the feds open a case against a company, states have to stand down — which is a red flag for anyone who thinks state enforcement is more reliable.
S 4211 · Mar 25, 2026 · Sen. Moran · Senate Commerce Committee

🔴 American Privacy Rights Act (APRA) — Failed, 118th Congress

A bipartisan bill that got further than most — it cleared committee in 2024 — but never made it to a floor vote. Killed by fights over whether it would override California’s tougher privacy law and whether regular people should be able to sue companies directly. Congress changed hands after the 2024 election and the whole thing reset from scratch.

🔴 American Data Privacy and Protection Act (ADPPA) — Failed, 117th Congress

The first comprehensive federal privacy bill to actually clear a full committee — passed unanimously in 2022. Then it died. California didn’t want its stronger state law wiped out, and neither Republicans nor Democrats could agree on whether individuals should have the right to sue. It never got a floor vote.

Children’s Privacy & Online Safety — Federal

TAKE IT DOWN Act — Signed into Law, May 2025

The only new federal privacy law passed in 2025. Makes it a crime to post or threaten to post intimate images of someone without their consent — including AI-generated fake images (deepfakes). Platforms have 48 hours to take down flagged content once someone reports it.
Signed May 2025

COPPA Rule Amendments (FTC Final Rule) — In Effect

An update to the 1998 children’s privacy law. Tightens the rules on what companies can collect from kids under 13 and gives parents more control over how that data gets used and shared. Companies had until April 2026 to fully comply.
Effective Jun 23, 2025 · Full compliance deadline Apr 22, 2026

🟡 Kids Online Safety Act (KOSA) — Pending, House Full Committee

Been bouncing around Congress since 2022. The Senate passed it 91–3 in 2024 — that’s about as bipartisan as it gets. The House version waters it down considerably: where the Senate said platforms have a legal “duty of care” to protect kids, the House version just says platforms need “reasonable policies.” Passed a House subcommittee in December 2025, but the Senate and House versions are still far apart.
House subcommittee advanced Dec 11, 2025 · 119th Congress active

🟡 COPPA 2.0 — Pending

Extends the existing children’s online privacy law to cover teens up to age 17, not just kids under 13. Would restrict how platforms collect and use teen data and limit targeted advertising aimed at minors. Passed the Senate as part of a package in 2024 but stalled in the House. A revised version is moving again as of late 2025.
Senate passed Jul 2024 · House subcommittee advanced Dec 2025

🟡 Don’t Sell Kids’ Data Act of 2025 (HR 6292) — Pending

Specifically targets data brokers — companies that buy and sell your information as a business. Would make it illegal for them to collect, use, or sell data on anyone under 18. If a data broker has a minor’s data, they have 10 days to delete it after a request.
HR 6292 · Dec 2, 2025 · House Energy & Commerce

🟡 App Store Accountability Act — Pending

Would require Apple and Google to verify a user’s age before letting minors download apps or make in-app purchases — putting the responsibility on the app store rather than individual apps. Part of a package of 18 kids’ safety bills that cleared a House subcommittee in December 2025.
House subcommittee advanced Dec 11, 2025 · Full committee pending

🟡 Minor Social Media Account Prohibition — Pending

Would ban social media platforms from letting anyone under 16 create an account. Platforms would have to identify and shut down existing minor accounts within six months. Faces serious First Amendment legal challenges — courts have been skeptical of these blanket age bans. Part of the December 2025 package.
House subcommittee advanced Dec 11, 2025 · Full committee pending

Data Brokers — Federal

🟡 DELETE Act — Pending

Right now if you want data brokers to delete your information, you have to contact each one individually — and there are hundreds of them. This bill would force the FTC to build a single website where you submit one request and every registered data broker has to honor it. Also creates a permanent “do not track” list so they can’t collect your data going forward. Bipartisan bill reintroduced in 2025.
Reintroduced Apr 3, 2025 · Senate Commerce Committee

Government Privacy — Federal

🟡 Privacy Act Modernization Act of 2025 (S 1208) — Pending

Updates the 1974 law governing how the federal government handles your personal data. Currently only protects US citizens and green card holders — this expands it to everyone physically in the country. Limits what agencies can do with your data and stiffens the criminal penalties for misuse. One notable provision: it kicks in immediately for the Department of Government Efficiency (DOGE) and similar temporary government operations, rather than waiting the usual two years.
S 1208 · 119th Congress · Senate · Active

Existing Federal Sectoral Privacy Laws — In Effect

Law | What It Covers | Who Enforces
HIPAA (1996) | Controls how doctors, hospitals, and insurance companies handle your medical records. They have to keep your health data private, secure it properly, and tell you if there’s a breach. Critically — it does NOT cover health apps, fitness trackers, or any company that isn’t a traditional healthcare provider. That’s a massive gap. | HHS Office for Civil Rights
COPPA (1998) | Websites and apps can’t collect personal information from kids under 13 without a parent’s permission. If a site knows it’s talking to a child, it has to get parental consent first. Updated by the FTC in 2025 with stricter rules. | FTC
GLBA (1999) | Banks and financial institutions have to tell you what data they collect and share, and give you a way to opt out of some of it. Also requires them to have real security programs protecting your financial data. Weak by modern standards but still the baseline for the finance industry. | FTC and financial regulators
FCRA (1970) | Governs credit reports, background checks, and tenant screening. You have the right to see what’s in your file, dispute errors, and know when it’s being used against you. One of the few federal privacy laws with real teeth for individuals. | FTC and CFPB
FERPA (1974) | Schools can’t share your kid’s education records without your permission. Parents can see their child’s records and challenge anything that’s wrong. Once a student turns 18, those rights transfer to them. Applies to any school that gets federal funding — so basically all of them. | US Dept. of Education
VPPA (1988) | Video services can’t share your viewing history without your consent. Passed in 1988 after a reporter published Supreme Court nominee Robert Bork’s video rental records. Has become surprisingly relevant again as streaming platforms and news sites embed Facebook/Google trackers that share what videos you watch. | Private right of action — you can sue
ECPA (1986) | Requires law enforcement to get a warrant before accessing your private electronic communications and stored data. Written in 1986 when email barely existed — widely considered dangerously outdated for the modern digital world. Reform efforts have been going nowhere for years. | DOJ / Courts

State Privacy Bill Tracker: Comprehensive Laws (Enacted)

As of May 2026, 23 states have enacted comprehensive consumer privacy laws. Two more (Louisiana awaiting the Governor’s signature) would bring that to 24. Most of these laws look similar on paper — they give you the right to see, correct, delete, and download your data, and to opt out of your data being sold. The real differences are in how aggressive the enforcement is, whether you can sue companies yourself, and how many businesses the law actually covers.

Currently In Effect

State & Law | Plain English Summary | Effective Date
California: CCPA / CPRA | The strongest state privacy law in the country. California has its own dedicated privacy enforcement agency (CPPA) that can go after companies independently. Covers not just consumers but also employees and job applicants. Includes rules on automated decision-making, data brokers, and sensitive data. Sets the standard everything else gets compared to. | CCPA: Jan 1, 2020; CPRA: Jan 1, 2023
Virginia: Consumer Data Protection Act (VCDPA) | The template most other states copied. Basic consumer rights to access, fix, delete, and opt out of data sales. Only the Attorney General can enforce it — you can’t sue a company yourself. Applies to businesses that handle data on 100,000+ Virginians, or 25,000+ if selling data is a major revenue source. | Jan 1, 2023
Colorado: Colorado Privacy Act (CPA) | Similar to Virginia but with a notable addition: companies must honor the Global Privacy Control signal — a browser setting that automatically tells sites not to sell your data. One of a handful of states requiring this. AG enforces it; same 100,000 consumer threshold as Virginia. | Jul 1, 2023
Connecticut: Data Privacy Act (CTDPA) | Closely follows Virginia and Colorado. Also requires honoring the Global Privacy Control signal. Updated in 2025 to expand what counts as “sensitive” data. A new 2026 bill (SB 4) would add data broker registration rules similar to California’s. | Jul 1, 2023
Utah: Consumer Privacy Act (UCPA) | The most business-friendly of the first batch of state laws. Does not require honoring browser opt-out signals. No requirement for companies to conduct privacy risk assessments. Applies only to businesses making $25M+ per year. Light on obligations, light on enforcement. | Dec 31, 2023
Texas: Data Privacy and Security Act (TDPSA) | Unusually broad — applies to any business operating in Texas or targeting Texas consumers, with no minimum revenue requirement. The Texas AG has shown it means business: secured a $1.4B+ settlement against a major tech company in 2025. Small businesses mostly exempt. | Jul 1, 2024
Florida: Digital Bill of Rights (FDBR) | Narrowly written to only hit the very biggest tech companies — those making over $1 billion a year with most of that from online ads. In practice, this means only a handful of companies like Google, Meta, and Amazon are affected. Everyone else is exempt. | Jul 1, 2024
Montana: Consumer Data Privacy Act (MCDPA) | Virginia-style law adjusted for Montana’s smaller population — kicks in at 50,000 consumers instead of 100,000. Standard consumer rights to access, fix, delete, and opt out. 60-day window for companies to fix violations before being fined. | Oct 1, 2024
Oregon: Consumer Privacy Act (OCPA) | Covers more people than most states — includes employees and job applicants, not just customers. Oregon’s AG has been active: published a detailed report on enforcement actions in 2025. Nonprofit organizations were added to coverage in July 2025. | Jul 1, 2024
Delaware: Personal Data Privacy Act (DPDPA) | Standard Virginia-model law with lower thresholds for a smaller state — covers businesses handling data on 35,000+ Delaware residents. A 2026 bill (HB 380) would significantly expand it; currently advancing through the legislature. | Jan 1, 2025
Iowa: Consumer Data Protection Act (ICDPA) | One of the weakest state privacy laws on the books. Notably, it does not give you the right to delete or correct data that a company got from a third party — only data they collected directly from you. Very business-friendly; privacy advocates consider it mostly symbolic. | Jan 1, 2025
New Hampshire: Privacy Act (NHPA) | Virginia-style law scaled to New Hampshire’s population. Covers businesses handling data on 35,000+ residents. 60-day cure period. A 2026 bill (HB 1687) is advancing to update it. | Jan 1, 2025
New Jersey: Data Privacy Act (NJDPA) | Follows Virginia with some Connecticut-style additions. Covers businesses handling data on 100,000+ New Jersey residents. A 2026 bill is working through the legislature to add a ban on selling sensitive personal data. | Jan 15, 2025
Nebraska: Data Privacy Act (NDPA) | Standard Virginia-model law. Covers businesses handling data on 100,000+ Nebraskans, or 25,000+ if at least a quarter of their revenue comes from selling data. | Jan 1, 2025
Tennessee: Information Protection Act (TIPA) | Business-friendly law with one unique requirement: companies must align their security practices with recognized frameworks like NIST. Applies only to businesses making $25M+ per year with 175,000+ Tennessee customers. AG enforcement only. | Jul 1, 2025
Maryland: Online Data Privacy Act (MODPA) | One of the toughest state laws passed so far. Companies can only collect data they actually need for the specific reason they stated — no hoarding for future use. Applies to businesses handling data on 35,000+ Maryland residents. Considered a significant step up from the Virginia template. | Oct 1, 2025
Minnesota: Consumer Data Privacy Act (MCDPA) | Stronger than most Virginia-copy laws. You can request a list of every third party your data was shared with — that’s rare. Also requires honoring browser opt-out signals and has broader biometric data definitions (includes data pulled from photos and videos). Covers businesses handling data on 100,000+ Minnesotans. | Jul 31, 2025
Indiana: Consumer Data Protection Act (INCDPA) | A close copy of Virginia’s law. Business-friendly with a short 30-day window for companies to fix violations before facing fines. Covers businesses handling data on 100,000+ Indiana residents. | Jan 1, 2026
Kentucky: Consumer Data Protection Act (KCDPA) | Essentially the same as Virginia’s law. AG enforces it, no personal lawsuits allowed. A 2026 update (HB 692) made Kentucky the first state to specifically classify smart TV automatic content recognition — the technology that watches what you watch — as sensitive data requiring protection. | Jan 1, 2026
Rhode Island: Data Transparency & Privacy Protection Act (RIDTPPA) | Virginia-style law with one standout difference: no grace period. Most state laws give companies 30–60 days to fix violations before being fined. Rhode Island doesn’t. Get caught, get fined immediately. Covers businesses handling data on 35,000+ Rhode Island residents. | Jan 1, 2026

Enacted — Effective 2027

State & Law | Plain English Summary | Effective Date
🔵 Oklahoma: Consumer Data Privacy Act — SB 546 | Oklahoma tried and failed to pass a privacy law for nearly a decade. Signed in March 2026. Business-friendly version that mirrors Virginia and Texas — companies get a chance to fix violations before being fined. Covers businesses handling data on 100,000+ Oklahomans, or 25,000+ if selling data is a major revenue source. | Jan 1, 2027
🔵 Alabama: Personal Data Protection Act — HB 351 | Passed both chambers without a single no vote (104-0 in the House, 34-0 in the Senate). Signed in April 2026. Has one of the lowest coverage thresholds in the country — applies to any company with data on more than 25,000 Alabamians, or any company that makes more than 25% of its money selling data regardless of how many people it affects. AG enforces it with fines up to $15,000 per violation. No private lawsuits allowed. | May 1, 2027
🔵 Louisiana: Louisiana Data Privacy Act — SB 386 | Passed the Louisiana legislature unanimously in May 2026, awaiting the Governor’s signature. Based on Texas’s approach but adds a revenue trigger: companies making over $25 million a year are automatically covered, regardless of how many Louisiana customers they have. Requires consent before processing sensitive data. | Jan 1, 2027 (if signed)

State Laws — Sectoral & Specialized (Enacted)

Biometric Privacy Laws

State & Law | Plain English Summary | Status
Illinois: Biometric Information Privacy Act (BIPA) | The most powerful privacy law in the US for individual lawsuits. If a company scans your fingerprint, face, or iris without written consent, you can sue them directly — $1,000 per accident, $5,000 if they did it on purpose. Meta paid $650M, TikTok paid $92M, BNSF Railway paid $228M. Companies are terrified of this law. Illinois softened it slightly in 2024 after the potential exposure became enormous, but it still has teeth no other law matches. | ✅ Enacted 2008, amended 2024. Actively enforced.
Texas: Capture or Use of Biometric Identifier (CUBI) | Companies must tell you and get your consent before capturing your biometrics for commercial purposes. Can’t sell your biometric data without permission. Only the AG can enforce it — you can’t sue on your own. Texas AG has brought enforcement actions. | ✅ Enacted 2009. Actively enforced by AG.
Washington: Biometric Identifiers (RCW 19.375) | Requires consent before enrolling your biometric data in a commercial database. No selling or sharing without permission. No private lawsuits — only state enforcement. | ✅ Enacted 2017.
Arkansas: Biometric Data Privacy Act | Written consent required before collecting your biometric data. Restricts how it’s used, stored, and shared. AG enforcement only. | ✅ Enacted 2023.
Montana: Biometric Information Privacy Act | Modeled on Illinois BIPA but without the private right to sue. Written notice and consent required before collecting biometrics. | ✅ Effective Oct 1, 2024.
Colorado: Biometric Privacy Amendments | 2024 update to Colorado’s privacy law that extended biometric protections to more types of businesses and added protections for employee biometric data — not just customer data. | ✅ Effective 2024.

Consumer Health Data Laws

Washington — My Health My Data Act (MHMDA)

This one gets called “BIPA 2.0” for a reason. It covers health data that HIPAA misses entirely — your fitness tracker, your period app, your mental health app, any website that detects you’re near a healthcare facility. If a company processes health-related data about Washington residents and they’re not a traditional healthcare provider, this law applies to them. You can sue companies directly for violations, which is rare and makes this law genuinely feared by tech companies. First class-action lawsuit was filed in 2025.
Effective Mar 31, 2024 · Private right of action

Nevada — Consumer Health Data Privacy Law

Similar to Washington’s law — covers health data that falls through HIPAA’s cracks, like apps and wellness platforms. Requires consent before collecting or sharing your health data. Unlike Washington, you can’t sue companies yourself here — only state enforcement. No public enforcement actions have happened yet as of 2025.
Effective Mar 31, 2024

✅ Connecticut — Health and Online Safety Provisions

Added health data protections and children’s online safety rules on top of Connecticut’s existing privacy law.
Effective Oct 1, 2023

California — Consumer Health Data Privacy Law (AB 45)

Specifically protects data collected from people at or near reproductive health clinics and family planning centers. Passed after the Dobbs decision raised real concerns about location data being used to identify and prosecute people seeking certain medical services.
Effective Jan 1, 2026

Nevada Online Privacy Law

Nevada — Revised Statutes Chapter 603A

Nevada’s older, separate online privacy law that predates the wave of comprehensive state laws. Gives you the right to tell websites not to sell your personal information and requires them to respond within 60 days. Narrower than a full privacy law but still applies to any business with Nevada customers.
Enacted 2017, expanded 2019 and 2023

Data Broker Registration Laws

California — Delete Act (SB 362)

Data brokers — companies whose entire business is buying and selling your personal information — are required to register with California’s privacy agency. The bigger deal: California is building a single website where you can opt out of every registered data broker at once, instead of hunting them down individually. That portal goes live August 1, 2026. A pending 2026 bill would tighten how often brokers have to check and honor those requests.
Enacted 2023 · Deletion portal launches Aug 1, 2026

Vermont — Data Broker Law (Act 171)

The first data broker registration law in the US, passed in 2018. Data brokers have to register annually with the state and disclose what they collect and who they sell it to. Doesn’t give you a way to opt out, but at least makes the industry visible. A 2026 bill is adding more requirements.
Enacted 2018 · In effect

Texas — Data Broker Registration (HB 4)

Data brokers operating in Texas must register with the AG and give Texans a way to opt out of having their data collected, shared, and sold. Part of the same 2023 package as Texas’s comprehensive privacy law.
Effective Sept 1, 2023

✅ Oregon — Data Broker Registration

Requires data brokers to register with Oregon’s AG and disclose their data practices. Part of Oregon’s broader privacy law package.
Effective 2024

Children’s Privacy — State Laws

Alabama — App Store Accountability Act

The first state law specifically requiring app stores (Apple, Google) to verify a user’s age and get parental consent before anyone under 18 can download an app. Passed in early 2026, separate from Alabama’s main privacy law.
Enacted early 2026

✅ Minnesota — Social Media Warning Labels Law

Social media platforms must display mental health warning labels to their users — similar to the warnings on cigarette packs. First such state law to actually take effect.
Effective Jul 1, 2026

🔵 California — Social Media Warning Labels (AB 3216)

California’s version of the same warning label requirement. Takes effect at the start of 2027.
Effective Jan 1, 2027

🔴 Colorado — Social Media Warning Labels — Blocked by Court

Colorado passed a similar warning label law but a federal court put it on hold in November 2025. Legal fight ongoing — outcome uncertain.
Enacted 2025 · Temporarily blocked Nov 2025

🟡 California — Age-Appropriate Design Code Act (CAADCA) — Litigation Pending

Requires any online service that kids might use to design with children’s best interests in mind — no dark patterns, privacy on by default, no profiling of minors. Courts initially blocked it, but the Supreme Court’s 2025 ruling upholding age verification laws in Texas may change the legal picture.
Signed 2022 · Enforcement paused by litigation

Automated Decision-Making & AI Privacy

California — Automated Decision-Making Rules (CPPA)

When a company uses an algorithm to make a significant decision about you — whether you get a loan, see a job posting, or get flagged for review — California now requires them to tell you that’s happening and give you the right to opt out. Also requires annual security audits. California’s privacy agency finalized these rules in 2025 and they’re considered the most far-reaching AI privacy rules in the US.
CPPA rules finalized 2025

Texas — Responsible AI Governance Act (TX HB 149)

Applies Texas’s existing privacy rules to data used by AI systems. Also clarifies when companies need your consent before using your biometrics to train AI models.
Effective Jan 1, 2026

🟡 Colorado — AI Act — Repeal & Replace Advancing

Colorado was the first state to pass a comprehensive AI law in 2024. Then the legislature passed a bill in May 2026 to replace it with a revised version that adjusts liability rules and who the law actually applies to. Awaiting the Governor’s signature — the original law was supposed to kick in February 2026, making this timeline complicated.
Replacement bill passed legislature May 2026 · Awaiting signature


State Bills — Pending or Recently Failed (2026)

State & Bill | What It Would Do | Status
Connecticut — SB 4 | Updates Connecticut’s privacy law and adds a California-style data broker registration system so residents can see who’s selling their data. | 🟡 Passed legislature May 2026 · Awaiting Governor
Delaware — HB 380 | Would significantly strengthen Delaware’s existing privacy law. Specifics still being worked out in the legislature. | 🟡 Passed House committee Apr 2026 · Floor vote pending
New York — Multiple bills | Several bills moving at once: a comprehensive privacy law, health data protections, and an AI transparency bill (requiring companies to disclose what data they used to train AI) that already passed the Assembly. Legislature closes early June 2026. | 🟡 Multiple bills advancing · Legislature closes Jun 2026
New Jersey — S 2316 / S 4109 | Would add a hard ban on selling sensitive personal data under New Jersey’s existing privacy law. | 🟡 Senate Appropriations Committee
New Hampshire — HB 1687 | Updates and strengthens New Hampshire’s existing privacy law. | 🟡 Advancing 2026
Minnesota — HF 2700 | Adds health data protections to Minnesota’s existing privacy law — covering the health apps and wellness platforms that fall outside HIPAA. | 🟡 Advancing
California — AB 2246 | Would ban social media platforms from allowing anyone under 16 to create or keep an account. | 🟡 Passed Assembly Judiciary Committee · Advancing
California — SB 1106 | Tightens the Delete Act — data brokers would have to check the opt-out deletion list every 30 days instead of every 45 days. | 🟡 Passed Senate · In Assembly
Colorado — SB 51 | Would require phones and computers sold in Colorado to have age verification built in at the device level — not just in apps or browsers. | 🟡 Referred to House floor
Vermont — S 71 | Adds more teeth to Vermont’s existing data broker registration law. | 🟡 Passed House committee May 2026
South Carolina — S 896 | Comprehensive consumer privacy bill that would give South Carolinians data rights for the first time. | 🟡 Passed committee May 2026
Hawaii — SB 3001 | Addresses chatbot disclosures and geolocation data protections. Passed the legislature before it closed for the session. | 🟡 Passed legislature May 2026 · Awaiting Governor
Iowa — SF 2417 | Requires AI chatbots to disclose that they’re not human when asked. | ✅ Signed into law May 2026
Louisiana — HB 977 | Replaces Louisiana’s previous app store law with updated age verification and parental consent requirements. | ✅ Signed into law May 2026
Illinois — SB 315 and others | SB 315 would create an AI Safety Measures Act. Several other privacy and AI bills are moving through the legislature simultaneously. | 🟡 Multiple bills advancing May 2026
Maine — LD 1822 | A comprehensive privacy bill that passed the Senate narrowly but then died on the House floor in April 2026 when five Democrats who had previously supported it switched their votes. Maine’s business community ran a hard campaign against it. The legislature closed April 15 — it’s dead for this session. | ⚫ Failed Apr 2026 · Session closed
Georgia | No comprehensive privacy bill passed this session. | ⚫ Session closed 2026
South Dakota | No comprehensive privacy bill passed this session. | ⚫ Session closed 2026

Data Breach Notification Laws

✅ All 50 States + DC, Puerto Rico, Guam, and the US Virgin Islands

Every state in the country has a law requiring companies to tell you when your personal data has been exposed in a breach. This is the one area of privacy law where there’s universal agreement — though the details vary considerably. California requires notification within 72 hours for certain breaches. New York says “as soon as possible.” Most states give companies 30–90 days. Several require companies to notify the state AG in addition to the affected individuals. If you’ve ever gotten a “we take your privacy seriously” letter in the mail, this is why.


International Privacy Laws Affecting US Businesses

Law | Region | What It Means For You
GDPR (General Data Protection Regulation) | European Union | The most comprehensive privacy law in the world. If your website has European visitors, this applies to you — regardless of where your business is. Maximum fines are 4% of your global revenue or €20 million, whichever is larger. Gives EU residents the right to access, correct, delete, and move their data. Requires breach notification within 72 hours. The standard every other privacy law gets compared to.
ePrivacy Directive (“Cookie Law”) | European Union | The reason every website on the internet has a cookie consent popup. EU law requires genuine opt-in consent before placing tracking or advertising cookies on someone’s device. “Continuing to browse means you accept” does not count as consent. A replacement regulation is stuck in EU legislative limbo as of 2026.
UK GDPR + Data Protection Act 2018 | United Kingdom | After Brexit, the UK kept its own version of GDPR rather than staying under EU rules. Works essentially the same way for UK residents. Enforced by the Information Commissioner’s Office (ICO).
PIPEDA | Canada (Federal) | Canada’s national privacy law for businesses. Requires consent for collecting, using, or sharing personal information commercially. If you have Canadian customers, this applies to you.
Quebec Law 25 (Bill 64) | Canada (Quebec) | Canada’s toughest privacy law and the closest thing Canada has to GDPR. Requires privacy impact assessments, breach notification, and gives Quebec residents the right to have their data deleted or moved. Any business with Quebec customers needs to be aware of this.
Privacy Act 1988 (amended) | Australia | Australia’s foundational privacy law. Governs how businesses and government agencies handle personal information through a set of Australian Privacy Principles. Undergoing significant reform through a 2024 amendment package.

For privacy tools, de-Googled phones, and practical steps to protect your data today, visit the MARK37 Resources page or schedule a free consultation.

Sources: IAPP US State & Federal Privacy Legislation Trackers · Troutman Pepper Privacy + Cyber + AI weekly state updates (Jan–May 2026) · DLA Piper Privacy Matters · Hunton Privacy Blog · WilmerHale Privacy Blog · Lexology · MultiState.us · Congress.gov · Termageddon Coverage Page · Secure Privacy · Last updated May 28, 2026.

Privacy legislation moves fast. Several bills tracked here are in active state sessions closing May–June 2026. Verify current status with primary sources before relying on any specific bill for compliance purposes.
