US Privacy Bill Tracker: Every Federal & State Law (2026)

The United States has no comprehensive federal data privacy law — and depending on who you ask, that may be more feature than bug. While privacy advocates frame the absence as a failure, others see federal “privacy” legislation as government standardizing its own access to your data, locking in surveillance infrastructure under the banner of consumer protection, and preempting stronger state laws that actually have teeth.

What follows is a complete tracker of every significant privacy law and bill at the federal and state level — enacted laws, sectoral laws covering health, biometrics, children, and data brokers, and everything pending right now. Read the details carefully. Not every bill called a “privacy” law is designed to protect yours.

Last Updated: June 10, 2026

Status key: ✅ Enacted & in effect  |  🔵 Enacted — future effective date  |  🟡 Pending / in progress  |  🔴 Stalled or failed  |  ⚫ Session closed without passing


Federal Privacy Bill Tracker: Legislation & Status

Comprehensive Consumer Privacy Bills

🟡 SECURE Data Act (HR 8413) — Pending, House Committee

House Republicans’ big federal privacy push, introduced April 2026. The goal is to replace every state privacy law with one federal standard — which sounds clean until you realize it would wipe out stronger state laws that actually have enforcement teeth. Gives you the right to see, fix, delete, and download your data, and lets you opt out of your data being sold or used for targeted ads. Companies would need parental consent before collecting data on anyone under 16. The FTC and state AGs would enforce it, but you can’t sue companies yourself.
HR 8413 · House Energy & Commerce Committee · Introduced Apr 22, 2026 · Subcommittee hearing held Jun 3, 2026

UPDATE Jun 2026: The House Subcommittee on Commerce, Manufacturing, and Trade held a formal hearing on HR 8413 on June 3, 2026 — the first significant movement since introduction. The same week, a bipartisan coalition of state attorneys general from 44 states sent a letter to Congressional leadership opposing the bill’s preemption provisions, arguing federal law must set a floor, not a ceiling. A companion bill was also introduced: the GUARD Financial Data Act (HR 8398), which would update the Gramm-Leach-Bliley Act’s financial privacy rules alongside SECURE Data Act passage.

🟡 Online Privacy Act of 2026 (HR 8014) — Pending, House Committee

A Democratic proposal that would create an entirely new federal agency — the Digital Privacy Agency — dedicated solely to enforcing your data rights. Goes after “behavioral personalization,” which is the technical term for platforms using algorithms to build a profile on you and manipulate what you see. Still sitting in committee with little momentum.
HR 8014 · Mar 2026 · Rep. Lofgren

🟡 Consumer Data Privacy and Security Act of 2026 (S 4211) — Pending, Senate Committee

A Senate bill that gives you the right to know what data companies have on you, fix it if it’s wrong, and delete it. Also requires companies to actually secure your data and hold their vendors to the same standards. FTC enforces it. If the feds open a case against a company, states have to stand down — which is a red flag for anyone who thinks state enforcement is more reliable.
S 4211 · Mar 25, 2026 · Sen. Moran · Senate Commerce Committee

🔴 American Privacy Rights Act (APRA) — Failed, 118th Congress

A bipartisan bill that got further than most — it cleared committee in 2024 — but never made it to a floor vote. Killed by fights over whether it would override California’s tougher privacy law and whether regular people should be able to sue companies directly. Congress changed hands after the 2024 election and the whole thing reset from scratch.

🔴 American Data Privacy and Protection Act (ADPPA) — Failed, 117th Congress

The first comprehensive federal privacy bill to actually clear a full committee — passed unanimously in 2022. Then it died. California didn’t want its stronger state law wiped out, and neither Republicans nor Democrats could agree on whether individuals should have the right to sue. It never got a floor vote.

Children’s Privacy & Online Safety — Federal

TAKE IT DOWN Act — Signed into Law, May 2025

The only new federal privacy law passed in 2025. Makes it a crime to post or threaten to post intimate images of someone without their consent — including AI-generated fake images (deepfakes). Platforms have 48 hours to take down flagged content once someone reports it. Platforms had until May 19, 2026 to build and implement their removal systems — that deadline has now passed, meaning full enforcement is in effect.
Signed May 19, 2025 · Platform removal procedure compliance deadline: May 19, 2026 (now passed)

COPPA Rule Amendments (FTC Final Rule) — In Effect

An update to the 1998 children’s privacy law. Tightens the rules on what companies can collect from kids under 13 and gives parents more control over how that data gets used and shared. Companies had until April 2026 to fully comply.
Effective Jun 23, 2025 · Full compliance deadline Apr 22, 2026

🟡 Kids Online Safety Act (KOSA) — Pending, House Full Committee

Been bouncing around Congress since 2022. The Senate passed it 91–3 in 2024 — that’s about as bipartisan as it gets. The House version waters it down considerably: where the Senate said platforms have a legal “duty of care” to protect kids, the House version just says platforms need “reasonable policies.” Passed a House subcommittee in December 2025, but the Senate and House versions are still far apart.
House subcommittee advanced Dec 11, 2025 · 119th Congress active

🟡 COPPA 2.0 — Pending

Extends the existing children’s online privacy law to cover teens up to age 17, not just kids under 13. Would restrict how platforms collect and use teen data and limit targeted advertising aimed at minors. Passed the Senate as part of a package in 2024 but stalled in the House. A revised version is moving again as of late 2025.
Senate passed Jul 2024 · House subcommittee advanced Dec 2025

🟡 Don’t Sell Kids’ Data Act of 2025 (HR 6292) — Pending

Specifically targets data brokers — companies that buy and sell your information as a business. Would make it illegal for them to collect, use, or sell data on anyone under 18. If a data broker has a minor’s data, they have 10 days to delete it after a request.
HR 6292 · Dec 2, 2025 · House Energy & Commerce

🟡 KIDS Act — Kids Internet and Digital Safety Act (HR 7757) — Passed Full Committee, Pending House Floor

A sweeping omnibus children’s online safety package introduced by Chairman Brett Guthrie. Passed the full House Energy and Commerce Committee on March 6, 2026 — a significant step beyond the 18 bills that cleared subcommittee in December 2025. Consolidates multiple children’s safety bills including the AWARE Act (AI warnings for children) and SAFEBOTs Act (safeguards against AI chatbots exploiting children). Opposed by a bipartisan coalition of 44 state attorneys general who filed a letter on May 26, 2026 arguing it would preempt their ability to enforce state-level child online safety laws. Pending House floor vote.
HR 7757 · Passed House Energy & Commerce Committee Mar 6, 2026 · Pending House floor vote

🟡 App Store Accountability Act — Pending

Would require Apple and Google to verify a user’s age before letting minors download apps or make in-app purchases — putting the responsibility on the app store rather than individual apps. Part of a package of 18 kids’ safety bills that cleared a House subcommittee in December 2025.
House subcommittee advanced Dec 11, 2025 · Full committee pending

🟡 Minor Social Media Account Prohibition — Pending

Would ban social media platforms from letting anyone under 16 create an account. Platforms would have to identify and shut down existing minor accounts within six months. Faces serious First Amendment legal challenges — courts have been skeptical of these blanket age bans. Part of the December 2025 package.
House subcommittee advanced Dec 11, 2025 · Full committee pending

Financial Privacy — Federal

🟡 GUARD Financial Data Act (HR 8398) — Pending, House Committee

Introduced alongside the SECURE Data Act on April 22, 2026 by the House Financial Services Committee. Would update the 1999 Gramm-Leach-Bliley Act (GLBA) — the foundational financial privacy law — to modernize how banks, insurance companies, and financial service firms handle your nonpublic personal information. Designed to work in tandem with the SECURE Data Act: together they would create a unified federal privacy framework covering both general consumer data and financial data specifically. Currently in committee; faces the same opposition as the SECURE Data Act from state AGs and privacy advocates concerned about preemption.
HR 8398 · Introduced Apr 22, 2026 · House Financial Services Committee

Data Brokers — Federal

🟡 DELETE Act — Pending

Right now if you want data brokers to delete your information, you have to contact each one individually — and there are hundreds of them. This bill would force the FTC to build a single website where you submit one request and every registered data broker has to honor it. Also creates a permanent “do not track” list so they can’t collect your data going forward. Bipartisan bill reintroduced in 2025.
Reintroduced Apr 3, 2025 · Senate Commerce Committee

Federal AI Legislation — Privacy Implications

🟡 American Leadership in AI Act (HR 8516) — Pending

Introduced April 27, 2026 by Reps. Ted Lieu (D-CA) and Jay Obernolte (R-CA) — bipartisan legislation consolidating over 20 standalone AI proposals from the Bipartisan AI Task Force. Nearly 200 pages covering AI standards, federal AI adoption, workforce impacts, cybersecurity, and R&D funding. Addresses AI-enabled crimes including deepfakes and fraud. Referred to seven House committees. Distinct from the Great American AI Act (see below).
HR 8516 · Introduced Apr 27, 2026 · Multiple committees

🟡 Great American AI Act (GAAIA) — Discussion Draft, Not Yet Formally Introduced

Released as a discussion draft on June 4, 2026 by Reps. Jay Obernolte (R-CA) and Lori Trahan (D-MA). At 269 pages, the most comprehensive federal AI governance framework proposed to date. Key provisions: requires large frontier AI developers (over $500M revenue) to undergo semi-annual third-party audits; establishes disclosure requirements; addresses workforce impacts; and — most controversially — would preempt state AI development laws for three years. That preemption provision would effectively freeze California, New York, and Illinois AI transparency laws during the preemption window. Still a discussion draft soliciting public feedback; not yet formally introduced as a bill. Democratic opposition emerged within hours of release.
Discussion draft released Jun 4, 2026 · Obernolte/Trahan · Not yet formally introduced

🔴 AI Preemption Moratorium (10-year) — Dropped from Final Law

A 10-year moratorium on all state AI laws was inserted into the House version of the “One Big Beautiful Bill” budget reconciliation package (HR 1) and passed the House in a narrow 215-214 party-line vote on May 22, 2025. If enacted, it would have preempted every state AI law nationwide — California, Colorado, New York, Illinois, and 1,000+ pending state AI bills — for a decade. It faced fierce opposition including from some Senate Republicans (Sen. Blackburn argued states couldn’t stop protecting consumers while waiting for Congress to act) and faced a likely Byrd Rule challenge in the Senate. The moratorium was stripped from the bill before final passage. President Trump signed the final One Big Beautiful Bill into law on July 4, 2025 — without the AI moratorium. States remain free to regulate AI. The Great American AI Act (discussion draft, see above) now proposes a narrower 3-year preemption instead.
HR 1 · House passed May 22, 2025 · Stripped before Senate vote · Not enacted

Government Privacy — Federal

🟡 Privacy Act Modernization Act of 2025 (S 1208) — Pending

Updates the 1974 law governing how the federal government handles your personal data. Currently only protects US citizens and green card holders — this expands it to everyone physically in the country. Limits what agencies can do with your data and stiffens the criminal penalties for misuse. One notable provision: it kicks in immediately for the Department of Government Efficiency (DOGE) and similar temporary government operations, rather than waiting the usual two years.
S 1208 · 119th Congress · Senate · Active

Existing Federal Sectoral Privacy Laws — In Effect

| Law | What It Covers | Who Enforces |
| --- | --- | --- |
| HIPAA (1996) | Controls how doctors, hospitals, and insurance companies handle your medical records. They have to keep your health data private, secure it properly, and tell you if there’s a breach. Critically — it does NOT cover health apps, fitness trackers, or any company that isn’t a traditional healthcare provider. That’s a massive gap. | HHS Office for Civil Rights |
| COPPA (1998) | Websites and apps can’t collect personal information from kids under 13 without a parent’s permission. If a site knows it’s talking to a child, it has to get parental consent first. Updated by the FTC in 2025 with stricter rules. | FTC |
| GLBA (1999) | Banks and financial institutions have to tell you what data they collect and share, and give you a way to opt out of some of it. Also requires them to have real security programs protecting your financial data. Weak by modern standards but still the baseline for the finance industry. | FTC and financial regulators |
| FCRA (1970) | Governs credit reports, background checks, and tenant screening. You have the right to see what’s in your file, dispute errors, and know when it’s being used against you. One of the few federal privacy laws with real teeth for individuals. | FTC and CFPB |
| FERPA (1974) | Schools can’t share your kid’s education records without your permission. Parents can see their child’s records and challenge anything that’s wrong. Once a student turns 18, those rights transfer to them. Applies to any school that gets federal funding — so basically all of them. | US Dept. of Education |
| VPPA (1988) | Video services can’t share your viewing history without your consent. Passed in 1988 after a reporter published Supreme Court nominee Robert Bork’s video rental records. Has become surprisingly relevant again as streaming platforms and news sites embed Facebook/Google trackers that share what videos you watch. | Private right of action — you can sue |
| ECPA (1986) | Requires law enforcement to get a warrant before accessing your private electronic communications and stored data. Written in 1986 when email barely existed — widely considered dangerously outdated for the modern digital world. Reform efforts have been going nowhere for years. | DOJ / Courts |

State Privacy Bill Tracker: Comprehensive Laws (Enacted)

As of May 2026, 23 states have enacted comprehensive consumer privacy laws. Two more (Louisiana awaiting the Governor’s signature) would bring that to 24. Most of these laws look similar on paper — they give you the right to see, correct, delete, and download your data, and to opt out of your data being sold. The real differences are in how aggressive the enforcement is, whether you can sue companies yourself, and how many businesses the law actually covers.

Currently In Effect

| State | Law | Plain English Summary | Effective Date |
| --- | --- | --- | --- |
| California | CCPA / CPRA | The strongest state privacy law in the country. California has its own dedicated privacy enforcement agency (CPPA) that can go after companies independently. Covers not just consumers but also employees and job applicants. Includes rules on automated decision-making, data brokers, and sensitive data. Sets the standard everything else gets compared to. | CCPA: Jan 1, 2020; CPRA: Jan 1, 2023 |
| Virginia | Consumer Data Protection Act (VCDPA) | The template most other states copied. Basic consumer rights to access, fix, delete, and opt out of data sales. Only the Attorney General can enforce it — you can’t sue a company yourself. Applies to businesses that handle data on 100,000+ Virginians, or 25,000+ if selling data is a major revenue source. 2026 update: Governor Spanberger signed SB 338 on April 13, 2026, adding a hard ban on the sale of precise geolocation data — effective July 1, 2026. Virginia becomes the third state with this prohibition (after Maryland and Oregon). | Jan 1, 2023 |
| Colorado | Colorado Privacy Act (CPA) | Similar to Virginia but with a notable addition: companies must honor the Global Privacy Control signal — a browser setting that automatically tells sites not to sell your data. One of a handful of states requiring this. AG enforces it; same 100,000 consumer threshold as Virginia. | Jul 1, 2023 |
| Connecticut | Data Privacy Act (CTDPA) | Closely follows Virginia and Colorado. Also requires honoring the Global Privacy Control signal. Updated in 2025 to expand what counts as “sensitive” data. A new 2026 bill (SB 4) would add data broker registration rules similar to California’s. | Jul 1, 2023 |
| Utah | Consumer Privacy Act (UCPA) | The most business-friendly of the first batch of state laws. Does not require honoring browser opt-out signals. No requirement for companies to conduct privacy risk assessments. Applies only to businesses making $25M+ per year. Light on obligations, light on enforcement. | Dec 31, 2023 |
| Texas | Data Privacy and Security Act (TDPSA) | Unusually broad — applies to any business operating in Texas or targeting Texas consumers, with no minimum revenue requirement. The Texas AG has shown it means business: secured a $1.4B settlement against Meta (July 2024, biometric data) and a $1.375B settlement against Google (May 2025, geolocation/biometric data) — the two largest privacy settlements ever obtained by a single state AG. Small businesses mostly exempt. | Jul 1, 2024 |
| Florida | Digital Bill of Rights (FDBR) | Narrowly written to only hit the very biggest tech companies — those making over $1 billion a year with most of that from online ads. In practice, this means only a handful of companies like Google, Meta, and Amazon are affected. Everyone else is exempt. | Jul 1, 2024 |
| Montana | Consumer Data Privacy Act (MCDPA) | Virginia-style law adjusted for Montana’s smaller population — kicks in at 50,000 consumers instead of 100,000. Standard consumer rights to access, fix, delete, and opt out. 60-day window for companies to fix violations before being fined. | Oct 1, 2024 |
| Oregon | Consumer Privacy Act (OCPA) | Covers more people than most states — includes employees and job applicants, not just customers. Oregon’s AG has been active: published a detailed report on enforcement actions in 2025. Nonprofit organizations were added to coverage in July 2025. | Jul 1, 2024 |
| Delaware | Personal Data Privacy Act (DPDPA) | Standard Virginia-model law with lower thresholds for a smaller state — covers businesses handling data on 35,000+ Delaware residents. A 2026 bill (HB 380) would significantly expand it; currently advancing through the legislature. | Jan 1, 2025 |
| Iowa | Consumer Data Protection Act (ICDPA) | One of the weakest state privacy laws on the books. Notably, it does not give you the right to delete or correct data that a company got from a third party — only data they collected directly from you. Very business-friendly; privacy advocates consider it mostly symbolic. | Jan 1, 2025 |
| New Hampshire | Privacy Act (NHPA) | Virginia-style law scaled to New Hampshire’s population. Covers businesses handling data on 35,000+ residents. 60-day cure period. A 2026 bill (HB 1687) is advancing to update it. | Jan 1, 2025 |
| New Jersey | Data Privacy Act (NJDPA) | Follows Virginia with some Connecticut-style additions. Covers businesses handling data on 100,000+ New Jersey residents. A 2026 bill is working through the legislature to add a ban on selling sensitive personal data. | Jan 15, 2025 |
| Nebraska | Data Privacy Act (NDPA) | Standard Virginia-model law. Covers businesses handling data on 100,000+ Nebraskans, or 25,000+ if at least a quarter of their revenue comes from selling data. | Jan 1, 2025 |
| Tennessee | Information Protection Act (TIPA) | Business-friendly law with one unique requirement: companies must align their security practices with recognized frameworks like NIST. Applies only to businesses making $25M+ per year with 175,000+ Tennessee customers. AG enforcement only. | Jul 1, 2025 |
| Maryland | Online Data Privacy Act (MODPA) | One of the toughest state laws passed so far. Companies can only collect data they actually need for the specific reason they stated — no hoarding for future use. Applies to businesses handling data on 35,000+ Maryland residents. Considered a significant step up from the Virginia template. | Oct 1, 2025 |
| Minnesota | Consumer Data Privacy Act (MCDPA) | Stronger than most Virginia-copy laws. You can request a list of every third party your data was shared with — that’s rare. Also requires honoring browser opt-out signals and has broader biometric data definitions (includes data pulled from photos and videos). Covers businesses handling data on 100,000+ Minnesotans. | Jul 31, 2025 |
| Indiana | Consumer Data Protection Act (INCDPA) | A close copy of Virginia’s law. Business-friendly with a short 30-day window for companies to fix violations before facing fines. Covers businesses handling data on 100,000+ Indiana residents. | Jan 1, 2026 |
| Kentucky | Consumer Data Protection Act (KCDPA) | Essentially the same as Virginia’s law. AG enforces it, no personal lawsuits allowed. A 2026 update (HB 692) made Kentucky the first state to specifically classify smart TV automatic content recognition — the technology that watches what you watch — as sensitive data requiring protection. | Jan 1, 2026 |
| Rhode Island | Data Transparency & Privacy Protection Act (RIDTPPA) | Virginia-style law with one standout difference: no grace period. Most state laws give companies 30–60 days to fix violations before being fined. Rhode Island doesn’t. Get caught, get fined immediately. Covers businesses handling data on 35,000+ Rhode Island residents. | Jan 1, 2026 |

Enacted — Effective 2027

| State | Law | Plain English Summary | Effective Date |
| --- | --- | --- | --- |
| 🔵 Oklahoma | Consumer Data Privacy Act — SB 546 | Oklahoma tried and failed to pass a privacy law for nearly a decade. Signed in March 2026. Business-friendly version that mirrors Virginia and Texas — companies get a chance to fix violations before being fined. Covers businesses handling data on 100,000+ Oklahomans, or 25,000+ if selling data is a major revenue source. | Jan 1, 2027 |
| 🔵 Alabama | Personal Data Protection Act — HB 351 | Passed both chambers without a single no vote (104-0 in the House, 34-0 in the Senate). Signed in April 2026. Has one of the lowest coverage thresholds in the country — applies to any company with data on more than 25,000 Alabamians, or any company that makes more than 25% of its money selling data regardless of how many people it affects. AG enforces it with fines up to $15,000 per violation. No private lawsuits allowed. | May 1, 2027 |
| 🔵 Louisiana | Louisiana Data Privacy Act — SB 386 (Act No. 502) | Signed into law by Governor Jeff Landry on May 29, 2026 — making Louisiana the 22nd state with a comprehensive privacy law and the third to enact one in 2026 (following Oklahoma and Alabama). Largely tracks Texas’s TDPSA framework but with a freestanding $25M annual revenue threshold as an alternative applicability trigger. Requires consent before processing sensitive data. Note: a version that would have named AI systems in processor-duty language was stripped before signing — Louisiana nearly became the second state (after Texas) to explicitly regulate AI in a privacy law’s processor obligations. | ✅ Signed May 29, 2026 · Effective Jan 1, 2027 |

State Laws — Sectoral & Specialized (Enacted)

Biometric Privacy Laws

| State | Law | Plain English Summary | Status |
| --- | --- | --- | --- |
| Illinois | Biometric Information Privacy Act (BIPA) | The most powerful privacy law in the US for individual lawsuits. If a company scans your fingerprint, face, or iris without written consent, you can sue them directly — $1,000 per accident, $5,000 if they did it on purpose. Facebook/Meta paid $650M (2020), TikTok paid $92M (2021), BNSF Railway faced a $228M jury verdict (first BIPA jury trial). Companies are terrified of this law. Illinois softened it slightly in 2024 after the potential exposure became enormous, but it still has teeth no other law matches. | ✅ Enacted 2008, amended 2024. Actively enforced. |
| Texas | Capture or Use of Biometric Identifier (CUBI) | Companies must tell you and get your consent before capturing your biometrics for commercial purposes. Can’t sell your biometric data without permission. Only the AG can enforce it — you can’t sue on your own. Texas AG has brought enforcement actions. | ✅ Enacted 2009. Actively enforced by AG. |
| Washington | Biometric Identifiers (RCW 19.375) | Requires consent before enrolling your biometric data in a commercial database. No selling or sharing without permission. No private lawsuits — only state enforcement. | ✅ Enacted 2017. |
| Arkansas | Biometric Data Privacy Act | Written consent required before collecting your biometric data. Restricts how it’s used, stored, and shared. AG enforcement only. | ✅ Enacted 2023. |
| Montana | Biometric Information Privacy Act | Modeled on Illinois BIPA but without the private right to sue. Written notice and consent required before collecting biometrics. | ✅ Effective Oct 1, 2024. |
| Colorado | Biometric Privacy Amendments | 2024 update to Colorado’s privacy law that extended biometric protections to more types of businesses and added protections for employee biometric data — not just customer data. | ✅ Effective 2024. |

Consumer Health Data Laws

Washington — My Health My Data Act (MHMDA)

This one gets called “BIPA 2.0” for a reason. It covers health data that HIPAA misses entirely — your fitness tracker, your period app, your mental health app, any website that detects you’re near a healthcare facility. If a company processes health-related data about Washington residents and they’re not a traditional healthcare provider, this law applies to them. You can sue companies directly for violations, which is rare and makes this law genuinely feared by tech companies. First class-action lawsuit was filed in 2025.
Effective Mar 31, 2024 · Private right of action

Nevada — Consumer Health Data Privacy Law

Similar to Washington’s law — covers health data that falls through HIPAA’s cracks, like apps and wellness platforms. Requires consent before collecting or sharing your health data. Unlike Washington, you can’t sue companies yourself here — only state enforcement. No public enforcement actions have happened yet as of 2025.
Effective Mar 31, 2024

Connecticut — Health and Online Safety Provisions (Public Act 23-56)

Added health data protections and children’s online safety rules on top of Connecticut’s existing privacy law. Prohibits geofencing around health facilities, requires consent for consumer health data, and adds children’s social media protections.
Effective Oct 1, 2023

California — Consumer Health Data Privacy Law (AB 45)

Specifically protects data collected from people at or near reproductive health clinics and family planning centers. Passed after the Dobbs decision raised real concerns about location data being used to identify and prosecute people seeking certain medical services.
Effective Jan 1, 2026

Nevada Online Privacy Law

Nevada — Revised Statutes Chapter 603A

Nevada’s older, separate online privacy law that predates the wave of comprehensive state laws. Gives you the right to tell websites not to sell your personal information and requires them to respond within 60 days. Narrower than a full privacy law but still applies to any business with Nevada customers.
Enacted 2017, expanded 2019 and 2023

Data Broker Registration Laws

California — Delete Act (SB 362)

Data brokers — companies whose entire business is buying and selling your personal information — are required to register with California’s privacy agency. The bigger deal: California is building a single website where you can opt out of every registered data broker at once, instead of hunting them down individually. That portal goes live August 1, 2026. A pending 2026 bill would tighten how often brokers have to check and honor those requests.
Enacted 2023 · Deletion portal launches Aug 1, 2026

Vermont — Data Broker Law (Act 171)

The first data broker registration law in the US, passed in 2018. Data brokers have to register annually with the state and disclose what they collect and who they sell it to. Doesn’t give you a way to opt out, but at least makes the industry visible. A 2026 bill is adding more requirements.
Enacted 2018 · In effect

Texas — Data Broker Registration (HB 4)

Data brokers operating in Texas must register with the AG and give Texans a way to opt out of having their data collected, shared, and sold. Part of the same 2023 package as Texas’s comprehensive privacy law.
Effective Sept 1, 2023

Oregon — Data Broker Registration (HB 2052)

Requires data brokers to register with Oregon’s Department of Consumer and Business Services and disclose what data they collect and sell. Part of Oregon’s broader privacy law package.
Effective Jan 1, 2024

Children’s Privacy — State Laws

Alabama — App Store Accountability Act

Requires app stores (Apple, Google) to verify a user’s age and get parental consent before anyone under 18 can download an app. Passed in early 2026, separate from Alabama’s main privacy law. Alabama is one of four states (alongside Utah, Texas, and Louisiana) with this type of app store age verification requirement.
Enacted early 2026

Utah — App Store Accountability Act (SB 142) — In Effect

Utah was the first state in the US to pass an app store age verification law. Requires app stores to verify user ages and get parental consent before minors can download apps or make purchases. Penalties up to $1,000 per violation plus a private right of action — consumers can sue directly. Google has built a Play Age Signals API specifically to help Android developers comply with Utah, Texas, and Louisiana simultaneously.
Enacted Mar 2025 · Effective 2026

Texas — App Store Accountability Act (SB 2420) — In Effect (litigation ongoing)

Signed by Governor Greg Abbott in May 2025. Requires app stores to verify every user’s age and obtain parental consent before anyone under 18 can download apps, make in-app purchases, or receive significant app updates. Violations are treated as deceptive trade practices with a private right of action — parents can sue directly for injunctive relief, actual and punitive damages.

The law was supposed to take effect January 1, 2026, but a federal judge blocked it on December 23, 2025 — comparing mandatory age checks to requiring every bookstore to card customers at the door and calling it likely unconstitutional under the First Amendment. Texas appealed. The Fifth Circuit lifted the injunction on June 4, 2026 via a stay pending appeal. Apple activated enforcement the same day — new Apple Accounts in Texas now require age verification before downloading any app. Google activated its Play Age Signals API simultaneously. The constitutional case continues; the Fifth Circuit has not yet ruled on the merits and the industry group CCIA believes the law will ultimately be struck down.
Signed May 2025 · Blocked Dec 23, 2025 · Injunction lifted Jun 4, 2026 · Fifth Circuit appeal pending

✅ Louisiana — App Store Accountability Act (HB 977)

Signed in May 2026. Louisiana’s version of the app store age verification law. Similar scope to Texas and Utah — requires parental consent before minors can download apps or make purchases. Faces the same First Amendment litigation risk as Texas and Utah. The Fifth Circuit’s eventual ruling on Texas SB 2420 will determine whether Louisiana’s law survives.
Signed May 2026

🟡 Minnesota — Social Media Warning Labels Law (MN Stat. 325M.335)

Social media platforms must display mental health warning labels to their users — similar to the warnings on cigarette packs. First such state law to actually take effect.
Effective Jul 1, 2026

🔵 California — Social Media Warning Labels (AB 56)

California’s version of the social media mental health warning label requirement — signed by Governor Newsom on October 13, 2025. Requires platforms to display warning labels to users under 18 each time they access the platform and after 3 hours of use. Takes effect at the start of 2027.
Signed Oct 13, 2025 · Effective Jan 1, 2027

🔴 Colorado — Social Media Warning Labels (HB 24-1136) — Blocked by Court

Colorado was actually the first state to pass a social media warning label law (signed June 2024). A federal judge blocked enforcement in November 2025 (NetChoice v. Weiser), ruling it likely violated the First Amendment as compelled speech. Colorado AG Phil Weiser appealed to the Tenth Circuit in December 2025. A separate 2026 bill (HB 26-1148) takes a different approach, focusing on privacy settings and data protections for young users rather than warning labels.
Signed Jun 2024 · Blocked Nov 2025 · Appeal pending at 10th Circuit

🟡 California — Age-Appropriate Design Code Act (CAADCA) — Litigation Pending

Requires any online service that kids might use to design with children’s best interests in mind — no dark patterns, privacy on by default, no profiling of minors. Courts initially blocked it, but the Supreme Court’s 2025 ruling upholding age verification laws in Texas may change the legal picture.
Signed 2022 · Enforcement paused by litigation

Automated Decision-Making & AI Privacy

California — Automated Decision-Making Rules (CPPA)

When a company uses an algorithm to make a significant decision about you — whether you get a loan, see a job posting, or get flagged for review — California now requires them to tell you that’s happening and give you the right to opt out. Also requires annual security audits. California’s privacy agency finalized these rules in 2025 and they’re considered the most far-reaching AI privacy rules in the US.
CPPA rules finalized 2025

Texas — Responsible AI Governance Act (TX HB 149)

Applies Texas’s existing privacy rules to data used by AI systems. Also clarifies when companies need your consent before using your biometrics to train AI models.
Effective Jan 1, 2026

Colorado — AI Act Replacement (SB 26-189) — Signed into Law

Colorado Gov. Jared Polis signed SB 26-189 on May 14, 2026, repealing and replacing the original Colorado AI Act (SB 24-205) — the first-in-the-nation comprehensive AI law. The replacement is significantly narrower: it drops the original law’s broad “high-risk AI” and algorithmic discrimination framework in favor of a transparency-based regime focused on “automated decision-making technology” (ADMT) used in consequential decisions. Companies must now disclose when ADMT is used to make or materially influence decisions affecting you (employment, credit, housing, healthcare), provide explanations after adverse decisions, and give you correction rights. Annual third-party audits are NOT required — a major retreat from the original law.
Signed May 14, 2026 · Effective Jan 1, 2027


State Bills — Pending or Recently Failed (2026)

State & Bill | What It Would Do | Status
Connecticut — SB 4 (Public Act 26-64) | Signed into law. Significantly amends Connecticut’s privacy law and creates a new California-style data broker registration law. Also adds a hard ban on selling precise geolocation data, facial recognition protections, direct-to-consumer genetic testing data protections, and surveillance pricing rules. Connecticut is now the fourth state with a hard prohibition on selling precise location data. | ✅ Signed · Most provisions effective Oct 1, 2026
Delaware — HB 380 | Would significantly strengthen Delaware’s existing privacy law. Passed the full Delaware House (30-9) in May 2026. Now pending in the Senate Banking, Insurance & Technology Committee. | 🟡 Passed House May 2026 · Pending Senate committee
New York — Multiple bills

SAFE For Kids Act (S7694A) — enacted 2024
Child Data Protection Act (S7695B) — enacted 2024
RAISE Act — AI Safety & Transparency (S6953B) — signed Dec 2025
🟡 NY Health Information Privacy Act (S9269) — active 2026
🟡 AI Training Data Transparency Act (S6955) — active 2026
🟡 Safe by Design Act — included in FY 2027 budget

SAFE For Kids Act: Requires social media platforms to turn off algorithmic “addictive feeds” for users under 18 unless a parent specifically opts in. New York was the first state to restrict algorithmic feeds for minors.

Child Data Protection Act: Prohibits any website or app from collecting, using, sharing, or selling personal data of anyone under 18 without informed consent — or without parental consent for kids under 13. AG enforces with fines up to $5,000 per violation.

RAISE Act (AI Safety & Transparency): Requires AI companies with $500M+ in revenue to publicly disclose how their frontier AI models work, what safety testing they’ve done, and to report critical safety incidents to the government. Takes effect Jan 1, 2027.

NY Health Information Privacy Act (S9269): Would create Washington My Health My Data-style protections for New Yorkers — requiring consent before any entity collects or sells health data not covered by HIPAA, including data from apps, wearables, and location tracking near healthcare facilities.

AI Training Data Transparency Act (S6955): Would require AI companies to disclose what data they used to train their models. Passed the Assembly; Senate floor vote pending before the legislature closes in June 2026.

Safe by Design Act: Included in the FY 2027 state budget signed May 2026. Expands age verification requirements to gaming platforms, sets kids to maximum privacy settings by default, disables AI chatbot features for minors, and requires parental controls on financial transactions.

✅ SAFE For Kids Act: enacted Jun 2024
✅ Child Data Protection Act: enacted Jun 2024
✅ RAISE Act: signed Dec 2025 · Effective Jan 1, 2027
✅ Safe by Design Act: signed into budget May 2026
🟡 Health privacy & AI transparency bills: advancing Jun 2026
New Jersey — S 2316 / S 4109 | Would add a hard ban on selling sensitive personal data under New Jersey’s existing privacy law. | 🟡 Senate Appropriations Committee
New Hampshire — HB 1687 | Updates and strengthens New Hampshire’s existing privacy law. | 🟡 Advancing 2026
Minnesota — HF 2700 | Adds health data protections to Minnesota’s existing privacy law — covering the health apps and wellness platforms that fall outside HIPAA. | 🟡 Advancing
California — AB 2246 | Would ban social media platforms from allowing anyone under 16 to create or keep an account. | 🟡 Passed Assembly Judiciary Committee · Advancing
California — SB 1106 | Tightens the Delete Act — data brokers would have to check the opt-out deletion list every 30 days instead of every 45 days. | 🟡 Passed Senate · In Assembly
Colorado — SB 51 | Would require phones and computers sold in Colorado to have age verification built in at the device level — not just in apps or browsers. | 🟡 Referred to House floor
Vermont — Comprehensive Consumer Data Privacy Bill (2026) | Vermont’s legislature passed a comprehensive consumer data privacy bill in late May 2026 — only the second time in three years (Vermont’s legislature passed H.121 in 2024, but Governor Phil Scott vetoed it and the Senate could not override). This year’s bill is more business-friendly than H.121 and largely tracks Connecticut’s 2025 privacy law framework. Sent to Governor Phil Scott for consideration. Scott vetoed the last attempt; the outcome this time is uncertain. | 🟡 Passed legislature late May 2026 · Awaiting Governor (veto risk)
Vermont — S 71 (Data Broker Amendments) | Amends Vermont’s existing data broker registration law to add California Delete Act-style requirements — creating a single opt-out mechanism for consumers to remove their data from all registered brokers at once. Conference committee report adopted by both chambers as of early June 2026 — awaiting Governor’s signature. | 🟡 Passed both chambers · Awaiting Governor
South Carolina — S 896 | Comprehensive consumer privacy bill that would give South Carolinians data rights for the first time. | 🟡 Passed committee May 2026
Hawaii — SB 3001 | Addresses chatbot disclosures and geolocation data protections. Passed the legislature before it closed for the session. | 🟡 Passed legislature May 2026 · Awaiting Governor
Iowa — SF 2417 | Requires AI chatbots to disclose that they’re not human when asked. | ✅ Signed into law May 2026
Louisiana — HB 977 | Replaces Louisiana’s previous app store law with updated age verification and parental consent requirements. | ✅ Signed into law May 2026
Illinois — SB 340 (Illinois Consumer Data Privacy Act) and SB 315

🟡 SB 315 — AI Safety Measures Act
🟡 SB 2691 — AI in Employment
🟡 HB 3506 — AI in Healthcare

SB 340 — Illinois Consumer Data Privacy Act: A comprehensive privacy bill that passed the Illinois Senate 54-3 in May 2026 — notably with Maryland-style strong data minimization requirements, meaning companies can only collect data strictly necessary for the stated purpose. Also includes a hard prohibition on selling sensitive personal data. Passed the Illinois legislature before it closed on May 31, 2026. Headed to Governor Pritzker who has not yet indicated whether he will sign it.

SB 315 — AI Safety Measures Act: The most stringent AI transparency bill in the US if enacted. Requires annual independent third-party audits of AI systems — going further than California or New York, which only require internal assessments. Also mandates pre-deployment risk reports, governance frameworks, and cybersecurity measures. Passed the Illinois legislature on June 1, 2026 and sent to Governor J.B. Pritzker, who has publicly indicated he will sign it. If signed, Illinois joins California and New York as the only states with a frontier model safety bill — and its audit requirement makes it the strongest of the three.

SB 2691 — AI in Employment: Would regulate the use of automated decision-making tools in hiring, firing, promotions, and compensation decisions. Employers would have to disclose when AI is being used to evaluate workers and provide a mechanism to challenge those decisions.

HB 3506 — AI in Healthcare: Would impose safeguards on AI tools used in clinical settings — including diagnostic aids, treatment recommendations, and patient triage systems. Requires transparency about when AI is involved in a healthcare decision affecting a patient.

🟡 SB 315 passed legislature Jun 1, 2026 · Awaiting Governor (expected to sign)
🟡 SB 2691 and HB 3506 advancing
Maine — LD 1822 | A comprehensive privacy bill that passed the Senate narrowly but then died on the House floor in April 2026 when five Democrats who had previously supported it switched their votes. Maine’s business community ran a hard campaign against it. The legislature closed April 15 — it’s dead for this session. | ⚫ Failed Apr 2026 · Session closed
Connecticut — SB 5 (Public Act 26-65) | Signed into law alongside SB 4. Connecticut’s AI companion chatbot and employment law. Requires AI companion chatbots to disclose they’re not human. Regulates the use of AI in employment decisions — employers must disclose when AI is used to evaluate workers and provide a way to challenge those decisions. | ✅ Signed May 2026 · Effective Oct 1, 2026
Georgia — SB 111 (Consumer Privacy Protection Act) | After failing twice in prior sessions, Governor Brian Kemp signed SB 111 into law on May 11, 2026 — making Georgia the 23rd state with a comprehensive privacy law. Passed the House 162-1. Closely follows Virginia’s VCDPA model. Consumer advocates at EPIC gave it a score of 6/100, calling it one of the weakest laws in the country — weak enforcement, inadequate thresholds, no private right of action. Also signed: SB 540, a chatbot disclosure law requiring AI chatbots to proactively disclose they’re not human at the start of every conversation and every 3 hours (every hour for minors). | 🔵 SB 111 signed May 11, 2026 · Effective Jul 1, 2027; ✅ SB 540 (chatbot disclosure) signed May 2026 · Effective Jul 1, 2027
South Dakota | No comprehensive privacy bill passed this session. | ⚫ Session closed 2026

Data Breach Notification Laws

✅ All 50 States + DC, Puerto Rico, Guam, and the US Virgin Islands

Every state in the country has a law requiring companies to tell you when your personal data has been exposed in a breach. This is the one area of privacy law where there’s universal agreement — though the details vary considerably. California requires notification within 72 hours for certain breaches. New York says “as soon as possible.” Most states give companies 30–90 days. Several require companies to notify the state AG in addition to the affected individuals. If you’ve ever gotten a “we take your privacy seriously” letter in the mail, this is why.


International Privacy Laws Affecting US Businesses

Law | Region | What It Means For You
GDPR (General Data Protection Regulation) | European Union | The most comprehensive privacy law in the world. If your website has European visitors, this applies to you — regardless of where your business is. Maximum fines are 4% of your global revenue or €20 million, whichever is larger. Gives EU residents the right to access, correct, delete, and move their data. Requires breach notification within 72 hours. The standard every other privacy law gets compared to.
ePrivacy Directive (“Cookie Law”) | European Union | The reason every website on the internet has a cookie consent popup. EU law requires genuine opt-in consent before placing tracking or advertising cookies on someone’s device. “Continuing to browse means you accept” does not count as consent. A replacement regulation is stuck in EU legislative limbo as of 2026.
UK GDPR + Data Protection Act 2018 | United Kingdom | After Brexit, the UK kept its own version of GDPR rather than staying under EU rules. Works essentially the same way for UK residents. Enforced by the Information Commissioner’s Office (ICO).
PIPEDA | Canada (Federal) | Canada’s national privacy law for businesses. Requires consent for collecting, using, or sharing personal information commercially. If you have Canadian customers, this applies to you.
Quebec Law 25 (Bill 64) | Canada (Quebec) | Canada’s toughest privacy law and the closest thing Canada has to GDPR. Requires privacy impact assessments, breach notification, and gives Quebec residents the right to have their data deleted or moved. Any business with Quebec customers needs to be aware of this.
Privacy Act 1988 (amended) | Australia | Australia’s foundational privacy law. Governs how businesses and government agencies handle personal information through a set of Australian Privacy Principles. Undergoing significant reform through a 2024 amendment package.

For privacy tools, de-Googled phones, and practical steps to protect your data today, visit the MARK37 Resources page or schedule a free consultation.


Change Log

This tracker is updated as bills move through legislatures and are signed into law. Most recent changes appear first.

June 10, 2026

  • KIDS Act (HR 7757) — New federal entry added. Passed full House Energy and Commerce Committee March 6, 2026. Omnibus children’s safety package. 44 state AGs filed opposition letter May 26, 2026.
  • GUARD Financial Data Act (HR 8398) — Promoted from footnote to standalone entry in new Financial Privacy section.
  • American Leadership in AI Act (HR 8516) — New federal AI entry added. Introduced April 27, 2026.
  • Great American AI Act (GAAIA) — New entry added. Discussion draft released June 4, 2026 by Obernolte/Trahan. Would preempt state AI laws for 3 years.
  • Virginia SB 338 — Added to Virginia’s state entry. Signed April 13, 2026; bans sale of precise geolocation data effective July 1, 2026.
  • Vermont comprehensive privacy bill — New entry added. Passed legislature May 2026; awaiting Governor Scott (veto risk).
  • Vermont S 71 — Description updated to clarify it adds California Delete Act-style single opt-out mechanism.
  • Illinois SB 340 — New entry added. Comprehensive privacy bill with Maryland-style data minimization; passed Senate 54-3 and legislature May 31, 2026; awaiting Governor Pritzker.
  • Delaware HB 380 — Status updated. Passed full House (30-9) May 2026; now pending Senate committee.
  • SECURE Data Act (HR 8413) — House Subcommittee on Commerce, Manufacturing, and Trade held a formal hearing June 3, 2026. Coalition of 44 state AGs filed letter opposing preemption provisions June 2. Companion bill GUARD Financial Data Act (HR 8398) added to tracker.
  • Louisiana Data Privacy Act (SB 386) — Signed into law by Governor Jeff Landry on May 29, 2026 as Act No. 502. Status updated from “awaiting signature” to enacted. Louisiana is the 22nd state with a comprehensive privacy law.
  • Georgia — Major correction: previously listed as “session closed without passing.” Governor Brian Kemp signed SB 111 (Georgia Consumer Privacy Protection Act) on May 11, 2026. Georgia is now the 23rd state. Also signed SB 540 (chatbot disclosure law) same month. Both added to tracker.
  • Connecticut SB 4 — Signed into law as Public Act 26-64. Status updated from “awaiting Governor” to enacted. Effective October 1, 2026. Adds data broker registration, geolocation sale ban, facial recognition protections, and surveillance pricing rules.
  • Connecticut SB 5 — New entry added. Signed into law as Public Act 26-65 alongside SB 4. Covers AI companion chatbots and employment AI disclosure requirements.
  • Colorado AI Act (SB 26-189) — Signed into law by Governor Polis on May 14, 2026. Status updated from “awaiting signature” to enacted. Replaces original SB 24-205 with narrower transparency-based framework. Effective January 1, 2027.
  • Illinois SB 315 — Passed legislature June 1, 2026. Governor Pritzker indicated he will sign. Status updated; joins California and New York as states with a frontier AI model safety bill.
  • Vermont S 71 — Conference committee report adopted by both chambers. Awaiting Governor’s signature. Status updated.
  • New York Safe by Design Act — Confirmed signed by Governor Hochul as part of FY 2027 budget. Status updated to enacted in New York section.
  • TAKE IT DOWN Act — Signed date corrected to May 19, 2025. Platform compliance deadline (May 19, 2026) noted as now passed — full enforcement in effect.
  • Texas TDPSA — Corrected vague “major tech company” reference. Now correctly identifies two separate record-setting settlements: $1.4B against Meta (July 2024, biometrics) and $1.375B against Google (May 2025, geolocation/biometric data).
  • Illinois BIPA — BNSF $228M corrected from “settlement” to “jury verdict.” Meta/Facebook $650M correctly attributed to Facebook (2020 settlement).
  • AI Preemption Moratorium (10-year) — Corrected: entry previously said “Passed House, Pending Senate” — the moratorium was actually stripped from the final One Big Beautiful Bill before Senate passage. President Trump signed the bill July 4, 2025 WITHOUT the moratorium. States remain free to regulate AI. Entry updated to reflect this. Status changed to 🔴.
  • Texas SB 2420 (App Store Accountability Act) — New entry added. Fifth Circuit lifted injunction on June 4, 2026 via stay pending appeal; Apple and Google activated enforcement same day — first time in US history a new app store account in any state requires identity verification before downloading apps. Utah SB 142, Louisiana app store law also added. Alabama description corrected (Utah was actually first, not Alabama).

May 28, 2026 — Initial publication. Tracker launched covering federal bills, 22 state comprehensive laws, biometric laws, health data laws, data broker laws, children’s privacy laws, AI/automated decision-making laws, pending state bills, breach notification laws, and international laws.

Sources: IAPP US State & Federal Privacy Legislation Trackers · Troutman Pepper Privacy + Cyber + AI weekly state updates (Jan–May 2026) · DLA Piper Privacy Matters · Hunton Privacy Blog · WilmerHale Privacy Blog · Lexology · MultiState.us · Congress.gov · Termageddon Coverage Page · Secure Privacy · Last updated May 28, 2026.

Privacy legislation moves fast. Several bills tracked here are in active state sessions closing May–June 2026. Verify current status with primary sources before relying on any specific bill for compliance purposes.
