Although another year has passed without the implementation of a comprehensive overarching federal privacy law in the United States, more states continued to enact their own privacy legislation or amend existing state statutes. We expect this trend to continue into 2026. Additionally, this area of the law, while already evolving rapidly, has taken on a new dimension recently as artificial intelligence enters the picture, with continued significant developments in AI regulation.
State Privacy Laws
New privacy laws in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey took effect in January 2025, followed by Tennessee in July 2025. As of January 2026, privacy laws also became effective in Indiana, Kentucky, and Rhode Island. The thresholds for businesses to be subject to these laws are similar to previously-enacted laws, e.g., Virginia, by tying coverage to the number of consumers whose personal information is processed. Nebraska, however, follows Texas in applying its law to businesses that are not defined as a small business under federal law. Generally speaking, the obligations under these laws are similar to those already in effect in other states in that consumers have a right to access, to delete, to opt out of sales, among other rights, and businesses have notice obligations and certain restrictions on how personal information is processed. Viewed from a high level, businesses should be sensitive to any sharing or selling of personal information and have strong oversight over relationships with vendors and other third parties regarding the handling of any personal information. Of course, the laws in each state have their own nuances and should be considered in greater detail when compliance with those laws is determined to be necessary.
Existing privacy laws saw amendments in 2025, with more changes expected in 2026. In Colorado, businesses must now have a policy regarding biometric data whenever biometric data is handled. Further, the treatment of “sensitive data,” now including precise geolocation information, has changed in that it may not be sold without consumer consent. In Oregon, its privacy law is now applicable to non-profits, and among other requirements, businesses cannot sell precise geolocation data and must honor opt-out requests, such as those made through preference signals(e.g., via web browser settings). In Montana, a noteworthy change was the reduced threshold for the law’s applicability, now applying when personal information of 25,000 residents is affected rather than 50,000. Other changes in Montana include, as in Oregon, applicability to non-profits and broadened applicability of the right to opt out of profiling. Changes also went into effect in Virginia, Utah, and Texas.
There was also widespread adoption of stricter requirements for handling personal information of minors in 2025. In Colorado, consent of parents is required for handling personal information for purposes of targeted advertising or for any purpose not disclosed at the time of collection. In Oregon, businesses that have actual knowledge that a consumer is 13 to 15 years old are now prohibited from targeted advertising, profiling and selling personal information of such consumers. In Montana, amended provisions respecting consumers under 18 are applicable to businesses regardless of the general thresholds for applicability of its privacy law. Businesses must exercise a duty of “reasonable care” to avoid a “heightened risk of harm” when the business has knowledge that a consumer is under 18. This “harm” may include, for example, financial or reputational injury, unfair or deceptive treatment or disparate impact. Additionally, prior consent must be obtained to process a minor’s personal information for targeted advertising, selling or automated profiling, among other requirements.
Notable changes to existing privacy laws are also set to take effect in 2026. In both Connecticut and Oregon, the amended laws will require businesses to allow consumers to opt out of the sale of personal information via preference signals. Connecticut will also lower the threshold for applicability of its law, making 35,000 residents rather than the previous 100,000 residents the new threshold. The applicability of the law is also changed based on the handling of “sensitive data,” where it will now apply whenever sensitive data is handled for purposes other than a payment transaction. The right to opt-out is expanded to apply whenever profiling of consumers is based in any part on automated decisions. Businesses must also disclose targeted advertising and the use of AI training, the latter being a new type of requirement not previously found in U.S. state privacy laws.
Yet another update for 2026 is that California’s CCPA regulations went into effect on January 1, 2026. With requirements set to be phased in over time, these requirements include the recognition and honoring of preference signals for opt-out and further clarity on cookie banners and what constitutes consent for the sale or sharing of information, namely, that the choice must be clear and that an affirmative selection by a consumer must be received to be considered as consent. Additionally, the regulations include a requirement to conduct risk assessments for “high risk activities.” Further clarity is provided on the obligations of businesses that use automated decision making technology, namely, that such obligations only apply when automated decisions replace human decisions. When applicable, the automated decision making rules require that businesses provide a pre-use notice to explain the purpose for using such decision making and must provide the ability to opt-out with an appropriate explanation of the process.
Artificial Intelligence
In the currently evolving technological landscape, artificial intelligence (AI) is becoming more ubiquitous, and many areas of law have incorporated AI considerations. Looking at specific state law developments, California, Colorado and Texas all have new AI laws that went into effect in 2026. In Utah, amendments to an existing AI law went into effect in 2025.
In Colorado, the AI law requires those who develop and use AI systems that are “high-risk” to use reasonable care to avoid algorithmic discrimination and to perform impact assessments. Requirements also apply when AI is used for profiling. The laws in California and Texas have more tailored applicability. In California, the law is directed toward large companies implementing AI, i.e., over 1 million monthly visitors, while in Texas, the law is primarily for government applications. As to the amendments in Utah, the law there now requires disclosures when consumers interact with generative AI under certain circumstances and requires that businesses refrain from use of mental health chatbots to advertise products or services during a conversation unless the advertisement is clear and conspicuous.
While developments in AI laws at the state level are moving quickly, businesses should remain attentive to developments at the federal level. For example, an executive order issued in December 2025 may preempt aspects of one or more state laws or may cause states to change course on legislation in the future.
Author: Daniel Laine
Edited by: Thomas Palisi, April Capati, and Craig Drachtman