Data Privacy in 2026: State Enforcement Takes Center Stage

Alert
By David Senter and Hunter Bruton

Data privacy risk is increasing in 2026, even as the pace of new legislation slows. While no new comprehensive state privacy laws were enacted in 2025, state regulators are shifting their focus to refining and enforcing the laws already on the books.

Key takeaways for businesses include:

  • Nineteen states now have comprehensive consumer privacy laws in effect.
  • State attorneys general are increasingly active in enforcement.
  • Operational compliance failures are drawing regulatory scrutiny.
  • Privacy compliance should be treated as an ongoing risk-management function.

The State Privacy Landscape Shifts from Legislation to Enforcement

In 2025, for the first time in five years, the United States saw a leveling out of state comprehensive privacy laws. While laws in eight states took effect in 2025 and laws in three more states took effect on January 1, 2026, state legislatures failed to enact any new comprehensive privacy legislation. Despite there not being any net-new laws on the immediate horizon, businesses should still take note – states now turn their focus to refining and enforcing existing laws.

In the Absence of a Comprehensive Federal Privacy Law – States Continue to Lead

Unlike 2024, there were no significant efforts in 2025 around the proposal or passage of federal comprehensive privacy legislation. Based on the priorities of the current administration, it appears unlikely that we will see such efforts in Congress in the near future. States, and specifically, state attorneys general, will continue to lead efforts to address data privacy consumer protection at the state level. 

Three New State Privacy Laws in 2026

On January 1, 2026, Indiana, Kentucky and Rhode Island joined the ranks of states with effective comprehensive consumer privacy laws. While these laws, which were enacted in 2023 and 2024, should not have come as a surprise to businesses headquartered in these states, businesses with a national footprint should examine the applicability of the newly effective laws to their operations.

The addition of these state laws brings the number of states with comprehensive privacy laws to 19, including:

  • California
  • Nebraska
  • Colorado
  • New Hampshire
  • Connecticut
  • New Jersey
  • Delaware
  • Oregon
  • Iowa
  • Texas
  • Maryland
  • Tennessee
  • Minnesota
  • Utah
  • Montana
  • Virginia

This count excludes sector-specific laws, like Washington’s My Health My Data Act, or those with limited applicability, such as Florida’s Digital Bill of Rights. 

What This Means for Your Business 

If your business operates in these states or has customers or employees there, this is an appropriate time to reassess your data privacy practices, including the following areas:

  • Data collection: Have you provided notice or obtained consent for the data you are collecting? Are you collecting only what is necessary?
  • Data retention: How long do you keep personal data?
  • Data protection: Are your security measures robust and up to date? When was your last security risk assessment?
  • Individual rights: Are you equipped to honor individual rights under these laws?

While many of these state laws exempt businesses under certain revenue and consumer thresholds, others, such as the Texas Data Privacy and Security Act, have little or no minimum threshold for compliance. In addition, businesses operating in the healthcare and financial industries should determine whether such state laws offer an entity or data-level exemption for businesses regulated by a sector-specific privacy law such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).

Business must also recognize that a compliance review under these laws is not a one-time effort. Nine of the states listed above with existing comprehensive privacy laws on the books amended their laws in 2025 to include different and additional provisions. The start of a new year is the perfect opportunity to examine the impact of existing, new and amended privacy laws to your business operations.

State Enforcement: A Growing Priority

We expect oversight and enforcement by state regulators to continue to grow as state regulators become increasingly familiar and comfortable with protecting individuals’ privacy rights.

As an example, in July 2025, the California Attorney General’s Office entered into the largest settlement to date under the CCPA ($1.55 million), California’s comprehensive privacy law, with an online health information publisher. The AG’s office alleged that the company’s website, among other things, failed to honor consumer opt-out requests, improperly shared personal data collected on the website with third parties, and maintained an ineffective cookie banner. In addition, perhaps even more impactful than the settlement amount, the company was required to implement a number of corrective action measures that required additional time and resources. 

Similarly, Connecticut’s Attorney General entered into an $85,000 settlement in 2025 with an online ticket provider for alleged violations of the CTDPA, Connecticut’s comprehensive privacy law. Central to Connecticut’s enforcement action was the company’s inadequate website privacy notice. Specifically, the AG’s office alleged that the privacy notice was “largely unreadable,” failed to contain necessary data subject rights, and contained “misconfigured or inoperable” opt-out mechanisms. Importantly, the AG’s office noted that it previously sent the company a notice of deficiency regarding these issues, but that the company failed to adequately address the alleged violations.

Elsewhere in the United States, Texas has remained active in enforcing the Texas Data Privacy and Security Act, securing another settlement with a big-tech company for over $1 billion and continuing to signal a strong and active enforcement landscape in the Lone Star State.

Mitigating Heightened Risk for Businesses Nationwide

Businesses, even in states without comprehensive privacy laws, face increased compliance risks. To mitigate these risks, companies should assess the data they collect, understand applicable laws and ensure their consumer representations align with their data practices. With a leveling off of the enactment of new comprehensive privacy laws, businesses should turn their attention to the enforcement priorities of state regulators under existing laws.

Smith Anderson’s Data Privacy team has extensive experience guiding businesses through complex privacy and security compliance challenges. Contact David Senter, Hunter Bruton or your regular Smith Anderson attorney for tailored assistance.

Professionals

Jump to Page

This website uses cookies to enhance your browsing experience and improve functionality. To learn more, you may view our Privacy Policy. By continuing to browse Smith Anderson's website, you are accepting our use of cookies in accordance with our privacy policy.