This article takes the next step and focuses on what businesses can do before an incident to structure their vendor relationships and IR plans in alignment with these key legal lessons. We focus on four core IR vendor types: digital forensics vendors, restoration vendors, public relations (PR)/communications firms, and data mining/data review vendors.
Key point: Last week, chatbot bills crossed chambers in four states and advanced out of committees in four other states, Utah’s provenance bill crossed chambers, and Florida’s AI Bill of Rights moved out of a second Senate committee.
Below is the sixth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the content provided below is time-sensitive and subject to change.
Key point: Oklahoma is on the cusp of becoming the 20th state to pass a consumer data privacy law while Alabama’s app store bill was signed into law and app store bills crossed chambers in Kansas, South Dakota, and Wisconsin.
Below is the sixth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.
Key point: Alabama joins the growing list of states that have enacted app store laws.
On February 17, 2026, Alabama Governor Kay Ivey signed HB 161 into law. In doing so, Alabama joins Texas, Utah, and Louisiana as states having passed app store laws. California passed a similar-in-concept Digital Age
With state legislatures reconvening for 2026, numerous states are considering privacy and AI bills on a broad range of topics. In the AI space, these bills cover high-risk activities, chatbots, pricing, disclosures, provenance, employment, and health, among other topics. In the privacy space, these bills cover consumer data privacy, teen’s privacy, biometric privacy, consumer health data privacy, and data brokers.
Key point: Last week, chatbot bills crossed chambers in Virginia and Washington, Tennessee’s Senate passed a health care-related AI bill, a Utah bill drew the attention of the Trump administration, and a new bill was introduced to amend California’s AI Transparency Act.
Below is the fifth update on the status
Key point: Last week, the Alabama legislature passed an app store bill while Maine’s consumer data privacy bill crossed chambers.
Below is the fifth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
Reprinted with permission from the February 9, 2026 edition of The Legal Intelligencer. © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For permission to reprint or license this article, please contact 877-256-2472 or asset-and-logo-licensing@alm.com.
Investigations led by counsel, triggered by legal risk, and designed to elicit legal advice remain protected, even if their findings later inform business decisions. For cyber incidents, FirstEnergy outlines how to structure IR investigations to maximize privilege and work product protection while supporting an effective technical and business response.
Key point: The California attorney general announced a $2.75 million fine against a company for CCPA violations for failing to honor requests to opt out of the sale or sharing of personal information across all devices and services associated with consumer accounts.
On February 11, 2026, the California attorney general (AG) announced a settlement with a multiplatform entertainment company, resolving alleged California Consumer Privacy Act (CCPA) violations based on gaps in the company’s opt-out procedures. This is the second public CCPA enforcement settlement arising from the California Department of Justice’s 2024 investigative sweep of streaming services. This also is the largest CCPA settlement amount to date, and is roughly five times the amount of the first enforcement action and more than $1 million more than the prior largest settlement by the AG. These actions reflect an escalating enforcement trajectory as the AG and the California Privacy Protection Agency develop a body of precedent that increasingly functions as operational compliance guidance for businesses. Notably, every CCPA enforcement action to date has involved, in some way, the right to opt out and demonstrates that the AG’s expectations for what constitutes compliant opt-out implementation are becoming both more granular and more demanding with each successive action.