Key point: Oklahoma is on the cusp of becoming the twentieth state to pass a consumer data privacy law while Alabama’s App Store bill was signed into law and App Store bills crossed chambers in Kansas, South Dakota, and Wisconsin.

Below is the sixth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kid’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

What’s New

The big news last week was Oklahoma’s House passing a consumer data privacy bill (SB 546) by an 84-4 vote. The bill previously passed the Senate; however, it was amended in the House so it will need to go back to the Senate for concurrence. By all accounts, the concurrence vote is just a formality. After concurrence, the bill will head to Governor Kevin Stitt who has five days to sign or veto the bill.

Passage of a consumer data privacy law in Oklahoma has been a multi-year process. The Oklahoma House first passed a consumer data privacy bill authored by then-Representative Collin Walke in 2021, but the bill stalled in the Senate. The House again passed a bill in 2022, and it again stalled in the Senate.

The current bill largely tracks Virginia’s consumer data privacy law as it was amended in 2022 to add political organization exemptions and an exemption to the request to delete for indirect data collection. Among other provisions, the bill defines “sale” to only include monetary consideration, contains entity-level exemptions for GLBA financial institutions, HIPAA covered entities, and non-profits, and does not require recognition of universal opt-out mechanisms. The bill contains a 30-day right to cure that does not sunset.

The other big news last week was Alabama enacting an App Store law. You can read our analysis of the law here. Meanwhile, App Store bills crossed chambers in Kansas, South Dakota, and Wisconsin.

In New York, Senator Krueger introduced the New York Health Information Privacy Act (S 9269). Senator Krueger’s bill passed last year but was vetoed by Governor Hochul.

In Virginia and Washington, the deadline to pass bills out of their chamber of origin passed on February 17. Two of the eight Virginia bills we are tracking survived the deadline – SB 85 (amends VCDPA relating to social media) and SB 338 (amends VCDPA to prohibit sale of precise geolocation data). In Washington, SB 5708 passed the Senate last year but was then returned to Senate for a third reading. The bill has not moved this year. It is unclear whether it is still alive, so we will continue to monitor it for now.    

Last week also was the deadline for lawmakers to introduce bills in California. We track two new bills in the below article.

Finally, New Mexico’s session ended without the legislature passing any bills we are tracking, including the consumer data privacy bill (SB 53).

More details on those bills plus updates on all bill movements last week in the below post.

Consumer Data Privacy

Oklahoma’s House passed a consumer data privacy bill (SB 546) by an 84-4 vote. The bill previously passed the Senate. The bill was amended in the House so it will need to go back to the Senate for concurrence.

Meanwhile, California’s AB 2021 amends the CCPA to add whistleblower protections and creates a fund to provide awards to whistleblowers.

Kid’s Privacy

Alabama’s Governor signed the state’s App Store bill into law (HB 161). You can read our analysis of the law here.

Meanwhile, Kansas’ App Store bill (SB 372) passed the Senate by a 34-6 vote, South Dakota’s App Store bill (HB 1275) passed the House by a 50-17 vote, and Wisconsin’s App Store bill (AB 962) passed the Assembly by a 58-37 vote.

Utah’s App Store amendment bill (HB 498) passed out of committee as amended. It is now on floor readings.

Biometric Privacy

New biometric privacy bills were introduced in Idaho (H 744) and West Virginia (HB 5567).

Data Broker

There were no developments last week for this category.

Consumer Health Data Privacy

In New York, Senator Krueger introduced the New York Health Information Privacy Act (S 9269).

Other

California’s AB 2561 requires an operating system or an application to configure a user’s default privacy setting to be the most privacy protective setting offered by the operating system or application and would prohibit an operating system or an application from changing a user’s privacy setting without the user’s explicit consent.