March 2026

Key point: Last week, consumer data privacy bills advanced in Alabama and Kentucky, Vermont’s data broker amendment bill passed a committee vote, and Hawaii’s Senate passed a bill prohibiting the sale of geolocation information and internet browser information without consent.

Below is the ninth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kids’ privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Key point: If enacted, the bill will require GenAI systems to provide a conspicuous warning that GenAI outputs may be inaccurate.

On March 9, 2026, the New York legislature passed A 3411, which requires generative artificial intelligence (GenAI) systems to notify users that the system’s outputs may be inaccurate. The bill will next move to Governor Kathy Hochul for consideration. If it becomes law, the bill will go into effect 90 days from enactment. The bill is short (it contains only 30 lines of text) but has broad implications.

In the article below, we provide background on the bill, an overview of its requirements, and potential implications should it become law.

Key point: (1) Courts grapple with nonstatutory damage claims in “broken banner” cases; (2) Courts dismiss CIPA claims where plaintiffs failed to explain delays; (3) New privacy litigation trend takes off as two courts deny motions to dismiss under Washington’s Commercial Electronic Mail Act; (4) Motion to transfer based on forum selection clause in terms of use denied, highlighting risks for cookie banners; (5) VPPA circuit split deepens as two more courts reject “ordinary observer” test, but SCOTUS again refuses to resolve it.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from February 2026.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.

Key point: With a private right of action, statutory damages, and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to make sure they are not unintentionally triggering the bill’s provisions.

On March 5, 2026, Oregon’s legislature passed a consumer-facing interactive artificial intelligence (AI) bill focused on AI companions (SB 1546). The bill will next head to Governor Tina Kotek, who will have 30 full weekdays to sign, veto, or allow the bill to become law without her signature. According to Oregon’s legislative website, no one publicly testified in opposition to the bill and it passed both chambers with only two no votes. If the bill becomes law, it will go into effect January 1, 2027.

Although the bill is directed at AI companions, as discussed below, the bill contains ambiguous and undefined terms that could lead to businesses unintentionally triggering its provisions. This is particularly concerning given that the bill contains a private right of action with statutory damages of $1,000 for each violation.

The following article provides an overview of the Oregon bill, its applicability, obligations, and potential implications for businesses.

Key point: Last week, Oregon’s legislature passed a chatbot bill, Utah’s legislature passed a provenance bill, Washington’s legislature is on the cusp of passing both a chatbot and provenance bill, and Arizona’s Senate passed a provenance bill.

Below is the eighth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Maine’s Senate passed a consumer data privacy bill while the Virginia and Utah legislatures passed bills amending their existing consumer data privacy laws.

Below is the eighth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the content provided below is time-sensitive and subject to change.

Key point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to carefully review their compliance in view of the NYDFS interpretations and guidance.

Key point: Last week, chatbot bills crossed chambers in Arizona and Iowa and advanced out of committees in five states, a health care-related AI bill crossed chambers in Kentucky, and provenance bills advanced out of committees in Utah and New York.

Below is the seventh update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.