Key point: The final law is much narrower than when the bill was first introduced and applies only to food retailers and third-party food delivery services.
On April 28, 2026, Maryland Governor Wes Moore signed the Protection From Predatory Pricing Act (HB 895) into law. The law regulates
On April 13, 2026, Virginia Governor Abigail Spanberger signed SB338 into law, amending Virginia’s Consumer Data Protection Act (VCDPA) to prohibit controllers of personal data from selling consumers’ precise geolocation data. This ban, which takes effect on July 1, 2026, makes Virginia the third state in recent years to prohibit the sale of such data and reflects a trend that is likely to continue. Somewhat surprisingly, Virginia was the second state, behind California, to enact a comprehensive consumer privacy law and is continuing within that vein with this early expansion of privacy rights.
Welcome to Part Two of our series that examines the ECPA as a private right of action for privacy policy inaccuracies. In Part One of this series, we examined how a wave of state-law wiretapping litigation — predominantly under California’s Invasion of Privacy Act (CIPA) — set the stage for a new and more expansive federal class action litigation threat. After years of plaintiffs targeting websites that deploy tracking technologies such as pixels and cookies, a series of defense wins in 2025 (and pending legislative action) encouraged plaintiffs’ firms to seek alternative theories. They found one in the Electronic Communications Privacy Act (ECPA).
Key point: In a court filing, the Colorado attorney general states it will only enforce the law after the office finishes rulemaking on the existing law or any law the Colorado legislature passes this year amending or replacing the law.
In early April, a lawsuit was filed against the state
Key point: Bills advanced last week in Connecticut, Colorado, and California while Florida lawmakers will return for a special session this week and consider an AI Bill of Rights.
Below is the fifteenth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.
Key point: Connecticut’s Senate passed a bill to amend the state’s consumer data privacy law and create a new data broker registration law while bills advanced in California, Colorado, Delaware, and Louisianna.
Below is the fifteenth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kid’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
With the influx of new state AI laws making compliance more complicated, we have created a new state AI law tracker map.
The map focuses on laws that can directly or indirectly affect private-sector AI development and deployment. As such, the map tracks the AI laws most likely to
Key point: The amendment significantly expands the existing law’s applicability, redefines “covered design feature,” creates two new prohibitions, and adds a new deletion right.
On April 17, 2026, Nebraska Governor Jim Pillen signed LB 838 into law. The omnibus bill addresses several different topics but, as is relevant here, it amends Nebraska’s Age-Appropriate Online Design Code Act, Neb. Rev. Stats. § 87-1301, et seq, which only went into effect on January 1, 2026. We provided an overview of the existing law here. The amendment goes into effect three months after the legislature’s April 17 adjournment date, on July 17, 2026.
The article below provides a summary of the changes.
In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.
Key point: Nebraska (chatbot) and Maine (health) enacted laws last week, while more than a dozen bills advanced in other states.
Below is the 14th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.