Key point: Alabama became the twenty-first state to enact a broader consumer data privacy law, Kentucky and Virginia finalized amendments to their consumer data privacy laws, and Nebraska amended its Age-Appropriate Design Code Act.
Below is the fourteenth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kid’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
What’s New
The big news last week was Alabama becoming the twenty-first state to enact a broader consumer data privacy law. Alabama is the second state – following Oklahoma – to enact a consumer data privacy law this year. Earlier this year, it enacted an app store law. You can read our analysis of the new Alabama law here.
In other news, two states – Virginia and Kentucky – finalized amendments to their existing consumer data privacy laws. Virginia’s amendment prohibits a controller from selling or offering for sale precise geolocation data. Kentucky’s amendment adds “automatic content recognition” as a category of sensitive data.
Meanwhile, Maryland’s legislature closed for the year but not before passing a bill to amend its consumer data privacy law. Among other things, the bill modifies the definition of sensitive data to include “data inferred by a controller based on personal data that, alone or in combination with other data, is used to indicate” any category of sensitive data. The bill also restricts the sale of personal data to governmental entities that, within the last six months, engaged in or supported immigration enforcement.
In other consumer data privacy law news, Delaware lawmakers are now considering a bill to significantly amend the state’s law, California advanced a bill to amend the CCPA to prohibit the selling or sharing of sensitive personal information, and Maine’s legislature closed without passing a consumer data privacy bill.
Finally, in kid’s privacy news, Nebraska’s governor signed a bill to amend the state’s Age-Appropriate Design Code Act, including broadening the law’s applicability standard.
More details on those bills plus updates on all bill movements last week in the below post.
Consumer Data Privacy
Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351) into law, making Alabama the twenty-first state to pass a broad consumer data privacy law and the second state to do so this year. You can read our analysis of the new law here.
In Kentucky, HB 692 was signed into law. The bill amends Kentucky’s consumer data privacy law to add “automatic content recognition” as a category of sensitive data.
In Virginia, SB 338 was signed into law. The bill prohibits a controller from selling or offering for sale precise geolocation data.
Maryland’s HB 711 passed before the legislature closed for the year. Among other things, the bill amends Maryland’s consumer data privacy law relating to immigration enforcement.
California’s AB 1542 passed out of the Assembly Privacy and Consumer Protection Committee by a 9-5 vote. The bill amends the CCPA to prohibit a business, service provider, or contractor from selling or sharing sensitive personal information to a third party.
Finally, thirty-two Delaware Democrat lawmakers introduced a bill (HB 380) to amend the state’s consumer data privacy law.
Kid’s Privacy
Nebraska Governor Jim Pillen signed LB 838 into law. Among other things, the bill amends Nebraska’s Age-Appropriate Design Code Act, including broadening the law’s applicability.
California’s AB 2246 unanimously passed out of the Assembly Privacy and Consumer Protection Committee. The bill adds Age-Appropriate Design Code Act provisions to California’s business code.
Biometric Privacy
There were no updates for this category last week.
Data Broker
There were no updates for this category last week.
Consumer Health Data Privacy
There were no updates for this category last week.