Key point: Louisiana’s legislature passed a consumer data privacy bill, five bills crossed chambers in Illinois, nine bills crossed chambers in California, and Delaware’s House passed a bill to significantly amend the state’s consumer data privacy law.
Below is the nineteenth update on the status of proposed state privacy and AI legislation in 2026.
Key point: Colorado repealed and replaced the Colorado AI Act, Georgia enacted a chatbot law, and California and New York advanced numerous bills.
Below is the 18th update on the status of proposed state privacy and AI legislation in 2026. With the state legislative activity slowing, we have combined our weekly privacy and AI posts.
On May 12, the Colorado legislature passed a bill to replace Colorado’s existing artificial intelligence (AI) law with a more business-friendly regulatory regime focused on disclosures and limited consumer rights but, in doing so, added to the growing complexity of state AI regulation.
On May 18, 2026, from 12:00-1:00 ET
Key point: (1) Plaintiffs who expand their class definition beyond the complaint risk losing both certification and their class representative on limitations grounds; (2) Banners that require users to interact before accessing website may be sufficient to establish consent; (3) What makes tracking “highly offensive” is becoming clearer; (4) the “in transit” requirement continues to divide courts; (5) Courts demand more than labels to survive a standing challenge.
As lawsuits and regulatory scrutiny targeting “data brokers” continue to accelerate, understanding whether your organization fits within this increasingly broad industry space is a critical risk management priority. The stakes have never been higher for entities that collect, enrich, or license data to understand the evolving causes of action, damages theories, and defense strategies shaping this space.
This article was republished on IAPP on May 12, 2026.
Key point: The Colorado legislature passed a bill to replace Colorado’s existing artificial intelligence (AI) law with a more business-friendly regulatory regime focused on disclosures and limited consumer rights but, in doing so, added to the growing complexity of state AI regulation.
On May 12, the Colorado legislature passed SB 189, which repeals and replaces the Colorado AI Act. The bill will next head to Colorado Governor Jared Polis, who is expected to sign it, having been a driving force in the drafting of the bill.
SB 189 removes many of the hallmarks of the Colorado AI Act — such as a duty of care, risk management programs, and impact assessments — in favor of a disclosure-based framework with limited rights in narrow circumstances. That said, the bill’s January 1, 2027, effective date means that it will go into effect — the legislature will not reconvene until January 11, 2027 — thereby ending the uncertainty as to whether a Colorado AI law will go into effect.
The bill is complex, with many intertwined definitions and numerous exceptions. The article below provides an overview of the bill, digging into its many nuances. In addition, on May 18 from 12-1 p.m. ET, David Stauss will be hosting a webinar analyzing the bill. Click here to register.
Although the bill removes and narrows obligations under the existing law, Colorado still will have the most far-reaching legislatively enacted deployer/private sector AI law of any state. Further, the bill’s passage only adds to an increasingly complex state regulatory regime for businesses to navigate when deploying AI systems, including the California Consumer Privacy Act’s risk assessment and automated decision-making technology (ADMT) regulations and, in the employment context, laws in Illinois, New York City, and soon-to-be Connecticut.
Key point: Last week, Connecticut’s legislature passed a bill to amend the state’s consumer data privacy law and establish a data broker registration law, Iowa’s governor signed a chatbot bill into law, Colorado’s legislature passed a pricing bill and is poised to pass a bill to repeal and replace the Colorado AI Act, and Vermont’s legislature passed a health care AI bill.
Below is the 17th update on the status of proposed state privacy and AI legislation in 2026. With the state legislative activity slowing, we have combined our weekly privacy and AI posts.
Key Point: With the June 3, 2026, compliance deadline fast approaching, small firms subject to amended Regulation S‑P under the Gramm-Leach-Bliley Act (GLBA) should be in the final stages of updating their privacy and safeguards programs. In January 2026, the Securities and Exchange Commission (SEC) held an outreach event to help small firms comply with the amendments to Regulation S-P. This webinar was geared toward small firms in advance of the June 3, 2026, compliance deadline. The SEC highlighted new Regulation S-P compliance obligations, SEC exam team approaches moving forward, and held an examination workshop, which included an incident response tabletop discussion, review of a sample document request list, and a mock examination session.
On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (the GUARD Financial Data Act) would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act) would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education).
