Key point: Alabama’s House passed a consumer data privacy bill, amendments advanced in Utah and Virginia, and the text of the latest CTDPA amendment was filed.

Below is the seventh update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kid’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

What’s New

Before we get to our updates, if you have not already registered for our March 3 webinar on the status of proposed state privacy and AI bills, please consider doing so. You can find more information here. The recording and slide deck will be sent to all registrants, including those who cannot attend the webinar.

The lead story last week was the Alabama House passing a consumer data privacy bill. Alabama has become a hotbed of privacy legislation activity this year with the state enacting an App Store bill last month.

At a high level, the engrossed version of the bill follows the traditional Washington Privacy Act model. It has a 25,000-consumer applicability trigger, entity level exemptions for GLBA regulated financial institutions and HIPAA covered entities, and a small business exemption (provided the small business does not sell personal data). The bill contains the customary consumer rights, including requiring consent for targeted advertising and sale of personal data of teens 13-15 years of age and requiring recognition of opt-out preference signals. Notably, it does not require data protection impact assessments. The bill would be enforced by the state attorney general and contains a 45-day right to cure that does not sunset. If it becomes law, it will go into effect May 1, 2027.

Meanwhile, two consumer data privacy law amendment bills advanced last week. Utah’s bill to apply its privacy law to motor vehicle manufacturers regardless of the law’s existing applicability standard is on Senate floor votes, having already passed the House. Virginia’s bill to amend the VCDPA to prohibit controllers from selling or offering to sell precise geolocation data passed the House but was amended, so it will need Senate concurrence for final passage. Conversely, Oklahoma’s consumer data privacy bill is still waiting for final passage.

Turning to new bills, the text of Connecticut Senator James Maroney’s CTDPA amendment was filed. The bill contains numerous parts but, as it relates to our scope, it includes a data broker registration / Delete Act provision, algorithmic pricing disclosure provision, and amends the CTDPA relating to facial recognition technology, publicly available information, employment profiling, and precise geolocation data.

Pivoting to kid’s privacy bills, Colorado Senator Matt Ball’s SB 51 unanimously passed out of a Senate committee and was placed on floor votes. The bill is based on the California Digital Age Assurance Act.

More details on those bills plus updates on all bill movements last week in the below post.

Consumer Data Privacy

In Alabama, HB 351 passed the House by a 103-0 vote. It is now with a Senate Committee.

In Utah, HB 357 passed out of a Senate Committee and is on floor votes. Among other things, the bill amends Utah’s consumer data privacy law to apply the law to motor vehicle manufacturers regardless of the law’s applicability standard.

In Virginia, an amended SB 338 unanimously passed the House. The bill still amends the VCDPA to prohibit controllers from selling or offering to sell precise geolocation data. The amendment removed language regarding attorney general enforcement of that provision. The bill will need to go back to the Senate for concurrence in the amendment.

In Minnesota, HF 2700 was the subject of a motion to recall and re-refer. The bill amends Minnesota’s consumer data privacy law relating to consumer health data.

Turning to new bills, the text for Connecticut Senator James Maroney’s SB 4 was filed. Among other things, the bill contains a data broker registration / Delete Act provision, algorithmic pricing disclosure provision, and amends the CTDPA relating to facial recognition technology, publicly available information, employment profiling, and precise geolocation data. A hearing is set for March 4.

In Kentucky, a Republican lawmaker introduced HB 692, which amends the commonwealth’s consumer data privacy law to add provisions regarding automatic content recognition data. This is the third bill introduced this year to amend the law. None of the bills have advanced.

Finally, Alaska lawmakers are now considering a consumer data privacy bill (HB 367).

Kid’s Privacy

In Colorado, an amended SB 51 (Digital Age Assurance) unanimously passed out of a Senate committee and was placed on floor votes.

In Utah, HB 498 passed the House on February 24 and passed out of a Senate Committee on February 27. The bill amends the Utah App Store Accountability Act.

Biometric Privacy

In New York, S 2539 passed out of the Senate Consumer Affairs and Protection Committee by a 6-0 vote and is now on floor votes. The bill requires retailers to post warning signs if they track customers through their cell phones, cameras, or other electronic devices or if they collect customer biometric information.

Data Broker

As noted, a data broker bill was introduced in Connecticut as part of Senator Maroney’s SB 4.

Consumer Health Data Privacy

In New York, A 10357 was introduced as the companion bill to S 9269. These are the revised New York Health Information Privacy Act bills.

Other

In Hawaii, SB 1163 was amended and passed out of committee with a January 1, 2077 effective date. The bill prohibits the sale of geolocation information and internet browser information without consent. It also prohibits the sale of data collected through eavesdropping or through an application operating in the background of a device that uses the device’s microphone.