Key point: Last week, Maine’s Senate passed a consumer data privacy bill while the Virginia and Utah legislatures passed bills amending their existing consumer data privacy laws.
Below is the eighth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kid’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
What’s New
The big story last week was Maine’s consumer data privacy law narrowly passing out of the state’s Senate. Although the bill previously passed the House, it was amended in the Senate so it will need to go back to the House for concurrence. The IAPP’s Joe Duball provided a detailed overview of the events leading to the bill’s final passage out of the Senate.
Unfortunately, the Maine website does not contain an updated version of the bill with all amendments. However, piecing the publicly available information together, the Maryland-style bill contains the following notable provisions:
- A broad applicability standard with a low consumer threshold (35,000) and an Oregon-style state entity-level exemption for financial institutions.
- Maryland-style data minimization provisions where a controller’s collection and processing of sensitive data must be strictly necessary to provide or maintain a specific product or service requested by the consumer and the collection of personal data must be reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.
- A prohibition on selling sensitive data.
- A narrow definition of publicly available information.
- Broad consumer rights, including the right to obtain a list of third parties to whom a controller has sold the consumer’s personal data or a list of third parties to whom the controller has sold all personal data as well as a duty to recognize opt-out preference signals.
- Consumer health data provisions similar to those found in Connecticut’s law.
- A prohibition on selling the personal data of minors or processing minors’ data for targeted advertising.
If it becomes law, the Maine bill will be enforceable by the state attorney general. It does not contain a private right of action.
Moving on, two states passed bills to amend their existing consumer data privacy laws. Virginia’s legislature passed a bill to prohibit controllers from selling or offering for sale precise geolocation data while Utah passed a bill to apply its law to motor vehicle manufacturers.
Turning to kid’s privacy bills, Utah passed a bill to amend its App Store law prior to closing for the year last week. Meanwhile, a Digital Age Assurance bill passed out of the Colorado Senate. On the other hand, bills in New Hampshire and South Dakota died.
More details on those bills plus updates on all bill movements last week in the below post.
Consumer Data Privacy
Maine’s consumer data privacy bill (LD 1822) passed the Senate. It previously passed the House. It was amended in the Senate, so it will need to go back to the House for concurrence.
Virginia’s SB 338 passed the legislature. The bill amends the VCDPA to prohibit controllers from selling or offering for sale precise geolocation data concerning a consumer.
Utah’s HB 357 also passed the legislature. The bill applies Utah’s privacy law to motor vehicle manufacturers regardless of the law’s existing applicability standard.
Finally, Minnesota’s HF 2700 was re-referred to the House Judiciary, Finance, and Civil Law Committee. The bill amends Minnesota’s law to add consumer health provisions.
Kid’s Privacy
Two bills advanced last week. Utah’s App Store amendment bill (HB 498) passed the legislature while Colorado’s SB 51 (Digital Age Assurance) passed out of the Senate by a 28-7 vote.
Conversely, bills in two states died last week. In New Hampshire, HB 1650 (children’s privacy) and HB 1658 (App Store) were voted inexpedient to legislate in committee, thereby effectively killing the bills. South Dakota’s App Store bill (HB 1275) failed to get out of a Senate Committee. That bill had previously passed the House.
Biometric Privacy
New York’s S 2539 advanced to a third reading in the Senate. The bill requires retailers to post warning signs if they track customers through their cell phones, cameras, or other electronic devices or if they collect customer biometric information.
A Minnesota House member introduced HF 4005, which requires consent for the collection of biometric data and prohibits the sale of such data.
Data Broker
Rhode Island lawmakers are considering a new data broker bill (SB 2766) filed by six Democrats and one Republican.
Consumer Health Data Privacy
There were no updates for this category last week.
Other
Hawaii’s SB 1163 was reported out of committee with a recommendation of passage on third reading. The bill prohibits the sale of geolocation information and internet browser information without consent. It also prohibits the sale of data collected through eavesdropping or through an application operating in the background of a device that uses the device’s microphone.