Key point: Colorado’s legislature passed an age attestation bill while Michigan’s Senate passed a Kid’s Code Act.

Below is the sixteenth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, kid’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

What’s New

While it was a very busy week with AI bills, last week was comparatively slower for privacy bills. That said, one bill did pass a legislature with Colorado passing an age attestation bill based in part, but with key differences, to last year’s California Digital Age Assurance Act.

Michigan Senators passed a Kid’s Code Act by a 20-17 vote. It is worth noting that Michigan’s Senate is controlled by Democrats while the House is controlled by Republicans.

California’s AB 2561 advanced to a third reading. The bill prohibits an operating system or an application from undoing a user’s affirmative configuration of a user’s privacy setting without the user’s consent. 

Finally, two Democrat North Carolina Senators introduced a consumer data privacy bill in the state’s Republican-controlled Senate.

Looking ahead, Connecticut’s legislature will close for the year on May 6. Senator Maroney’s data broker and CTDPA amendment bill is currently awaiting a vote in the House.

More details on those bills plus updates on all bill movements last week in the below post.

Consumer Data Privacy

A new consumer data privacy bill (SB 1022) was introduced in North Carolina.

Kid’s Privacy

Colorado’s SB 51 (Age Attestation on Computing Devices) passed the legislature on May 1 after the Senate voted to concur in the House amendments.

The Michigan Kids Code Act (SB 758) passed the Senate by a 20-17 vote.

Biometric Privacy

There were no developments for this category last week.

Data Broker

There were no developments for this category last week.

Consumer Health Data Privacy

There were no developments for this category last week.

Other

California’s AB 2561 was read for a second time and ordered to a third reading. The bill prohibits an operating system or an application from undoing a user’s affirmative configuration of a user’s privacy setting without the user’s consent. 

A Minnesota lawmaker introduced a bill to regulate the processing of geolocation data (SF 5221).