Photo of David Stauss

David Stauss

Subscribe to David Stauss's Posts

David guides clients as they navigate the complexities of privacy and cyber law. His straightforward advice and thorough approach are a benefit to clients as they confront their toughest challenges.

Follow:Read more about David StaussDavid's Linkedin Profile
Close up view of the Oklahoma state flag waving.

Key point: Oklahoma becomes the 20th state to enact a broad consumer data privacy law.

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law. In doing so, Oklahoma becomes the 20th state to enact a broadly applicable consumer data privacy law.

Passage of a consumer data privacy law in Oklahoma has been a multiyear process. The Oklahoma House first passed a consumer data privacy bill authored by then-Representative Collin Walke in 2021, but the bill stalled in the Senate. The House again passed a bill in 2022, and it again stalled in the Senate.

The new law is a more business-friendly blend of the 2022 version of Virginia’s consumer data privacy law and the Texas consumer data privacy law. Ultimately, entities subject to other state privacy laws will not have any new compliance obligations. In the below article, we provide an overview of the new law.

Key point: Last week, Oklahoma became the 20th state to enact a broad consumer data privacy law, while Utah’s governor signed two bills into law, and bills advanced out of committees in Connecticut, Kansas, Maryland, New Jersey, and Vermont.

Below is the 10th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, the draft bill to repeal and replace the Colorado AI Act was publicly released, Tennessee’s legislature passed health care-related AI companion bills, bills crossed chambers in six states, and bills advanced out of committees in six states.

Below is the 10th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Washington flag, USA

Key point: With a private right of action and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to ensure they are not unintentionally triggering the bill’s provisions.

On March 11, 2026, the Washington legislature passed HB 2225, becoming the second state this session to pass a bill specifically aimed at regulating artificial intelligence (AI) companions. The bill is now with Governor Bob Ferguson for consideration. He has 20 days from receipt of the bill to either sign or veto it. If the governor takes no action within that timeframe, the bill will become law without his signature and will go into effect on January 1, 2027. The bill was filed at Ferguson’s request, so presumably, he will sign it.

Earlier this session, we wrote about Oregon’s SB 1546, another consumer-facing interactive AI bill focused on AI companions with a private right of action and statutory damages. Washington’s bill imposes similar requirements on businesses that deploy AI companion chatbots but arguably has an even broader applicability standard. The Washington bill also includes a private right of action, which is modeled on the private right of action in Washington’s My Health My Data Act (MHMD) and does not include statutory damages.

In the article below, we provide an overview of the Washington bill.

Key point: Last week, the Washington and New York legislatures each passed two bills; chatbot bills advanced in Georgia, Hawaii, and Tennessee; the Hawaii House passed a pricing bill while Colorado and Massachusetts committees advanced pricing bills; health care-related AI bills advanced in Missouri and Vermont; and New Hampshire advanced a deceptive AI bill.

Below is the ninth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, consumer data privacy bills advanced in Alabama and Kentucky, Vermont’s data broker amendment bill passed a committee vote, and Hawaii’s Senate passed a bill prohibiting the sale of geolocation information and internet browser information without consent.

Below is the ninth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Key point: If enacted, the bill will require GenAI systems to provide a conspicuous warning that GenAI outputs may be inaccurate.

On March 9, 2026, the New York legislature passed A 3411, which requires generative artificial intelligence (GenAI) systems to notify users that the system’s outputs may be inaccurate. The bill will next move to Governor Kathy Hochul for consideration. If it becomes law, the bill will go into effect 90 days from enactment. The bill is short (it contains only 30 lines of text) but has broad implications.

In the article below, we provide background on the bill, an overview of its requirements, and potential implications should it become law.

Oregon State (USA) Flag

Key point: With a private right of action, statutory damages, and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to make sure they are not unintentionally triggering the bill’s provisions.

On March 5, 2026, Oregon’s legislature passed a consumer-facing interactive artificial intelligence (AI) bill focused on AI companions (SB 1546). The bill will next head to Governor Tina Kotek who will have 30 full weekdays to sign, veto, or allow the bill to become law without her signature. According to Oregon’s legislative website, no one publicly testified in opposition to the bill and it passed both chambers with only two no votes. If the bill becomes law, it will go into effect January 1, 2027.

Although the bill is directed at AI companions, as discussed below, the bill contains ambiguous and undefined terms that could lead to businesses unintentionally triggering its provisions. This is particularly concerning given that the bill contains a private right of action with statutory damages of $1,000 for each violation.

The following article provides an overview of the Oregon bill, its applicability, obligations, and potential implications for businesses.

Key point: Last week, Oregon’s legislature passed a chatbot bill, Utah’s legislature passed a provenance bill, Washington’s legislature is on the cusp of passing both a chatbot and provenance bill, and Arizona’s Senate passed a provenance bill.

Below is the eighth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Maine’s Senate passed a consumer data privacy bill while the Virginia and Utah legislatures passed bills amending their existing consumer data privacy laws.

Below is the eighth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the content provided below is time-sensitive and subject to change.