Photo of David Stauss

David Stauss

Subscribe to David Stauss's Posts

David guides clients as they navigate the complexities of privacy and cyber law. His straightforward advice and thorough approach are a benefit to clients as they confront their toughest challenges.

Follow:Read more about David StaussDavid's Linkedin Profile

Key point: Alabama became the 21st state to enact a broader consumer data privacy law, Kentucky and Virginia finalized amendments to their consumer data privacy laws, and Nebraska amended its Age-Appropriate Design Code Act.

Below is the 14th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Alabama Flag

Key point: Alabama becomes the 21st state to enact a broad consumer data privacy law with a law that is one of the more business-friendly laws passed to date.

According to Privacy Daily, on April 16, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351) into law, making Alabama the 21st state to pass a broad consumer data privacy law and the second state to do so this year. This is the second privacy law Alabama enacted this year. The state enacted an app store law in February.

With passage of Alabama’s law, approximately 46% of the U.S. population will now be covered by a broad consumer data privacy law.

The new business-friendly law is largely unremarkable. Companies that are complying with other state consumer data privacy laws will not need to do anything new to comply with Alabama’s law. However, the law does have a few nuances that we discuss in the article below — in particular, the law’s applicability standard and its definition of “sale.”

Key point: Legislatures in Nebraska (chatbot bill), Maryland (pricing), and Maine (health) passed AI bills last week.

Below is the 13th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Alabama’s legislature passed a consumer data privacy bill.

Below is the 13th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, chatbot bills were signed into law in Oregon and Idaho, while a health care-related AI bill was signed into law in Tennessee.

Below is the 12th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Maine’s consumer data privacy bill stalled in the House, while Kentucky’s legislature passed a bill to amend the commonwealth’s consumer data privacy law.

Below is the 12th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

US state flag of Tennessee

Key point: Tennessee’s new law prohibits parties that develop or deploy AI systems from advertising or representing to the public that the AI systems can act as a qualified mental health professional. 

On April 1, 2026, Tennessee Governor Bill Lee signed SB 1580 into law, and it will go into effect on July 1, 2026. The new law is short — less than one page — but has potentially significant consequences given that it includes a private right of action.

In the following post, we provide an overview of the new law.

Key point: Last week, four bills were signed into law in three states, two state legislatures passed chatbot bills, and eight bills crossed chambers.

Below is the 11th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Maine’s consumer data privacy bill passed the state’s House for a second time; consumer data privacy amendment bills advanced in Kentucky, New Hampshire, and Maryland; and bills crossed chambers in New Jersey (biometric) and Vermont (data broker).

Below is the 11th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Close up view of the Oklahoma state flag waving.

Key point: Oklahoma becomes the 20th state to enact a broad consumer data privacy law.

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law. In doing so, Oklahoma becomes the 20th state to enact a broadly applicable consumer data privacy law.

Passage of a consumer data privacy law in Oklahoma has been a multiyear process. The Oklahoma House first passed a consumer data privacy bill authored by then-Representative Collin Walke in 2021, but the bill stalled in the Senate. The House again passed a bill in 2022, and it again stalled in the Senate.

The new law is a more business-friendly blend of the 2022 version of Virginia’s consumer data privacy law and the Texas consumer data privacy law. Ultimately, entities subject to other state privacy laws will not have any new compliance obligations. In the below article, we provide an overview of the new law.