Key point: Last week, Oklahoma became the 20th state to enact a broad consumer data privacy law, while Utah’s governor signed two bills into law, and bills advanced out of committees in Connecticut, Kansas, Maryland, New Jersey, and Vermont.

Below is the 10th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, the draft bill to repeal and replace the Colorado AI Act was publicly released, Tennessee’s legislature passed health care-related AI companion bills, bills crossed chambers in six states, and bills advanced out of committees in six states.

Below is the 10th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

This article was originally published on The Legal Intelligencer and is republished here with permission as it originally appeared on March 12, 2026.

In this third and final article in a three-part series on the FirstEnergy decision, we turn to what happens when litigation arrives and privilege is challenged.

Over the past several years, district courts have been skeptical of privilege claims over forensic investigation materials in the cybersecurity context. FirstEnergy provides a framework for defending those materials. Every cyber investigation serves two purposes. From a legal perspective, the investigation informs litigation exposure and defense strategy. But the same investigation also identifies compromised systems, drives remediation and supports business operations. After FirstEnergy, those dual purposes do not defeat privilege, provided the investigation was initiated because of legal risk and directed by counsel. This article also examines how the lessons of FirstEnergy apply in cases involving multiple defendants that may have both a desire and need—for both business and legal purposes—to work together to understand an incident and share information.

On March 16, 2026, New York Attorney General (AG) Letitia James rallied in support of the “One Fair Price Package” — a pair of bills aimed at curbing algorithmic and surveillance pricing in New York. Together, the bills would prohibit the use of personalized algorithmic pricing based on consumer data, ban electronic shelf labels in large food and drug retailers, and create robust enforcement mechanisms and private rights of action. The announcement from New York comes shortly after New Jersey Governor Mikie Sherrill backed legislation to ban what she has called “surveillance” pricing, and after California Attorney General Rob Bonta announced, earlier this year, an investigative sweep focused on businesses that use consumer data to individualize prices for their goods or services.

In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.

A new discussion draft from Representative Bill Huizenga (R-MI) would significantly update Title V of the Gramm‑Leach‑Bliley Act (GLBA) to reflect how financial data is collected, shared, and monetized in today’s market. Released in connection with the March 17, 2026 House Financial Services Committee (Committee) hearing, “Updating America’s Financial Privacy Framework for the 21st Century,” the draft purports to give consumers greater control over their financial data, impose new limits on financial institutions and data aggregators, and create a more uniform national privacy regime for consumer financial information.

Key point: With a private right of action and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to ensure they are not unintentionally triggering the bill’s provisions.

On March 11, 2026, the Washington legislature passed HB 2225, becoming the second state this session to pass a bill specifically aimed at regulating artificial intelligence (AI) companions. The bill is now with Governor Bob Ferguson for consideration. He has 20 days from receipt of the bill to either sign or veto it. If the governor takes no action within that timeframe, the bill will become law without his signature and will go into effect on January 1, 2027. The bill was filed at Ferguson’s request, so presumably, he will sign it.

Earlier this session, we wrote about Oregon’s SB 1546, another consumer-facing interactive AI bill focused on AI companions with a private right of action and statutory damages. Washington’s bill imposes similar requirements on businesses that deploy AI companion chatbots but arguably has an even broader applicability standard. The Washington bill also includes a private right of action, which is modeled on the private right of action in Washington’s My Health My Data Act (MHMD) and does not include statutory damages.

In the article below, we provide an overview of the Washington bill.

Key point: Last week, the Washington and New York legislatures each passed two bills; chatbot bills advanced in Georgia, Hawaii, and Tennessee; the Hawaii House passed a pricing bill while Colorado and Massachusetts committees advanced pricing bills; health care-related AI bills advanced in Missouri and Vermont; and New Hampshire advanced a deceptive AI bill.

Below is the ninth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, consumer data privacy bills advanced in Alabama and Kentucky, Vermont’s data broker amendment bill passed a committee vote, and Hawaii’s Senate passed a bill prohibiting the sale of geolocation information and internet browser information without consent.

Below is the ninth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.