State Legislation

Subscribe to State Legislation via RSS

Key point: Although the Executive Order seeks to bring regulatory certainty in the development and deployment of AI in the US – at least in the short term – it is unlikely to alleviate compliance burdens for businesses and only create more uncertainty.

On December 11, 2025, President Donald Trump signed an Executive Order entitled “Ensuring a National Policy Framework for Artificial Intelligence.” The purpose of the Executive Order is two-fold.

First, the order seeks to create a legal structure to stop states from enacting new state AI laws and from enforcing existing ones. According to the order, the goal of the United States must be “[t]o win” a “race with adversaries for supremacy” in AI. However, to do so, “United States AI companies must be free to innovate without cumbersome regulation.” Therefore, the order seeks to prevent “a patchwork of 50 different state regulatory regimes that makes compliance more challenging, particularly for start-ups.” Importantly, the order itself does not attempt to preempt state AI laws. Rather, as discussed below, it just creates a structure for the federal government to try to preempt some of them.

Second, the order states that the Trump administration will work with Congress to enact a “minimally burdensome national standard” that preempts state law and “ensure[s] that the United States wins the AI race, as we must.”

The order follows two prior attempts in Congress to pass a moratorium on states enacting AI laws. Most recently, an attempt to include a moratorium in the National Defense Authorization Act of 2026 failed, creating the impetus for the President to sign the order.

Although the Executive Order seeks to streamline and reduce AI regulation, there are many questions that it leaves open, including the scope of laws that will be challenged and the likelihood – if not certainty – that states will challenge the order’s legality. It also remains to be seen whether the order slows the passage of new state AI laws and enforcement of existing ones. Indeed, it could ultimately have the unintended consequence of resulting in even more state AI laws. In the below article, we discuss the scope of the order, the state AI laws that could be targeted by the administration, how states have reacted to the order, and takeaways for businesses that are trying to comply with existing and forthcoming state AI laws.

Key point: Starting August 1, 2026, registered data brokers will need to access California’s new one-stop-shop deletion platform to process deletion requests or risk significant fines.

Last month, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s (CalPrivacy) regulations further implementing the Delete Act (SB 362). Effective January 1, 2026, the Delete Act makes several changes to California’s data broker law, including charging CalPrivacy with creating a new one-stop-shop for California residents to request that all registered data brokers delete their personal information. California residents can begin registering on January 1, 2026, and data brokers must process requests starting August 1, 2026. Failure to comply is subject to a $200 fine “for each deletion request for each day the data broker fails to delete information.”

In the below article, we provide a brief background on the Delete Act and summarize the new regulations.

Key point: This is the eighth fine CalPrivacy has issued against an entity for failing to register as a data broker and comes just days after CalPrivacy announced a new Data Broker Enforcement Strike Force and only months before fines will significantly increase under the California Delete Act.

On December 3, 2025, the California Privacy Protection Agency (CalPrivacy) announced its latest fine for an entity failing to register as a data broker under California’s Delete Act. This is the eighth time CalPrivacy has fined an entity for failing to register as a data broker. The agency issued four fines in both 2024 and 2025.

The $56,600 fine comes just days after CalPrivacy announced the formation of a Data Broker Enforcement Strike Force, portending even more (and significantly higher) fines against data brokers and unregistered data brokers. This is particularly notable given that the agency’s data broker regulations adopt a broader definition of what constitutes a data broker, which definition may encompass entities that do not traditionally consider themselves to be data brokers.

In the below article, we provide a brief overview of the enforcement action. We also discuss the broader context of data broker regulation in California, including the increased risks and requirements on data brokers in 2026.

Key point: The court held that NetChoice’s complaint adequately states constitutional claims against Maryland’s Age-Appropriate Design Code Act and allowed NetChoice’s lawsuit to continue, but did not rule on the merits of the claims or enjoin the law.

On November 24, 2025, Maryland District Court Judge Richard Bennett denied Maryland’s motion to dismiss a complaint filed by NetChoice challenging Maryland’s Age-Appropriate Design Code Act, commonly referred to as the Maryland Kids Code. NetChoice’s complaint alleges that the Kids Code violates the First Amendment and is preempted by federal law. The decision finds only that NetChoice’s complaint states plausible claims. The court did not rule on the merits of the claims and did not enjoin the law. In the below article, we provide a brief overview of the Kids Code and the decision.

The Oklahoma state flag waving along with the national flag of the United States of America

Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.

Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.

The below article provides an overview of the amendments.

Key point: The most recent CCPA enforcement action focuses on the CCPA’s right to opt out of sales and shares and treatment of minor’s data.

On November 21, 2025, the California Attorney General (AG) announced its latest enforcement action for violations of the California Consumer Privacy Act (CCPA). The complaint alleges that a gaming app developer failed to provide a CCPA-compliant opt-out link or setting within any of its 21 apps or website. The complaint also alleges that six of the developer’s apps sold the personal information of consumers between the ages of 13 and 16 without obtaining consent. Pursuant to the final judgment and permanent injunction, the developer agreed to pay $1.4 million, implement corrective measures, and maintain a compliance program.

The settlement is the ninth CCPA public enforcement action, including six by the AG and three by the California Privacy Protection Agency. Seven of the nine enforcement actions are from this year, showing a notable increase in enforcement activity. As with prior enforcement actions, this settlement reinforces that businesses should be auditing their current practices and procedures to ensure that they are compliant and remain compliant.

In the below article, we provide a summary of the violations and penalties.

Key point: The California Privacy Protection Agency’s announcement places even more scrutiny on the compliance practices of data brokers.

On November 19, 2025, the California Privacy Protection Agency (now calling itself CalPrivacy) announced the creation of a Data Broker Enforcement Strike Force. The stated goal of the strike force is to review the data broker “industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act.” Announcing the launch, Michael Macko, CalPrivacy’s head of enforcement, stated “For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry.”

CPRA_1200x600_GettyImages-1206098096

Key point: California’s new Digital Age Assurance Act will likely create significant compliance challenges for many businesses.

On October 13, 2025, California Governor Gavin Newsom signed AB 1043 — the Digital Age Assurance Act — into law. In doing so, California joins Louisiana, Texas, and Utah, in passing laws this year requiring app developers to receive age bracket signals. While California’s law is more operational in nature, and in key respects narrower than the content-focused nature of the laws passed by Louisiana, Texas, and Utah, when AB 1043 goes into effect on January 1, 2027, the law will likely require companies to consider unique implementation strategies and may frustrate approaches to creating a uniform age-assurance compliance program. Further, the law will likely affect almost every app developer operating in California, including many that have never dealt with age verification requirements.

In the below article, we provide background and a summary of the law, discuss how it compares with other similar-in-kind laws, and outline some implications businesses will need to consider.