Key point: Regulations proposed in June 2025 to implement the New Jersey Data Privacy Law expired on June 2, 2026, when the regulations were not adopted within a year of the proposal. The path forward for future rulemaking to implement the law is uncertain.
Key point: Louisiana becomes the 22nd state — and third this year — to enact a consumer data privacy law, adopting a law similar to Texas’ law.
On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act (SB 386) into law. Louisiana is the 22nd state to pass a broad consumer data privacy law. It is the third state — following Oklahoma and Alabama — to pass a law this year.
The new law largely tracks Texas’ law but with some notable differences we identify below.
Key point: Vermont’s legislature passed a consumer data privacy bill, Illinois’ legislature passed an AI frontier model bill, and eight bills crossed chambers in California.
Below is the 20th update on the status of proposed state privacy and AI legislation in 2026. With state legislative activity slowing, we have combined our weekly privacy and AI posts.
On May 26, 2026, a bipartisan coalition of 44 attorneys general (AGs) issued a letter opposing the federal Kids Internet and Digital Safety Act (KIDS Act), H.R. 7757. The AGs assert that the KIDS Act would preempt their ability to enforce child online safety laws at the state level.
Key point: Louisiana’s legislature passed a consumer data privacy bill, five bills crossed chambers in Illinois, nine bills crossed chambers in California, and Delaware’s House passed a bill to significantly amend the state’s consumer data privacy law.
Below is the 19th update on the status of proposed state privacy and AI legislation in 2026.
Key point: Colorado repealed and replaced the Colorado AI Act, Georgia enacted a chatbot law, and California and New York advanced numerous bills.
Below is the 18th update on the status of proposed state privacy and AI legislation in 2026. With the state legislative activity slowing, we have combined our weekly privacy and AI posts.
This article was republished on IAPP on May 12, 2026.
Key point: The Colorado legislature passed a bill to replace Colorado’s existing artificial intelligence (AI) law with a more business-friendly regulatory regime focused on disclosures and limited consumer rights but, in doing so, added to the growing complexity of state AI regulation.
On May 12, the Colorado legislature passed SB 189, which repeals and replaces the Colorado AI Act. The bill will next head to Colorado Governor Jared Polis, who is expected to sign it, having been a driving force in the drafting of the bill.
SB 189 removes many of the hallmarks of the Colorado AI Act — such as a duty of care, risk management programs, and impact assessments — in favor of a disclosure-based framework with limited rights in narrow circumstances. That said, the bill’s January 1, 2027, effective date means that it will go into effect — the legislature will not reconvene until January 11, 2027 — thereby ending the uncertainty as to whether a Colorado AI law will go into effect.
The bill is complex, with many intertwined definitions and numerous exceptions. The article below provides an overview of the bill, digging into its many nuances. In addition, on May 18 from 12-1 p.m. ET, David Stauss will be hosting a webinar analyzing the bill. Click here to register.
Although the bill removes and narrows obligations under the existing law, Colorado still will have the most far-reaching legislatively enacted deployer/private sector AI law of any state. Further, the bill’s passage only adds to an increasingly complex state regulatory regime for businesses to navigate when deploying AI systems, including the California Consumer Privacy Act’s risk assessment and automated decision-making technology (ADMT) regulations and, in the employment context, laws in Illinois, New York City, and soon-to-be Connecticut.
Key point: Last week, Connecticut’s legislature passed a bill to amend the state’s consumer data privacy law and establish a data broker registration law, Iowa’s governor signed a chatbot bill into law, Colorado’s legislature passed a pricing bill and is poised to pass a bill to repeal and replace the Colorado AI Act, and Vermont’s legislature passed a health care AI bill.
Below is the 17th update on the status of proposed state privacy and AI legislation in 2026. With the state legislative activity slowing, we have combined our weekly privacy and AI posts.
Key point: Connecticut’s AI bill passed the legislature, Maryland’s pricing bill was signed into law, Colorado’s AI Act replacement bill was introduced, and chatbot bills advanced in several states.
Below is the 16th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.
Key point: Colorado’s legislature passed an age attestation bill while Michigan’s Senate passed a Kids Code Act.
Below is the 16th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers