Key point: Last week, Alabama’s legislature passed a consumer data privacy bill.
Below is the 13th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
A federal court in Michigan significantly narrowed Michigan Attorney General (AG) Dana Nessel’s privacy and consumer protection case against Roku, Inc. (Roku) dismissing all non-Children’s Online Privacy Protection Act (COPPA) claims for lack of standing while allowing the state’s privacy claims under COPPA to proceed. The decision highlights COPPA’s utility as a vehicle for state AGs to bring enforcement actions in federal court, while also underscoring the jurisdictional limits on bringing companion state privacy and consumer protection claims in the same forum.
Key point: Last week, chatbot bills were signed into law in Oregon and Idaho, while a health care-related AI bill was signed into law in Tennessee.
Below is the 12th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.
Key point: Last week, Maine’s consumer data privacy bill stalled in the House, while Kentucky’s legislature passed a bill to amend the commonwealth’s consumer data privacy law.
Below is the 12th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
Key point: Tennessee’s new law prohibits parties that develop or deploy AI systems from advertising or representing to the public that the AI systems can act as a qualified mental health professional.
On April 1, 2026, Tennessee Governor Bill Lee signed SB 1580 into law, and it will go into effect on July 1, 2026. The new law is short — less than one page — but has potentially significant consequences given that it includes a private right of action.
In the following post, we provide an overview of the new law.
Key point: Last week, four bills were signed into law in three states, two state legislatures passed chatbot bills, and eight bills crossed chambers.
Below is the 11th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.
Key point: Last week, Maine’s consumer data privacy bill passed the state’s House for a second time; consumer data privacy amendment bills advanced in Kentucky, New Hampshire, and Maryland; and bills crossed chambers in New Jersey (biometric) and Vermont (data broker).
Below is the 11th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
Key point: Oklahoma becomes the 20th state to enact a broad consumer data privacy law.
On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law. In doing so, Oklahoma becomes the 20th state to enact a broadly applicable consumer data privacy law.
Passage of a consumer data privacy law in Oklahoma has been a multiyear process. The Oklahoma House first passed a consumer data privacy bill authored by then-Representative Collin Walke in 2021, but the bill stalled in the Senate. The House again passed a bill in 2022, and it again stalled in the Senate.
The new law is a more business-friendly blend of the 2022 version of Virginia’s consumer data privacy law and the Texas consumer data privacy law. Ultimately, entities subject to other state privacy laws will not have any new compliance obligations. In the below article, we provide an overview of the new law.
Key point: Last week, Oklahoma became the 20th state to enact a broad consumer data privacy law, while Utah’s governor signed two bills into law, and bills advanced out of committees in Connecticut, Kansas, Maryland, New Jersey, and Vermont.
Below is the 10th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.
Key point: Last week, the draft bill to repeal and replace the Colorado AI Act was publicly released, Tennessee’s legislature passed health care-related AI companion bills, bills crossed chambers in six states, and bills advanced out of committees in six states.
Below is the 10th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.