Usual Suspects Will Remain Privacy States to Watch in 2026, Lawyers Say
Many states that have had leading roles in the privacy space will continue to do so in 2026, but several newcomers will be noteworthy owing to laws coming online, potential enforcement and litigation, privacy lawyers said.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The “front-runners” remain California, Colorado, Connecticut and Texas, said Susan Duarte, a privacy lawyer at Marashlian & Donahue. She added that Illinois is also a leader, though more so with litigation.
Laura Riposo VanDruff, consumer privacy, data security, and consumer protection lawyer at Kelley Drye, agreed about Texas, adding it has "really been aggressive in its enforcement, including just using its [Unfair and Deceptive Acts and Practices] statute in protecting Texans online.”
But she said that “California is at the top of the list” to watch because it has “significant resources and expertise to enforce the laws that they have, as well as really a mandate from the people ... to do so.”
VanDruff also cited states in the bipartisan cross-state privacy enforcement coalition (see 2504160037) as others to watch.
For Julie Rubash, chief privacy officer for compliance vendor Sourcepoint, Maryland is "interesting.” The Maryland Online Data Privacy Act’s (MODPA) “data minimization provisions go far beyond anything that we've seen in any other state law,” she said.
She’s not sure “whether there's going to be a lot of enforcement or not” of MODPA, but the “significance” of it might not come from Maryland, but “how it influences ... legislation” in other states. "We're already seeing other states modeling their legislation" after Maryland.
This modeling may make data minimization “the new trend in comprehensive privacy laws,” which could make it “front and center,” even if it takes several years, Rubash said.
But since nobody yet “has a good feel for how [Maryland's] law will be interpreted” or “to what extent,” companies for the most part are “just keeping an eye on it, as opposed to taking any drastic measures.”
Duarte will also watch Oregon in 2026, as “it seems like they may start enforcing” their Consumer Privacy Act (OCPA) “more now that their cure period” is over. The state has indicated that “as soon as [the cure period] was over ... they were going to expect companies to be in compliance,” she said (see 2510300034).
Duarte and Rubash will be watching Rhode Island as well. Duarte is “curious” since it has “such a restrictive law and there is no cure period.”
For example, it asks companies to “predict anybody that you might share [data] with in the future” and outline that “when you're writing your privacy policy,” said Duarte, adding that she's watching to see if the state will enforce that or if it will be challenged.
Rubash said another notable thing about Rhode Island's law is that companies “will be required to display … the list of third parties that [they] are providing data to,” with respect to state residents. Though Oregon and Minnesota privacy laws (see 2507300075) have similar provisions, the list is only provided upon request, whereas Rhode Island “requires that you display the list somewhere on your website,” whether as part of a privacy policy, the consent management platform or somewhere else.
Though Rubash is unsure how much Rhode Island will enforce it, she said there are “probably a lot of companies that don't even know about” this aspect of the law. Many things “kind of fly under the radar until the first enforcement action happens,” she said, so it’s possible that “we don't see this from companies very much until that first enforcement action.”
In general, VanDruff is “interested to see what state legislatures do” in 2026. She noted there were no new comprehensive laws in 2025, though some “states got close.” Instead, several amended their laws, so “it'll be interesting to see the extent to which there's momentum going forward in the coming year.”
Duarte similarly is “curious to see what the states focus on.” In 2025, “we saw a lot in the car space,” with states like Texas regulating the share and sale of location data (see 2501130047) and in the California Privacy Protection Agency’s settlement with Honda (see 2503120037). While she doesn’t “know if that [trend] will continue,” she’s interested in seeing “how that will play out.”