Privacy professionals begin the new year considering significant changes to some state privacy requirements. Lawyers suggested resolutions to review data and get an early start on risk assessments.
All 20 U.S. comprehensive privacy laws will be in effect Jan. 1 when Kentucky, Indiana and Rhode Island join 17 other states with broad privacy statutes. However, those three new state laws coming online are unlikely to significantly reshape the U.S. consumer privacy landscape, privacy experts said in interviews with Privacy Daily.
A slew of comprehensive privacy law bills from 2025 are expected to return in the new year. While no new states joined about 20 others with broad consumer privacy laws this year, 16 additional states had bills that either will carry over to 2026 or could be reintroduced.
Efforts continue to pass a New Mexico comprehensive privacy bill that includes a private right of action, but logistical issues in the legislature could prevent the measure from getting a hearing in 2026, supporters said.
New York state will require warning labels on social networks detailing their mental health risks. Gov. Kathy Hochul (D) late Friday signed S-4505, which passed the legislature in June (see 2506180004).
Friday night’s veto of a New York health data privacy bill might not be the end of the story. S-929 sponsor Sen. Liz Krueger (D) “is planning to reintroduce this bill or something similar next session,” a spokesperson told Privacy Daily on Monday. In addition, the New York Civil Liberties Union (NYCLU) plans to work with S-929's sponsors to “try again next year,” Allie Bohm, senior policy counsel, emailed us.
A vast and confusing array of kids privacy laws in the states is likely to keep expanding in the near term, even though many are probably unconstitutional, Sheila Millar, a consumer protection lawyer at Keller & Heckman, said on a Better Business Bureau podcast posted Wednesday.
Data brokers must register quickly and comprehensively in California, the California Privacy Protection Agency said in an enforcement advisory Wednesday. CalPrivacy issued the advisory, which addresses data broker registration requirements related to trade names, websites and parent-subsidiary relationships, with about two weeks to go until the planned Jan. 1 launch of the Delete Request and Opt-Out Platform (DROP).
Businesses are working toward compliance with Maryland’s comprehensive privacy law, despite its differences with 19 other states' comprehensive privacy laws, two McNees privacy attorneys said in an interview with Privacy Daily on Monday. Devin Chwastyk, who co-chairs the firm’s privacy and data security group, predicted “the phone will start ringing with more vigor” as the Maryland Online Data Privacy Act’s April 1 “enforcement deadline approaches.” In addition, he said MODPA may signal the end of “cookie-cutter” state privacy bills.
It’s best to avoid building privacy compliance programs around specific regulations or treating customers differently by region, Iman Saleh, Airbnb senior manager of AI privacy architecture said during a panel at the Risk Digital Global virtual conference Thursday. “Generalize when possible" and "work within the spirit of the law, not the letter of the law,” she said.