State Privacy Law

State of play.

• The state privacy patchwork has reached 21+ active regimes, with enforcement dollars now in the billions. Alabama enacted the APDPA in April 2026 (effective May 2027), becoming the 21st state with comprehensive privacy legislation; Gartner-documented data shows U.S. state regulators imposed $3.425 billion in privacy fines during 2025 alone—exceeding the prior five-year combined total .
• The Seventh Circuit has fundamentally reset BIPA litigation economics. In Clay v. Union Pacific Railroad Co., the court held the 2024 damages cap applies retroactively to all pending cases, eliminating per-scan multipliers and collapsing settlement leverage for plaintiffs across hundreds of active suits (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases, 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• The CPPA has launched an Audits Division and is assessing CCPA compliance now—two years before formal certification deadlines. Executive Director Tom Kemp has signaled the division will focus on real-world usability of consumer rights, AI tool governance, surveillance pricing, and sensitive data handling, not just policy documents .
• Federal preemption is back on the table—but without Democratic support. House Republicans introduced the SECURE Data Act on April 22, 2026, which would preempt most state privacy laws; both the SECURE Data Act and companion GUARD Financial Data Act lack Democratic backing and face a history of failed federal privacy efforts .
• For counsel advising multistate operators, the practical baseline is that state enforcement is the primary risk vector—the CPPA is auditing ahead of schedule, cure periods are disappearing, and the $3.425 billion 2025 enforcement figure signals that privacy compliance has moved from cost center to material financial exposure.

Where things stand.

• Twenty-one-plus states have enacted comprehensive privacy statutes, covering roughly 46 percent of the U.S. population. Indiana, Kentucky, and Rhode Island activated January 1, 2026; Alabama (APDPA) follows May 1, 2027; Oklahoma enacted separately in 2026 (→ Three New State Privacy Laws Activate January 1, 2026, Expanding U.S. Patchwork to 20 States).
• State AGs are the primary enforcement engine. Most state regimes vest exclusive enforcement authority in the AG; cure periods are narrowing or eliminated; California's CPPA operates as a dedicated enforcement agency alongside the AG and has now launched a dedicated Audits Division (→ Three New State Privacy Laws Activate January 1, 2026, Expanding U.S. Patchwork to 20 States).
• California's regulatory apparatus is the most complex and active. The CCPA now covers employee data (employment exemption expired January 2023); the DELETE Act's DROP platform launched in January 2026 with 242,000 deletion requests already submitted; mandatory data broker audits begin January 2028; CCPA amendments require cybersecurity audits, risk assessments, and automated decision-making disclosures (→ CalPrivacy Opens Preliminary Comments on DROP Audit Rules for Data Brokers, CalPrivacy Seeks Comments on CCPA Employee Data Notices by May 20, Three New State Privacy Laws Activate January 1, 2026, Expanding U.S. Patchwork to 20 States).
• BIPA remains the highest-stakes biometric privacy statute, now with restructured damages. The Seventh Circuit's Clay decision caps recovery at one award per person per collection method, eliminating the per-scan theory; Section 15 compliance obligations—notice and consent—remain fully enforceable (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases, 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• State wiretap statutes—CIPA, WESCA, and analogs—are the primary private litigation vehicle for tracking technologies. CIPA's $5,000-per-violation statutory damages with no actual-harm requirement drives mass arbitration and class action filings; the Third Circuit has narrowed federal standing for WESCA claims based on routine browsing, redirecting plaintiffs to state court .
• Geolocation data has moved from consent-based to ban-based in multiple states. Virginia enacted an outright ban on the sale of precise geolocation data (effective July 1, 2026), joining Maryland and Oregon; Virginia's narrow "sale" definition may leave non-monetary data-sharing arrangements unaddressed .
• Children's and minors' data is the fastest-moving substantive category. Washington enacted the first chatbot disclosure law with prescriptive timing requirements and a private right of action; Utah restructured its App Store Accountability Act to replace AG enforcement with private suits by injured minors, mooting industry's First Amendment challenge; age verification mandates are proliferating across at least half of U.S. states despite expert consensus on technical ineffectiveness (→ Washington Gov. Ferguson Signs HB 2225 Requiring AI Companion Chatbot Disclosures, Tech Trade Group Drops Utah App Store Law Suit After Government Enforcement Removed).
• Florida's Digital Bill of Rights targets large platforms specifically. The statute applies to companies deriving at least 50% of global revenue from online advertising, app store operators with 250,000+ apps, and smart speaker operators; penalties reach $50,000 per violation, tripled for minor-related violations; no private right of action .
• TCPA federal rollback is running in parallel with surging state mini-TCPA laws, creating a fragmented telemarketing consent compliance landscape .

Latest developments.

• CPPA launches Audits Division and signals it will begin assessing CCPA compliance in 2026—two years before formal cybersecurity audit certification deadlines—with focus on real-world consumer rights usability, AI tool governance, surveillance pricing, and sensitive data handling .
• Fashion, beauty, and wearable tech sector faces compounding exposure under 2026 state privacy regimes: biometric data from virtual try-on tools classified as sensitive personal information; consumer health data from wearables regulated outside HIPAA by Connecticut and Washington; CIPA class actions targeting tracking and cookie practices; global GDPR fines exceeded €5 billion in 2025 (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• iOS 18.1 call recording feature creates two-party consent compliance gap: disabling one's own recording setting provides no protection against being recorded by the other party; feature relies on a single audible announcement easily missed by AirPods users; feature unavailable in EU and other consent-law jurisdictions .

Active questions and open splits.

• Whether the SECURE Data Act's preemption language survives—and what it preempts. The bill would displace most state privacy laws, but lacks Democratic support and faces a decade of failed federal privacy efforts; if enacted, it eliminates California's private right of action and CPPA enforcement infrastructure while preserving COPPA, GLBA, and HIPAA sectoral regimes .
• Whether Illinois state courts will apply the BIPA damages cap retroactively. The Seventh Circuit's Clay ruling binds federal courts in Illinois, Indiana, and Wisconsin; Illinois state courts are not bound and may reach a different conclusion on retroactivity, preserving a two-track litigation landscape for plaintiffs' counsel (→ Seventh Circuit Rules BIPA Damages Cap Applies to Pending Cases, 7th Circuit Rules 2024 BIPA Damages Amendment Applies Retroactively to Pending Cases).
• Whether routine website tracking satisfies Article III standing across circuits. The Third Circuit has now twice held that mouse clicks and browsing activity without capture of sensitive data are insufficient; other circuits have not uniformly adopted this standard; the practical effect is forum-shopping toward state courts where standing requirements are lower .
• How states will define "sale" for geolocation ban purposes. Virginia's ban covers only monetary exchanges, potentially leaving non-monetary data-sharing arrangements—common in ad-tech—unaffected; California, Massachusetts, Vermont, and Washington have comparable legislation advancing with differing definitions .
• Whether age verification mandates will survive constitutional challenge. 438 security and privacy researchers have documented that age verification systems are technically ineffective and create centralized breach risks; legislatures are proceeding regardless; First Amendment challenges have succeeded in some jurisdictions while others have restructured enforcement to moot standing (→ Tech Trade Group Drops Utah App Store Law Suit After Government Enforcement Removed).
• Whether AI chatbot data retention practices violate existing state privacy statutes. Connecticut's AG has already invoked the CTDPA to require deletion rights within trained models; Stanford research documents opaque retention and training practices at major AI developers; the gap between commercial surveillance and Fourth Amendment protection for AI prompts remains unresolved (→ CT AG Tong Issues Feb. 25 Memo Applying Existing Laws to AI, Stanford Study Warns AI Firms Retain User Data for Training Without Clear Consent).
• What the CPPA Audits Division will actually examine—and when. The agency has not disclosed which companies face audits first or what specific compliance gaps trigger enforcement action; the division's stated focus on AI tool governance and surveillance pricing signals enforcement priorities beyond traditional consumer rights workflows .

What to watch.

• California CPPA employee data rulemaking comment period closes May 20, 2026—watch for proposed rules that could impose European-style employment privacy obligations on California employers (→ CalPrivacy Seeks Comments on CCPA Employee Data Notices by May 20).
• Virginia's geolocation sales ban takes effect July 1, 2026—first enforcement actions will test the scope of the "sale" definition and whether non-monetary data-sharing arrangements are covered .
• California's DROP platform mandatory processing deadline of August 1, 2026 is the next hard compliance trigger for data brokers; $200/day penalties begin accruing for unfulfilled requests (→ CalPrivacy Opens Preliminary Comments on DROP Audit Rules for Data Brokers).
• SECURE Data Act committee markup and amendment process—whether Democrats engage or the bill stalls will determine whether multistate compliance programs need to hedge against federal preemption .
• CPPA Audits Division's first enforcement targets—which sectors and compliance gaps draw early action will set the practical standard for what "audit-ready" means under the CCPA .
• Australia's Children's Online Privacy Code consultation closes June 5, 2026; final registration targeted December 2026—global platforms with Australian users face a hard implementation deadline with limited runway .