The US Introduces New State Privacy Laws
As we move into 2026, U.S. state-level privacy enforcement is set to intensify. Businesses operating across multiple states face more obligations, driven by new laws and evolving regulations that aim to strengthen consumer privacy protections.
California: Expanded Privacy and Automated Decision-Making Rules
California continues to set the standard for state privacy regulation. In 2025, the California Privacy Protection Agency (CPPA) finalised regulations under the California Consumer Privacy Act (CCPA) covering automated decision-making technology (ADMT), risk assessments, and cybersecurity audits. These regulations became effective at the start of 2026 and impose specific obligations for businesses using AI or algorithmic systems that substantially replace human decision-making.
Key requirements include:
Opt-Out Rights: Consumers must be able to opt out when ADMT is used to make decisions that significantly affect them.
Human Oversight: Businesses must ensure that someone with authority can interpret and, if necessary, correct ADMT-driven decisions.
Risk Assessments: Companies must assess potential risks whenever they process sensitive personal data, use ADMT in significant consumer decisions, or sell or share personal information.
Cybersecurity Audits: The rules define what constitutes a "significant risk" and outline reasonable measures for protecting personal data.
Additionally, the California Delete Act introduced the DROP system, which allows consumers to submit deletion and opt-out requests that brokers are obligated to honour within 45 days. Data brokers who fail to comply face fines of USD 200 per violation, penalties that can quickly escalate for large databases.
The regulatory environment has already seen substantial enforcement activity, with 2025 marking record settlements, including:
Tractor Supply Company: $1.35 million for failing to adequately notify consumers and provide effective opt-out mechanisms.
Healthline Media LLC: $1.55 million for improper sharing of sensitive consumer information and failure to honour opt-out requests.
Other States Catching Up
While California remains the most active, other states have introduced comprehensive privacy laws, including Indiana, Kentucky, and Rhode Island, all effective in 2026. Though these laws do not radically depart from existing privacy frameworks, businesses must be vigilant, as coordinated enforcement across states could increase the risk of penalties.
Oregon’s Consumer Privacy Act entered into force in mid-2024, and reports from the state’s Department of Justice show high consumer engagement and indicate that enforcement activity is on the rise across states with active privacy laws. Similarly, Texas has emerged as a leading privacy enforcement authority, signalling a broader trend toward aggressive state-level oversight.
Federal Developments
At the federal level, the FTC amended the Children’s Online Privacy Protection Act (COPPA) in 2025, expanding parental control and transparency requirements for websites collecting data from children under 13. Compliance deadlines extend into 2026, and businesses participating in FTC-approved safe harbour programs must pay particular attention to the nuances of these timelines.
Additionally, the Department of Justice issued rules and guidance limiting the transfer of bulk sensitive personal data to certain foreign countries, reflecting national security concerns. These rules have practical implications for data governance, contractual arrangements, and cross-border transactions.
Key Takeaways for Businesses
Review and update compliance programs: California’s new ADMT, risk assessment, and cybersecurity requirements necessitate careful documentation and operational oversight.
Monitor multi-state obligations: With Indiana, Kentucky, Rhode Island, and other states introducing comprehensive privacy laws, businesses must ensure their policies meet varying standards.
Prepare for enforcement: Record fines in 2025 demonstrate that regulators are willing to impose significant penalties for non-compliance.
Stay aware of federal regulations: COPPA amendments and DOJ rules on bulk data transfers add another layer of complexity for U.S. businesses and those operating internationally.
For organisations that process large volumes of consumer data or use AI-driven decision-making, now is the time to reassess policies, ensure staff accountability, and implement transparent mechanisms for consumer rights.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you; get in contact with us today for more information.