After a legislative lull last year, 2026 has brought a new wave of state privacy lawmaking activity.
A number of states have introduced comprehensive state privacy bills during the legislative cycle, reflecting a continued trend toward expanding individual privacy rights and creating new compliance obligations on businesses that collect and process personal data.
While many of these proposals follow established frameworks modeled after existing state privacy laws, several include new provisions addressing emerging issues such as artificial intelligence (AI) and consumer health data.
The tables below summarize certain key details of the state privacy bills introduced during the 2026 legislative cycle.
Comprehensive privacy bills (in progress as of March 2, 2026)
These bills largely mimic existing comprehensive privacy laws passed since 2018. Certain new provisions are summarized in the last column.
| State | Link to bill | Date introduced | Title | Summary of provisions |
| Alabama | HB 351 | January 29, 2026 | Alabama Personal Data Protection Act | Expanded authority for authorized agents to exercise consumer rightsProvides an exemption for AI models in which no personally identifiable data is present in or extractable from the model |
| Arizona | SB 1815 | February 9, 2026 | N/A | Defines “child” as someone under the age of 16 |
| Iowa | HF 2048 | January 14, 2026 | N/A | A standalone privacy regime separate from Iowa’s comprehensive privacy law that applies to significantly smaller businessesCovers companies that process personal data of at least 5,000 Iowa residents annuallyRequires affirmative opt-in consent for personal data processing, rather than relying on an opt-out framework |
| Illinois | SB 2875 | January 16, 2026 | Illinois Consumer Data Privacy Act | Uses a definition of “specific geolocation data” based on latitude and longitude decimals, rather than feetRequires data inventory for controllersProvides a right to contest adverse profiling decisions |
| Illinois | SB 3220 | February 2, 2026 | Illinois Consumer Data Privacy Act | Defines “biometric data” more broadly than the norm (covering data from photos, videos, and audio if used to identify an individual)Exempts pseudonymous data from consumer rights |
| Illinois | SB 3890 | February 6, 2026 | Illinois Data Privacy Protection Act | Requires annual registration of data brokers with the Attorney GeneralMandates creation of a public, centralized deletion mechanism to allow consumers to delete personal data across all registered brokers |
| Illinois | SB 3548 | February 5, 2026 | Consumer Data Privacy Act | Establishes a Consumer Privacy Fund administered by the Attorney General and funded by enforcement proceeds |
| Illinois | HB 5221 | February 10, 2026 | Consumer Data Privacy Act | Explicitly pre-empts home‑rule authority with respect to consumer data privacy regulation (i.e., only the State of Illinois - not cities, counties, or other home‑rule local governments - may regulate how personal data is processed) |
| New Mexico | SB 53 | January 21, 2026 | Community and Health Information Safety and Privacy Act | Requires highest-level privacy settings as the defaultRequires opt-in consent for sensitive data processingProhibits geofencing around healthcare and immigration services facilities |
| New Mexico | HB 214 | January 29, 2026 | Consumer Information and Data Protection Act | Combines comprehensive privacy law requirements with consumer health data law requirements into one billProvides protections for minors under the age of 18Restricts federal agency sharing of New Mexico residents’ sensitive data |
| New Jersey | S2602 | January 13, 2026 | New Jersey Disclosure and Accountability Transparency Act | Creates a new state agency |
| Vermont | H. 812 | January 29, 2026 | Vermont Duty of Data Loyalty Act | Is largely based on the American Data Privacy and Protection ActDefines “sensitive covered data” to include “information identifying individual’s online activities over time and across third-party websites or online services” |
| West Virginia | HB 5123 | February 3, 2026 | Consumer Data Protection Act | Bans geofencing healthcare facilitiesProvides a private right of actionDamages for violations involving minors under the age of 16 can be tripled |
