Louisiana Gov. Jeff Landry recently signed into law Senate Bill 386, making Louisiana the 22nd state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, Oklahoma and Alabama. The Louisiana Data Privacy Act will go into effect Jan. 1, 2027.
Colorado Gov. Jared Polis on May 14 signed into law Senate Bill 26-189, which repeals and replaces Colorado’s controversial AI law that was enacted in 2024 and would have gone into effect June 30. The new law will go into effect Jan. 1, 2027.
Alabama Gov. Kay Ivey signed into law House Bill 351 on April 16, making Alabama the 21st state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, Rhode Island, and Oklahoma. The Act will go into effect May 1, 2027.
Oklahoma Gov. Kevin Stitt signed into law Senate Bill 546 on March 20, making Oklahoma the 20th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island. The Act will go into effect Jan. 1, 2027.
Oklahoma Senate Bill 626, which amends Oklahoma’s Security Breach Notification Act, recently became law without the Governor’s signature. The legislation will go into effect Jan. 1, 2026. The amendments include...
North Dakota Gov. Kelly Armstrong recently signed into law House Bill 1127 which is nearly identical to the Gramm-Leach-Bliley Act Safeguards Rule, including the more recent amendments regarding data breach notifications. The law will go into effect Aug. 1, 2025.
New York’s standalone consumer protection statute, General Business Law § 349, may get a makeover. And if this proposal from New York’s Attorney General becomes law, it will be quite easy and economically beneficial for consumers and consumer advocacy groups to initiate litigation over any aspect of consumer-facing business activity.
Virginia Gov. Glenn Youngkin on March 24 vetoed House Bill 2094, the “High-Risk Artificial Intelligence Developer and Deployer Act.” The veto can only be overridden by a two-thirds vote of the House, which seems unlikely given the close vote in the House on the Senate substitute (52-Y; 46-N).
Utah Gov. Spencer Cox on March 27 signed into law Senate Bill 226 relating to the use of generative artificial intelligence in consumer transactions and regulated services. The law goes into effect on May 7, 2025.
Kentucky Gov. Andy Beshear on March 15 signed into law House Bill 473, which amends the Kentucky Consumer Data Protection Act. The amendments will go into effect Jan. 1, 2026.
The upward trend in data privacy legislation continued in 2024. Narrowing the focus to “comprehensive” legislation, i.e., that which conveys certain rights to consumers and restricts the collection and use of their personal information, over 70 bills were filed.
New York Gov. Kathy Hochul recently signed into law A8872-A and S2659-B which amend New York’s data breach notification law.