In 2026, new comprehensive data privacy laws will take effect in Indiana, Kentucky, and Rhode Island, while California, Colorado, Connecticut, Oregon, and Utah will implement modifications to their existing data privacy laws and regulations.
These developments reflect a nationwide trend toward consumer protection, organizational transparency, and consumer rights and control over personal information. States across nearly every region of the country have enacted data privacy laws, further emphasizing the importance of compliance programs that address multi‑jurisdictional obligations.
Recent implementation of new data privacy laws and changes to existing state data privacy laws highlight a growing emphasis on organizational accountability and consumer protection. Examples of this include the following:
Increased Importance on Assessments
Under Indiana’s, Kentucky’s, and Rhode Island’s new laws, the state Attorney General may request that a controller (the organization that collects the data and determines why it is used) disclose the required data protection assessment pursuant to an investigative demand. In California, new requirements stemming from the recently revised California Consumer Privacy Act (CCPA) regulations will mandate enhanced cybersecurity measures, formal risk assessments, and greater transparency around the use of Automated Decision‑Making Technology (ADMT).
Additional Emphasis on Sensitive Data
Colorado and Oregon have strengthened their comprehensive data privacy laws by bolstering provisions that safeguard the processing of sensitive personal information such as biometric data, geolocation data, and the personal information of minors.
Expanding the Scope of the Laws
Connecticut has broadened the scope of its data privacy law by removing the entity-level exemption previously granted to financial institutions covered under the Gramm‑Leach‑Bliley Act, thereby extending privacy obligations to a wider range of organizations. Utah added a right to correction along with requirements related to social media data portability and interoperability that are scheduled to go into effect in July 2026.
Universal Opt-Out Mechanisms
Beginning in January 2026, Connecticut and Oregon will join California, Colorado, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, and Texas in requiring the recognition of a Universal Opt-Out mechanism on websites. This is a relatively new technology that enables consumers to automatically communicate their privacy preferences across multiple websites and services (e.g., to opt out of the selling of their personal data), without having to opt out manually on each individual platform.
Common Elements Across State Privacy Laws
While each law has its own nuances and unique requirements, some common elements within state comprehensive data privacy laws include the following:
- Providing clear privacy notices explaining how personal information is collected, used, and shared;
- Creating mechanisms for consumers to exercise their privacy rights, with organizations required to respond to consumer requests within statutory timelines and maintain adequate documentation;
- Limiting the collection and retention of personal data through data and storage minimization, requiring organizations to collect only necessary data and retain it for proportionate and necessary periods; and
- Conducting privacy risk assessments for processing activities involving certain types of personal data or for certain high-risk purposes.
Areas Where Organizations Often Struggle
- Scoping Applicable Laws and Rules: Organizations operating across multiple jurisdictions—and sometimes multiple industries—often face a patchwork of privacy laws and regulations that apply unevenly across their operations, creating confusion and inconsistent requirements.
- Effectuating Privacy Notices: Many organizations struggle to ensure that the growing number of detailed (and required) privacy-related disclosures are provided to consumers.
- Handling Consumer Requests: Organizations often lack defined workflows to receive, respond to, and document consumer requests. This usually results in a scramble when organizations begin receiving these requests. Without preparation, meeting the statutorily imposed response windows may prove difficult. To address this challenge, organizations should consider establishing a workflow and documented process to ensure timely and documented responses.
- Conducting Assessments: Despite being required under the majority of state comprehensive privacy laws, privacy-related assessments are frequently overlooked. It is important to conduct regular privacy risk assessments that are aligned with state and federal requirements, if applicable. This includes content requirements, recordkeeping obligations, and in some cases, availability to the state Attorney General if demanded for an investigation.
Considerations for 2026 Privacy Compliance Programs
- Review new and existing privacy laws to confirm applicability and organizational responsibilities;
- Update public‑facing privacy notices and other internal policies for consistency and compliance with relevant privacy laws;
- Develop workflows to address required actions under applicable privacy laws, including handling consumer requests; and
- Conduct privacy assessments to identify risks, define mitigation steps, and protect personal information of customers and employees.
For assistance in developing or updating your privacy program, please contact:
- Michelle Six (MSix@gunster.com)
- Lisa Lukaszewski (LLukaszewski@gunster.com)
- Tom Corey (TCorey@gunster.com)
- Will Davis (WDavis@gunster.com)
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.