Legal Updates

2026 Legislative Update: New Data Privacy & AI Laws

Date

June 18, 2026


So far in 2026, states have enacted a wave of new and amended laws targeting data privacy and artificial intelligence. This article gives an overview of key new and updated 2026 laws and offers takeaways for companies navigating this challenging environment.

New State Data Privacy Laws

Several states expanded the U.S. privacy patchwork in 2026, with new laws in Oklahoma, Alabama, Louisiana, and Vermont, alongside significant amendments to existing law in Connecticut. While the jurisdictional scope and compliance requirements of these new laws vary, more companies will be pulled into scope as lower applicability thresholds, broader sensitive-data definitions, and new data broker and profiling rules become more common. Here are some takeaways for businesses operating in multiple states:

  • 23 states now require detailed disclosures of personal information use and broad consumer data privacy rights. The four new data privacy laws build on existing state laws granting consumer rights such as access, correction, deletion, portability, and the right to opt out of targeted advertising, data sales, and profiling. As with previously enacted laws, the definition of what is considered a “sale” and what counts as “sensitive personal data” in these new regulations varies from state to state.
  • Connecticut remains a priority jurisdiction: Connecticut’s 2025 and 2026 amendments continue to push the Connecticut Data Privacy Act toward a more aggressive model, including broader profiling rights, algorithmic pricing disclosures, and restrictions on the sale or sharing of precise geolocation and other sensitive personal data uses. Effective July 1, 2026, Connecticut’s amended law will apply to entities processing personal data of 35,000 consumers, or entities processing any sensitive personal data or selling consumer personal data. It also narrows key exemptions, including by converting the Gramm-Leach-Bliley Act exemption from an entity-level exemption to a data-level exemption and tightening the exemption for publicly available information.
  • Lower thresholds expand the compliance universe: Newer laws in Alabama (effective January 1, 2027) and Vermont (effective January 1, 2028) continue the trend toward lower consumer thresholds of 35,000 or more individuals, meaning companies that previously assumed they were out of scope may now need to revisit applicability.
  • Louisiana is the second state with a revenue-based applicability threshold. The Louisiana Data Privacy Act (effective January 1, 2027) applies to entities that conduct business in Louisiana and meet at least one of three thresholds: (1) annual gross revenue exceeding $25 million, (2) annually buy, receive, sell, or share for commercial purposes the personal information of 75,000 or more consumers, households, or devices, or (3) derive 50% or more of annual revenue from selling consumers’ personal information.
  • Sensitive personal data rules become more specific: Legislatures are adding categories such as neural data, inferred data, financial credentials, and geolocation to sensitive personal data definitions and adding restrictions on use of this data. Lower thresholds are also bringing more entities handling sensitive personal data within scope.
  • More states require data broker registration: Connecticut joins California, Oregon, Texas, and Vermont in requiring data broker registration and easier data deletion mechanisms for consumers.
  • Privacy and AI regulation converge: Profiling rights, inference access, algorithmic pricing disclosures, and automated decision-making disclosures are increasingly becoming standard features of privacy laws. Companies should evaluate privacy and AI governance together rather than as separate workstreams.

Businesses should be aware that compliance is no longer just about keeping up with one or two large-state laws. It now requires a more scalable approach to regulatory threshold tracking, sensitive personal data handling, consumer rights operations, and vendor oversight across a growing number of jurisdictions.

New State AI Laws

State legislatures regulated multiple aspects of AI this session, including regulations on frontier models, companion chatbots, and AI transparency and disclosure requirements. However, one of the clearest 2026 trends is the movement toward regulating AI in employment and recruiting decisions. Rather than imposing one uniform AI governance model, states are increasingly targeting the use of automated tools in hiring, promotion, discipline, compensation, and other employment-related decisions through notice, transparency, and anti-discrimination rules.

  • Employment AI is a high-risk area: Illinois (HB 3773), Connecticut (SB 5), Colorado (SB 26-189), and New York (Local Law 144) all regulate AI in employment and recruiting decisions. The trend is toward treating AI-driven employment discrimination as a civil rights violation and requiring pre-use notices to employees and job candidates. For a complete overview of prohibited conduct and best practices with respect to the use of AI in employment and recruiting, please see LP’s recent webinar, “AI in the Workplace: Employment Law & Data Privacy Risks Employers Need to Know.”
  • Illinois is a national leader: With HB 3773 (AI employment discrimination) and SB 315 (frontier AI safety with a first-in-nation third-party audit requirement), Illinois has established a comprehensive, multi-layered AI regulatory framework. Effective January 1, 2026, Illinois’ law amending the Human Rights Act makes discriminatory use of AI in employment decisions a civil rights issue and has kicked off a growing trend of requiring disclosure of AI tools in the workforce.
  • Connecticut adds a broad transparency regime: Connecticut’s SB 5 goes into effect in stages from October 1, 2026, to October 1, 2027, and requires disclosures and employer accountability where AI materially influences employment decisions. SB 5 also requires reporting of mass layoffs when caused by AI and regulates frontier AI models.
  • Colorado’s revised AI law is instructive: SB 26-189 regulates automated decision-making technology (ADMT) and replaces the state’s landmark 2024 AI Act with a narrower framework. Rather than regulating “high-risk AI systems” as the AI Act did, Colorado’s new law focuses on ADMT used to materially influence consequential decisions in domains such as employment, education, real estate, financial or lending services, insurance, healthcare, and essential government services. Effective January 1, 2027, SB 26-189 eliminates the AI Act’s most rigorous requirements, such as impact assessments and a duty of care to avoid algorithmic discrimination. Instead, SB 26-189 requires pre-use notice of ADMT, adverse outcome disclosures to individuals, recordkeeping obligations, and meaningful human review processes.

Taken together, these laws show that employment is becoming one of the most active areas of AI regulation. Employers using recruiting tools, résumé screening, candidate ranking, assessment systems, productivity analytics, or performance-management tools should expect heightened scrutiny over whether automated outputs materially influence decisions and whether those systems can be explained, challenged, and reviewed by humans.

It is crucial to stay in close touch with outside technology and privacy counsel to ensure compliance in this fast-moving regulatory environment. For more detail on specific laws relevant to your business, reach out to Kathryn Nadro or another member of LP’s AI and Technology Team.


Filed under: Cybersecurity, Corporate
