Concord Privacy News: 4/25/2026
Alabama and Oklahoma enact comprehensive privacy laws; Maine data privacy bill fails in final vote; NASCIO report highlights progress and gaps in state privacy programs.
Concord Team · Published Sat Apr 25 2026
Alabama and Oklahoma Pass New Data Privacy Laws: What Businesses Need to Know
The U.S. state privacy landscape continues to expand in 2026, with Alabama and Oklahoma both enacting comprehensive data privacy laws. In the absence of a federal framework, states continue to build a complex, evolving patchwork of consumer privacy requirements — and businesses are feeling the impact.
Alabama: A Familiar Framework with Business-Friendly Elements
Alabama has passed the Alabama Personal Data Protection Act, becoming the 21st state to adopt a comprehensive data privacy law. The law follows a structure similar to other state frameworks and applies to businesses that meet certain data processing or revenue thresholds.
Key Highlights
- Consumer rights to access, correct, delete, and obtain copies of personal information
- Opt-out rights for targeted advertising and data sales
- Requirements for clear privacy policies and disclosures
- Obligations to implement reasonable data protection measures
What Stands Out
Alabama’s law includes Attorney General enforcement, a 45-day cure period, and no private right of action — features that may reduce litigation risk but still require operational readiness.
Oklahoma: Another New Addition
Oklahoma’s Consumer Data Privacy Act (OKCDPA), signed into law in March 2026, will take effect on January 1, 2027.
Key Highlights
- Consumer rights to access, correct, delete, and obtain personal information
- Opt-out rights for targeted advertising and data sales
- Requirements for transparency through privacy policies
- Mandatory data protection assessments for higher-risk processing
What Stands Out
Oklahoma takes a more business-friendly approach, with a narrow definition of “sale”, broad exemptions, no universal opt-out requirement, and enforcement limited to the Attorney General.
What This Means for Businesses
With two more states joining the privacy landscape, the U.S. regulatory environment continues to fragment. While these laws share common foundations, differences in scope, definitions, and enforcement create ongoing complexity. For organizations, the priority should be building scalable data privacy programs that can adapt as new laws emerge.
While Alabama and Oklahoma expand the number of states with comprehensive data privacy laws, some experts characterize these frameworks as more “middle-of-the-road” than stricter regimes like California's or Colorado's. Critics have also argued that the laws may not go far enough to meaningfully strengthen consumer privacy protections. In practice, this means many consumers may see limited immediate impact — but for businesses, the operational and compliance implications remain significant.
What Businesses Should Do Now
- Map personal information flows across systems and vendors
- Update privacy policies to reflect current data practices
- Operationalize consumer rights like access and deletion
- Conduct data protection assessments for higher-risk processing
- Prepare for continued expansion of state privacy laws
Looking Ahead
Alabama and Oklahoma reinforce a clear trend: state-level privacy regulation is accelerating. Businesses that invest in strong data protection and flexible privacy operations will be best positioned to keep pace.
Other Privacy News of Note
Maine Data Privacy Bill Fails in Final Legislative Vote
A proposal to regulate how companies collect and use certain personal data has failed on a final vote in the Maine Legislature, ending a closely watched effort to expand consumer privacy protections. The bill, LD 1822, focused on personal data that is not publicly available and was rejected during the final enactment stage after facing growing opposition. Read more.
More States Are Taking Privacy Seriously, But Their Work Isn’t Done
More states than ever are starting to take privacy seriously — but, there’s still ample work to do in creating fully operational, enterprise-wide privacy programs, especially as artificial intelligence raises the stakes. This finding was the key focus of a report published April 8 by the National Association of State Chief Information Officers. The report was based on a survey of state chief privacy officers, which also found that the CPO role is expanding in scope and influence. Read more.