Concord Privacy News: 6/30/2026
Four new state data privacy laws in 2026: Vermont, Louisiana, Alabama, and Oklahoma; Connecticut AG warns big tech that hooking kids on addictive online apps is illegal.
Concord Team · Published Tue Jun 30 2026

Four New State Data Privacy Laws in 2026: Vermont, Louisiana, Alabama, and Oklahoma
Four states have enacted comprehensive data privacy laws so far in 2026. Louisiana and Vermont signed their bills into law in May and June, respectively, following Alabama in April and Oklahoma in March. With these additions, 24 states now have comprehensive data privacy statutes on the books, and the pace is not slowing down.
For privacy and compliance teams managing operations across state lines, each new law adds another layer to an already complex regulatory patchwork. The good news: these four laws share a common structural DNA with existing state frameworks. The challenge: each one introduces its own thresholds, timelines, and, in Vermont's case, provisions that push meaningfully beyond the current norm.
Here's what each law requires, where they converge, and where they diverge.
Vermont Goes Further Than Most States on Privacy Protections
The Vermont Data Privacy and Online Surveillance Act, signed by Governor Phil Scott on June 16, 2026, is the most expansive of this year's four new laws. It takes effect on January 1, 2028, giving businesses roughly 18 months to prepare.
Who it Applies To
The law covers businesses that conduct business in Vermont or target Vermont residents and meet at least one of the following:
- Control or process the personal data of 35,000 or more consumers
- Control or process the sensitive data of 3,000 or more consumers
- Offer for sale the personal data of 3,000 or more consumers
What Consumers Can Do
Vermont's consumer rights mirror the framework established by Connecticut and other states, with some additions:
- Access, correct, delete, and copy personal data
- Opt out of processing for targeted advertising, sale, or profiling
- Request explanations of why profiling decisions were made
- Question profiling results, a right that goes beyond what most state laws provide
- Opt out through technology signals like browser privacy settings
Controllers must respond within 45 days and establish an appeal process for denied requests.
What Businesses Must Do
Vermont's business obligations include several provisions that stand out from the current state privacy landscape:
- Data minimization. Limit data collection to what is "reasonably necessary and proportionate" to the disclosed purpose.
- Consent for new purposes. Obtain consent before processing personal data for any "material new purpose" beyond the original disclosure.
- Data protection assessments. Conduct and document assessments for high-risk processing activities.
- LLM training disclosure. Privacy policies must disclose whether personal data is used for training large language models, a requirement that reflects the growing intersection of privacy law and AI governance.
- Minor protections. Selling personal data or using it for targeted advertising is prohibited for minors aged 13 to 17 without consent.
- Consumer health data. The sale of consumer health data without consent is restricted.
Enforcement
The Vermont Attorney General has exclusive enforcement authority. Violations are treated under the Vermont Consumer Protection Act. A 60-day cure period is available through June 30, 2029, after which businesses must comply without a grace period. There is no private right of action.
What Stands Out
Vermont's law is modeled on Connecticut's framework, which is widely regarded as one of the stronger state privacy statutes. But three provisions push it further: the LLM training disclosure requirement, the right to question profiling results, and the consumer health data restrictions. For organizations already navigating the AI governance conversation (particularly those subject to the EU AI Act), Vermont's LLM provision adds a domestic compliance dimension that did not previously exist at the state level.
Louisiana Adds a 23rd State to the Privacy Map
The Louisiana Data Privacy Act (SB 386) was signed by Governor Jeff Landry on May 29, 2026. It takes effect on January 1, 2027, the shortest runway of this year's four laws.
Who it Applies To
Louisiana uses a three-pronged applicability test. The law covers entities that conduct business in the state and meet at least one of the following:
- Annual gross revenue exceeding $25 million
- Annually buy, receive, sell, or share the personal information of 75,000 or more consumers, households, or devices
- Derive 50% or more of annual revenue from selling consumers' personal information
Consumer Rights and Business Obligations
The law provides standard consumer rights: access, correct, delete, and opt out of targeted advertising, data sales, and certain profiling. Controllers are subject to data protection assessment requirements for higher-risk processing activities.
Enforcement
The Louisiana Attorney General enforces the law. There is no private right of action. A 30-day cure period is available, but it sunsets on July 31, 2027, meaning businesses will have only seven months of cure availability after the law takes effect.
What Stands Out
Louisiana's short cure-period window is notable. Most states provide at least a year of cure availability; Louisiana's 30-day cure period expires just seven months after enforcement begins. Organizations subject to this law should plan for compliance from day one rather than relying on the cure period as a buffer.
Alabama Brings Familiar Provisions as the 22nd State
The Alabama Personal Data Protection Act (HB 351) was signed by Governor Kay Ivey on April 16, 2026, and takes effect on May 1, 2027. Alabama's law follows the pattern established by the majority of state privacy frameworks. Consumers have the right to access, correct, delete, and obtain copies of their personal data, and to opt out of targeted advertising and data sales. The Attorney General has exclusive enforcement authority, and a 45-day cure period applies. There is no private right of action. Alabama's law does not introduce provisions that meaningfully depart from the existing state privacy consensus. For organizations already compliant with laws like Virginia's VCDPA or Colorado's CPA, Alabama's requirements are unlikely to demand significant new operational changes.
Oklahoma Takes a Business-Friendly Approach
The Oklahoma Consumer Data Privacy Act (OKCDPA) was signed into law in March 2026 and takes effect on January 1, 2027. Oklahoma's law provides the core consumer rights (access, correct, delete, opt out of targeted advertising and sales) but is notably more business-friendly in its construction. The definition of "sale" is narrow, and the law includes broad exemptions that limit its reach compared to stricter frameworks like California's or Colorado's. There is no universal opt-out requirement, meaning businesses are not obligated to honor opt-out preference signals like the Global Privacy Control. Enforcement rests with the Attorney General. There is no private right of action.
What These Four Laws Have in Common
Despite their individual differences, all four laws share structural features that reflect the emerging consensus in state privacy legislation:
- Consumer rights core. Access, correct, delete, and opt out of targeted advertising and data sales appear in every law.
- Attorney General enforcement only. None of the four laws create a private right of action for consumers.
- Cure periods with sunset provisions. All four provide businesses with a window to correct violations before penalties apply, though the duration and sunset dates vary.
- Data protection assessments. Vermont, Louisiana, and Oklahoma require assessments for higher-risk processing activities.
- No comprehensive federal preemption. These laws exist because no federal data privacy statute preempts them, and the state-by-state approach shows no signs of yielding to a national framework.
Where They Diverge
The differences matter for compliance planning:
| Vermont | Louisiana | Alabama | Oklahoma | |
|---|---|---|---|---|
| Signed | June 16, 2026 | May 29, 2026 | April 16, 2026 | March 20, 2026 |
| Effective | Jan 1, 2028 | Jan 1, 2027 | May 1, 2027 | Jan 1, 2027 |
| Cure period | 60 days (until June 30, 2029) | 30 days (until July 31, 2027) | 45 days | Standard |
| LLM training disclosure | Yes | No | No | No |
| Consumer health data | Restricted | No | No | No |
| Universal opt-out signals | Yes | No | No | No |
| Minor protections (13–17) | Yes | No | No | No |
What This Means for Businesses
The practical takeaway is straightforward: multi-state compliance is now the default operating condition for any company with a digital footprint. Twenty-four states have enacted comprehensive privacy laws, and the trajectory points toward more.
Organizations already compliant with CCPA/CPRA or Connecticut's law are best positioned. Vermont's framework is modeled on Connecticut's, and the core consumer rights and business obligations across all four new laws are familiar territory for teams that have already built multi-jurisdiction compliance programs.
Organizations early in their privacy programs should focus on the January 1, 2027 effective dates for Louisiana and Oklahoma. That is the nearest deadline, and Louisiana's short cure window makes it the least forgiving of the four.
Three steps worth prioritizing:
- Map your exposure. Determine which of these four laws apply based on your consumer counts, revenue thresholds, and where you operate or target residents.
- Audit your consent and data practices. Ensure your consent mechanisms, privacy policies, and data processing activities meet the requirements of each applicable law, particularly Vermont's LLM training disclosure if you use personal data in AI development.
- Build for the patchwork, not for one law. A jurisdiction-by-jurisdiction approach does not scale. Privacy programs designed around a unified framework, one that can adapt consent experiences, policies, and data subject request handling by jurisdiction, are the ones that hold up as new states continue to legislate.
For a deeper look at the full landscape of state privacy laws, see our comprehensive guide: US State Data Privacy Laws: What Businesses Need to Know.
Key Takeaways
- Vermont's Data Privacy and Online Surveillance Act is the most expansive of the four 2026 laws, with LLM training disclosure, consumer health data restrictions, and the right to question profiling, effective January 1, 2028.
- Louisiana and Oklahoma both take effect on January 1, 2027. Louisiana's 30-day cure period sunsets just seven months later, making early compliance planning essential.
- Alabama's law follows the established state privacy consensus and takes effect May 1, 2027.
- 24 states now have comprehensive data privacy laws. The state-by-state patchwork is the regulatory reality, and building a scalable, multi-jurisdiction compliance program is no longer optional for companies with a digital presence.
Enacted and Pending Comprehensive Privacy Laws
| Enacted Comprehensive Privacy Laws | Pending Comprehensive Privacy Laws |
|---|---|
| California Consumer Privacy Act (Effective January 1, 2020) | Oklahoma Consumer Data Privacy Act (Effective January 1, 2027), signed into law March 20, 2026 |
| Virginia Consumer Data Protection Act (Effective January 1, 2023) | Louisiana Data Privacy Act (Effective January 1, 2027), signed into law May 29, 2026 |
| Colorado Privacy Act (Effective July 1, 2023) | Alabama Personal Data Protection Act (Effective May 1, 2027), signed into law April 16, 2026 |
| Connecticut Data Privacy Act (Effective July 1, 2023) | Vermont Data Privacy and Online Surveillance Act (Effective January 1, 2028), signed into law June 16, 2026 |
| Utah Consumer Privacy Act (Effective December 31, 2023) | |
| Florida Digital Bill of Rights (Effective July 1, 2024) | |
| Oregon Consumer Privacy Act (Effective July 1, 2024) | |
| Texas Data Privacy and Security Act (Effective July 1, 2024) | |
| Montana Consumer Data Privacy Act (Effective October 1, 2024) | |
| Delaware Personal Data Privacy Act (Effective January 1, 2025) | |
| Iowa Consumer Data Protection Act (Effective January 1, 2025) | |
| Nebraska Data Privacy Act (Effective January 1, 2025) | |
| New Hampshire Consumer Data Privacy Act (Effective January 1, 2025) | |
| New Jersey Data Privacy Act (Effective January 15, 2025) | |
| Tennessee Information Protection Act (Effective July 1, 2025) | |
| Minnesota Consumer Data Privacy Act (Effective July 31, 2025) | |
| Maryland Online Data Privacy Act (Effective October 1, 2025) | |
| Indiana Consumer Data Protection Act (Effective January 1, 2026) | |
| Kentucky Consumer Data Protection Act (Effective January 1, 2026) | |
| Rhode Island Data Transparency and Privacy Protection Act (Effective January 1, 2026) |
Other Privacy News of Note
AG Tong Warns Big Tech that Hooking Kids on Addictive Online Apps is Illegal in Connecticut
Connecticut Attorney General William Tong isn’t messing around when it comes to protecting local children and teenagers from online addiction. Tong issued a warning to “big tech,” informing the companies behind powerful online apps that “hooking kids” on their platforms is “illegal in Connecticut.” On July 1, under the Connecticut Data Privacy Act, several new protections went into place, including significant safeguards designed to protect young people online. Read more.