For data privacy laws outside the United States, see our World Data Privacy Laws guide covering GDPR, national data protection laws, and regulatory frameworks in 70+ countries. A privacy impact assessment (PIA) is a critical tool to determine where data is processed, stored, and who has access to it. As part of this exercise, organizations should map data flows and identify service providers that may be subject to foreign legal regimes. The Office of the Privacy Commissioner of New Zealand also released specific guidance on the intersection of AI and the 13 information privacy principles enshrined in its Privacy Act 2020. Building upon its earlier statement of expectations around the use of generative AI, the OPC’s full set of guidance is based on the principle that “privacy is a good starting point” when an organization is considering uptake of any new AI tool. Before turning to AI, organizations should do a preliminary assessment of necessity and proportionality and consideration of alternatives.
So, healthcare organizations should monitor state legislative developments closely and build processes capable of accommodating stricter standards before they become legally required, Levine said. Data privacy risk is increasing in 2026, even as the pace of new legislation slows. While no new comprehensive state privacy laws were enacted in 2025, state regulators are shifting their focus to refining and enforcing the laws already on the books. Two data privacy bills set to be introduced Wednesday and shared first with CNBC would preempt nearly two dozen state laws to create a national standard limiting how tech and finance companies handle user data. Because the Act is still in discussion draft, the next steps are not yet set. Because of the implication for both companies and consumers, Americans should carefully follow the discussions, and companies should begin preparing to follow the regulations if passed, which would go into effect 180 days after approval.
Health Insurance Portability and Accountability Act (HIPAA)
Your team gets flexibility and convenience, and you can reduce the cost and admin of issuing and maintaining company-owned… The right set depends on what you collect, how you use it, and what systems you rely on. This is also a good time to check your contracts and ensure you have clear terms about confidentiality, security, and responsibility if there’s a breach. This inventory becomes the foundation for your Privacy Policy, collection notices, retention plan, and breach response plan.
The Minnesota Consumer Data Privacy Act extends the right to opt-out of profiling by affording consumers the right to access and question the results of a controller’s profiling. Also, Minnesota’s law only exempts non-profit organizations established to detect and prevent fraudulent acts in connection with insurance. Other non-profits may fall within the scope of the law, but further guidance is necessary. Senate Bill S8391 strengthens New York’s right of publicity protections for deceased performers in the AI era. Critically, the law now requires prior consent from a deceased performer’s heirs before using their digital replica in audiovisual works, sound recordings, or live musical performances—replacing the previous framework that merely required disclaimers. Platforms displaying such works must remove unauthorized content upon receiving good-faith notice from rights holders.
- U.S. data privacy laws tend to draw on existing privacy regulations when they’re drafted.
- The EU AI Act went into effect in 2024 and was updated during its phased implementation process to more precisely regulate various kinds of AI-based systems, as well as provide greater clarity regarding AI practices, high-risk AI systems, and other AI systems and models.
- The Trump administration’s deregulatory posture has not resolved that problem so much as made it easier to ignore, she added.
- Iowa, Tennessee, and Utah’s data privacy laws are considered the most business-friendly.
- The bill would require data brokers to register in a database and includes a provision that would permit consumers to obtain a copy of their personal data in a format that is both portable and usable.
That said, a number of the states’ regulations don’t specify how consent or opting out must be handled, what form that needs to take, etc. A high performance Consent Management Platform, like Usercentrics CMP, can help companies flexibly and scalably provide the required notifications and consent options for states where they need to comply with privacy regulations. Each state manages enforcement of the data privacy law, including investigations and penalties. The creation of the California Privacy Protection Agency (CPPA), now publicly known as CalPrivacy, was included in the CPRA. To date it is the only state with a separate agency to enforce privacy law, though it does work in conjunction with the California Attorney General’s office. All the other states have these functions solely under the Attorney General’s office.
On December 11, 2025, President Trump signed an executive order establishing federal policy to preempt state AI regulations deemed to obstruct national competitiveness. The order directs the Attorney General to establish an AI Litigation Task Force to challenge state laws on grounds including unconstitutional regulation of interstate commerce. The Secretary of Commerce must evaluate existing state AI laws within 90 days, identifying those requiring AI models to alter truthful outputs or compelling disclosures that potentially violate the First Amendment. The order conditions certain federal funding on states not enacting conflicting AI laws and directs the FTC to issue guidance on when state laws mandating alterations to AI outputs are preempted by federal prohibitions on deceptive practices.
These bills largely mimic existing comprehensive privacy laws passed since 2018. However, states can still pass their own privacy laws in some instances, such as civil rights and consumer protections. When crafting the APRA, lawmakers preserved standards from key states, such as California, Illinois and Washington. A sweeping new federal legislative proposal could reshape how American companies collect, use, and profit from consumer data.
These 20 states have enacted omnibus consumer data privacy laws granting residents specific rights over their personal data, including statute citations, consumer rights, penalties, and compliance requirements. As evidenced by the EU AI Act, many regulators are taking a risk-based approach to AI regulation. Given their public-facing nature, generative AI tools have also been a top concern.
Different industries and data types are governed by specific statutes rather than a single data privacy law. This creates strong protections in some areas but gaps in others, which states address. When working with federal privacy laws, it is important to understand key definitions, as these clarify the scope and obligations under each statute. Some are already doing that, reviewing security and continuity plans and taking another look at their facilities’ threat posture, in part based on where they’re located, for example, industry professionals said in interviews. For others, this could serve as a reminder to be familiar with the people and firms keeping data centers, and their own operations, online—especially as AI supply chains get more intertwined.
New Privacy, Data Protection and AI Laws in 2026
- Passed in 2024 and going into effect in 2026, it will require AI systems developers “to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination in the high-risk system.”
- The CCPA permits a private right of action in some circumstances for data breaches of certain types of personal information.
- These enacted laws span a wide range of policy areas, reflecting experimentation in regulatory scope among lawmakers.
- Companies and websites that may collect data from children under 13 must post an online privacy policy that details their data practices and must obtain parental or guardian consent before collecting personal information from children.
- But the Trump administration has not enforced regulations governing consumer health data as aggressively, creating confusion for covered entities.
Guthrie said in a statement to CNBC that the SECURE Act would “put an end to the confusing state-by-state patchwork of laws that fail consumers and small businesses alike.” He added the measure would be similar to certain bills already passed by states like Kentucky. The bills — the SECURE Data Act, which focuses on technology companies, and the GUARD Financial Data Act, which focuses on financial services businesses — are designed to work together to form a single national standard. House Energy and Commerce Chair Brett Guthrie, R-Ky., and House Financial Services Chair French Hill, R-Ark., are throwing their support behind the bills, likely giving them momentum for first votes to take place next month.
The APRA gives Americans the ability to stop companies and data brokers from transferring or selling their data. Additionally, the Act requires consent from the consumer for companies to transfer sensitive data to a third party. Organizations will be required to have a privacy policy that details data collection processes and how consumers can opt-out. The Act also restricts the collection and transfer of specific types of data, such as biometric or genetic information, without the individual’s affirmative express consent unless expressly allowed by a stated permitted purpose.
Plenty of mid-sized businesses that have stayed below state thresholds would suddenly be in scope. If the SECURE Data Act’s “relates to” language holds, companies can consolidate the patchwork of policies, contracts, and workflows they have built across more than 20 states into one framework. The question is no longer whether a federal privacy law will emerge, but when and in what form.
