The government shutdown may be over, but there won’t be much federal data privacy legislation being passed in 2026. Given the current dysfunction in Congress, the onus will continue to fall onto the states.
In fact, 8 states—Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee—have already enacted new data privacy laws in 2025. According to the IAPP Weston Research Center, there are now 19 states with comprehensive data privacy laws on the books. As a quick caveat, different trackers have different qualifications; some trackers list 20 states and include Florida.
As seen above, the 19 states are California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.
Although similar bills in Alabama, Georgia, Oklahoma, Maine, and Vermont failed to pass in 2025, other states—Massachusetts, Michigan, North Carolina, Pennsylvania, and Wisconsin—are currently considering data privacy legislation. Moreover, new laws from Indiana, Kentucky, and Rhode Island are expected to arrive in 2026.
Of the 19 states with comprehensive data privacy laws, 9 states (more specifically, 10 regulators across 9 states) have joined the Consortium of Privacy Regulators, a bipartisan initiative formed last April to protect consumers across different jurisdictions.
State-level data privacy bills generally include both protections for consumers and obligations for businesses. On the consumer side, these state laws allow consumers to control how their data is collected, stored, and shared with other parties. These rights—e.g., consumers’ right to delete, correct, and opt-out of data collection—are similar in nature to provisions in the GDPR and CCPA. On the business side, organizations are often obligated to adhere to various data minimization requirements.
Of course, not all states’ data privacy bills are created equal
Big Tech lobbyists have historically been extremely adept at watering down state-level bills. Speaking at the Capitol Forum’s 2025 Tech Conference, the Electronic Privacy Information Center’s Sara Geoghegan opines that Big Tech lobbyist involvement often results in watered-down bills.
Geoghegan describes the current landscape of state-level data legislation as a “mixed bag.” As Geoghegan explains, “Unfortunately, some states’ laws have kind of been written by Amazon and Big Tech; so it really depends a lot on the state. Some states have some really interesting proposals, and then Big Tech gets involved during the process and the final result is watered-down. But some [other] states have passed bans on the sale of geolocation information, special protections for things like abortion care. So, it’s kind of a mixed bag.”
With artificial intelligence progressing at a rapid pace, many state lawmakers are calling for more forms of data privacy regulation, particularly in regard to the data brokerage industry and surveillance pricing.
States are cracking down on the data brokerage industry
Recently, Texas and Oregon joined California and Vermont in requiring data brokers to register in their respective states and disclose their activities. (Data brokers are third-party entities that purchase our personal data, often unbeknownst to us.) All data brokers that process data not collected directly from the data subjects themselves now have to register with these four states. However, as of today, it is not exactly straightforward for data subjects to delete their information from these brokers’ databases.
On the Capitol Forum’s recent “Anticipated Trends for the Data Broker Industry and Enforcement” panel, cybersecurity and data privacy consultant Justin Sherman makes the case that we need a one-stop deletion request tool across the board.
Speaking specifically about states with data broker registries, Sherman says, “It’s not realistic to say to a consumer, here’s this registry in Vermont or Oregon—four states, Vermont, Oregon, Texas, and California, [each] has 500 or 600 entries—to go click on each one individually. No one is doing that, right? […] Having a one-stop shop is essential for actually effectuating those rights.”
He makes a good point. There should be a single button where one can have his or her information removed from all registered brokers in the state. California’s new Delete Act (SB 362) provides such a mechanism for Californians; this law, which is set to take effect in August 2026, is a welcome development—one that other states should follow.
Of course, there are other carve-outs and loopholes that need to be rectified as well. For example, Montana, which has been ahead of the data privacy legislation curve, recently became the first state to close the infamous data broker loophole for law enforcement. In May 2025, Montana signed their bill SB 282 into law.
Essentially, SB 282 prevents law enforcement from purchasing citizens’ data from data brokers when ordinarily they would need a warrant to access such information. This is another welcome step in the right direction.
Efforts are also being made to combat surveillance pricing at the state level
As I’ve written about in the past, surveillance pricing is the practice of surreptitiously collecting behavioral data on individuals and using that information to set prices. On the surface, it seems legitimate; much like dynamic pricing, surveillance pricing is a subset of algorithmic pricing that allows businesses to react quickly to market changes. However, by definition, surveillance pricing also includes surreptitious data collection.
Essentially, surveillance pricing is the use of one’s personal data—collected through geographic locations, credit scores, or browsing patterns—to set different prices for different users for the exact same products or services. As an example, think of a mechanic that charges different prices for the same car service depending on the customers’ location or browsing history.
In another panel at the Capitol Forum Tech Conference, “Personalization or Discrimination: Outlook for Surveillance Pricing Law,” a group of pundits addressed recent state-level developments on surveillance pricing.
Brad Weber, an attorney at Troutman Pepper Locke, points out that “over twenty states now have data privacy laws that somehow implicate surveillance pricing.” Another panel member, Javier Mabrey, a member of the Colorado House of Representatives, suspects that this number will increase.
Mabrey says, “I have very little faith in the institution of the United States Congress to step in and provide any meaningful protections for consumers any time soon […] Of course, we no longer have consumer friendly cops on the beat at the FTC and the CFPB. And, so if we’re going to do anything to protect the people in Colorado, we need to do it at the state level.” Maybrey recently brought a bill to ban surveillance pricing in Colorado; however, it didn’t pass. A similar bill proposed in California also did not pass.
Even without new state laws on the books, Mabrey makes the case that, given the size and scope of many of these companies, surveillance pricing might already be in violation of existing federal antitrust law.
Transparency alone is not an adequate policy solution
Some states have opted for transparency, rather than outright bans on surveillance pricing. As an example, New York’s recent Algorithmic Pricing Disclosure Act requires companies to disclose when they use consumers’ personal data to set a price.
Hannah Garden-Monheit, senior fellow at the American Economic Liberties Project, takes umbrage with this pivot to transparency. Garden-Monheit opines, “Transparency cannot be an end, in itself […] When you see something that is taking advantage of people, and your policy solution is ‘Let me tell you more information about how you’re being taken advantage of,’ but then you don’t actually stop it, that fundamentally undermines citizens’ trust that their institutions are capable of standing up for them.”
From a policy perspective, transparency is not as good as an outright ban on the practice; however, it certainly is yet another step in the right direction.
Breaking down the larger issue at hand, Garden-Monheit hits the nail on the head with her call for an assessment of the current mass collection of our personal data. She says, “I think we need to be thinking too about the mass collection of data in our society. One of my biggest regrets from my time in the last administration is that we didn’t succeed in passing comprehensive data minimization laws in this country; surveillance pricing is the latest pernicious symptom of an economy in which companies are amassing huge amounts of data to understand our innermost thoughts, wishes, and desires—and manipulate us with it.”
To be sure, getting companies to stop surreptitiously amassing large quantities of our personal data will not happen overnight. However, if and when these companies are reined in, one thing is certain: it will be the states leading the charge.
