Spring 2026 has been a busy season for state privacy legislation. Oklahoma and Alabama each enacted comprehensive privacy laws — bringing the national total to twenty-one — while Virginia moved to prohibit the sale of precise geolocation data, Kentucky expanded its definition of sensitive data to cover automated content recognition technology, and California’s privacy enforcement agency signaled support for a bill that would ban the sale or sharing of sensitive personal information under the California Consumer Privacy Act (“CCPA”). From new consumer rights taking root in the South to geolocation restrictions blooming on the East Coast and a potentially sweeping amendment budding out West, businesses that process personal data have no shortage of new developments to track. Below, we summarize each of these developments and highlight key compliance considerations.
Oklahoma
In March, Oklahoma’s governor Kevin Stitt signed the Oklahoma Consumer Data Privacy Act (“OCDPA”) into law, making it the 20th comprehensive state privacy law in the United States. The OCDPA will go into effect January 1, 2027. Although the OCDPA tracks closely with other state privacy laws and the Virginia model, it contains several state-specific features around scope, exemptions, data protection assessments, and enforcement.
Applicability
Like other state comprehensive privacy laws, the OCDPA applies to a controller or processor who conducts business in the state or produces a product or service targeted to the residents of the state and that, during a calendar year, either:
- controls or processes personal data of at least 100,000 consumers, or
- controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
“Consumers” are defined as Oklahoma state residents acting only in an individual or household context; the definition excludes an individual acting in a commercial or employment context.
Exemptions
The OCDPA does not apply to:
- Oklahoma state agencies or political subdivisions, or a service provider processing data on behalf of such;
- Financial institutions or data subject to the Gramm–Leach–Bliley Act (“GLBA”);
- Covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services, established under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act;
- Nonprofit organizations;
- Institutions of higher education;
- Personal data processed purely for personal or household purposes; or
- Personal data collected and used for purposes of the federal policy under the Controlled Substances Act.
The law includes additional information-level exemptions for protected health information, health records, and other information covered under HIPAA, the Fair Credit Reporting Act (“FCRA”), the Driver’s Privacy Protection Act (“DPPA”), the Family Educational Rights and Privacy Act (“FERPA”), and the Farm Credit Act.
Consumer Rights
The OCDPA provides consumers with largely the same rights as other comprehensive privacy laws, including the rights to: access; correct; delete; data portability; opt out of targeted advertising, sale, or profiling; and appeal.
Controller Obligations
As with other state comprehensive privacy laws, the OCDPA includes requirements related to data minimization, data security practices, processing only for disclosed business purposes, anti-discrimination, and consent for processing sensitive data, including that of known minors.
Data Protection Assessments
States have increasingly focused on risk assessment requirements for certain processing activities, and Oklahoma is no exception. In fact, the OCDPA includes risk assessment requirements for broadly sweeping categories of processing activities that are more expansive than many of its predecessor laws, including:
- Processing for purposes of targeted advertising;
- The sale of personal data;
- Profiling, if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
- Processing sensitive data; and
- Any processing activities involving personal data that present a heightened risk of harm to consumers.
Differences from Other State Privacy Laws
Like the Virginia Consumer Data Protection Act, the OCDPA limits its definition of “sale” to the exchange of personal data for monetary consideration, foregoing the broader definition that includes “other valuable consideration” used in states like California, Connecticut, and Delaware. Additionally, the OCDPA does not include a universal opt-out mechanism and does not provide the consumer with the ability to authorize another person, acting on their behalf, to exercise an opt-out.
Enforcement
The OCDPA provides exclusive enforcement authority to the Oklahoma Attorney General and expressly does not establish a private right of action. Before initiating an enforcement action, the Attorney General must provide the controller or processor with 30 days’ written notice and allow the entity to cure the violation. Violations may result in civil penalties of up to $7,500 per violation as well as injunctive relief and recovery of reasonable attorney’s fees.
Alabama
On April 17, 2026, Alabama Governor Kay Ivey signed into law House Bill 351, the Alabama Personal Data Protection Act (“ALPDPA”). The ALPDPA is the most recent addition to a group of now twenty-one (21) comprehensive state privacy laws, which regulate the commercial processing of data and give an added set of digital rights to consumers, above and beyond those provided by the pre-existing patchwork of federal legislation. The ALPDPA takes effect May 1, 2027. This article summarizes the framework created by the ALPDPA and highlights points of concern that commercial data processors should prepare for in the wake of the ALPDPA’s effective date.
Applicability
Persons covered under the ALPDPA include those persons that conduct business in or target residents of Alabama and either: (1) control or process the personal data of more than twenty-five thousand (25,000) consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction; or (2) derive more than twenty-five percent (25%) of their gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes.
Key Definitions
“Consumer” means an individual who is a resident of Alabama. The term excludes individuals acting in a commercial or employment context, or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role.
“Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable individual. The term does not include deidentified data or publicly available information.
“Sale of Personal Data” means the exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data. The term excludes, among other things, disclosures to processors, disclosures to provide a product or service requested by the consumer, transfers to affiliates, consumer-directed disclosures, disclosures as part of a merger or acquisition, and disclosures or transfers to a third party for the purposes of providing analytics or marketing services solely to the controller.
“Sensitive Data” means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.
“Precise Geolocation Data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates, which directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. The term does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
“Profiling” means any form of solely-automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Because the definition is limited to “solely-automated” processing, human oversight and input into the outcome of the processing should remove it from the definition of profiling, consistent with other states that use the Virginia model.
Exemptions
The ALPDPA provides entity-level exemptions for: political subdivisions and public corporations of Alabama; two-year or four-year institutions of higher education and their affiliates; national securities associations registered under 15 U.S.C. § 78o-3; financial institutions and their affiliates governed by 15 U.S.C. Chapter 94 or the GLBA; covered entities or business associates as defined under HIPAA; businesses with fewer than 500 employees that do not engage in the sale of personal data; nonprofit entities with fewer than 100 employees that do not engage in the sale of personal data; and certain persons or entities regulated under specific chapters of Title 8 of the Code of Alabama.
The ALPDPA also exempts data already regulated by HIPAA, FCRA, FERPA, DPPA, the Farm Credit Act, the Airline Deregulation Act, and various other federal data protection statutes. Employment data, emergency contact information, and benefits administration data are also exempted.
Consumer Rights
When the ALPDPA takes effect, consumers will have the right to: confirm what personal data a controller is processing; access that personal data; correct inaccurate personal data; delete personal data; and obtain a copy of their personal data in a portable and readily usable format (data portability).
Opt-outs
Consumers also have the right to opt out of processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated significant decisions concerning the consumer. Notably, Alabama requires controllers to respond to opt-out preference signals by January 1, 2028.
Controller Obligations
Under the ALPDPA, controllers must: limit the collection of personal data to what is adequate, relevant, and reasonably necessary; establish reasonable data security practices appropriate to the volume and nature of the personal data at issue; provide an effective mechanism for consumers to revoke their consent that is at least as easy as the mechanism by which they provided consent; not process sensitive data without the consumer’s consent (or, in the case of a known child, in accordance with the Children’s Online Privacy Protection Act of 1998); not process personal data in violation of state or federal anti-discrimination laws; not process the personal data of a consumer for targeted advertising or sell a consumer’s personal data without consent where the controller has actual knowledge that the consumer is at least 13 but younger than 16 years of age; and not discriminate against consumers who opt out of data processing.
Carve-outs to the anti-price discrimination provision exist for bona fide loyalty, rewards, premium features, discount, or club card programs in which a consumer voluntarily participates. Additionally, if a consumer opts out of data processing, the controller is not required to provide a service that requires data processing.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose the processing and the way a consumer may exercise the right to opt out.
Privacy Notice
Under the ALPDPA, a controller’s privacy notice must include: the categories of personal data processed by the controller; the purpose for processing personal data; the categories of personal data that the controller shares with third parties; the categories of third parties with which the controller shares personal data; an active email address or other mechanism that the consumer may use to contact the controller; and a description of how consumers may exercise their consumer rights, including a link or contact information for the opt-out method required by the ALPDPA.
The controller’s privacy notice must provide one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. Controllers may not require consumers to create a new account to exercise their rights, but may require consumers to use an existing account. Contract clauses attempting to limit or waive a consumer’s rights under the ALPDPA are void and unenforceable.
Data Protection Assessments
Unlike other comprehensive state privacy laws, the ALPDPA does not require controllers to conduct a data protection assessment.
Enforcement and Penalties
The Office of the Alabama Attorney General has the sole authority to enforce the ALPDPA and consumers cannot sue directly. Before pursuing claims under the ALPDPA, the Attorney General must provide a controller with notice. After receiving the notice, controllers have forty-five (45) days to correct the alleged violation. If the controller corrects the violation within the forty-five (45) day period, no action may be initiated against the controller. However, if the controller is found to have violated the ALPDPA, the controller is liable for a $15,000 penalty per violation.
With an effective date of May 1, 2027, entities and organizations subject to the ALPDPA have just over a year to review their data privacy practices and ensure compliance with the relevant provisions of the ALPDPA.
Kentucky Amendment
In April, Kentucky governor Andy Beshear signed into law House Bill 692, amending the Kentucky Consumer Data Protection Act to add “automated content recognition data” as sensitive data under the statute. Automated content recognition (“ACR”) is technology embedded in smart TVs and monitors that captures and records what users are watching by analyzing audio or video fingerprints in real time. The amendment, which will become effective July 1, 2027, will require controllers to obtain opt-in consent from users prior to collecting ACR data. Notably, the amendment’s definition of ACR does not include data about a consumer’s interactions with a controller’s own services, data generated while providing a feature or service the consumer requested, or data collected for the purpose of enforcing the controller’s terms of service. In other words, this amendment will largely apply to manufacturers and operators of smart TVs and monitors, not to controllers who generate their own streaming content.
Virginia’s Amendment to Its Comprehensive Privacy Law
Also in April, Virginia amended the Virginia Consumer Data Protection Act (“VCDPA”) to prohibit the sale or offering for sale of precise geolocation data, effective July 1, 2026. The amendment does not include a consent exception. Businesses that monetize precise geolocation data collected from consumers will need to consider how to comply with this prohibition.
Fortunately, Virginia’s definition of “sell” requires monetary consideration. Businesses subject to the CCPA will not be so lucky if California AB 1542 becomes law. AB 1542 would amend the CCPA to prohibit businesses, service providers, and contractors from selling or sharing sensitive personal information with third parties. The CCPA’s definition of “sell” is not limited to monetary consideration—it includes “other valuable consideration,” which, based on the Sephora enforcement action, can include analytics. At its May 1, 2026 board meeting, CalPrivacy voted to support AB 1542.
As the state privacy landscape continues to bloom, one thing is clear: the pace of change is accelerating. Our Privacy and Data Security team is actively monitoring these developments and is available to help you navigate the growing patchwork of state privacy obligations.