State privacy law continues to move quickly, and 2026 is no exception. While July 1, 2026, is the next major compliance milestone, it is not the only one. Several laws and amendments take effect on that date, with additional requirements following later in the year.
As of July 1, enforcement expands or begins under a number of state laws, including:
- Connecticut - Amendments to Connecticut’s Data Privacy Act (CTDPA).
- Arkansas - New online privacy protections for children and teens.
- Utah - Updates to Utah’s Consumer Privacy Act.
Additional Connecticut requirements will follow shortly thereafter.
For organizations managing multi-state compliance or assessing their obligations for the first time, these developments are worth a close look.
What Changes Under Connecticut’s – CTDPA Amendments (SB 1295)
Effective July 1, 2026
Expanded Scope & Lower Thresholds
The most immediate change is scope. The applicability threshold drops from 100,000 to 35,000 consumers, which will pull more businesses into coverage. At the same time, Connecticut moves away from a purely volume-based approach. Any organization that processes sensitive data or sells personal data will now fall within scope, regardless of volume.
Narrower Exemptions
The amendments also narrow key exemptions. The prior entity-level exemption under the Gramm-Leach-Bliley Act is replaced with a data-level exemption, which requires a more careful review of what data and activities are actually out of scope.
Broader Definition of Sensitive Data
The definition of sensitive data is expanded and now includes additional categories such as:
- government-issued identifiers;
- financial account information;
- Social Security numbers;
- neural data; and
- certain biometric or genetic data.
The law also makes clear that sensitive data cannot be sold without consent.
New Consumer Rights & Disclosure Requirements
On the consumer side, rights continue to evolve.
- The profiling opt-out is expanded by removing the limitation that the decision be based solely on automated processing.
- Consumers are given more transparency around how their personal data is used in automated decision-making contexts.
- New requirements around minors’ data.
- A disclosure obligation if personal data is introduced to train large language models. For many organizations, this will require updates to existing privacy notices.
What Takes Effect Later in 2026?
Not all requirements take effect on July 1. New impact assessment obligations will apply to certain high-risk processing activities created on or after August 1, 2026. These requirements will need to be incorporated into broader governance and assessment processes.
What Does Arkansas’ Children and Teens’ Online Privacy Protection Act (HB 1717) Require?
Effective July 1, 2026
The law applies to for-profit operators of websites, applications, and online services that are directed to children or teens, or that have actual knowledge they are collecting minors’ personal data.
Two-Tiered Consent Framework
The statute establishes a two-tiered consent framework. Parental consent is required for children aged 12 and under. For users aged 13 to 16, consent may be provided by either the teen or a parent.
Restrictions on Minors’ Data
The law also places clear limits on how minors’ data can be used. Targeted advertising based on minors’ personal data is prohibited, and data minimization principles restrict both what can be collected and how long it can be retained.
Enforcement & Exclusions
Enforcement rests exclusively with the Arkansas Attorney General, and the law does not provide for a private right of action. Certain entities, including nonprofits, government bodies, and educational institutions, are outside the scope of the statute.
What Are the Utah UCPA Amendments (HB 418)?
Effective July 1, 2026
Utah introduces additional consumer control in the social media context, including new requirements related to data portability and interoperability. These provisions are designed to give users greater flexibility in how their personal data is accessed and transferred across platforms.
The broader structure of the UCPA remains intact, including its existing enforcement framework.
Indiana Consumer Data Protection Act: A Brief Reminder
Indiana’s Consumer Data Protection Act took effect on January 1, 2026. The law grants consumers the right to access, correct, delete, and obtain copies of their personal data, as well as the right to opt-out of targeted advertising, sales of personal data, and certain profiling activities.
For a more detailed discussion of the ICDPA, see our prior coverage.
Why Do These State Privacy Law Changes Matter?
Taken together, these developments reflect a continued expansion in both scope and expectations:
- Connecticut’s approach will bring additional organizations into coverage, particularly those handling sensitive data or engaging in data sales at any level.
- Arkansas’s reflects a growing focus on youth privacy and signals where other states may follow.
- Utah’s updates, while more targeted, continue the broader push toward giving consumers more control over their data.
What Should Organizations Do Now?
Organizations should take this opportunity to:
- Reassess scope – Determine whether they fall within Connecticut’s expanded scope
- Update privacy notices – Reflect new sensitive data categories and LLM training disclosure obligations where needed
- Review practices involving minors – Particularly if operating platforms directed at children or teens
- Confirm consumer rights processes – Ensure existing processes can address evolving consumer rights.
What State Privacy Laws Are Coming Next?
The remainder of 2026 and early 2027 will bring additional developments.
The direction is clear. More states are adopting comprehensive privacy frameworks, and the requirements continue to expand. Privacy compliance is no longer a one-time exercise. It is an ongoing part of how organizations operate.
Frequently Asked Questions
What state privacy laws take effect on July 1, 2026?
Connecticut's CTDPA amendments (SB 1295), Arkansas's Children and Teens' Online Privacy Protection Act (HB 1717), and Utah's UCPA amendments (HB 418) all take effect on July 1, 2026.
Does Connecticut's privacy law now apply to smaller businesses?
Yes. The applicability threshold drops from 100,000 to 35,000 consumers. Additionally, any organization that processes sensitive data or sells personal data falls within scope regardless of volume.
Does Arkansas's privacy law allow targeted advertising to minors?
No. Targeted advertising based on minors' personal data is prohibited under HB 1717.
What new disclosure is required under Connecticut's CTDPA?
Organizations must disclose if personal data is used to train large language models (LLMs), among other updated privacy notice requirements.
What state privacy laws are coming in 2027?
Oklahoma's comprehensive privacy law takes effect January 1, 2027, and Alabama's comprehensive privacy law takes effect May 1, 2027.
