Takeaways

  • The enactments of Alabama’s and Oklahoma’s comprehensive privacy legislation are not remarkable in and of themselves. However, the passage of these business-friendly statutes, in contrast with the defeat of Maine’s more aggressive privacy law, points to a trend of deregulatory pressure occurring at both the U.S. state and federal levels.
  • With sectoral regulation remaining robust, the U.S. is now firmly in its third era of privacy regulation, one that focuses on high-risk processing instead of generalized comprehensive regulation.

Discussion

Discussions comparing U.S. state-by-state comprehensive privacy regulations typically categorize the now twenty-one laws into two piles: those aligning with the more aggressive California model and those with the more business-friendly Virginia model.

This is an awkward framework, as no state has truly adopted the California model, and Virginia has aggressive consumer protections slotted into its toothier Virginia Consumer Protection Act (which includes a private cause of action and steep penalties).[1] However, as a means of generalized discussion, the dichotomy works fine.[2]

Thus far in 2026, three notable legislative developments have affected state comprehensive privacy laws. Oklahoma[3] and Alabama[4] passed their state comprehensive laws, while Maine’s[5] failed. These events are not independent shock waves; how they fit into the California / Virginia dichotomy can offer us insights into current trends.

Take a look at this chart:

Status / Effective Date
  • CCPA / CPRA (California): Active.
  • VCDPA (Virginia): Active.
  • OCDPA (Oklahoma, new): Enacted March 2026; effective January 1, 2027.
  • APDPA (Alabama, new): Enacted April 2026; effective May 1, 2027.
  • LD 1822 (Maine, failed): Failed April 2026.

Applicability Thresholds
  • CCPA / CPRA (California): >~$26m gross revenue; or 100k+ consumers/devices; or >50% of revenue from sale/sharing of data.
  • VCDPA (Virginia): 100k+ consumers; or 25k+ consumers plus >50% of revenue from data sales.
  • OCDPA (Oklahoma, new): 100k+ consumers; or 25k+ consumers plus >50% of revenue from data sales.
  • APDPA (Alabama, new): 25k+ consumers; or >25% of revenue from data sales.
  • LD 1822 (Maine, failed): Would have applied broadly based on controlling/processing thresholds similar to Maryland’s strict framework.

Major Entity Exceptions
  • CCPA / CPRA (California): Does not provide blanket entity-level exemptions for financial/healthcare institutions.
  • VCDPA (Virginia): GLBA financial institutions, HIPAA covered entities/business associates, non-profits, and higher education.
  • OCDPA (Oklahoma, new): GLBA financial institutions, HIPAA covered entities/business associates, non-profits, higher education, and government entities.
  • APDPA (Alabama, new): Businesses with <500 employees and non-profits with <100 employees (if no data is sold). Also exempts GLBA/HIPAA institutions, higher education, and PACs/political parties.
  • LD 1822 (Maine, failed): Lacked the broad, blanket entity-level exemptions seen in Virginia-style laws.

Consumer Rights
  • CCPA / CPRA (California): Access, correct, delete, portability, opt-out (sale/share).
  • VCDPA (Virginia): Access, correct, delete, portability, opt-out (sale/targeted ads/profiling).
  • OCDPA (Oklahoma, new): Access, correct, delete, portability, opt-out (sale/targeted ads/profiling).
  • APDPA (Alabama, new): Access, correct, delete, portability, opt-out (sale/targeted ads/profiling).
  • LD 1822 (Maine, failed): Access, correct, delete, portability, with strict limitations preventing certain targeted ads.

Sensitive Data Processing
  • CCPA / CPRA (California): Opt-out (right to limit use and disclosure).
  • VCDPA (Virginia): Opt-in consent required prior to processing.
  • OCDPA (Oklahoma, new): Opt-in consent required prior to processing.
  • APDPA (Alabama, new): Opt-in consent required prior to processing.
  • LD 1822 (Maine, failed): Opt-in required, alongside strict bans on processing certain types of sensitive data entirely.

Data Protection Assessments (DPIAs)
  • CCPA / CPRA (California): Required for processing presenting significant risk.
  • VCDPA (Virginia): Required for targeted advertising, sales, profiling, and sensitive data.
  • OCDPA (Oklahoma, new): Required for targeted advertising, sales, profiling, and sensitive data.
  • APDPA (Alabama, new): Not required.
  • LD 1822 (Maine, failed): Would have required strict risk assessments and anti-discrimination testing.

Universal Opt-Out / GPC Requirement
  • CCPA / CPRA (California): Required to honor universal opt-out signals (e.g., Global Privacy Control).
  • VCDPA (Virginia): Not required.
  • OCDPA (Oklahoma, new): Not required (explicitly omitted from the statute).
  • APDPA (Alabama, new): Not required.
  • LD 1822 (Maine, failed): Included robust opt-out preference signal requirements.

Data Minimization Standard
  • CCPA / CPRA (California): Reasonably necessary and proportionate to the purpose.
  • VCDPA (Virginia): Adequate, relevant, and reasonably necessary.
  • OCDPA (Oklahoma, new): Adequate, relevant, and reasonably necessary.
  • APDPA (Alabama, new): Adequate, relevant, and reasonably necessary.
  • LD 1822 (Maine, failed): Strict necessity.

Enforcement & Right to Cure
  • CCPA / CPRA (California): Enforced by CalPrivacy/AG. Discretionary cure period. Limited private right of action (PRA) for certain unencrypted data breaches.
  • VCDPA (Virginia): Enforced by AG. 30-day cure period. No PRA.
  • OCDPA (Oklahoma, new): Enforced by AG. Permanent 30-day right to cure. No PRA.
  • APDPA (Alabama, new): Enforced by AG. Non-sunsetting 45-day right to cure. Civil penalties up to $15,000 per violation. No PRA.
  • LD 1822 (Maine, failed): AG enforcement. No PRA.

The most important takeaway is also the most obvious: the enacted Oklahoma CDPA and Alabama PDPA follow the Virginia model, and the failed Maine law followed the California model.

Checking the till, that brings the score to 12 to 9[6] in favor of the Virginia model. Notably, nothing following the California model has been enacted since May 24, 2024 (Minnesota). Pair this with the intense deregulatory rhetoric of E.O. 14365 and the White House’s national AI legislative framework, as well as the intense handwringing over attempts to water down Colorado’s first-in-the-nation artificial intelligence law,[7] and a clear trend line forms.

Legislatures and executives are starting to observe how the growing patchwork of privacy, cyber, and artificial intelligence regulations is exhausting businesses and chilling local investment and development. Nothing foments deregulatory fervor like the notion that the U.S. (or a particular state) will lose its share of the lucrative data technology economy to more friendly jurisdictions and wind up, God forbid, like Europe.[8]

Like all macro trends, these conclusions are not universal. U.S. state sector-specific regulations (like frontier AI, youth protection, and genetic/biometric regulations) have exploded with extremely onerous obligations for the organizations subject to them, but the vast majority of organizations will be free from that particular brand of regulation. The deregulatory trend is still significant, however, both for organizations feeling the pressure to adopt emerging technologies and for consumers living in the world that these technologies are creating.


[1] There are also myriad ways in which privacy laws following the Virginia model are more onerous than California, including opt-in consent for sensitive data processing and the lack of formally sanctioned service provider / data processor internal data use.

[2] Further, if you attempt to allocate specific obligations, penalties, application thresholds, and consumer rights into one model or the other, the lines become further blurred.

[3] Oklahoma Consumer Data Privacy Act, available at https://www.oklegislature.gov/cf_pdf/2025-26%20ENR/SB/SB546%20ENR.PDF, effective date of January 1, 2027.

[4] Alabama Personal Data Protection Act (APDPA) available at https://alison.legislature.state.al.us/files/pdf/SearchableInstruments/2026RS/HB351-enr.pdf, effective date May 1, 2027.

[5] Maine Online Data Privacy Act, available at https://legislature.maine.gov/legis/bills/display_ps.asp?LD=1822&snum=132.

[6] Generally, the laws can be sorted per the following (but many are hybrid). Virginia model: Virginia, Oklahoma, Alabama, Indiana, Iowa, Kentucky, Montana, Rhode Island, Nebraska, Tennessee, Texas and Utah. California model: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, New Hampshire, New Jersey, and Oregon. Florida excluded. Your math may differ.

[7] Not to mention how SB 1047 (Safe and Secure Innovation for Frontier Artificial Intelligence Models Act) was vetoed by California Governor Gavin Newsom in September 2024, HB 2094 / SB 487 (AI Consumer Protections) was vetoed by Virginia Governor Glenn Youngkin in March 2025, and Connecticut failed to pass its AI legislation amid a veto threat from Gov. Ned Lamont.

[8] *clutches pearls* However, even the regulatory bastion of Europe is feeling the pressure. As of late 2025, the European Commission proposed significant, targeted amendments to the GDPR under the “Digital Omnibus” with a stated goal to simplify and streamline EU privacy, cyber, and artificial intelligence regulations.

Matthew T. Hays

Matt Hays is a go-to advisor in matters relating to data sensitive projects, agreements, services and investigations. He has worked extensively with clients as they wrangle with the explosion of innovative and complicated artificial intelligence driven technologies, including the deployment of generative AI tools through internal development or sourced from a technology provider. With a background in engineering and patent law, Matt possesses a unique ability to quickly understand and assess new and complicated technologies to advise on the legal risk to your business. Working with clients in the insurance, health, tech and financial services industries, Matt’s wide experience brings a holistic approach to compliance projects that ends with a solution, and not at just identifying the problem.

Alida Babcock

Alida Babcock is an associate attorney in the firm’s Litigation and Data Privacy groups. Alida’s practice focuses on advising clients on data privacy compliance and regulatory matters, as well as representing clients in complex commercial litigation and data breach response.