U.S. Privacy and Data Protection | Insights | Q2 2026 (State Law)

By
Partner

Several state privacy changes taking effect in mid‑2026 will materially affect digital‑first businesses. These updates expand who is covered, strengthen protections for sensitive data and minors, and raise expectations around transparency, AI use, and automated decision‑making.

Connecticut

Connecticut’s Data Privacy Act (CTDPA) amendments significantly broaden which businesses are covered and expand what counts as sensitive data, with key changes effective July 1, 2026. Sensitive data now expressly includes additional categories such as certain health and disability data, gender‑related and biometric information, and additional financial and government‑ID details, and processing or selling sensitive data generally requires consent.

The amendments strengthen protections for minors by categorically prohibiting targeted advertising and the sale of personal data for individuals under 18. They also require more detailed privacy and AI disclosures, including when personal data is used for profiling or to train large language models and other AI systems, and they lay the groundwork for new profiling impact assessment obligations.

Beginning August 1, 2026, Connecticut adds a distinct “profiling impact assessment” requirement for certain high‑risk automated decision‑making. Controllers must conduct impact assessments when they engage in profiling that produces legal or “similarly significant” effects on consumers, such as decisions about access to essential services, eligibility, employment, housing, or credit. In addition, decisions made “on behalf of” a controller are now explicitly included, meaning decisions made by third parties or service providers may be included within “decisions that produce any legal or similarly significant effect.”

This requirement applies to profiling activities “created or generated” on or after August 1, 2026, meaning new systems and use cases after that date must go through an assessment process. In practice, this pushes companies to formally document risks, safeguards, and mitigations when they deploy or materially change high‑impact AI or scoring models affecting Connecticut residents, with additional obligations under the amendments rolling out later in 2026.

Arkansas

Effective July 1, 2026, the Arkansas Children and Teens’ Online Privacy Protection Act (HB 1717) imposes new duties on operators of online services directed at children or teens, or those with actual knowledge that they collect personal information from minors. It prohibits operators from collecting, using, or allowing others to maintain minors’ personal information for the purpose of targeted advertising to those users.

The law also embeds data‑minimization and retention limits, requiring operators to collect no more data than is reasonably necessary to provide the requested service and not to retain it longer than needed for the transaction or service. It grants minors and parents rights to access, delete, and correct personal information. These rights and obligations are enforced exclusively by the Arkansas Attorney General.

Utah

Utah’s 2026 updates build on the Utah Consumer Privacy Act and new social‑media data‑sharing amendments by adding a right to correction and, more notably, imposing robust data portability and interoperability obligations on social‑media platforms starting July 1, 2026. The new law expands the definition of “personal data” to include social connections, interactions, and content. Social‑media services that process user data by automated means must allow Utah consumers to export their personal data in a readily usable, machine‑readable format and transmit it to other platforms with minimal friction using open or publicly documented technical standards.

These changes are designed to give users more control over their digital lives, reduce lock‑in, and push platforms toward a more competitive, user‑centric ecosystem.

Upcoming Dates to Watch

  • August 1, 2026: California’s DELETE Act data‑broker deletion mechanism becomes operational, and Connecticut’s new profiling impact assessment requirements start applying to newly created or generated high‑risk profiling uses.
  • January 1, 2027: Oklahoma’s comprehensive privacy law takes effect.
  • May 1, 2027: Alabama’s comprehensive privacy law becomes effective.

How to Support Your Business

Targeted updates for your business are critical over the next 12–18 months. Focused adjustments now will reduce regulatory risk and create a more defensible, scalable data strategy.

  • Confirm whether you now meet Connecticut’s lower applicability threshold or fall in scope because you process or sell sensitive data.
  • Refresh your data map and explicitly label newly recognized “sensitive” categories, including biometric identifiers and expanded financial and government‑ID data.
  • Update privacy notices, consent flows, and profiling disclosures, particularly if you use personal data for AI/LLM training, automated decision‑making, or high‑impact scoring models.
  • For youth‑facing products and campaigns, review age‑gating, data‑collection practices, and advertising workflows to ensure you are not using minors’ data for targeted advertising in ways that conflict with Arkansas’ new rules.

Kronenberger Rosenfeld helps digital‑first companies translate this evolving patchwork into practical, defensible privacy programs, including policy updates, product counseling, and ad‑tech and marketing reviews. If your team is reassessing its 2026–2027 privacy roadmap, we can help you identify where you are newly in scope, prioritize high‑impact steps, and align your privacy posture with your growth strategy.

This entry was posted on Monday, June 29, 2026 and is filed under Data and Privacy Updates, Internet Law News.


