Advertising Law Tool Kit - Fourteenth Edition - 2026
Privacy and Data Security — State Privacy Laws

Kelly DeMarchis Bastide kabastide@Venable.com
Julia Tama jktama@Venable.com
Katelyn R. Asmus krasmus@Venable.com

State privacy laws continue to evolve rapidly, challenging businesses to keep pace. In 2025, new omnibus privacy laws went into effect in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. Three additional omnibus state privacy laws will come into effect at the start of 2026—in Indiana, Kentucky, and Rhode Island. Along with existing omnibus privacy laws, businesses should be prepared to comply with up to 20 comprehensive state privacy laws in 2026.

To date, all such laws draw inspiration from the first comprehensive state privacy law—the California Consumer Privacy Act (CCPA)—and all of the state laws give individuals certain rights with respect to “personal information” or “personal data” that “businesses” or “controllers” maintain about them. Similarly, all of the laws impose certain obligations related to “service providers” or “processors.”

However, the state privacy laws differ from each other in a range of ways. For instance, while all of the state omnibus laws have requirements related to “sensitive” personal data, the specific requirements and the types of data considered to be “sensitive” vary. Additionally, while the CCPA applies to personal data collected in an employment context, other laws exclude such data. Variation among state privacy laws is increasing as states continue to enact both omnibus statutes and more targeted measures focused on areas like health data, children and teens, social media, and apps.

The first step is to assess what laws, if any, apply to your business. Smaller businesses are generally exempt, as are certain types of organizations in some states, such as nonprofits, and/or certain types of data. The thresholds for being subject to the state laws vary, and businesses may be subject to some laws but not others, depending on practices. Businesses subject to one or more laws should then take steps to drive compliance. Experienced privacy counsel can help businesses to develop a practical compliance program that harmonizes many different laws.

The following steps will help your business to comply with state privacy laws effective in 2026:

• Determine which, if any, of the laws going into effect will apply, given your business’s size and practices. To be subject to such laws, a business typically must do business in the state, control or process personal data about consumers in such state, and meet certain thresholds relating to revenue and/or data processing activities.
• Assess your practices regarding personal data collection, use, and disclosure, noting exemptions that may apply. For example, pseudonymous data (like device identifiers) faces more limited requirements in many states.
• Create or update your data map, with a focus on data transactions that may incur compliance burdens, such as data sales.
• Conduct a gap analysis to determine whether your practices meet the requirements of applicable laws, then develop a compliance checklist based on the gaps identified. For instance, certain data (like health data) or products (like apps) may be subject to new obligations.
• As applicable, ensure that your compliance strategy aligns with regulations where issued, and keep an eye on ongoing rulemaking developments.
• Conduct written data protection impact assessments if your business engages in activities that require such assessments, like sales or targeted advertising.
• Determine what categories of sensitive data are collected. If sensitive data is collected in states that require consent to process such data or that require opt-out rights, review those processes for compliance.
• Review your privacy policy to meet state privacy law requirements. Create internal policies to document your compliance processes.
• Maintain mechanisms for consumers to submit rights requests, including new rights related to third-party disclosures and profiling. Certain state laws specifically require a link by which consumers can submit requests to opt out of sales of personal data or sharing for targeted advertising.
• Maintain processes for responding to consumer rights requests, with close attention paid to deadlines for responding to such requests under applicable laws.