
Last year was “the year when [privacy] bills came…
A
Welcome to StateScoop's Priorities podcast. I'm Keely Quindlen, a reporter with StateScoop. This week I talk with two privacy professionals from IAPP, a nonprofit association for privacy professionals, about both 2025's most notable developments in the legal realm of data privacy and what's to come in this space for 2026. We talk through challenges to enforcing privacy, how recent amendments to existing comprehensive privacy laws are changing the landscape, and what's set to come online in 2026. But first things first, we want to take a moment to wish you a happy New Year from all of us at StateScoop. Last year was chock full of interesting developments and novel applications of tech in the public sector, and this year in state and local government, technology news is already starting off strong. So let's get to the. New Jersey Governor Phil Murphy on Monday signed a bill that establishes an innovation authority in the state Treasury Department and codifies the state's Office of Innovation. The law is the first of its kind for a state government. New Jersey Governor-elect Mikie Sherrill on Monday also announced that Dave Cole, the state's chief innovation officer, will continue on in his role under her administration. Matt Fraser, who served as New York's chief technology officer since January 2022 under former Mayor Eric Adams, stepped down on Dec. 31. But the city's technology priorities under the newly inaugurated Mayor Zohran Mamdani remain unclear. He named Ruby Choi, OTI's deputy commissioner for strategic initiatives, as acting CTO, but has revealed little else about his plans for technology policy. There were many big stories in state and local government IT last year, but five stood out from the rest. I chronicled them in a piece called 5 State Tech Stories that Made 2025. Look for it at statescoop.com.
While 2025 was an eventful year in all segments of government, it panned out to be quite the interesting year for privacy professionals on the state and local level who had to contend with and enforce a number of new laws regulating data privacy. While over a dozen states now have comprehensive data privacy laws on the books, and some were passed a number of years ago now, some only just now came into effect, and some of those laws have been amended as well. Coben Zweigfelken, managing director of IAPP, a nonprofit, non-advocacy membership association for privacy professionals, and David Bolero, a Weston fellow with IAPP, spoke with me about 2025's highlights in privacy, followed by an analysis of what's to come in 2026. We started with the most notable legislation that defines 2025 and privacy.
B
I think this is the first time since 2020 that we did not see a new privacy, comprehensive privacy law being enacted. This is something that is revolutionary in a certain way. But at the same time, we could classify 2025 as two things. Number one, the year where bills came online as seven states had their bills come online. Delaware, Iowa, Maryland, Minnesota, New Hampshire, New Jersey and Tennessee, the most that we have had to this point. With most bills already online at this point in 2025 and the year of the amendments, nine privacy bills were amended either directly or indirectly. We saw trends pretty clear on protection of minors in states like Connecticut, Montana and Oregon. We also saw some trends regarding definitions of sensitive data and how some new categories are going to be included within this bigger, broad category of sensitive data in and of itself. And also a certain level of expansion for privacy. Consumer rights, especially Connecticut and Utah took that route of expanding their rights with Utah introducing finally the right to correct going into the standard for the states in general. And Connecticut in its big overhaul, which was the bigger, the biggest of all the bills amended in the year, expanding their right to access to include a right to access on automated decision making technologies and the decisions made with those technologies.
A
Gotcha. So it sounds like this year was a little bit less legislative action. Right. And more enactment. Coben, I want to hear from you. Talk to me about some of the enforcement measures that stood out to you this year. What would be the Spotify Wrapped of data privacy enforcement of 2025?
C
That's a great way to put it. I think we, I mean, it's the, it's the year that privacy enforcement really woke up in the states for these comprehensive consumer privacy laws. We've always had consumer protection laws at the state level that have been enforced by attorneys general and that always comes in drips and drabs. But this year we saw some of the oldest privacy laws really start to gain steam in their enforcement. So it's an exciting time to actually see the results of these laws come into effect and to see what enforcers are actually interested in and the types of things that companies should be most focused on. I think some big themes in the enforcement this year. It's a good reminder, I think, to see some of these cases that this, that privacy and consumer protection laws do overlap and there's a lot of them moving together in places because attorneys general do have the ability to enforce both at the same time. So we see that in like the lawsuits, there are big lawsuits brought against Arity in Texas, an insurance company focused on driving related data, which is kind of a continuation of a theme that we saw last year where like it's. We also see similar lawsuits brought by states that don't have a consumer privacy law. So it's interesting to kind of see how those two tools work together for attorneys general. There's other kind of thematic things to pick apart from the enforcements that we have seen in the non privacy law sector. There's a lot of action against kids related companies like Roku and Snap. There's like an overlap between like family things, connected devices like Roku I think is a really good example of connected devices and things that families use together. And then the Snap kind of focus which has seen enforcement lawsuits and other scrutiny from multiple states.
But there's also I think a big theme of data brokers where we saw in California a lot of enforcement against folks who had failed to register under the Delete Act, which is also not part of the consumer privacy law. But there's a lot of interest in continuing to investigate data brokers and the use of sensitive data. In particular, California announced a roundup, a sweep of data brokers that we'll probably continue to see into next year. And then I think retail general kind of consumer websites and services, we saw a lot of retail focused activity at least in California which brought a case against Todd Snyder and another case against Tractor Supply and Connecticut also enforced against TicketNetwork. So those sorts of just general consumer facing website type issues are some of the things that we've seen a lot of. And most of the takeaways from those are really focused on privacy basics of actually following the requirements that these privacy laws set out. Most of them don't have super exciting or nerdy takeaways for practitioners where you kind of learn something new about how the enforcer is thinking about things. But we do see things coming online and, and I think it's also worth pointing out just that the level of funding for these enforcers really matters. So that's really a big part of why we see Texas punching so heavily in the privacy space because they do have a dedicated team with dedicated funding focused on bringing these types of actions. And so other states that might be doing that moving forward would continue to kind of punch above their weight and. And we're going to keep seeing more states come online.
A
Yeah. So to kind of like carry that on. Right. Like to switch the conversation to 2026. Right. I would love to hear from you Coben. Like could you give me like a snapshot of some of those laws and those amendments as well that are coming online in the next year. Like, what should folks be keeping an eye out for?
C
Yeah. So as David said, we didn't see any new state laws passed this year in the comprehensive consumer privacy segment, but we do have the last of those from the prior years coming online on January 1st. So as of the beginning of the year in 2026, we'll have all 19 of those laws in effect, which means that they're enforceable. Most of the remainder, the remainder are not super exciting in terms of like, things to talk about. They, of course, they will provide the same rights as all the others to the people of those states. It's Indiana, Kentucky and Rhode Island. They don't have a lot of notable differences. I would be remiss if I didn't mention a couple of things. First of all, since Keir Lamont is no longer a public figure who talks about these things, I can make his joke, which is that you have privacy rights in Indiana unless you're on a riverboat casino, because casinos have been carved out of that law in just the same way that we saw ski resorts carved out in Colorado. But Kentucky is a. Both Kentucky and Indiana are industry friendly laws, relatively similar, kind of in that vein, like a Utah or a Virginia. Rhode Island is a little more modern in its approach, but it doesn't have a ton of unique elements. The one thing that everybody's talking about is that it requires third parties. It requires you to list all of the third parties to whom you have sold or may sell customers' personal information, which puts it a little step farther than some of the states that have started to require you to disclose those that list on demand for consumers. That language just has multiple elements in it that set it apart from other states. And I think it'll be a while before we understand exactly how they'll interpret that. But companies will need to be prepared to potentially be disclosing third parties upfront, which is a different requirement. There's also some of the amendments are coming online.
I think all of but a good portion of the amendments come online pretty quickly, like Connecticut's amendment that David mentioned being pretty substantial, that comes online on July 1st. And so some of those other states that we saw have amendments this year are also coming to be immediately kind of making this enforceable next year.
A
Yeah. And David, I want to turn back to you to talk about some of the regulatory stuff.
C
Right.
A
The really nerdy inside knowledge stuff with regard to. I know California's got some Requirements that are coming online, especially as it relates to data brokers under the Delete Act. I know New Jersey as well has a couple of things. Would you mind, you know, going through some of those, like, more nuanced things and let the folks know what they should be watching for?
B
Yeah, sure. I think a good way to do it is first New Jersey. We are still on, on the promise of they are going to release their final regulations hopefully at the beginning of next year, because we don't expect it to happen in the last 14 days of 2025. But they did. It might happen. It's possible. But they did release some draft regulations at a certain point that are kind of similar to Colorado's regulation at certain point. So that line is something that it's good to look forward to. However, we will know once we have the regulations on our hands, what to expect specifically. Specifically on the side of California, Cal Privacy, they were really clear on their purpose of being very proactive with their education of their new DROP system as a tool to actually register and opt out from having your data sold by data brokers. So that's something that they have been doing, a statewide campaign informing and letting people know, stakeholders and individual consumers on how to do it. And at the same time, I think they release the most important piece of regulation that we have on the privacy space at this moment coming from the states, that is their regulations on automated decision making technologies, cybersecurity audits, risk assessments, and some transparency and consent issues. So these regulations kind of do many things at the same time. On the one hand, a good thing to look forward to is an expanded right of access for automated decision making linked to a right to appeal to those decisions. That includes a human in the loop when the decision has a certain level of importance for the consumer. So this human has to have the authority to overrule the decisions made by the system. And at the same time, it has to be a process that is easy for the consumer.
So I think California is taking that little pro consumer route of making it easier for the consumers to participate within their process of exercising their rights at the same time in the same regulations. They went through a whole list of what is considered to be transparency and accessibility within the same regulations. So for example, consumer silence or failure to act on certain decisions, it's not going to be considered at any point as valid consent within the regulations. And the consumers will also have to have the ability to opt out for more privacy protective measures in the same easy way that they should be covered by least privacy protective measures, quote, unquote, and within the way that they have relations with these controllers of data. On the side of cybersecurity audits, I think the most important thing is to highlight that they will have to start doing cybersecurity audits made by independent auditors and that there is a level of detail that the reports must have, including identifying the current cybersecurity information systems that the companies use, gaps and weaknesses that they have, and they must propose or include a plan on how to correct or address those issues as well. So it's not just here's the problem, but it's also here's how we plan to address it, which is something that I think makes creates a proactive security and proactive privacy for consumers as well. And finally, on the risk assessment side, in I think one of the most, most important points was that when the risk assessment goes in hand by hand with automated decision making technologies, the third part the companies will have to make the third, the recipient and the business will have to make available the information and the tools and risk assessment requirements that they use to do this kinds of, these kinds of risk assessments when these technologies were used.
So it's not this level of shadowy what's going on in the background, but information has to be transparent for the consumers as well.
C
Yeah.
A
And before we get to the 2026 enforcement trend predictions, something you said about automated decision making tools just kind of made a light bulb go off my head. As far as this recent executive order that President Trump signed with relation preempting state AI laws. Right. They have said that they're going to go on a case by case basis and evaluate some of these laws. But because of a lot of these, you know, state laws have very neutral language with what they're qualifying as AI. Right. Are you, are either of you concerned at all that this executive order may then target some of these privacy laws, right. That have that ADMT regulatory language built in, or are you thinking, you know, that they might not look at it because of the top line. It's, it's got the word privacy in it and maybe they might not assume or like how are you guys thinking about this?
B
Well, I think that the Justice Department and again this is just a prediction. I'm taking out my, my glass bowl and doing some, some predicting magic at this point. I think that the, that Pam Bondi's DOJ will try to go after this kind of regulations as well and this kind of ADMT processes and regulations that are in place in the sense that many companies might raise this as, hey, the definition is broad enough that AI might be covered through it. But during the process of the redlining in California and the comments, they had to change the language because the original regulations included artificial intelligence as the category rather than ADMT in a more. In a broader way. So this is something that's going to end up in the, in the courts, like we all know already. But I think maybe there's a risk or a possibility that DOJ will come after this kind of regulations.
A
Yeah. Coben, did you have anything to add to that?
C
Sure, yeah. You saw me thinking deeply. I mean, I think, yeah, I think David's captured it. There's just a lot of uncertainty both in interpreting how the actual scope of authority that the administration has to engage on this and then the actual scope of interest that they have to go after certain state laws or regulations. Yeah, there isn't a mention of automated decision making in the executive order. And as David I think mentioned or could have mentioned the, in the most recent legislative text that we saw, they did specifically call that out, which was a way of bringing these laws into focus and specifically California's regulations. But we, yeah, we didn't see that echoed in the eo. Maybe we'll learn more as we go forward, but I think it will be, this creates more uncertainty than it creates certainty. So it'll be a while before we know whether there's any impact at all.
A
All right, so we will file this under tbd. So then Coben, going back to some of those, like, you know, enforcement measures based off of what we saw in 2025, like, what are some of the trends that you think will carry over into 2026? Like, are there going to be some, like through lines that, that are, you know, more obvious than others? Or how are you thinking about this?
C
Yeah, I think moving forward, a lot of the same. There's not that much when we've heard from enforcers, from the assistant attorneys general who speak at some of the conferences, like IAPP's conferences and stuff like that. We haven't heard any new big themes in particular when they talk about their priorities. So we'll see connected devices still at the top of the agenda, children's data still up there, maybe some more car related stuff, although we didn't see that much this year. So it'll be interesting to see if they're still interested in driving related data because that was a big confluence of kind of connected cars and location sensitive data. Stuff that was really interesting to watch. One thing that's new that we're seeing a lot of legislative scrutiny of are the AI chatbots, especially their relation to kids. I could see enforcers focusing on that. And we've actually seen Texas. One of the roundups that was announced this year was Texas saying that they wanted to start investigating those companies. We also, and I think there's clear kind of general consumer protection standards that might apply in that context. So that's something to watch. And just kids stuff generally. We're not even talking about kids legislation in this podcast because that's its own podcast because there's too many things to talk about. But even on the enforcement side, there's plenty that states can do with what they already have to protect kids and teens. And so we might see more of that. Another thing that's on my radar, but I don't know if enforcers are focused on it yet, is variable pricing seems to be getting a lot of policy attention, at least in D.C. and kind of I think it's going to be a big part of the conversation next year, which is to say when consumers pay different prices from each other because of information, you know, about the consumer, I think that could invite, it's going to invite scrutiny. It definitely legislative scrutiny. 
There are a lot of bills that have been passed related to that, but in the state level, but there's, it'll be interesting to see if there's enforcement because there's a huge privacy angle to that. Right. Because you have to first rely on the personal data of people in order to make those variable prices. And so those are the kind of themes that I'm watching in terms of who's doing that activity. We will still see California very heavily. Connecticut is now online. We saw them. I think there's kind of a, as states come, it takes a couple years before you start to see some of these public settlements. And as I said before, it relates to the size of their teams and the type of funding that they have. So we saw today Texas sued a bunch of companies, so they, I guess, aren't they're going to keep doing what they're doing. But the other state that I'm watching closely is Minnesota because they have a sizable team that they're building there. And it'll be interesting to see what they want to focus on and what they can bring next year.
A
Yeah, all gas, no brakes on those two, especially around the holidays. Well, anyway, let's wrap this up because this conversation has been so interesting. My to do list for 2026 is just growing. So let's talk about what's coming on the legislative front. Right. David, I would love to hear from you. Like, what activities are you keeping an eye out for? Um, I know there's been some movement, you know, in Pennsylvania, Massachusetts, a couple of other states, but is there any hope for another comprehensive law potentially? I know there's, let's see, 19. So what is that third? 30 some odd states still to go?
B
Yeah, 31 still to go. And if you don't count Florida as we don't count it as well, and maybe a federal bill, who knows at this point, I'll do a shameless plug first. It's always a good way to keep an eye on our state legislative tracker, which it's one of the best tools out there for doing this job of tracking what's going on. So we are watching specifically at five states that have more possibilities than anything else. Pennsylvania, the only one that is right now still in session. They have a bipartisan bill that is right now waiting for action in the Senate, and they follow. And most of these bills of all of them follow a model similar to Virginia, which is industry friendly, but at the same time granting real consumer rights to consumers. So that's Pennsylvania as a whole. Massachusetts has three bills that are relevant. However, the most important one is S. 2619, which is the one that's right now on this. On the House floor, is on the House committee. Sorry. And they did remove their private right of action, which was something that Massachusetts has tried to include into their bills previously, but maybe that was used as a chip to try to move things forward within the legislature. Then there's two bills that are two states that are relevant, Georgia and Oklahoma. Both of them have bills that moved very fast at the beginning of the year, but as their year move across and the adjourned session, they kind of fizzle out a little bit from the radar of everyone else. But we might see them coming back into it on the beginning of 2026. And the other one, which I think is the one that has more potential, the most potential of them all is Vermont, as they already passed a bill in 2024, which was vetoed by Governor Scott. But the legislature has already a bill at this point that still includes the private right of action. So one of the most bolder and protective bills for consumers, and it might invite a new veto for the governor if the bill actually gets sued.
To that point, we will see if actually it happens or it doesn't happen. And the other thing that I'm looking to is the federal level. We do know that there are rumblings that a new bill might be introduced. Another shameless plug. We did an analysis and we published it today. I wrote the analysis about what stakeholders are looking forward in the federal bill if it comes to fruition. So that's both those things. Those lines are very interesting to keep an eye on. Work for 2026.
A
That was Coben Zweigfelken, IAPP's managing director, with David Bolero, one of the organization's fellows. Many thanks to them both for participating in that conversation. You can subscribe to the Priorities podcast at prioritiespodcast.com and wherever you get your podcasts. While you're there, be sure to leave a review or a rating on the podcast page. That small extra step helps more people like you find the show. This podcast is a production of Scoop News Group in Washington, D.C. Adam Butler and Carlin Fisher help put it together. Until next week, I'm Keely Quindlen. Thanks for listening.
Host: Keely Quindlen (StateScoop)
Guests: Coben Zweigfelken (Managing Director, IAPP), David Bolero (Weston Fellow, IAPP)
Date: January 7, 2026
This episode explores the dynamic landscape of state-level data privacy legislation and enforcement in 2025, as well as previewing what’s to come in 2026. Host Keely Quindlen speaks with IAPP privacy experts Coben Zweigfelken and David Bolero, who break down the growing complexity of privacy law amendments, analyze significant enforcement trends, and discuss the evolving regulatory environment—especially regarding children’s data, sensitive data categories, data brokers, automated decision-making, and regulatory challenges around artificial intelligence (AI).
"2025... the year where bills came online as seven states had their bills come online...and the year of amendments, nine privacy bills were amended..."
— David Bolero [03:30]
"It's the year that privacy enforcement really woke up in the states for these comprehensive consumer privacy laws."
— Coben Zweigfelken [04:54]
"California is taking that little pro-consumer route of making it easier for the consumers to participate within their process of exercising their rights..."
— David Bolero [13:54]
"Many companies might raise this as, hey, the definition is broad enough that AI might be covered through it… this is something that's going to end up in the courts."
— David Bolero [17:33]
“Enforcers... we haven't heard any new big themes... we'll see connected devices still at the top of the agenda, children's data still up there... variable pricing seems to be getting a lot of policy attention...”
— Coben Zweigfelken [21:20]
"...we are watching specifically at five states that have more possibilities... And the other thing that I'm looking to is the federal level. We do know...that a new bill might be introduced."
— David Bolero [24:02]
Insight for IT and Privacy Leaders:
The privacy regulatory landscape is expanding and shifting from drafting to enforcement. Organizations need to ensure not only compliance with technical requirements, but transparency in automated decision-making and data handling. State-specific nuances—especially in California—require extra attention, with regulatory clarity around data brokers, sensitive data, and consumer opt-outs continuing to evolve. Federal preemption and new legislative pushes could further reshape compliance obligations in the near future.