The 2026 state legislative season is entering its sprint phase. With multiple legislatures closing in the coming weeks, privacy bills that have been working through committees all session are now racing toward passage — or expiration. This week brought significant movement on three fronts that compliance teams should be tracking closely.
Alabama: Comprehensive Privacy Law on the Razor’s Edge
Alabama’s consumer data privacy bill took a critical step forward this week when an amended version was voted out of a Senate committee. The bill had already passed the Alabama House — unanimously, 104-0, after a substitute amendment was approved by the House Commerce Committee on February 10.
But time is the enemy. The Alabama legislature closes on March 27 — less than two weeks away. The bill still needs a full Senate vote, and any amendments in the Senate would kick it back to the House for concurrence.
What’s in the Bill
If passed, Alabama would join the growing list of states with comprehensive consumer data privacy legislation. The bill follows the now-familiar Virginia/Connecticut model, giving consumers rights to:
- Access their personal data
- Delete their personal data
- Correct inaccurate data
- Opt out of data sales, targeted advertising, and profiling
The proposed effective date was pushed back to May 1, 2027 (originally October 2026), giving businesses additional time to prepare.
What Changed in Committee
The Senate committee amendments are significant — and reveal the political compromises that often water down privacy legislation in the final stretch:
Removed: Opt-out preference signal recognition. The original bill would have required data controllers to honor universal opt-out mechanisms like the Global Privacy Control (GPC). The amendment strips this requirement entirely.
This is a meaningful concession. States like Nebraska have mandated opt-out signal recognition from day one, while Colorado and Connecticut phased it in. Alabama’s removal of this requirement means consumers would need to submit individual opt-out requests to each data controller — a burden that privacy advocates argue renders the opt-out right largely theoretical.
Added: New exemptions. The amended version includes additional exemptions, though the full text of these exemptions hasn’t been published at the time of writing. Industry exemptions have been a consistent point of negotiation in state privacy bills — healthcare, financial services, and nonprofit entities frequently lobby for carve-outs.
What It Means for Compliance Teams
If Alabama passes its bill, organizations operating in the state would have until May 2027 to implement compliance programs. However, the more immediate takeaway is strategic: the removal of opt-out preference signal requirements continues a patchwork approach that makes multi-state compliance increasingly complex.
Companies that have already implemented GPC recognition for states like Colorado and Connecticut won’t need to turn it off for Alabama — but they also can’t rely on it as a universal compliance mechanism across all jurisdictions.
Compliance action: Monitor the bill’s progress through the Senate floor vote. If passed, begin mapping Alabama-specific requirements against your existing privacy program. The Virginia/Connecticut model means most organizations with existing state privacy compliance programs will need incremental rather than wholesale changes.
Kentucky: Your Smart TV Is Now a Privacy Issue
Kentucky moved quickly this week. HB 692 — a bill to amend the state’s existing Kentucky Consumer Data Protection Act — passed through a House committee and then unanimously cleared the full House.
The bill does one specific, targeted thing: it adds automatic content recognition (ACR) data to the definition of “sensitive data” under Kentucky’s privacy law.
What Is Automatic Content Recognition?
ACR is the technology that allows smart TVs to identify what you’re watching by analyzing the audio or video content displayed on screen. Most major smart TV platforms — Samsung, LG, Vizio, Roku — use some form of ACR to:
- Track viewing habits for advertising purposes
- Generate recommendations
- Sell audience measurement data to advertisers and content providers
- Create detailed viewer profiles
The data generated by ACR is remarkably granular. It can capture not just which channel or streaming service you’re using, but the specific content on screen — including content from external devices like gaming consoles, cable boxes, or media players connected via HDMI.
Why This Matters
By classifying ACR data as “sensitive data,” Kentucky would require:
- Opt-in consent before ACR data can be processed (sensitive data under most state privacy laws requires explicit consumer consent, not just an opt-out mechanism)
- Purpose limitation on how ACR data can be used
- Enhanced security requirements for storage and processing
- Data protection assessments for ACR-related processing activities
This is a direct response to the FTC’s 2024 enforcement action against smart TV manufacturers over inadequate disclosure of ACR data collection. The FTC found that most consumers didn’t understand that their TVs were watching them back.
Kentucky’s bill, with a proposed effective date of July 1, 2027, signals a potential trend. If other states follow Kentucky’s lead in classifying ACR as sensitive data, smart TV manufacturers and the advertising technology ecosystem built on ACR data would face a fundamental business model challenge.
Compliance Implications
For organizations that process ACR data:
- Consent mechanisms need upgrading. Moving from opt-out to opt-in for ACR data collection requires redesigning consent flows on smart TV platforms.
- Data inventories need updating. If you receive ACR data from smart TV manufacturers as part of advertising or analytics services, you may now be processing sensitive data under Kentucky law.
- Data protection assessments required. Processing sensitive data triggers enhanced assessment obligations under most state privacy frameworks.
- Watch for copycats. If Kentucky’s bill passes, expect similar bills in other states. Building ACR-specific compliance now is cheaper than retrofitting later.
Hawaii: The Eavesdropping Economy Gets a Stop Sign
Hawaii’s Senate passed SB 1163, a targeted bill that tackles two of the most invasive forms of data collection head-on.
The bill prohibits the sale of:
- Geolocation information without consent
- Internet browser information without consent
- Data collected through eavesdropping or through an application operating in the background of a device that uses the device’s microphone
That third category is the one that should make ad tech companies nervous.
The “Is My Phone Listening to Me?” Bill
We’ve all had the experience: you mention a product in conversation and then see ads for it on your phone. The debate over whether apps actually listen through device microphones has been ongoing for years, with tech companies consistently denying the practice while researchers and journalists continue to find evidence of it.
Hawaii’s SB 1163 doesn’t try to settle the technical debate. Instead, it takes a practical approach: regardless of how the data is collected, if it was gathered through eavesdropping or background microphone access, it cannot be sold.
The bill also includes exemptions for lawful law enforcement investigations, ensuring it targets commercial data practices rather than public safety operations.
The Geolocation Dimension
The geolocation provisions are equally significant. Location data has become one of the most valuable — and most sensitive — categories of personal information in the data broker ecosystem. It can reveal:
- Where someone lives and works
- Medical facilities they visit
- Religious institutions they attend
- Political rallies or protests they participate in
- Domestic violence shelters they access
The commercial sale of geolocation data has been the subject of increasing regulatory scrutiny, with the FTC taking enforcement actions against data brokers selling location data that could be used to track visits to sensitive locations.
Hawaii’s bill puts a consent requirement squarely in front of geolocation data sales — you can’t sell it unless the consumer explicitly agrees.
What Compliance Teams Should Do
- Audit your data supply chain for geolocation and audio-derived data. If you purchase data from brokers or ad tech providers that includes location information or data derived from audio/microphone access, Hawaii’s bill could affect your operations.
- Review consent mechanisms for Hawaii consumers. If the bill becomes law, you’ll need to obtain explicit consent before selling geolocation or browser data for Hawaii residents.
- Examine your SDK and app permissions. If your mobile applications access microphone permissions, ensure you have clear justification and consent — and that any data derived from microphone access isn’t flowing into data sale pipelines.
The Clock Is Running: Upcoming Legislative Closures
Several state legislatures are approaching their session-end deadlines, creating urgency for privacy bills still in the pipeline:
| State | Closing Date | Bills to Watch |
|---|---|---|
| Wisconsin | March 19 | Consumer data privacy bill, App Store regulation bill |
| Alabama | March 27 | Comprehensive consumer data privacy bill (in Senate) |
| Maryland | April 13 | Multiple privacy-related bills |
| Maine | April 15 | LD 1822 (comprehensive privacy, narrowly passed House) |
Wisconsin’s closure on March 19 is particularly imminent. The state has been considering both a consumer data privacy bill and an App Store regulation bill, but neither has advanced rapidly enough to suggest passage before the deadline. These bills would likely need to be reintroduced in the next session.
Maryland and Maine have more runway, and both have active privacy legislation that could advance in the coming weeks. Maine’s LD 1822 — which narrowly passed the House — is now in the Senate and remains a live possibility.
The Bigger Picture: Patchwork Accelerating
The 2026 legislative session is reinforcing a trend that’s been building since 2023: the U.S. state privacy patchwork is getting more complex, not less.
Each new state bill introduces slightly different definitions, thresholds, exemptions, and requirements. Alabama removes opt-out signal recognition while other states mandate it. Kentucky creates a new category of sensitive data that doesn’t exist in most other state frameworks. Hawaii bans practices that most states haven’t addressed at all.
For multi-state organizations, the compliance burden is cumulative. Every new state law requires:
- Legal analysis of how it differs from existing obligations
- Data mapping updates for state-specific requirements
- Consent mechanism adjustments
- Privacy policy revisions
- Staff training on new obligations
The absence of a comprehensive federal privacy law means this patchwork will continue to grow. Organizations that haven’t invested in scalable, flexible privacy compliance infrastructure will find each new state law increasingly expensive to implement.
For compliance teams tracking the 2026 session: the next two weeks are critical. Alabama and Wisconsin are approaching their deadlines, and the compromises being struck in committee — like Alabama’s removal of opt-out signal requirements — will shape the privacy obligations your organization faces for years to come.
For more on the evolving state privacy landscape, see our analysis of the Great Privacy Patchwork of 2025 and CPPA’s 2025 Enforcement Blitz.
