The state-level privacy landscape continues to evolve at a rapid clip. This week’s roundup covers significant developments in Alabama, Utah, Virginia, Connecticut, Oklahoma, Minnesota, and Colorado — a snapshot of just how busy legislatures have become as they race to establish consumer data protections in the absence of a comprehensive federal law.

Alabama Steps Into the Privacy Arena

The headline story from this past week is Alabama’s House passage of a comprehensive consumer data privacy bill — a meaningful milestone for a state that had been largely absent from the conversation for the past three years.

The Alabama House unanimously passed the comprehensive privacy legislation in a 104-0 vote. Before final passage of the bill (HB-351), members supported an amendment that bill sponsor Rep. Mike Shaw said would effectively remove “any mention of AI” from the proposed Alabama Personal Data Protection Act.

At a structural level, the bill follows what privacy practitioners call the “Washington Privacy Act model” — the same framework adopted by Virginia, Colorado, Connecticut, and several other states. Key provisions include:

  • Applicability threshold: A 25,000-consumer trigger applies, meaning smaller businesses have room to breathe before obligations kick in.- Entity-level exemptions: GLBA-regulated financial institutions and HIPAA covered entities are carved out at the entity level, not just the data level — a distinction that matters significantly for large tech companies with financial or healthcare arms.- Small business exemption: Small businesses are exempt, unless they are in the business of selling personal data.- Teen consent: Businesses must obtain consent before targeting advertising or selling personal data for consumers ages 13–15.- Opt-out signals: The bill requires recognition of opt-out preference signals, keeping Alabama aligned with the growing national standard.- No DPIAs required: Notably, the bill does not require data protection impact assessments, making it more business-friendly than some peer states.- Enforcement: The state Attorney General has exclusive enforcement authority, with a 45-day right to cure that does not sunset — a more lenient stance than states like Connecticut, which eliminated its cure period at the start of 2025.

If it becomes law, the proposed effective date would be May 1, 2027. The bill now moves to the Alabama Senate, where it faces a tight legislative calendar.

This comes on the heels of Alabama enacting an App Store law, signaling that the state’s appetite for tech-related regulation is growing.

Amendment Bills: Utah and Virginia Keep Moving

Two states continued advancing amendment bills to their existing privacy frameworks last week.

Utah is pushing a targeted but notable change: its amendment bill — which has already cleared the House and is now awaiting Senate floor votes — would apply the state’s existing consumer data privacy law to motor vehicle manufacturers, regardless of whether those manufacturers otherwise meet the standard applicability thresholds. As connected vehicles generate increasingly granular data about drivers’ habits, locations, and behaviors, this is a significant move to close what has become an obvious loophole.

Virginia is tackling geolocation data. The state’s amendment bill would prohibit controllers from selling or offering to sell precise geolocation data. The bill passed the House but was amended in the process, meaning it now needs to return to the Senate for a concurrence vote before it can advance further.

Both bills reflect an emerging trend: states that were early movers on privacy are now going back to patch specific gaps — vehicles and location data being two of the most pressing.

Connecticut: Maroney’s CTDPA Amendment Is a Broad Reform Package

Senator James Maroney — the architect of Connecticut’s original Consumer Data Privacy Act — has released the text of a sweeping new amendment bill. The proposal is multifaceted and touches several areas of particular interest to privacy and security professionals:

  • Data Broker Registration / Delete Act Provisions: The bill would introduce a data broker registration requirement alongside Delete Act-style provisions, giving consumers mechanisms to request deletion of their data from brokers.- Algorithmic Pricing Disclosures: Businesses using algorithms to set prices would face new transparency requirements — a provision that directly targets practices like dynamic pricing and personalized pricing based on consumer profiles.- Facial Recognition Technology: The bill amends the CTDPA’s treatment of facial recognition, responding to growing concerns about retailers and other businesses deploying the technology for loss prevention and identification purposes.- Publicly Available Information: Revisions address how the exemption for publicly available information is applied — an area that has created compliance ambiguity.- Employment Profiling: The bill extends protections to employment-related automated profiling, a category that is increasingly relevant as employers use AI-driven tools in hiring and workforce management.- Precise Geolocation Data: The bill tightens restrictions on geolocation data, consistent with Virginia’s parallel effort and a broader national trend.

The bill is set for a public hearing in the coming days. Connecticut has consistently been one of the most aggressive states on privacy enforcement, and the state Attorney General’s office has been actively investigating data brokers, connected vehicles, social media platforms involving children, and AI chatbot products posing risks to minors. This amendment bill looks to give the AG’s office additional statutory backing for those enforcement priorities.

Oklahoma: Awaiting Final Passage

Oklahoma remained quiet this week as the state’s consumer data privacy bill waits for final passage. Oklahoma’s consumer data privacy bill (SB 546) had advanced out of the House Commerce and Economic Development Oversight Committee by a 15-2 vote in a prior session, and the bill had already cleared the Senate. The finish line is in sight — the question now is whether it crosses before the legislative calendar runs out.

Minnesota: Amending Consumer Health Data Protections

In Minnesota, Representative Steve Elkins’s HF 2700 received committee attention last week. The bill proposes targeted amendments to the state’s existing consumer data privacy law, specifically focused on consumer health data. As states increasingly recognize that health data — including data about reproductive health, mental health, and chronic conditions — warrants heightened protections beyond what HIPAA covers, Minnesota’s effort is part of a growing wave of state-level health data legislation that fills the gaps left by federal law.

Colorado: Kids’ Privacy Bill Clears Senate Committee

Colorado Senator Matt Ball’s SB 51 — formally titled the Age Attestation on Computing Devices bill — unanimously cleared a Senate committee last week and has been placed on floor votes.

The bill is based on California’s Digital Age Assurance Act (AB-1043), a similar California bill that was passed and will take effect in 2027. Both the Colorado bill and the California law require operating system providers — rather than individual apps — to verify user age.

Here’s how the mechanism works: the measure would require operating systems to collect and store the age of the device’s registered owner at setup. Rather than sharing an exact birthdate with third-party apps, the operating system would convert that information into a broad “age bracket” and make it available to app developers through an API. The defined brackets are: under 13, 13 to under 16, 16 to under 18, and 18 and above.

Unlike some laws in other states, SB 51 doesn’t require users to share personally identifiable information or use facial recognition technology.

The bill is not without controversy. Critics have pointed out that the legislation doesn’t specify how age is actually verified — meaning a minor could simply enter an incorrect birthdate at device setup. There are also scope concerns: the bill appears to apply primarily to mobile apps and app stores, not to websites accessed through internet browsers, potentially leaving a significant workaround in place.

To encourage compliance, SB26-051 includes financial penalties. Companies that negligently violate the law could face fines of up to $2,500 per affected minor. Intentional violations could carry penalties of up to $7,500 per minor.

If passed, the bill would take effect January 1, 2028.

The Bigger Picture

This week’s activity reflects several converging themes in state privacy legislation:

Geolocation data is a priority target. Both Virginia’s amendment and Connecticut’s forthcoming bill address precise geolocation data. This is not coincidental — location data has become one of the most commercially sensitive and personally revealing categories of information in existence, and state AGs are increasingly focused on it.

Children’s privacy is driving legislative energy. Colorado’s SB 51 and Minnesota’s health data amendments both reflect growing urgency around protecting younger users. States are not waiting for federal action.

Early adopters are iterating. Virginia, Connecticut, and Utah are all amending laws they already have on the books. The first generation of state privacy laws left gaps, and legislatures are beginning the work of closing them.

Alabama’s passage signals continued expansion of the privacy map. With Alabama moving, the list of states without any comprehensive consumer data privacy law continues to shrink.

For organizations operating across multiple states, the compliance burden grows with each new law and amendment. Building a privacy program that can flex to accommodate state-by-state variation — particularly around teen consent, opt-out signals, geolocation data, and health information — is no longer optional. It is a baseline operational requirement.

Stay current with ComplianceHub for ongoing coverage of state and federal privacy legislation, enforcement actions, and practical compliance guidance for security and privacy professionals.