Key point: The U.S. state privacy law landscape has rapidly expanded in 2026, growing from 20 to 24 states—and reinforcing a common framework for compliance.
Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, artificial intelligence, biometrics, and information security. She draws on a notable background as one of the first U.S. attorneys focused on data privacy and cybersecurity, as well as experience as a corporate executive. Heidi previously held executive roles at two large multinational corporations, Thomson Reuters and Leidos.
Key point: Colorado has repealed and replaced the Colorado AI Act, amid years of skepticism from industry critics.
On May 14, Colorado Governor Jared Polis signed SB 26-189 into law, repealing and replacing the landmark Colorado Artificial Intelligence Act (CAIA), just under two months before it was set to take effect. CAIA was enacted in 2024 with an amended effective date of June 30, 2026.
Key point: The Utah legislature just passed a first-of-its-kind digital identity law that gives residents new rights over what personal information they share when verifying their identity. If your business chooses to participate as a verifier in Utah’s state-endorsed digital ID program—or builds the technology behind it—new consent, purpose-limitation, and loyalty obligations apply starting May 6, 2026.
Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.
The Rules Vary by Program. Privacy Obligations Do Not.
Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:
All these instances trigger compliance obligations—even if the activities feel informal or low-risk.
With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.
In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.
Litigation targeting website tracking technologies—such as cookies, pixels, session replay, and analytics tools—remains a major risk for businesses in 2025 and beyond. Courts continue to shape the boundaries of liability, consent, and compliance, with California and federal courts issuing several pivotal decisions this year. The legal landscape is evolving, with new theories, defenses, and legislative proposals emerging.…
California continues to set the pace for digital privacy reform, enacting three groundbreaking laws that will reshape how personal information is handled across the state. On October 8, 2025, Governor Newsom signed three new privacy bills, which will allow California consumers to gain greater control over their personal information, while businesses, data brokers, and social media platforms will face new transparency and compliance obligations.
Key point: Recent legislative efforts in Massachusetts, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and in California enacting a law to regulate AI development, occurred this week when the Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, and California enacted the nation’s second substantive state law regulating AI.