State privacy legislation

Customer loyalty program concept in e-commerce for customer engagement. Man holding phone displaying earning points after purchasing online.

Key point: Whether your business runs a retail loyalty program, a restaurant rewards app, a software referral campaign, or an online sweepstakes, these programs often collect customer information, and that can trigger real privacy compliance obligations that are easy to overlook.

The Rules Vary by Program. Privacy Obligations Do Not.

Online promotional activities frequently involve the collection, use, and sharing of consumer personal information, and data privacy laws play an important role across all of them. Examples:

  • A retailer runs a points-based loyalty program which collects purchase history and behavioral data.
  • A company with a household brand name runs a sweepstakes and collects contact information for prize fulfillment.
  • A manufacturer offers mail-in rebates and collects names, addresses, and receipts to provide the rebates.
  • A mobile app runs a referral campaign and collects device identifiers and app usage data.
  • A sports betting app runs an advertising campaign to attract participants and inadvertently collects personal information from middle school kids who like sports.

All these instances trigger compliance obligations—even if the activities feel informal or low-risk.

employee-scaled.jpeg

With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.

In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.

Keypoint: Last week, the Connecticut legislature passed an amendment to the state’s consumer data privacy law and bills advanced in Oregon, California, Texas, Nevada, Louisiana, and New York.

Below is the twenty second weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject

Keypoint: Last week, Oregon and New Jersey advanced bills to amend their state’s consumer data privacy laws, California committees advanced several bills, Nebraska enacted a social media law, and Texas advanced several social media bills.

Below is the twentieth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents

Keypoint: Last week, Oregon’s legislature passed a bill to amend the state’s consumer data privacy law, the Connecticut Senate passed two bills, and there were developments with bills in New Jersey, Nebraska, Texas, Massachusetts, and Louisiana.

Below is the nineteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the