AGG Celebrates Data Privacy Day 2026 With a U.S. Privacy Law Update

Key Takeaways

• U.S. state privacy laws continue to expand and evolve. As of January 1, 2026, Indiana, Kentucky, and Rhode Island joined the list of states with consumer privacy laws in effect, bringing the total to 19 states, while amendments to existing laws in states such as California and Connecticut trigger enhanced compliance obligations.
• Regulatory scrutiny and private litigation over tracking technologies remain high. Website cookies, pixels, chat tools, and session replay software continue to fuel demands under wiretapping statutes, prompting organizations to reassess consent practices, vendor contracts, and technology governance.
• Ongoing privacy governance is essential. Privacy compliance is not a one-time exercise; organizations must adopt proactive planning to address regulatory change and rising consumer expectations around data protection.

Data Privacy Day, observed annually on January 28, is a global initiative promoting awareness of privacy and personal data protection in an increasingly digital world. Started in Europe in 2007, this year’s observance comes amid continued regulatory expansion, heightened enforcement activity, increased use of artificial intelligence, and growing consumer expectations around responsible data stewardship.

State Privacy Law Patchwork Grows in Size and Complexity

As of January 1, 2026, Indiana, Kentucky, and Rhode Island joined the growing list of states with comprehensive consumer privacy laws in effect, bringing the total to 19 (or 20, if Florida is included), while several other states have refined their existing frameworks through targeted amendments.

For example, in California, recent amendments to the CCPA regulations that took effect on January 1, 2026, introduce new risk assessment and cybersecurity audit requirements and adjust privacy notice and consumer rights request obligations, including a mandate for businesses to disclose on their websites whether they have processed a consumer’s request to opt-out of sale or sharing (including requests made through the Global Privacy Control (“GPC”) signal).

Additionally, beginning July 1, 2026, Connecticut’s privacy law will significantly lower its applicability thresholds, meaning that unless an exception is applicable, it will apply to any person that:

1.  controls or processes the personal data of at least 35,000 Connecticut residents (down from 100,000);
2. controls or processes any sensitive data of Connecticut residents; or
3. offers any consumer personal data for sale in trade or commerce (down from 25,000 consumers and at least 25% of gross revenue from the sale of personal data).

The first two prongs include an exception for control or processing “solely” to complete a payment transaction.

Tracking Technologies Litigation Continues

Plaintiffs continue repurposing old wiretapping statutes, like the California Invasion of Privacy Act (“CIPA”), to argue that companies deploying third-party technologies on their websites — such as cookies, pixels, chat tools, and session replay software — permit third parties to illegally “intercept” or “wiretap” communications between a website visitor and the website operator.

This theory has fueled a wave of demand letters and class actions seeking statutory damages based on the use of these common website technologies, prompting many organizations to explore ways to manage this risk, including inventorying and auditing website technologies and consent management tools, collecting consent before use of website technologies, and executing appropriate contractual terms with third parties.

Looking Forward

In today’s day and age, privacy compliance cannot be treated as a one-time, “set-it-and-forget-it” exercise. Rather, it demands ongoing governance, periodic review, and proactive planning to keep pace with legal and technological change.

Data Privacy Day serves as a timely reminder for organizations to elevate data protection efforts — not only to meet regulatory obligations, but also to reinforce data protection as a fundamental building block of trust with consumers and other stakeholders.