State Privacy Bills: Six States, Four Stories
The patchwork of U.S. state consumer data privacy legislation keeps expanding. This week’s roundup covers six states — Maine’s ongoing legislative standoff, three amendment bills crossing key milestones, Vermont’s data broker tightening, and a New Jersey move on biometric surveillance that compliance teams in retail and financial services should have on their radar.
1. Maine: The Deadlock Continues
Maine’s consumer data privacy bill has become one of the more closely watched state privacy standoffs of the 2026 legislative session. Here’s where things stand:
- The House passed an initial version of the bill earlier in the session
- The Senate amended the House bill before passing it
- Last week, the House amended the Senate’s version and passed it back
The bill is now back in the Senate’s court. This kind of chamber-to-chamber amendment cycle — sometimes called a “ping-pong” process — is common when the two chambers have substantive disagreements over the bill’s scope or definitions. Until both chambers agree on identical language, the bill cannot advance to the governor.
What compliance teams should watch: Maine’s bill, if passed, would add another state to the growing list of jurisdictions with comprehensive consumer privacy rights (access, deletion, correction, portability, opt-out of sale and targeted advertising). The specific provisions in dispute between the chambers have not been publicly detailed, but the back-and-forth suggests disagreement over scope — likely around business thresholds or exemptions.
Practical implication: If you’re already compliant with a modern state privacy law — Virginia’s CDPA, Connecticut’s CTDPA, or Colorado’s CPA — Maine will likely map closely. No need to act now, but flag it for your compliance calendar.
2. Three Amendment Bills: Kentucky, New Hampshire, and Maryland
These aren’t new privacy laws — they’re surgical updates to existing ones. Each targets a specific gap or emerging risk.
Kentucky: Automatic Content Recognition as Sensitive Data
Kentucky’s amendment bill passed the Senate last week, having previously cleared the House. It now heads to the governor.
The amendment adds automatic content recognition (ACR) to the list of sensitive data categories under the commonwealth’s consumer data privacy law.
What is ACR? Automatic content recognition is the technology used by smart TVs and streaming devices to identify what you’re watching — essentially audio and visual fingerprinting of on-screen content. ACR data is used extensively for targeted advertising and audience measurement. Companies like Samba TV and Vizio have faced regulatory scrutiny over ACR practices.
Compliance implication: If your organization (or a third party you work with) uses ACR data for advertising targeting, audience analytics, or data brokerage, Kentucky consumers’ ACR data would now require the heightened protections applicable to sensitive data — including explicit consent requirements.
New Hampshire: Children’s Location and Sensitive Data Sale Prohibition
New Hampshire’s amendment bill also advanced through the Senate last week, having passed the House. It prohibits the sale of location data and other sensitive data about children.
This builds on the national trend of children’s data protections accelerating significantly faster than adult privacy protections. The amendment reflects growing legislative consensus that children’s location data is in a distinct risk category — particularly given its potential for physical safety implications.
Compliance implication: Any business that collects location or sensitive data from users under 18 and monetizes that data (through sale, sharing for advertising, or data broker arrangements) should review New Hampshire’s amended definitions immediately once the final text is confirmed.
Maryland: Immigration Enforcement Data Restrictions
Maryland’s amendment bill — which passed the state House before the crossover deadline — amends the state’s existing privacy law to address immigration enforcement.
Specifically, the bill restricts how personal data can be used in connection with immigration enforcement activities. This is a narrower, policy-driven amendment reflecting Maryland’s political posture on immigration, but it has compliance implications for any data processors or vendors operating in the state who handle government contracts or law enforcement requests.
Compliance implication: Data processors serving Maryland state agencies, or those who receive law enforcement data requests, should review the final text carefully. The interaction between state privacy law restrictions and federal law enforcement obligations will require legal analysis.
3. Vermont: Tightening the Data Broker Registration Law
Representative Monique Priestley’s bill to amend Vermont’s existing data broker registration law passed the House last week.
Vermont has had a data broker law since 2018 — one of the earliest in the country. The Priestley amendment tightens its requirements. The specific changes in the amendment haven’t been fully published, but Vermont’s data broker framework already requires:
- Annual registration with the state Attorney General
- A publicly accessible registry of registered data brokers
- Disclosure of data collection practices and opt-out mechanisms
Why this matters beyond Vermont: Vermont’s data broker law has historically been a leading indicator. Several other states have modeled or expanded their own data broker requirements based on Vermont’s framework. An amendment strengthening the Vermont law is worth monitoring as a signal of where the national conversation on data brokers is heading — especially given FTC scrutiny of the data broker industry at the federal level.
Compliance implication: If your business meets Vermont’s definition of a data broker (collecting and selling personal data of consumers with whom you have no direct relationship), review the amendment text once it’s finalized and ensure your registration and opt-out processes remain compliant.
4. New Jersey: Biometric Surveillance in Business Settings
New Jersey’s Assembly passed a bill last week to prohibit the use of biometric surveillance systems by businesses under certain circumstances.
New Jersey has been active on privacy legislation this session, a trend the author of our source material cheekily sums up with the line “the Springsteen state was born to run privacy bills this year.” (The Springsteen reference will either land or it won’t.)
What counts as biometric surveillance? The bill targets systems that collect and analyze biometric identifiers (facial recognition, gait analysis, iris scanning, voiceprints) in real time in public or semi-public spaces. The “under certain circumstances” qualifier suggests there will be carve-outs, likely for law enforcement, security, or employment contexts.
Who is most affected:
- Retail — stores using facial recognition for loss prevention
- Financial services — branches using biometric authentication in customer-facing environments
- Hospitality and entertainment — venues using crowd analytics
- Real estate — commercial property managers using biometric access systems
Compliance implication: New Jersey’s bill needs to clear the Senate before it becomes law, but the Assembly passage is significant. New Jersey is a large commercial state. A biometric surveillance prohibition — even a partial one — would affect a substantial number of businesses operating customer-facing locations there.
The Bigger Picture: What Update #11 Tells Us
Eleven weeks into 2026 and the pattern is clear:
1. Amendment activity is accelerating. Three amendment bills in a single week signal that states with existing privacy laws are moving into a second-generation phase: fixing gaps, adding categories, and responding to new technology like ACR and biometric systems.
2. Children’s data remains the legislative fast lane. New Hampshire’s child-focused amendment joins a long line of state actions that move faster on children’s privacy than on adult privacy. If you handle any data from users under 18, the compliance bar is consistently higher and moving faster.
3. Biometric data is the next major battleground. Between New Jersey’s surveillance bill and a growing number of municipal ordinances, biometric data collection in commercial settings is heading toward a much more restrictive regulatory environment. Organizations still relying on facial recognition or other biometric systems in customer-facing contexts without a clear legal basis should be building their compliance roadmap now.
4. Deadlocks like Maine are normal — until they’re not. Chamber disagreements drag out for weeks or months and then resolve suddenly. Maine’s bill could stall indefinitely or pass in a single week. Keep it on your watchlist with a low-effort monitoring posture.
Quick Reference: This Week’s State Privacy Activity
| State | Action | Status | Key Provision |
|---|---|---|---|
| Maine | House re-amended Senate version, returned to Senate | ⏳ Pending Senate | Comprehensive consumer privacy |
| Kentucky | Amendment bill passed Senate | ✅ To Governor | ACR added as sensitive data category |
| New Hampshire | Amendment bill advanced in Senate | ✅ Near final | Children’s location/sensitive data sale ban |
| Maryland | Amendment bill passed House | ⏳ Awaiting Senate | Immigration enforcement data restrictions |
| Vermont | Data broker amendment passed House | ⏳ Awaiting Senate | Tightened data broker registration |
| New Jersey | Biometric surveillance bill passed Assembly | ⏳ Awaiting Senate | Business biometric surveillance restrictions |