Privacy Law News Today: Latest Updates for April 2026

Privacy Law News Today highlights key developments in data protection as regulators, lawmakers, and courts continue to shape how personal information is collected, used, and safeguarded across the United States and globally. In April 2026, federal lawmakers advanced proposals for a nationwide privacy framework, multiple state laws took effect or advanced, and enforcement actions underscored ongoing priorities around transparency, children’s data, and emerging technologies. These updates affect businesses of varying sizes, consumers exercising privacy rights, and organizations navigating a patchwork of obligations.

Federal Push for National Data Privacy Standards

On April 22, 2026, House Republicans introduced two coordinated bills aimed at establishing a single national standard for consumer data privacy. The Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act), led by the House Committee on Energy and Commerce, and the GUARD Financial Data Act, led by the House Committee on Financial Services, would apply to technology companies and financial institutions respectively.

The measures seek to preempt nearly two dozen state privacy laws, addressing what sponsors describe as a confusing patchwork of requirements. Under the proposed framework, covered entities would face obligations to limit data collection and use while granting consumers rights to access, correct, and delete their personal information. Consumers could also opt out of targeted advertising and the sale of personal data. Enforcement would rest primarily with the Federal Trade Commission (FTC) and state attorneys general, with no private right of action contemplated in the current drafts.

These bills represent the most significant federal privacy legislation introduced in the 119th Congress to date. If enacted, they would create parallel regimes for nonfinancial and financial data handling, potentially providing greater uniformity for businesses operating nationwide while raising questions about the preemption of stronger state protections already in place. As of April 25, 2026, the bills remain in the early stages of the legislative process following referral to committee.

Earlier in March 2026, the Online Privacy Act of 2026 (H.R. 8014) was introduced by Rep. Zoe Lofgren (D-CA). That proposal would establish a dedicated Digital Privacy Agency and impose broad data-minimization requirements, though it has seen limited movement to date.

State-Level Privacy Law Expansions Continue

April 2026 also saw continued momentum at the state level. Oklahoma Governor Kevin Stitt signed Senate Bill 546, enacting the state’s first comprehensive consumer data privacy law and bringing the total number of states with such statutes to 20. The law, modeled largely on Virginia’s Consumer Data Protection Act, applies to businesses meeting certain thresholds related to the volume or revenue derived from personal data processing. It grants consumers rights to access, know, delete, and opt out of the sale or targeted advertising of their data. Data protection assessments are required for high-risk processing activities. Enforcement lies exclusively with the Oklahoma Attorney General, and the statute includes a 30-day cure period. The law takes effect January 1, 2027.

Several other state laws that took effect on January 1, 2026, remain in active implementation. Indiana, Kentucky, and Rhode Island joined the list of jurisdictions with comprehensive privacy statutes. Rhode Island’s law features notably low applicability thresholds, covering entities that process data of at least 35,000 consumers (or 10,000 if deriving more than 20 percent of revenue from data sales). Kentucky’s statute includes targeted provisions on health data exemptions and profiling assessments. These additions bring the total active comprehensive state privacy frameworks to approximately 20 as of April 2026.

California Nowadays

In California, the California Privacy Protection Agency (CPPA) continues to implement updated California Consumer Privacy Act (CCPA) regulations that became effective January 1, 2026. Businesses must now conduct risk assessments before engaging in activities such as selling or sharing personal information, processing sensitive personal information, or using automated decision-making technology (ADMT). Consumers gained enhanced tools for confirming the status of opt-out requests submitted via preference signals like the Global Privacy Control. The agency has also solicited preliminary comments on reducing friction in the exercise of privacy rights, with input due earlier in April.

South Dakota enacted the Genetic Data Privacy Act, providing specialized protections for consumer genetic information and adding to sector-specific safeguards.

Focus on Children’s Privacy and COPPA Compliance

Children’s online privacy remained a priority in April 2026. The compliance deadline for the Federal Trade Commission’s amended Children’s Online Privacy Protection Act (COPPA) Rule passed on April 22, 2026. The amendments strengthen requirements for verifiable parental consent before third-party disclosures or targeted advertising involving children’s data, impose stricter data retention limits, and broaden the definition of personal information. The FTC has signaled heightened enforcement in this area.

States continue to advance children’s privacy legislation, including age-appropriate design measures and restrictions on data use in product design, even as courts scrutinize such bills for First Amendment and preemption concerns. These developments reflect growing scrutiny of how digital platforms and applications handle data from minors.

Enforcement Actions and Global Coordination

Regulatory agencies demonstrated continued activity. The FTC announced enforcement actions, including a complaint against Match Group and OkCupid alleging unauthorized sharing of user photos and location data with third parties in violation of privacy promises. The agency also released its Strategic Plan for fiscal years 2026 through 2030, reaffirming its commitment to privacy and data security enforcement.

Internationally, the European Data Protection Board (EDPB) launched its 2026 Coordinated Enforcement Framework (CEF) action on March 19, 2026. This year’s focus shifts to compliance with GDPR transparency and information obligations under Articles 12 and 13-14. The initiative follows the 2025 coordinated effort on the right to erasure and aims to promote consistent application across EU member states.

Practical Implications for Businesses and Consumers

These developments carry direct consequences for everyday operations and rights exercise. For consumers, the expanding set of state laws and potential federal framework mean greater ability to access, correct, or delete personal data in more jurisdictions. Individuals in states like Oklahoma will soon gain new statutory rights, while those in California benefit from refined opt-out mechanisms and risk assessment requirements that indirectly enhance accountability.

Businesses, particularly those operating across multiple states or handling sensitive categories such as health, genetic, or children’s data, face increased compliance obligations. Risk assessments, data protection impact evaluations, and updated privacy notices have become standard practice. Organizations using automated decision-making tools must prepare documentation on training data, limitations, and human review options under frameworks like the proposed Colorado AI policy revisions or CCPA updates.

The federal preemption discussion in the SECURE Data Act and GUARD Financial Data Act highlights a recurring tension: uniformity versus stronger localized protections. Until Congress acts, multistate compliance remains the norm, requiring careful mapping of obligations under laws like the CCPA, Indiana Consumer Data Protection Act, and others.

Data brokers and adtech firms face particular scrutiny, with registration requirements and disclosure obligations appearing in multiple proposals and existing statutes.

Looking Ahead

As of late April 2026, Privacy Law News Today reflects a maturing but still fragmented U.S. privacy landscape alongside coordinated global enforcement efforts. The introduction of federal bills, full implementation of new state statutes, and the COPPA deadline underscore a period of heightened activity. Stakeholders should monitor committee proceedings on the SECURE and GUARD Acts, CPPA rulemaking outcomes, and EDPB enforcement results for further clarity.

This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified counsel for guidance specific to their circumstances or operations. Legal requirements continue to evolve, and compliance depends on individual facts and applicable jurisdictions.

You may also like: Gitmeid Law Group | Debt Relief & Bankruptcy Attorneys