Privacy Law News Today: Latest 2026 Legal Updates & Compliance Alerts

As of March 11, 2026, privacy regulators and courts continue to scrutinize government data access, state-level consumer protections, and emerging artificial intelligence rules. This daily briefing highlights three developments with immediate implications for individuals, businesses, and global data handlers: a federal court ruling on improper sharing of taxpayer information with the Department of Homeland Security (DHS), the first enforcement action under Kentucky’s new privacy law alongside the activation of Indiana’s statute, and the approaching compliance deadlines under the European Union’s Artificial Intelligence Act.

These updates matter because they affect how personal data is collected, shared, and used across borders. Consumers face risks to sensitive information such as tax records, location data, and biometric details. Companies processing data for U.S. residents or operating in the EU must review internal practices to avoid civil penalties, injunctive relief, or reputational harm. The developments illustrate a broader trend: enforcement agencies are moving from rulemaking to active oversight, while courts and legislatures emphasize accountability in data-handling practices.

Background & Legal Context

U.S. federal privacy protections for taxpayer data trace back to the Internal Revenue Code (26 U.S.C. § 6103), which generally prohibits disclosure of returns and return information without explicit authorization. Similar safeguards appear in the Privacy Act of 1974 (5 U.S.C. § 552a), which limits federal agencies’ collection and dissemination of personally identifiable information. Despite these statutes, inter-agency data-sharing agreements have grown in recent years, particularly for immigration enforcement.

Kentucky and Indiana joined a growing list of states enacting comprehensive consumer data privacy laws modeled in part on Virginia’s Consumer Data Protection Act. Kentucky’s Consumer Data Protection Act (KCDPA), codified at KRS 367.3611–367.3629, and Indiana’s Consumer Data Protection Act (ICDPA) both took effect on January 1, 2026. These statutes grant consumers rights to access, correct, delete, and opt out of the sale of personal data while imposing obligations on controllers and processors regarding data minimization, purpose limitation, and consent for sensitive data.

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which entered into force on August 1, 2024, adopts a risk-based framework. It prohibits certain AI practices outright, imposes transparency and conformity assessment requirements on high-risk systems, and sets lighter obligations for general-purpose AI models. The Act’s phased timeline reflects legislative intent to balance innovation with fundamental rights protection under the EU Charter.

Key Legal Issues Explained

At the federal level, the core issue involves unauthorized disclosure of taxpayer addresses and related records to immigration authorities. Federal law requires verification steps before such transfers; failure to follow them can constitute thousands of discrete violations because each improper disclosure is treated separately under the statute. Courts assess compliance through administrative records and affidavits, often focusing on whether agencies had “reasonable procedures” to ensure accuracy and authorization.

State privacy laws center on consumer rights and business responsibilities. Under both the KCDPA and ICDPA, “personal data” means information linked to an identified or identifiable individual. Consumers may submit authenticated requests to exercise rights; controllers must respond within 45 days (extendable once). The laws prohibit processing sensitive data (e.g., precise geolocation, health information, or data of known children) without consent in many cases. Enforcement rests exclusively with each state’s Attorney General, who must provide a 30-day cure period before seeking penalties of up to $7,500 per violation. No private right of action exists, distinguishing these statutes from laws such as California’s CCPA.

The EU AI Act classifies systems by risk level. “High-risk” AI systems (those used in employment, credit scoring, or critical infrastructure) require risk-management systems, technical documentation, conformity assessments by notified bodies, and post-market monitoring. General-purpose AI models must comply with transparency obligations, including copyright-policy summaries and watermarking where feasible. Violations can trigger fines up to 6% of global annual turnover or €35 million, whichever is greater. The framework draws on established EU data-protection principles under the GDPR, requiring data minimization and lawful-basis processing.

Latest Developments or Case Status

On February 26, 2026, U.S. District Court Judge Colleen Kollar-Kotelly ruled that the Internal Revenue Service (IRS) violated federal law approximately 42,695 times by sharing taxpayer addresses with Immigration and Customs Enforcement (ICE) without proper verification. The disclosures stemmed from an April 2025 data-sharing agreement between the Treasury and DHS. The IRS discovered the error in January 2026 and requested remediation; the case remains under appeal in the U.S. Court of Appeals for the D.C. Circuit.

Separately, congressional oversight continues. On February 19, 2026, a group of House Democrats led by Rep. Shontel Brown sent a letter to DHS Secretary Kristi Noem demanding a briefing on the Department’s use of surveillance tools such as Penlink for cellphone location data. The request followed reports of renewed contracts for bulk commercial data that agencies might otherwise need warrants to obtain.

In Kentucky, the Attorney General filed the first enforcement action under the KCDPA on January 8, 2026, just eight days after the law’s effective date, against Character Technologies, Inc., an AI chatbot provider. The complaint alleges unfair collection and exploitation of children’s data in addition to violations of the state’s consumer-protection and data-breach statutes. The AG seeks injunctive relief rather than immediate monetary penalties, consistent with the statutory 30-day cure framework.

Indiana’s ICDPA became enforceable on January 1, 2026. The Attorney General’s office published a Consumer Bill of Rights to educate residents on their new rights and has signaled proactive enforcement through consumer complaints and targeted investigations. No specific enforcement actions have been publicly announced as of March 11, 2026, but the office has emphasized that the mandatory cure period does not prevent swift injunctive relief when violations persist.

For the EU AI Act, the Commission issued guidelines on February 2, 2026, clarifying practical implementation of high-risk classification rules. The next major milestone remains August 2, 2026, when most obligations for high-risk AI systems and the bulk of the regulation’s enforcement mechanisms take effect. Operators of systems already on the market before that date receive limited transitional relief, but new deployments must meet full conformity requirements.

Who Is Affected & Potential Impact

Individuals whose tax or immigration-related data was shared face heightened risks of identity exposure or erroneous enforcement actions. Broader DHS data-acquisition practices potentially affect millions through commercial location tracking. Consumers in Kentucky and Indiana now hold enforceable rights to control their personal data; those interacting with AI chatbots or data-heavy services may see improved transparency and deletion options.

Businesses operating nationally must audit data-sharing agreements with federal agencies and implement state-specific compliance programs. Companies deploying AI in the EU, especially high-risk systems in hiring, lending, or biometric identification, face significant preparation costs for risk assessments, documentation, and conformity procedures. Non-compliance could result in cumulative fines, operational injunctions, or loss of market access.

What This Means Going Forward

These developments signal tighter scrutiny of government data purchases and inter-agency transfers, reinforcing long-standing statutory firewalls. State attorneys general appear ready to test newly effective privacy statutes quickly, particularly in cases involving children or emerging technologies. The EU AI Act’s August 2026 deadline will likely accelerate global AI governance efforts, as multinational companies align practices to the strictest applicable standard.

Organizations should monitor appellate outcomes in the IRS-DHS litigation, track additional state enforcement announcements, and begin mapping high-risk AI systems against EU requirements. Consumers can exercise rights through company portals or state AG offices and should review privacy notices for changes prompted by these laws.

Frequently Asked Questions

What rights do Kentucky and Indiana residents now have under their state privacy laws?

Residents may request access to, correction of, or deletion of their personal data, and may opt out of its sale or its use for targeted advertising. Controllers must respond within 45 days and provide a clear appeals process.

Does the EU AI Act apply to U.S.-based companies?

Yes, if they place AI systems on the EU market or the output of the system is used in the EU. Extraterritorial reach mirrors the GDPR.

Can individuals sue companies directly for violations of the KCDPA or ICDPA?

No. Enforcement authority rests exclusively with each state’s Attorney General.

What is the significance of the February 2026 court ruling against the IRS?

The decision underscores that each improper disclosure of taxpayer information constitutes a separate violation, potentially exposing agencies to substantial remedial obligations even absent monetary damages in the current proceeding.

When must high-risk AI systems comply with the EU AI Act?

Most obligations apply beginning August 2, 2026, with limited grandfathering for systems already on the market before that date.

Are there penalties for DHS data-sharing violations?

Civil remedies and injunctive relief are available through litigation; criminal penalties may apply in cases of willful misconduct under the Internal Revenue Code.

Conclusion

The March 11, 2026, privacy law landscape reflects accelerating enforcement at both federal and state levels alongside the final countdown to major EU AI obligations. Individuals benefit from stronger rights and heightened agency accountability, while businesses face clear compliance deadlines and the risk of swift regulatory action. Staying informed through official agency announcements, court filings, and regulatory guidance remains the most reliable way to navigate this evolving environment.

This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified counsel for advice specific to their circumstances. For further reading, consult primary sources from the U.S. District Court for the District of Columbia, Kentucky and Indiana Attorneys General offices, and the Official Journal of the European Union.
