State Privacy, Data Center, and AI Laws: What Consumers Need to Know

A growing number of states are passing laws that change how companies handle your personal data, operate data centers, and use artificial intelligence. While no single federal privacy law exists, these state-level rules create a patchwork of consumer protections—and obligations for businesses. Here’s what the latest wave means for you, and how to stay ahead.

What Happened

In 2025 and 2026, several states enacted or updated laws covering three areas: general consumer privacy, data center regulation, and AI transparency. According to a July 2026 analysis by Bloomberg Government, these measures are among the most active areas of state policymaking.

Key state privacy updates

  • California’s existing Consumer Privacy Act (CCPA) was amended to expand categories of sensitive data and require more explicit opt-out mechanisms.
  • Colorado’s Privacy Act added new requirements for profiling and automated decision-making, with stricter consent rules for data used to train AI models.
  • Virginia amended its Consumer Data Protection Act to include biometric data and to mandate data protection impact assessments for high-risk processing.

Data center regulations

  • States like Virginia, Georgia, and Oregon passed laws requiring data centers to disclose their energy and water usage, and in some cases to implement specific environmental controls.
  • A few states also introduced data localization requirements—forcing certain types of consumer data to be stored within state borders—though these have faced legal challenges and remain uncertain.

AI transparency rules

  • California’s AI Transparency Act (effective 2026) requires companies using AI to generate content or make consequential decisions to disclose that to consumers.
  • Colorado’s AI rules (effective mid-2025) mandate that developers of high-risk AI systems publish notices about their training data sources and accuracy.
  • The New York City AI law, which took effect earlier, was cited as a model for these state efforts.

It’s important to note that these laws are not uniform, and some are still being interpreted by regulators. A federal AI framework proposed by the Trump administration, reported by Bloomberg Government in March 2026, would preempt many state AI laws—but it has not passed Congress.

Why It Matters

For everyday users, these laws affect three concrete areas:

  1. How your data is collected and sold. Stronger opt-out rights mean you can more easily stop companies from sharing your data for advertising or AI training. But the effectiveness depends on whether a company actually honors your request. The laws improve accountability but don’t eliminate data collection.

  2. How AI tools treat your inputs. When you use an AI assistant or chatbot that is covered by transparency laws, the company must tell you whether a decision or output was generated by AI. This is especially relevant for hiring, credit, and medical tools. However, many consumer AI apps are exempt under “small provider” exceptions, so the rule won’t cover every tool you use.

  3. Where your data lives and how secure it is. Data center regulations typically don’t give you direct rights, but they may indirectly improve security standards and environmental accountability. Data localization laws could make cross-border data transfers more difficult, potentially affecting services you rely on.

What Readers Can Do

Given the patchwork nature of these laws, you can take practical steps to protect yourself:

  • Check your state’s privacy law. If you live in California, Colorado, Virginia, or other states with comprehensive laws, visit the state attorney general’s website for specific guidance on how to submit a data deletion or opt-out request. For other states, your rights are more limited. Without a federal law, companies may still collect data with minimal restrictions.

  • Review privacy settings on major platforms. Google, Meta, and Microsoft have updated their privacy dashboards to comply with new state rules. Look for toggles labeled “do not share my data for AI training” or “opt out of profile building.” Keep in mind: these settings may not apply if a company claims a legitimate business interest.

  • Ask before using AI tools. Before entering sensitive personal information into an AI chatbot, check the service’s privacy policy or FAQ. Many disclose how your data is used for model training. If the policy is unclear, assume it will be retained. Some states’ transparency laws require a clear disclosure, but not all companies comply.

  • Follow Bloomberg Government’s tracking. They publish regular updates on state law trends. (The July 2026 article “Data Center, Privacy, AI Rules Lead New State Laws” is a good starting point.) Keep an eye on whether federal preemption happens, as that could override many of these rules.

Sources

  • BGOV OnPoint: Data Center, Privacy, AI Rules Lead New State Laws – Bloomberg Government (July 10, 2026)
  • BGOV OnPoint: Data Center Boom Confounds Policymakers – Bloomberg Government (May 18, 2026)
  • AI Transparency Requirements Emerge as Congress Crafts Framework – Bloomberg Government (April 6, 2026)
  • BGOV OnPoint: Trump AI Framework Would Preempt State Laws – Bloomberg Government (March 23, 2026)
  • Text of California AI Transparency Act (2025), Colorado Privacy Act Rules (2025), Virginia Consumer Data Protection Act amendments (2026) – official state websites