New State Privacy and AI Laws: What They Mean for Your Data
Intro
Over the past two years, a wave of new state laws has reshaped how companies handle personal data and artificial intelligence. While Congress continues to debate a federal privacy framework, states from California to Texas have moved ahead with their own rules covering data centers, consumer privacy, and AI transparency. Many of these laws take effect in 2025 and 2026, creating a patchwork of obligations that can be confusing for consumers. This article breaks down the key developments and explains what they mean for your online safety and digital rights.
What Happened
In 2025 and 2026, several states enacted or updated comprehensive privacy laws. California expanded its existing California Consumer Privacy Act (CCPA) with new rights covering automated decision-making. Colorado and Virginia also passed amendments that tighten rules around data sharing and consumer consent. Meanwhile, lawmakers in states like Texas, Florida, and Maryland introduced broader privacy bills that include provisions on data minimization and limits on the use of sensitive personal information.
At the same time, a growing number of states have passed AI transparency laws. These typically require companies to disclose when they use an automated system to make decisions about consumers—for example, in credit scoring, hiring, or insurance pricing. Some laws also mandate that companies reveal the data used to train these models and allow individuals to opt out of such profiling.
A less visible but equally significant development is the regulation of data centers. Several states, including Virginia and Illinois, now require data center operators to meet certain security and data retention standards. These laws can affect how long companies keep your personal information and what happens to it when a data center changes ownership or shuts down. Some also impose breach notification timelines that are stricter than existing federal rules.
According to a Bloomberg Government News report, these areas—data center regulation, privacy, and AI rules—are now leading the state legislative agenda, with over 40 states considering bills related to at least one of them. (Source: BGOV OnPoint: Data Center, Privacy, AI Rules Lead New State Laws, Bloomberg Government News, July 2026.)
Why It Matters
If you live in a state with a new privacy law, you may now have legal rights that did not exist before the law passed. These often include the right to know what personal data a company holds about you, the right to request deletion of that data, and the right to opt out of the sale or sharing of your information. Some newer laws also give you the right to correct inaccurate data and to limit the use of sensitive data such as health information or precise geolocation.
AI transparency rules are particularly relevant for anyone who has applied for a loan, a job, or housing in recent years. Companies using AI to evaluate applicants must now explain in plain language how the model works and what factors it relies on. In theory, this makes it easier for consumers to challenge unfair decisions. However, enforcement varies and some exemptions exist, so the practical impact is still uncertain.
Data center regulations matter because they influence the security of your information once it is stored in the cloud. Stronger retention limits and breach notification rules can reduce the risk that your data is exposed in a breach or kept longer than necessary.
That said, the patchwork nature of these laws creates gaps. Not all states have passed comprehensive privacy laws, and even within states that have, enforcement can be slow. Federal legislation could eventually override some of these state rules, but as of mid-2026, no preemptive bill has been signed into law. (Bloomberg Government News reports that the current administration’s proposed AI framework would supersede state laws, but it remains under congressional review.)
What Readers Can Do
Take these practical steps to make use of your new rights:
Check your state’s law. If you live in California, Colorado, Connecticut, Virginia, or Texas, you likely have stronger privacy protections. Look up the exact law and its effective date. Even if your state hasn’t passed a law yet, many companies apply the most protective state rules nationwide for simplicity.
Exercise your opt-out rights. Most privacy laws let you opt out of the sale or sharing of your personal data. Look for a “Do Not Sell or Share My Personal Information” link on websites and apps. Some laws also require companies to honor global privacy controls like Global Privacy Control (GPC) if your browser sends that signal.
Request a copy of your data. You have the right to ask companies for a list of the personal information they hold about you. Do this with major services you use—social media platforms, retailers, credit bureaus—to see what they have collected.
Inquire about AI decision-making. If you suspect an automated system influenced a decision about you, ask the company for an explanation. Under newer state laws, they must provide a meaningful description of the logic involved. Keep a record of the response.
Monitor federal activity. Congress may pass a national privacy bill that could supersede state laws. Stay informed through sources like the Bloomberg Government news tracker or consumer advocacy groups. If preemption occurs, your rights may change, so it pays to act now while state protections are in force.
Sources
- “BGOV OnPoint: Data Center, Privacy, AI Rules Lead New State Laws” – Bloomberg Government News (July 2026)
- “BGOV OnPoint: Data Center Boom Confounds Policymakers” – Bloomberg Government News (May 2026)
- “AI Transparency Requirements Emerge as Congress Crafts Framework” – Bloomberg Government News (April 2026)
- “BGOV OnPoint: Trump AI Framework Would Preempt State Laws” – Bloomberg Government News (March 2026)