Navigating the 2026 Privacy Patchwork: New State Laws for Small Businesses

Different states have their own rules for handling personal data, and sometimes these laws conflict with one another. This patchwork can make compliance confusing and costly. Recent research shows that the lack of standardized privacy laws has left organizations struggling to meet varying state requirements, with overlapping regulations projected to cost small businesses at least $200 billion over the next decade.

If you run a law firm, are you confident you know which rules apply to your clients across different states? Are you feeling the strain of keeping up with constant changes? The stakes are high. Failing to secure client information or comply with state privacy laws can lead to fines and harm your firm’s reputation. Understanding the legal landscape in every state where your clients reside is critical. To help, our team has compiled the essential privacy regulations that law firms need to know in 2026.

Key State Privacy Laws in 2026

Connecticut’s Senate Bill 1295

Connecticut enacted Senate Bill 1295 on June 24, 2025, which significantly amends the Connecticut Data Privacy Act (CTDPA) to broaden privacy protections. The changes are set to take effect on July 1, 2026, and introduce new requirements, including:

Lower applicability thresholds: The law now covers any firm that controls or processes the personal data of at least 35,000 Connecticut residents, down from the previous threshold of 100,000. Additional triggers, such as processing sensitive data or selling personal data, can also bring a firm under the law.
Expanded definition of sensitive data: “Sensitive data” now includes additional categories such as mental or physical health information, disability or treatment data, neural data, financial account details, government-issued ID numbers, and status as nonbinary or transgender. This broadens the types of information that require heightened protection.
Children’s privacy protections: Processing personal data of individuals under 18, particularly for targeted advertising, profiling, or sale, is now more strictly regulated.
Privacy notice requirements: Firms must clearly disclose how personal data is used, the purposes for processing, and consumer rights, including opt-out options. Privacy policies must be accessible and updated as practices change.

Why it matters for law firms:
Noncompliance can result in fines and reputational harm.
Firms should review internal systems, client intake processes, and data-handling workflows to ensure coverage of sensitive data categories and minors’ protections.
Proactive compliance helps reduce risk and demonstrates commitment to client privacy, a competitive advantage in today’s legal market.

Oregon House Bill 2008

Oregon’s House Bill 2008 (HB 2008) was enacted on June 19, 2025, and will be effective on January 1, 2026. It imposes stricter privacy protections for certain categories of data, such as geolocation data and children’s personal data. Key changes to know include:

Sale of geolocation data prohibited: Firms may no longer sell or transfer precise location information that identifies a consumer’s current or past location within a 1,750‑foot radius. Limited exceptions exist for certain communications or utility-related systems.
Enhanced protections for minors under 16: The sale, targeted advertising, and profiling of personal data for consumers under 16 are now prohibited when the firm knows, or willfully disregards, that the data belongs to a minor.
Privacy notice requirements: Firms must clearly state the purposes for collecting and processing personal data. Data collection should be limited to what is adequate, relevant, and reasonably necessary. Clients must have a straightforward way to revoke consent or opt out of processing.

Why it matters for law firms:
Noncompliance can result in fines and reputational damage.
Firms handling geolocation data or personal data of minors need to review internal workflows, client intake procedures, and privacy notices.
Proactive compliance ensures your firm protects sensitive client information while demonstrating accountability and trustworthiness.

Kentucky House Bill 473

Enacted on March 15, 2025, and effective January 1, 2026, Kentucky’s House Bill 473 amends the Kentucky Consumer Data Protection Act (KCDPA), clarifying compliance obligations and aligning state privacy rules with existing federal standards. Key changes to know include:

HIPAA-aligned exemptions: Personal data collected by HIPAA-compliant health care providers is generally exempt from KCDPA requirements. This means that health information your firm handles under federal privacy rules does not need to meet overlapping state-level privacy mandates.
Clarified DPIA requirements: Data protection impact assessments (DPIAs) are now required only if profiling creates a foreseeable risk of unlawful disparate impact on consumers. This focuses compliance efforts on situations where there is a real risk, making profiling reviews more practical and targeted.

Why it matters for law firms:
HIPAA-aligned exemptions reduce regulatory overlap and administrative burden when handling health-related client data.
Understanding when DPIAs are required helps your firm prioritize compliance resources efficiently.
Proactively updating privacy practices in line with HB 473 ensures that your firm remains compliant and protects sensitive client information while minimizing unnecessary operational complexity.

Enhance Your Data Handling and Privacy Compliance

Law firms handle highly sensitive client information, making them especially vulnerable when personal data is exposed. Many states have enacted strict privacy laws to protect personal data, and the cost of a breach can be staggering. According to IBM’s 2025 Cost of a Data Breach report, the global average breach costs around $4.4 million. Protecting client data is not just good practice; it’s essential for avoiding costly disruptions and reputational damage. With each state rolling out its own privacy rules, staying compliant can be challenging, especially for firms serving clients across multiple jurisdictions.

To meet these requirements, your firm may need to:
Update internal processes to align with new state regulations.
Revise privacy policies to clearly communicate how client data is used.
Train staff on updated procedures and compliance obligations.
Manage client consent and preferences for data collection and processing.
Review third-party vendors to ensure they meet privacy standards.

At Digital Crisis, we help law firms navigate evolving privacy regulations and stay fully compliant. Our team guides you on what client data to collect, how to store it securely, and how to use it responsibly. We update privacy policies, implement access controls, monitor data activity, enable encryption, set up backup and recovery systems, manage client consent, and optimize your workflows to ensure compliance with state privacy laws. Contact us today to speak with our privacy compliance experts and protect your firm and clients.

Article FAQs

What kinds of data are considered sensitive?
Sensitive data often includes health information, financial data, government IDs, racial or ethnic information, biometric data, sexual orientation, and data about minors. Handling this data requires stricter protections under most state laws.

What are the penalties for non-compliance?
Penalties vary by state but can include fines and lawsuits. Some states also allow consumers to seek civil damages for data breaches or misuse.

What is a data protection impact assessment (DPIA), and do law firms need one?
A DPIA evaluates the risk of processing personal data. Law firms may need one if profiling or processing sensitive data could result in unlawful discrimination or privacy risks.