The Bottom Line
- Four states — Alabama, Louisiana, Oklahoma, and Vermont — have enacted significant new data privacy legislation, further expanding the patchwork of state privacy laws businesses must navigate.
- The new laws are modeled on existing frameworks like the Virginia Consumer Data Privacy Act and Colorado Privacy Act, granting consumers rights over their personal data and imposing obligations on controllers and processors.
- Businesses should begin assessing whether these laws apply to their operations and evaluate whether updates to privacy notices, consumer rights processes, data governance practices, and targeted advertising activities may be needed before the laws take effect.
The state privacy law landscape continues to expand at a rapid pace. So far in 2026, Alabama, Louisiana, Oklahoma, and Vermont each enacted new legislation addressing the collection, use, and protection of personal data. These laws follow the increasingly common model of comprehensive consumer data privacy legislation, drawing from frameworks established by states such as California, Virginia, and Connecticut. Their addition further complicates an already challenging compliance environment for businesses. Each law carries its own applicability thresholds, consumer rights provisions, controller obligations, enforcement mechanisms, and effective dates.
Comparative Analysis: Alabama, Louisiana, Oklahoma, and Vermont
Applicability Thresholds
Alabama, Louisiana, and Oklahoma follow the familiar pattern of setting threshold criteria based on the number of consumers whose personal data is controlled or processed by a business in the preceding calendar year. Vermont’s unique numeric criteria based on sensitive data processing and personal data sales makes it potentially applicable to a broader range of businesses.
| State | Number of consumers whose personal data is controlled or processed |
| Alabama | 1) 35,000; or 2) 5,000 and derived over 25% of gross revenue from the sale of personal data |
| Louisiana | 1) 35,000; or 2) 25,000 and derived over 20% of gross revenue from the sale of personal data |
| Oklahoma | 1) 35,000; or 2) 25,000 and derived over 25% of gross revenue from the sale of personal data |
| Vermont | 1) 35,000; 2) sensitive data of at least 3,000 consumers; or 3) sale of at least 3,000 consumers. |
Controller Obligations
Alabama
Alabama requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Controllers must:
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
- not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes without consumer consent;
- not discriminate against consumers for exercising their rights. Processing of sensitive data requires prior consent;
- provide a reasonably accessible, clear, and meaningful privacy notice describing the categories of data processed, purposes, consumer rights, categories of third parties with whom data is shared, and sale/targeted advertising disclosures.
Louisiana
Louisiana imposes the same core obligations as Alabama, plus additional requirements. Controllers must conduct and document data protection assessments before engaging in targeted advertising, selling personal data, processing sensitive data, profiling that presents a reasonably foreseeable risk of substantial injury to consumers, and any processing that presents a heightened risk of harm to consumers.
If a controller sells sensitive personal data, it must post a clear and conspicuous notice stating: “NOTICE: We may sell your sensitive personal data.” If a controller sells biometric personal data, it must post: “NOTICE: We may sell your biometric personal data.”
Oklahoma
Oklahoma’s controller obligations largely mirror Alabama’s, with the addition of mandatory data protection assessments. Like Louisiana, Oklahoma requires assessments for targeted advertising, the sale of personal data, processing sensitive data, and profiling that presents a reasonably foreseeable risk of substantial injury to consumers.
Vermont
Vermont’s controller obligations are broadly consistent with those of the other three states, with a few additional requirements. Vermont requires controllers to conduct and document data protection assessments, similar to Louisiana and Oklahoma. Additionally, controllers must disclose in their privacy notice whether they collect, use, or sell personal data for training large language models.
Controllers must also contend with a narrower scope of what is considered “publicly available information” under the law, which excludes, for example, biometric data collected without the consumer’s knowledge, or activities that involve combining public information with other personal data to create a consumer profile. Finally, the law imposes additional obligations relating to the collection of “consumer health data,” including a prohibition on selling or offering to sell such data without a consumer’s opt-in consent.
Rights of Data Subjects/Consumers
All four states grant consumers a substantially similar suite of rights over their personal data:
- Right to confirm whether a controller is processing the consumer’s personal data and to access such data
- Right to correct inaccuracies in the consumer’s personal data
- Right to delete personal data provided by or obtained about the consumer
- Right to obtain a copy of personal data in a portable and readily usable format (data portability)
- Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. In addition, Vermont requires that opt-out preference signals, such as the Global Privacy Control (GPC), be treated as an opt-out request.
Controllers must respond to authenticated consumer requests within 45 days, with the possibility of a 45-day extension where reasonably necessary. Louisiana, Oklahoma, and Vermont require controllers to establish an appeals process if a request is denied.
Vermont also grants consumers additional rights not found in the other three states. This includes a right to obtain additional information about profiling to make decisions that produce legal or similarly significant effects, question such decisions, be informed of the reason for such decisions, and review the personal data that was processed for the purposes of such profiling.
Consumers also have the right to obtain a list of third parties to which the controller has sold the consumer’s personal data, similar to the privacy rights offered to consumers under the laws in Minnesota and Oregon.
Obligations and Rights Regarding Targeted Advertising and Selling Personal Data
All four states provide consumers with the right to opt out of the processing of their personal data for purposes of targeted advertising and the sale of their personal data. Controllers engaging in these activities must provide appropriate disclosures and a mechanism for consumers to exercise their opt-out rights.
Louisiana, Oklahoma, and Vermont all require controllers to conduct data protection assessments before engaging in targeted advertising or selling personal data. Louisiana also imposes specific disclosure requirements for sales of sensitive personal data and biometric personal data, and entities that derive 50% or more of their gross revenue from the sale of personal data may not sell sensitive personal data without the consumer’s prior consent. Vermont prohibits the sale of sensitive data without consumer consent.
Alabama does not impose a data protection assessment requirement for targeted advertising or the sale of personal data.
Effective Dates
| State | Effective Date |
| Alabama | May 1, 2027 |
| Louisiana | January 1, 2027 |
| Oklahoma | January 1, 2027 |
| Vermont | January 1, 2028 |
Enforcement Authority and Mechanisms
Alabama: The Alabama Attorney General has exclusive enforcement authority. Before initiating an action, the Attorney General must provide the controller or processor with a 45-day written cure notice identifying the specific provisions alleged to have been violated. If the controller cures the violation within 45 days and provides a written statement that the alleged violation has been cured and that no further violations will occur, no enforcement action may be initiated. There is no private right of action under the law.
Louisiana: The Louisiana Attorney General has exclusive enforcement authority. Violations of the Louisiana Data Privacy Act constitute unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law; however, the private right of action otherwise available under that statute is expressly excluded. During a temporary transition period from January 1, 2027 through July 31, 2027, the Attorney General must provide a 30-day notice and cure period before initiating enforcement action.
Oklahoma: The Oklahoma Attorney General has exclusive enforcement authority. No private right of action exists under the law. The Attorney General must provide a 30-day written notice before initiating action, specifying the provisions alleged to have been violated. If the controller cures the violation within 30 days, no action may be commenced.
Vermont: The Vermont Attorney General has exclusive enforcement authority. Violations of the Vermont Data Privacy and Online Surveillance Act are deemed violations of the Vermont Consumer Protection Act. No private right of action exists. During a transition period from January 1, 2028 through June 30, 2029, the Attorney General must issue a notice of violation before initiating action if the Attorney General determines that a cure is possible, and if the controller fails to cure the violation within 60 days after receipt of the notice, the Attorney General may bring an enforcement action.
Penalties
| State | Penalties |
| Alabama | Civil penalty of up to $15,000 per violation. |
| Louisiana | Penalties available under the Unfair Trade Practices and Consumer Protection Law. |
| Oklahoma | Civil penalty of up to $7,500 per violation. The court may also award reasonable attorney fees and expenses to the Attorney General. |
| Vermont | Penalties available under the Vermont Consumer Protection Act. |
Takeaways
Businesses operating nationwide should assess their obligations under the new laws by evaluating whether they meet the applicability thresholds in each state, which vary significantly.
Businesses should update privacy notices and consumer-facing disclosures to comply with each state’s requirements, including Louisiana’s additional notice requirements for businesses that sell sensitive or biometric data and Vermont’s requirement to disclose whether personal data is used to train large language models.
Businesses should implement or enhance consumer rights request processes to ensure existing processes meet the specific requirements of these new laws.
These four states are likely not the last to enact new comprehensive consumer privacy laws, so compliance obligations will continue to evolve.