Jun 17, 2026
3 State Privacy Laws Take Effect July 1, 2026
Two weeks from today, three U.S. states simultaneously raise the legal floor on data privacy. Connecticut dramatically widens the net of who must comply with its data protection law. Arkansas bans targeted advertising tracking aimed at anyone under 16. Utah gives consumers the right to fix inaccurate data companies hold on them. If your organization operates across the U.S. and has not yet mapped these obligations, the clock is running.
Key Takeaways
- Connecticut's CTDPA now covers businesses processing data of just 35,000 state residents — down from 100,000 — and the cure period that gave companies a remediation window expired in December 2024.
- Arkansas's Children and Teens' Online Privacy Protection Act, signed by Governor Sarah Huckabee Sanders in April 2025, prohibits collecting personal data for targeted advertising from anyone under 16 with no consent exception.
- Utah's HB 418 adds a right to correct inaccurate personal data and establishes new social media data portability and interoperability rules under the Digital Choice Act.
- All three changes take effect July 1, 2026 — adding to a patchwork that now includes 20 states with comprehensive consumer privacy laws.
- Connecticut's cure period expiration means regulators can initiate enforcement immediately upon discovering a violation — there is no soft landing.
Connecticut: Lower Thresholds, More Rights
The amendment that matters most for compliance teams is the one that nearly triples Connecticut's scope overnight. Under the original CTDPA, a business had to process the personal data of at least 100,000 Connecticut residents before the law applied. From July 1, that threshold drops to 35,000. More significantly, the threshold disappears entirely for two categories: any business that sells personal data — even a single resident's record — now falls under the CTDPA, and any business that processes sensitive data is covered regardless of volume.
That sensitive data definition just got longer. The July 2026 amendments add disability and medical information, transgender or nonbinary status, neural data, financial account details, and government-issued ID numbers to the existing list. Businesses that touch any of these categories must now comply with Connecticut's full framework, regardless of how few residents they serve.
The new consumer rights are equally demanding. Connecticut residents can now request a list of every third party that received their data, access to inferences drawn about them, and access to profiling decisions — including the rationale behind those decisions. The inference access right in particular has few parallels in other state laws and will require new disclosure infrastructure from data brokers, ad tech platforms, and anyone who builds consumer profiles.
One detail that deserves attention: Connecticut's cure period expired in December 2024. Most state privacy laws have included a 30- or 60-day window during which companies can fix violations before formal enforcement. Connecticut removed that buffer more than 18 months ago. A business newly swept in by the lower threshold on July 1 faces immediate enforcement risk if it is not compliant from day one.
There is also a disclosure requirement with no equivalent elsewhere: businesses must state in their privacy notices whether they use personal data to train large language models or sell it for that purpose. As AI data pipelines become routine infrastructure, this obligation will catch organizations that have not thought carefully about where their user data flows.
Arkansas: A Targeted Advertising Ban for Kids' Inboxes
Arkansas's Children and Teens' Online Privacy Protection Act takes a harder line than any comparable U.S. law. For children under 13 and teens aged 13 through 16, there is a flat prohibition on collecting personal data for targeted advertising. Not conditional. Not subject to parental opt-in. Prohibited outright.
The law applies to operators "directed at" minors or those with "actual knowledge" they collect from that age group — the same trigger standard used in COPPA, which means federal precedent on what constitutes actual knowledge is directly relevant. For teens aged 13 to 16, collection for purposes other than advertising is permitted, but requires consent from either the teen or a parent. For children under 13, parental consent is required across the board.
Enforcement sits exclusively with the Arkansas Attorney General, who can pursue penalties of $10,000 per violation. There is no private right of action and no cure period. The Alston & Bird analysis of the Act notes the law also prohibits operators from allowing third parties to collect, use, disclose, or maintain personal information from minors for targeted advertising — a provision that directly implicates third-party pixels and tracking scripts.
What This Means for Your Inbox
Email marketing platforms are inside the scope of this law if they have actual knowledge that their campaigns reach under-16 recipients. A newsletter service targeting youth sports, a school communication platform, or any operator that knowingly includes minors in its subscriber lists cannot use behavioral tracking to power its targeting. That includes tracking pixels that report open events back to an ad platform, click-tracking redirects that feed behavioral profiles, and any other mechanism that routes minor engagement data into a targeting system. Tools like Gblock that block these pixels on the recipient side illustrate the exact data flows the Arkansas legislature intended to cut off on the sender side. The legal obligation now makes explicit what was previously just good practice.
Utah: The Right to Correct
Utah's HB 418, signed by Governor Spencer Cox on March 27, 2025, is a quieter but practically significant change. The Utah Consumer Privacy Act previously gave residents rights to access, delete, and opt out of the sale of their data. The right to correct inaccurate data was absent — a gap that matters when companies hold outdated addresses, wrong employment records, or erroneous financial information.
From July 1, businesses have 45 days to comply with correction requests. The Ice Miller analysis of the amendments notes that Utah also enacted the Digital Choice Act alongside HB 418, targeting social media platforms specifically. Under the new rules, social media companies must allow Utah users to transfer their data — including the ability to select portions — to competing platforms in real time when switching services. Platforms must also support interoperability, and third-party content such as comments can only be included in a transfer with the commenter's consent.
The portability provisions apply narrowly to social media operators, but the correction right applies broadly across any business covered by the Utah Consumer Privacy Act. For compliance teams managing data across CRMs, marketing databases, and third-party processors, a formal correction workflow now needs to exist where Utah residents are involved.
What Compliance Officers Need to Do Before July 1
With 14 days left, the priority actions are:
- Re-run your Connecticut applicability analysis. If you process data for between 35,000 and 100,000 Connecticut residents, or if you sell any personal data or process any sensitive data involving Connecticut residents, you are newly in scope. Map that exposure today.
- Audit your privacy notice for Connecticut's new disclosures. The LLM training disclosure, the expanded sensitive data categories, and the new consumer rights (third-party list, inferences, profiling rationale) all require updated policy language by July 1.
- Inventory your email and ad tech stack for Arkansas compliance. Any platform with actual knowledge that it reaches under-16 users must strip behavioral tracking from those campaigns. Audit third-party pixel deployments, click-tracking redirects, and any behavioral data flows that touch that audience.
- Build a correction workflow for Utah. The 45-day response window starts from the date of the consumer's request. Your intake process, verification logic, and downstream processor coordination all need to be operational on July 1.
- Document your cure-period posture for Connecticut. There is none. If your Connecticut compliance is not complete on July 1, your first enforcement risk begins that morning. Prioritize accordingly.
The California AB 2564 surveillance pricing bill moving through the legislature reflects the same trend visible in these three laws: states are moving faster than federal privacy legislation, targeting the data flows that power behavioral advertising, and removing the safety valves — cure periods, private rights of action thresholds, high applicability floors — that made earlier laws easier to work around.
July 1 is not the finish line. It is the next enforcement date in a series that has no end in sight.