Key players include state attorneys general in Florida (with a new enforcement unit) and Texas, alongside the DOJ; legislation encompasses Florida and Texas privacy laws overlapping with the DOJ rule, plus 2026 state measures like California's expanded data broker registration (CA SB 361) requiring disclosures on sales to foreign entities or AI developers.[6][1][5] New comprehensive privacy laws effective January 1, 2026, in Indiana (ICDPA), Kentucky (KCDPA), and Rhode Island add to the landscape, mandating data protection assessments that could flag foreign transfers, while amendments in states like Connecticut, Oregon, and California tighten sensitive data rules.[1][2][4][7]
This stems from a post-2025 slowdown in new laws, pivoting to enforcement as 20 states now have active comprehensive privacy regimes, with Florida/Texas actions signaling national security risks from cross-border flows.[6][7] Timeline: DOJ rule implementation began 2024; state enforcements ramped up early 2026 alongside January 1 laws in three states and mid-year changes (e.g., Utah's July 1 social media portability).[1][2][6] Newsworthy now due to rising enforcement momentum—e.g., California's Delete Act platform launch and data broker penalties—urging organizations to audit data flows amid multi-jurisdictional risks.[5][6][7]