State attorneys general serve as primary enforcers, while the FTC is advancing expanded COPPA rules on children's data, enforceable in 2026, with broadened definitions of personal information including biometrics. Data brokers face particular scrutiny under California's DROP platform. Most states have eliminated cure periods for violations, with the exception of Indiana and Kentucky's 30-day windows. New amendments across Oregon, Connecticut, Colorado, and California heighten focus on sensitive data categories such as geolocation and information on minors under 16, and introduce age-verification requirements for social media platforms. Businesses operating across multiple states now face 30 to 40 percent higher compliance costs due to automated workflows and privacy-by-design requirements.
Companies are currently assessing first-quarter compliance as enforcement activity accelerates without cure periods and amid rising litigation. The regulatory expansion stems from sustained 2025 legislative momentum and stalled federal privacy bills, creating urgency for immediate action. Attorneys should prioritize audits of data handling practices, consent management systems, and automated decision-making processes, particularly those affecting children. Particular attention should be paid to data broker relationships and deletion request workflows ahead of California's August deadline.