← Back to Blog

2026 Data Privacy Laws: What Changed and What's Coming

📅 2026-06-30 👤 CyberForget Team ⏱ 10 min read
Privacy Data Brokers Regulation California Massachusetts FTC

2026 Data Privacy Laws: What Changed and What's Coming

Published: June 29, 2026 Category: Privacy Regulation, Data Broker Laws Reading time: ~10 minutes Meta description: Complete overview of 2026 data privacy laws — California's Delete Act, Massachusetts location privacy, FTC location data ban, and what federal legislation means for your personal data.


2026 has been the most transformative year for data privacy legislation in American history. In just the first six months, we've seen a state-level one-click deletion portal go live, a landmark federal rule banning the sale of sensitive location data, bipartisan momentum for a national data broker registry, and multiple states passing comprehensive privacy laws.

If you're trying to understand what these laws mean for your personal data — and what they don't do — this guide covers everything that changed in 2026 and what's coming next.


Why 2026 Is a Watershed Year for Privacy

The data broker industry is now valued at over $32.5 billion annually, with an estimated 4,000 to 5,500 data brokers operating globally. The average American adult has their data held by 150 to 200 different data brokers, according to Consumer Reports.

For years, federal privacy legislation stalled in Congress while states filled the gap with a patchwork of laws. But 2026 marks a tipping point:

Here's what each of these changes means for your personal data.


California's Delete Act: One Portal, 665+ Data Brokers

The California Delete Act (SB 362) became operational this year, allowing California residents to submit a single deletion request that's forwarded to all 665 registered data brokers in the state.

> Deep dive: Read our full breakdown of California's Delete Act →

What it does

SB 1125 (June 2026)

Governor Newsom signed SB 1125 on June 10, closing a major loophole: the original law didn't cover "inferences" — the predictions and profiles built from your data. SB 1125 extends deletion requirements to derived data.

What it doesn't do


Massachusetts Location Privacy Law

On June 8, 2026, Massachusetts lawmakers passed a sweeping bill that bans the sale of precise location data without explicit consumer consent.

> Deep dive: Read our full analysis of the Massachusetts law →

Key provisions

Why location data matters

Your smartphone's GPS coordinates reveal where you live, work, worship, receive medical care, and who you meet with. Data brokers have been selling this information for years — including to stalkers, abusive partners, and foreign governments.


FTC Sensitive Location Data Rule

On May 12, 2026, the FTC finalized a rule banning the sale or transfer of location data within 500 meters of sensitive locations — hospitals, reproductive health clinics, places of worship, domestic violence shelters, addiction treatment centers, schools, military bases, and prisons.

Penalties: Up to $50,000 per consumer device per day, with treble damages for willful violations. Enforcement begins September 12, 2026.


The Growing State-by-State Patchwork

As of mid-2026, 20 states have comprehensive consumer data privacy laws in effect:

| State | Law | Effective | Key Feature | |-------|-----|-----------|-------------| | California | CCPA / CPRA / Delete Act | 2020 / 2023 / 2026 | One-click deletion, most comprehensive | | Virginia | VCDPA + 2026 location bill | 2023 / 2026 | New ban on location data sale | | Massachusetts | New location privacy bill | 2026 | Opt-in consent, private right of action | | Connecticut | CTDPA + amended 2026 | 2023 / 2026 | Expanded protections | | Colorado | CPA | 2023 | Broad consumer rights | | Alabama | New comprehensive law | 2026 | First southern state with comprehensive law | | Rhode Island | New comprehensive law | 2026 | Strong enforcement provisions | | Texas | TX Data Privacy & Security Act | July 2025 | Registration + opt-out, ~200 brokers | | Oregon | OR Consumer Privacy Act | July 2024 | Registration + opt-out | | +11 more states | Various | 2023–2026 | Varying protections |

Bills are pending in New York, Arizona, Florida, Illinois, Maryland, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania.

> The problem: No two state laws are identical, creating a compliance nightmare for companies and confusion for consumers. If you move between states, your privacy rights change.


The Data Broker Accountability Act: What's Coming at the Federal Level

On June 9, 2026, Senators Cantwell and Wicker introduced the Data Broker Accountability Act (S. 1234) — the most serious federal attempt to regulate data brokers to date.

What the bill would do

| Requirement | Details | |-------------|---------| | Registration | All brokers with >$5M revenue or 50K+ individuals must register with the FTC | | Annual audits | Independent third-party audits of data practices | | National opt-out portal | FTC-run "Do Not Sell" portal — one request, nationwide | | Mandatory deletion | Brokers must delete data within 30 days | | Penalties | Up to $5,000 per violation per day | | Private right of action | You can sue violators |

Where it stands

The bill has a Senate Commerce Committee hearing scheduled for July 15, 2026. It has bipartisan co-sponsors including Klobuchar, Moran, Blumenthal, and Blackburn. With 87% public support for federal privacy legislation (Pew Research), it has real momentum — but faces industry opposition and a crowded Senate calendar.


What These Laws Don't Solve

Despite the rapid progress, significant gaps remain:

1. No retroactive deletion

Most laws only restrict *new* data collection. Data brokers have already collected years of historical data — these laws don't force them to delete what they already have.

2. Enforcement is reactive, not proactive

Even the best laws require you to discover violations, file complaints, or sue. Most people won't know their data has been sold until it's exploited.

3. Data brokers adapt quickly

When California passed the CCPA, brokers simply added "service provider" language to their contracts. When the FTC cracked down on X-Mode, the company rebranded. The industry is skilled at finding loopholes.

4. State laws leave most Americans unprotected

If you live in Florida, Texas, Ohio, or any of the 30 states without a comprehensive privacy law, these state-level protections don't apply to you.

5. No substitute for proactive removal

Even a perfect federal law wouldn't automatically remove your data from people-search sites like Spokeo, Whitepages, and BeenVerified. These require active opt-out requests.


How to Protect Yourself in 2026

Step 1: Use State Deletion Portals (if you're eligible)

California residents: Submit a request through the CPPA portal Massachusetts residents: Location data protections take effect this fall

Step 2: Opt Out of People Search Sites

The most visible exposure comes from Spokeo, Whitepages, BeenVerified, and similar sites. Each requires a separate opt-out request.

> DIY guide: How to Remove Your Personal Information from the Internet for Free →

Step 3: Consider Automated Data Broker Removal

Manual opt-out from hundreds of data brokers takes 50-100 hours of work upfront, plus ongoing maintenance. Services like CyberForget automate the entire process:

> Comparison: DeleteMe vs Incogni vs Optery vs CyberForget →

Step 4: Lock Down Future Data Collection


What to Watch in the Second Half of 2026

| Date | Event | Impact | |------|-------|--------| | July 15 | Senate hearing on Data Broker Accountability Act | Could accelerate federal legislation | | September 12 | FTC location data rule enforcement begins | First major fines expected | | Fall 2026 | Massachusetts location law takes effect | 4th state with location protections | | November 2026 | Midterm elections | Could shift congressional privacy priorities | | Ongoing | New state bills in NY, FL, IL, PA | 10+ more states may pass laws |


Frequently Asked Questions

Do these laws automatically remove my data from people-search sites?

No. State deletion portals and data broker laws give you the *right* to request deletion, but they don't automatically remove your data. You still need to submit opt-out requests.

If I live in California, do I still need a service like CyberForget?

The California portal is a great first step, but it only sends a deletion request — it doesn't verify compliance. Many brokers silently ignore requests or re-list data after the 45-day window. Ongoing monitoring is still essential.

Will the federal bill pass?

The bipartisan sponsorship is encouraging, but it's too early to predict. Similar bills have stalled in previous sessions.

How many data brokers actually comply with deletion requests?

During California's pilot, the compliance rate was ~78%. The remaining 22% either ignored or rejected requests. Compliance varies by broker.

What's the single most effective thing I can do right now?

Identify which data brokers have your information and submit opt-out requests. The most efficient way is to use a service like CyberForget that handles the entire process — but even a few manual opt-outs make a difference.


The Bottom Line

2026 is a landmark year for data privacy legislation. California's one-click portal, the FTC's location data ban, and the proposed federal bill represent the most aggressive regulatory push against the data broker industry in history.

But legislation alone won't solve the problem. The data broker industry is too large, too profitable, and too adept at finding workarounds. Real protection requires a combination of:

1. Strong laws and enforcement — support the Data Broker Accountability Act 2. Personal action — opt out of data broker sites and monitor for re-appearance 3. Automated services — use a professional removal service to handle ongoing effort at scale

Start your free scan at CyberForget → — see exactly which data brokers have your personal information, then take it back.


*Updated June 29, 2026. This article is for informational purposes and does not constitute legal advice. Laws and regulations may change; consult a qualified professional for advice specific to your situation.*

Take Control of Your Data

Ready to remove your personal information from data broker sites? CyberForget automates the entire process.

Start Free Scan →
← Browse All Blog Posts

CyberForget — Automate data broker removal and protect your privacy.