Cybersecurity Law Report quoted Covington partner Libbie Canter and associate Jayne Ponder on Alabama’s and Oklahoma’s new Virginia-style comprehensive privacy laws and their implications for the evolving U.S. privacy landscape.
Libbie observed that the Alabama Personal Data Protection Act and the Oklahoma Consumer Data Privacy Act are based on Virginia’s Consumer Data Protection Act and contain some similar provisions. She noted that state policymakers continue to look to the Virginia model because it “provides strong consumer protections within a workable framework that is fairly well understood and borrows key principles from international data protection laws.”
However, Libbie continued, even in states following the Virginia model, there are discrepancies, such as Maryland’s data minimization standard and the aspects of the Minnesota law regarding documentation of policies and procedures. “On top of that, as enforcement has increased, it raises the potential for regulators in different states to take inconsistent approaches on a topic,” she said.
Libbie noted that in late April 2026, the House Energy and Commerce Committee leadership proposed a federal privacy bill based on the Virginia model, though its prospects remain uncertain. The passage of the two new laws is unlikely to be “the straw that breaks the camel’s back,” she added, but it contributes to an already heavy patchwork of divergent state requirements that has renewed bipartisan interest in a national privacy standard with preemption.
On compliance, Libbie said that given the rapid pace of change in state privacy laws, continually updating vendor agreements can be impractical, and that companies may seek to embed strong baseline protections that future-proof vendor contracts. Companies that already have adopted strong baseline protections still may want to look at their template data processing terms currently in place to ensure they address what is required in Alabama and Oklahoma, she added. Libbie continued that many companies apply baseline contractual protections across all personal data processing, regardless of whether the data is currently subject to a comprehensive privacy law, noting that this approach avoids questions about which data falls within the scope of evolving state privacy requirements.
Jayne noted that over the past few years, apart from 2025, at least one or two states have passed a comprehensive privacy law each year, and that it is possible this trend will continue during this legislative session. “We have already seen comprehensive privacy frameworks pass at least one chamber in a number of other states, including Massachusetts, Louisiana and Pennsylvania,” she observed. Jayne noted that the House proposal takes an approach on two long-debated issues: whether a federal law should broadly preempt state privacy regimes, and whether enforcement authority should rest with the FTC and state AGs.
On compliance, Jayne said that companies generally can apply their existing privacy programs to the two new state laws, and suggested that to reduce operational burden, companies may choose to build a rights program around areas of commonality across state laws and address state-specific differences as needed. She noted that Oklahoma and Alabama regulators may look to whether consumer rights processes are clearly presented and consistently honored.
Jayne also urged companies to review their externally facing materials and statements like privacy policies and responses to consumer rights requests through the lenses of the new laws, as such materials and statements are readily observable by regulators and consumers, attracting scrutiny because they are publicly available.
Back
