Meet the new tech laws of 2026

As usual, 2025 was a year of deep congressional dysfunction in the US. But state legislatures were passing laws that govern everything from AI to social media to the right to repair. Many of these laws, alongside rules passed in past years, take effect in 2026 — either right now or in the coming months.

As of January 1st, Americans should have the right to crypto ATM refunds in Colorado, wide-ranging electronics repairs in Colorado and Washington, and AI system transparency in California, among other things. But a last-minute court ruling offered a reprieve from one high-profile state law: Texas’ App Store-based age verification rule.

For a longer rundown of tech-related regulations that go into force in 2026 — including a major piece of one federal law, the Take It Down Act — read on.

California passed a parcel of AI-related rules last year. The most prominent is SB 53: a transparency law that requires major AI companies to publish safety and security details and protects whistleblowers. It’s a revised version of SB 1047, which Gov. Gavin Newsom vetoed after a heated fight in 2024, and it goes into effect on January 1st, 2026.

Several other bills deal with more specific implementations of AI. Among them is SB 243, one of the first regulations on so-called companion chatbots, requiring them to maintain protocols for preventing suicidal ideation and self-harm, as well as remind known underage users every few hours that the system isn’t human. SB 524, another of the bills, requires law enforcement agencies to “conspicuously” disclose how they use AI.

All this has set up California as a test case for how far state AI laws can push, especially as Donald Trump’s administration aims to ban them altogether. That fight, too, is poised to play out in 2026.

Colorado passed one of the country’s most comprehensive right-to-repair rules in 2024, requiring manufacturers to facilitate repairs on a large swath of electronic devices. That law, HB24-1121, will finally kick in this year. The state is also adding consumer protections to a major fraud vector: cryptocurrency ATMs, which — because they let users convert fiat money into crypto and send it to an anonymous wallet — reportedly helped scammers extract hundreds of millions of dollars from victims this year. SB25-079 requires daily transaction limits for new and existing customers, plus refund options for first-time users who transfer money outside the US — a major signal they might have been sending money because they were duped by a scam.

Idaho joins the long list of states with laws combating strategic lawsuits against public participation, or anti-SLAPP laws, with SB 1001. While this isn’t technically a tech law, SLAPP suits have been a key weapon of tech billionaires like Elon Musk, and limiting them helps prevent what can amount to online censorship. A much-needed federal law remains nowhere to be seen.

Starting this year, Illinois will restrict sharing personal information of public officials at their request. HB 576 covers general assembly members and former members, public defenders, and county clerks, among others, and the covered information includes home addresses, home phone numbers, personal email addresses, and the identity of children under 18. The goal is preventing harassment — an increasingly prominent issue — as officials “administer their public duties.”

Data privacy is another area long neglected by Congress but taken up by states, with highly mixed results. Indiana’s Consumer Data Protection Act aims to provide a “data consumer bill of rights” that includes obtaining, correcting, and deleting personal information a company holds about you. But data privacy and consumer protection groups have denounced the law as toothless — a 2025 privacy report card by PIRG and the Electronic Privacy Information Center (EPIC) gave it an F.

HB 15 is another data privacy framework that failed the 2025 PIRG/EPIC evaluation. Kentucky and Indiana both fall under what that report dubs the “Virginia model”: a framework they allege lets companies “continue collecting whatever data they wanted as long they disclosed it somewhere in a privacy policy,” while making opt-outs onerous.

As with so many regulations, the federal rule banning difficult-to-cancel subscriptions is in legal hell, but some states have been stepping up. Maine is joining them with LD 1642, a rule modeled on the FTC standard — which means, among other things, making companies disclose the terms of subscriptions and offer a cancellation method as simple as the system for signing up.

LB 504 is one of multiple state-level “age-appropriate design” rules — it restricts app features like notifications, in-game purchases, and infinite scrolling for children, aiming to combat compulsive use by stopping “dark patterns” that keep kids online. A similar code was blocked in California, however, so a legal challenge could materialize later this year.

With AB 73, Nevada joins the slew of states trying to curb undisclosed AI-powered electioneering. Its disclosure rules include letting candidates sue if they find themselves starring in unwelcome, unlabeled AI-generated ads.

Oklahoma is broadening the scope of its data breach notification rules with SB 626, including by expanding them to cover biometric data and offering some new safe harbors for avoiding legal damages.

HB 2299 adds AI-generated (or otherwise digitally manipulated) imagery to its ban on nonconsensual sexual imagery — a move seen in nearly every state since 2019. HB 2008 bans data collectors from selling personal information and targeting ads using data from users they know are under 16, while adding a similar all-ages ban for precise geolocation data. And HB 3167 bans the sale of software designed to facilitate ticket-scalping bots, addressing a maddening problem the Federal Trade Commission focused on in 2025 as well.

Rhode Island’s HB 7787, the Rhode Island Data Transparency and Privacy Protection Act, includes rules that require disclosure of how personal information is collected and sold. It rounds out the trifecta of “Virginia model” rules that failed a privacy evaluation and take effect this year.

Mere weeks ago, Texas was set to implement a new form of online age-gating: requiring app stores to check users’ ages and pass that information to app developers. But a district court granted a preliminary injunction blocking SB 2420. The law remains worth watching, however, because Texas will likely appeal to the Fifth Circuit — which is notorious for reversing lower court decisions on internet regulation.

Texas is enacting HB 149, an AI regulatory framework that prohibits using the technology to incite harm, capture biometric identifiers, or discriminate based on characteristics like race and gender or “political viewpoint.” That’s going to be another test of the Trump administration’s plan to repeal state-level AI laws, highlighting a split between state and federal Republicans on AI.

If you’re under 16 years old in Virginia, your screen time may have just been drastically reduced. SB 854 requires social media companies to verify users’ ages and limit younger teens to one hour of use per app per day. A parent can choose to increase or decrease that limit. Like many internet regulations, this one is being challenged in court, so its ultimate fate remains undecided.

Washington passed a pair of right-to-repair laws, HB 1483 and SB 5680, in 2025. As iFixit explains, they require companies to make repair materials available for most consumer electronics, block parts pairing, and provide specific protections for wheelchair users.

The RAISE Act has been touted as a landmark AI law that would require large model developers to follow new safety and transparency rules. But it was significantly stripped down at the last minute, lessening its likely impact. Regardless, it’ll take effect on March 19th, 90 days after being signed late last year.

Michigan is another state getting a new anti-SLAPP law — HB 4045 — as of March 24th. On the same date, it’s effectuating a package of rules known as the “Taylor Swift” bills, targeting ticket bots and modeled on the federal BOTS Act.

The Take It Down Act criminalized AI-generated nonconsensual intimate imagery distribution at a federal level in 2025, a change groups like the Cyber Civil Rights Initiative (CCRI) called long overdue. But in the words of CCRI president Mary Anne Franks, it included a “poison pill” with a broad, ambiguous requirement that online platforms remove such images rapidly, raising concerns about censorship and enforcement. That platform takedown provision came with a one-year enforcement delay that will expire on May 19th — so we’ll soon figure out how effective (or disruptive) it actually is.

Utah’s App Store Accountability Act, SB 142, technically took effect last year. But app stores were given until May 6th of 2026 to start verifying users’ ages with “commercially available methods” and require parental consent if they detect minors. One final piece — letting minors or their parents sue for damages if app stores don’t comply — will take effect on December 31st.

Colorado’s SB 24-205 is a named target of the Trump administration’s war on state AI laws. It requires AI companies to disclose information about high-risk systems, and more specifically, take “reasonable care to protect consumers” from algorithmic discrimination. Originally slated for February, it’s now set to take effect June 30th instead.

HB 1717 is a children’s data privacy rule similar to the federal COPPA law and the proposed COPPA 2.0, barring online services from collecting unnecessary personal data if they’re aimed at minors or know a user is underage. It takes effect July 1st.

Utah’s HB 418, dubbed the Digital Choice Act, aims to make social media networks less sticky by letting you move data between them. A writeup from Harvard’s Ash Center explains the nuances, but broadly, it requires social media companies to implement open protocols that allow users to share personal data across different services. Europe has mandated data portability for years and the results haven’t been revolutionary, but there’s still a chance it could promote more competition on a centralized web. Its enforcement date is also July 1st.

Did you think we were done with California AI laws? Well, a delay pushed back the original January goalpost for SB 942, which requires the government to develop standards for AI detection systems and requires covered providers to make such tools available. Now its first provisions kick in on August 2nd, with additional requirements for companies taking effect in 2027 and 2028. It’s taking on a serious issue, but also an incredibly messy one — and like other rules, it depends on preserving the right to state-level AI laws.