Q2 2026 Privacy Compliance Deadlines: Maryland Enforcement, COPPA Rules, and What Else Is Coming
Why Q2 2026 Matters for Privacy Compliance
Q2 2026 (April through June) packs more privacy compliance milestones into a single quarter than any period since the original CCPA took effect in 2020. Maryland’s strict new privacy law begins enforcement, the FTC’s updated COPPA Rule kicks in, Oklahoma becomes the 21st state with a comprehensive privacy law, and Virginia’s governor faces a deadline on a geolocation data ban.
Whether you’re a compliance officer, a business owner, or a privacy professional, here is your month-by-month guide to what’s coming and what to do about it.
April 2026 Deadlines
April 1: Maryland MODPA Enforcement Begins
The Maryland Online Data Privacy Act (MODPA) entered into force on October 1, 2025, but the six-month enforcement grace period ends on April 1, 2026. Starting on that date, the Maryland Attorney General can issue violation notices and pursue civil penalties.
MODPA stands out from other state privacy laws in several important ways:
- Data minimization — Maryland imposes the strictest data minimization requirements of any US state. Businesses may only collect data that is “reasonably necessary and proportionate” to provide the product or service the consumer requested. This goes beyond the “notice and choice” approach of most state laws.
- Sensitive data ban — MODPA prohibits the sale of sensitive data entirely, including precise geolocation, health data, and data about minors. Not just opt-out — an outright ban.
- No revenue threshold — Unlike California (\$25M revenue) or other states, MODPA has no revenue threshold. It applies to any business that processes the personal data of Maryland residents, subject to a consumer count threshold of 35,000+.
- 60-day cure period — The AG must provide a 60-day cure period before taking enforcement action. This cure period expires on April 1, 2027, after which the AG can take immediate action.
Penalties: up to \$10,000 for a first violation and \$25,000 for subsequent violations, enforced as unfair trade practices under Maryland’s Consumer Protection Act.
For a deeper dive, see our Maryland MODPA enforcement preparation guide and the Maryland compliance checklist.
April 13: Virginia SB 338 Governor Action Deadline
Virginia Governor Abigail Spanberger has until 11:59 PM on April 13, 2026, to act on SB 338, which would ban the sale of precise geolocation data under the Virginia Consumer Data Protection Act (VCDPA).
The bill passed both chambers with unanimous, bipartisan support. Consumer Reports and a coalition of advocacy groups have urged the governor to sign. If signed, Virginia would join Maryland and Oregon as the third state to ban the sale of precise geolocation data entirely.
This is a significant shift: the current VCDPA permits businesses to process and sell geolocation data with consumer consent. SB 338 would eliminate that option.
April 22: COPPA Rule Enforcement Date
The FTC’s updated Children’s Online Privacy Protection Rule takes effect on April 22, 2026. Key changes include expanded definitions of personal information (adding biometric identifiers and persistent identifiers used for non-operational purposes), stricter requirements for parental consent mechanisms, and tighter data retention limits for operators of child-directed services.
Businesses that operate websites, apps, or services directed at children under 13 — or that have actual knowledge they collect data from children — should audit their COPPA compliance before this date.
May 2026 Deadlines
May 1: Oklahoma OCPA Takes Effect
The Oklahoma Consumer Privacy Act (OCPA), signed by Governor Stitt on March 20, 2026, takes effect on May 1, 2026. Oklahoma becomes the 21st US state with a comprehensive consumer privacy law.
Key provisions:
- Applicability — Businesses processing personal data of 100,000+ Oklahoma consumers, OR 25,000+ consumers while deriving 25% or more of gross revenue from data sales.
- Consumer rights — Access, correction, deletion, data portability, and opt-out of sale, targeted advertising, and profiling.
- Cure period — 30-day cure period (permanent, not sunsetting).
- Enforcement — Oklahoma Attorney General, with civil penalties up to \$100,000 per violation.
For the full breakdown, see our Oklahoma privacy law guide. Use the Privacy Law Calculator to check if your business meets Oklahoma’s thresholds.
June 2026 Deadlines
June 30: Nebraska and New Hampshire Privacy Law Anniversaries
Both Nebraska’s Data Privacy Act and New Hampshire’s Privacy Act will have been in effect for one full year by the end of June 2026. While not hard deadlines, these anniversaries are a good trigger for businesses to audit compliance and check for enforcement signals.
Neither state has announced enforcement actions yet, but regulators often use the first-anniversary mark as a natural enforcement milestone.
Bills and Developments to Watch in Q2 2026
Beyond hard deadlines, several legislative developments could reshape the privacy landscape during Q2:
- Vermont H 211 (Data Broker Delete Act) — Passed the full Vermont House on March 25, 2026 and is now in the Senate. Would create a universal data broker deletion portal, making Vermont only the second state (after California) to offer one. Senate action expected by mid-May. See our Vermont H 211 analysis.
- Connecticut SB 4 — Would add data broker registration requirements, facial recognition restrictions, and algorithmic pricing protections to the Connecticut Data Privacy Act (CTDPA). Still in committee. See our analysis of SB 4.
- Alabama HB 351 — Stalled in the 2026 session but widely expected to return. See our session recap.
Compliance Checklist for Q2 2026
- Audit Maryland MODPA compliance — Conduct a data minimization review. Do you collect only what’s “reasonably necessary”? Inventory any sensitive data sales (geolocation, health, minors).
- Check Virginia geolocation data practices — If SB 338 is signed, prepare to stop selling precise geolocation data of Virginia consumers.
- Review COPPA compliance — If your service is directed at or knowingly collects data from children under 13, audit parental consent mechanisms and data retention practices against the new rule.
- Prepare for Oklahoma OCPA — If you meet the thresholds, update your privacy policy, implement opt-out mechanisms, and train your team on consumer rights requests.
- Anniversary audit — Review Nebraska and New Hampshire compliance for any gaps identified over the past year.
- Monitor Vermont and Connecticut — If you operate as a data broker, track H 211 closely. Budget for potential \$900/year registration fees.
How PrivacyLawMap Can Help
Navigating 21 (soon to be more) state privacy laws is complex. PrivacyLawMap offers free tools to simplify compliance:
- Privacy Law Calculator — Enter your business details to see which state laws apply to you.
- State Law Comparison — Compare requirements across multiple states side-by-side.
- State Compliance Checklists — Step-by-step checklists for each state, including Maryland, Oklahoma, and more.
- GPC Compliance Checker — Check your Global Privacy Control obligations by state.
- Compliance Deadlines Tracker — See all upcoming privacy law deadlines in one place.
Frequently Asked Questions
When does Maryland MODPA enforcement start?
Maryland MODPA enforcement begins on April 1, 2026. The Maryland Attorney General can begin issuing violation notices on that date, with a mandatory 60-day cure period that remains in effect until April 1, 2027.
Does the Oklahoma privacy law have a cure period?
Yes. The Oklahoma Consumer Privacy Act (OCPA) includes a permanent 30-day cure period. Unlike some states (such as Colorado and Connecticut, which have sunset their cure periods), Oklahoma’s cure period does not expire.
What is Virginia SB 338?
Virginia SB 338 is a bill that would amend the Virginia Consumer Data Protection Act to ban the sale of consumers’ precise geolocation data. It passed both legislative chambers unanimously and awaits Governor Spanberger’s signature. The governor’s action deadline is April 13, 2026.
How many state privacy laws are active in 2026?
As of April 2026, 20 states have active comprehensive privacy laws. When the Oklahoma Consumer Privacy Act takes effect on May 1, 2026, that number rises to 21. Use our interactive state map to see all active laws.
Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.