Q3 2026 Privacy Compliance Deadlines: Connecticut Overhaul, DELETE Act Processing, and Nebraska Enforcement

Q3 2026 Is a Pivotal Quarter for Privacy Compliance

The third quarter of 2026 (July through September) brings several major privacy compliance deadlines that businesses operating across the United States must prepare for now. From Connecticut’s sweeping amendments to the CTDPA to California’s Delete Act processing mandate, Q3 marks a significant escalation in state privacy requirements.

This guide covers every critical deadline, what each one requires, and the practical steps you should take before each date arrives. If you need to determine which laws apply to your business, start with our Privacy Law Calculator.

July 1, 2026: Connecticut SB 1295 — Major CTDPA Overhaul

Connecticut’s SB 1295 is one of the most significant amendments to any state privacy law in 2026. Signed into law in 2025, it fundamentally expands the scope and strength of the Connecticut Data Privacy Act (CTDPA). Here are the key changes taking effect July 1:

Lower Applicability Threshold

The base consumer threshold drops from 100,000 to 35,000 consumers. If your business processes data from more than 35,000 Connecticut residents (excluding payment transactions), you are now covered by the CTDPA. This change alone could bring thousands of additional businesses into scope.

Financial Institution Exemption Eliminated

The GLBA entity-level exemption for financial institutions is removed. Banks, credit unions, insurance companies, and other financial entities that were previously exempt at the entity level must now comply with CTDPA requirements for consumer data that falls outside GLBA’s data-level protections.

LLM Training Disclosure

Businesses must disclose whether they use consumer personal data to train large language models (LLMs) or other AI systems. This is one of the first state-level requirements addressing AI training data transparency and directly affects any company that feeds consumer data into machine learning pipelines.

Expanded Sensitive Data Categories

The definition of sensitive data now includes neural data and transgender or nonbinary status. Businesses collecting brainwave data through neurotechnology devices or processing gender identity information face new consent requirements for these categories.

Stronger Minor Protections

Targeted advertising directed at minors and the sale of minors’ data are banned. This applies to all consumers the business knows or should reasonably know are under 18.

Right to Contest Profiling

Consumers gain the right to contest the results of profiling decisions. If your business uses automated decision-making or profiling, you must provide a mechanism for consumers to challenge adverse outcomes.

What to Do Before July 1

• Re-evaluate whether your business meets the new 35,000-consumer threshold using our compliance calculator
• If you are a financial institution, audit your data processing for consumer data not covered by GLBA
• Update your privacy policy to disclose any use of personal data for AI or LLM training
• Review your sensitive data inventory for neural data or gender identity data
• Implement profiling contestation procedures if you use automated decision-making
• Stop targeted advertising to known minors and halt sale of minors’ data

July 1, 2026: Nebraska LB 504 Enforcement Begins

Nebraska’s Age-Appropriate Online Design Code Act (LB 504), which took effect January 1, 2026, begins formal enforcement on July 1. The Nebraska Attorney General can now pursue violations as deceptive trade practices with penalties up to $50,000 per violation.

Who Is Affected?

LB 504 applies to online services, products, or features that are “likely to be accessed by children” (under 18). This standard goes beyond services explicitly targeted at children — if children are likely to use your service, you are covered.

Key Requirements

• Privacy-by-design: Default privacy settings must be set to the highest level for users under 18
• Data Protection Impact Assessments: Required before launching any new feature that children are likely to access
• Dark pattern prohibition: Cannot use deceptive design techniques that undermine children’s privacy choices
• Parental controls: Must be enabled by default for children under 13
• Data minimization: Cannot collect more personal data from children than strictly necessary

For businesses already compliant with COPPA, Nebraska’s requirements add a layer of state-specific obligations. Check your compliance status with our Nebraska compliance checklist.

August 1, 2026: California DELETE Act DROP Processing Mandatory

This is one of the most consequential deadlines in Q3. Starting August 1, every registered data broker in California must begin actively processing consumer deletion requests through the CPPA’s Delete Request and Opt-out Platform (DROP).

What Is DROP?

DROP is a centralized platform operated by the California Privacy Protection Agency that allows California consumers to submit a single deletion request that reaches all registered data brokers simultaneously. It launched in January 2026 for consumer submissions. Starting August 1, brokers must actually process those requests.

Compliance Requirements

• Access DROP every 45 days: Data brokers must retrieve pending deletion requests at least every 45 days
• Process within 45 days: After retrieving a request, the broker must delete all matching personal data (including inferences) and report status within 45 days
• Annual registration: Data brokers must be registered with the CPPA (annual fee of $6,000 for 2026) by January 31 each year
• No exceptions for “administrative error”: As the S&P Global enforcement action showed, even unintentional registration failures result in fines

Penalties for Non-Compliance

The CPPA has demonstrated aggressive enforcement posture with its Data Broker Enforcement Strike Force. Penalties include:

• $200 per day for failure to register as a data broker
• $200 per unfulfilled deletion request per day for failure to process DROP requests
• These are compounding daily fines — costs escalate rapidly

The CPPA has already fined companies like Datamasters ($45,000) and S&P Global ($62,600) just for registration failures. Once August 1 passes, expect a new wave of enforcement targeting brokers that fail to process deletion requests. See our guide to the data broker landscape for more context.

Am I a Data Broker?

California defines a data broker as a business that knowingly collects and sells the personal information of consumers with whom it does not have a direct relationship. If that sounds like your business, use our Data Broker Classification Quiz to assess your status.

Other Q3 2026 Dates to Watch

Maine LD 1822 — Potential Effective Date (July 1, 2026)

Maine’s comprehensive privacy bill (LD 1822), the Maine Online Data Privacy Act, passed both chambers and is awaiting the Governor’s signature. If signed, it would take effect July 1, 2026. Key features include strict data minimization (processing limited to what is “strictly necessary”), a 35,000-consumer threshold, and standard consumer rights. See our Maine privacy law analysis for details.

Virginia SB 338 — Geolocation Data Ban (If Signed)

Governor Spanberger has until April 13 to sign SB 338, which would ban the sale of precise geolocation data under the Virginia VCDPA. If signed, implementation would likely begin in Q3 2026, joining Maryland and Oregon in restricting location data sales. Check your geolocation compliance with our Geolocation Compliance Checker.

Hawaii SB 1163 — Geolocation and Browser Data

Hawaii’s Senate unanimously passed SB 1163, which would prohibit the sale of geolocation information and internet browser information without consent. The bill is now with the House. While the effective date is distant, businesses should track this trend of states restricting location and browsing data sales.

Ongoing Enforcement to Monitor

Q3 2026 will see continued enforcement activity from several agencies:

• Maryland MODPA: First enforcement actions expected after April 1 enforcement start; watch for AG guidance and initial complaints
• California CPPA: Fresh off the Disney $2.75M settlement and Ford $375K fine, expect continued focus on opt-out compliance
• Multi-state sweeps: The CA/CO/CT joint GPC enforcement sweep pattern may expand to additional states

Your Q3 2026 Compliance Checklist

Use this timeline to plan your compliance work:

Now (April–May 2026)

• Run the Privacy Law Calculator to identify all applicable laws, especially Connecticut’s lower threshold
• Determine if you are a data broker under California law using the Data Broker Quiz
• Audit your AI and LLM training data practices for Connecticut’s new disclosure requirement
• Review your minor-targeted advertising and data sale practices

May–June 2026

• Update privacy policies for Connecticut amendments (LLM disclosure, expanded rights)
• If you are a data broker, integrate with the California DROP system and establish 45-day access cadence
• Implement profiling contestation mechanism for Connecticut consumers
• Review your children’s data practices for Nebraska enforcement readiness

June 2026 (Final Preparation)

• Test your DROP integration and deletion workflow end-to-end
• Train customer service teams on new Connecticut consumer rights
• Verify that GPC and universal opt-out mechanisms work across all properties
• Document your compliance efforts for potential regulator inquiries

Looking Ahead: Q4 2026 and Beyond

While Q3 is the immediate priority, keep these future deadlines on your radar:

• January 1, 2027: Oklahoma OKCDPA becomes effective (20th comprehensive privacy law)
• April 1, 2028: California privacy risk assessments due under proposed regulations
• 2028: First mandatory third-party audits for California data brokers under the Delete Act

The US state privacy law landscape continues to expand and tighten. Use our compliance deadline tracker to monitor all upcoming dates and the state law comparison tool to understand differences between jurisdictions.

Frequently Asked Questions

How many state privacy laws will be in effect by the end of Q3 2026?

At least 20 comprehensive state privacy laws will be in effect by September 30, 2026, with Maine potentially making it 21 if LD 1822 is signed. This includes the new laws that took effect in 2026 (Indiana, Kentucky, Rhode Island) plus all previously effective laws.

Does the Connecticut CTDPA lower threshold apply retroactively?

The 35,000-consumer threshold takes effect July 1, 2026 and applies to data processing from that date forward. However, if you already hold data from 35,000+ Connecticut consumers, you must be compliant by July 1 — there is no grace period.

What happens if a data broker misses the August 1 DROP processing deadline?

The CPPA can impose fines of $200 per unfulfilled deletion request per day. For a broker with thousands of pending requests, this can quickly escalate to millions of dollars. The CPPA’s Data Broker Enforcement Strike Force has already demonstrated willingness to pursue non-compliant brokers.

Do I need to comply with Nebraska LB 504 if my service isn’t designed for children?

Yes, if children are “likely to access” your service. This is a broader standard than COPPA’s “directed to children” test. If your service is popular with users under 18 (even unintentionally), you should evaluate compliance.

How do I compare requirements across all these states?

Use our state privacy law comparison tool to see side-by-side differences between any two state laws, including thresholds, consumer rights, enforcement mechanisms, and cure periods.

Last updated: March 29, 2026.