AI Regulation & Policy: Week of April 22–28, 2026
Key Points
- 1.The House Energy & Commerce Committee introduced the SECURE Data Act on April 22, 2026, aiming to replace the U.S. state privacy law patchwork with a single federal framework, though critics at Tech Policy Press characterized it as 'built on empty promises' and historical obstacles around preemption scope and private right of action persist [2] and [5].
- 2.Alabama became the 21st U.S. state to enact a comprehensive consumer privacy law when Governor Kay Ivey signed the Alabama Personal Data Protection Act on April 17, 2026, effective May 1, 2027, compounding compliance complexity for organizations operating across multiple jurisdictions [2].
- 3.The California Privacy Protection Agency announced it expects to conduct CCPA compliance audits in 2026 through its newly created Audits Division, and on April 20, 2026 issued an invitation for preliminary comments on regulatory changes covering notices, disclosures, and employee data — including AI-specific Automated Decision-Making Technology requirements [2] and [4].
- 4.The FTC's 2025 COPPA Rule amendments reached their compliance deadline on April 22, 2026, shifting the regulatory dynamic from preparation to active enforcement risk for AI platforms interacting with minors [2].
- 5.The EDPB's draft Guidelines 1/2026, published April 15, 2026 and open for public consultation until June 25, 2026, explicitly clarify how GDPR applies to AI-driven research and large dataset reuse, representing a significant EU regulatory signal for organizations conducting AI research [1].
Executive Summary
- •The SECURE Data Act's introduction marks an updated development from the previous period's baseline, now attracting sustained policy debate — including a dedicated Tech Policy Press podcast episode on April 26, 2026 — but its passage remains uncertain given persistent congressional disputes over preemption and enforcement mechanisms [5] and [3].
- •State-level privacy regulation continues to expand at an accelerating pace, with Alabama joining 20 other states in enacting comprehensive consumer privacy law, while Virginia banned the sale of geolocation data and Kentucky classified Smart TV data as sensitive personal data, all signed in April 2026 [2].
- •California's privacy enforcement posture has escalated materially: the CPPA is simultaneously pursuing compliance audits, new rulemaking on notices and disclosures, and AI-specific requirements around automated decision-making — creating a multi-layered compliance burden for organizations deploying AI in consumer contexts [2] and [4].
- •The Connecticut Attorney General's April 8, 2026 advisory applying existing state laws to AI systems — without new AI-specific legislation — reinforces an emerging pattern of regulators leveraging legacy frameworks to govern AI conduct, a development that extends compliance obligations beyond jurisdictions with dedicated AI laws [3].
- •AI governance discourse is evolving beyond static compliance frameworks: Tech Policy Press identified structural measurement challenges ('the denominator problem') on April 24, 2026, while OneTrust highlighted the need for continuous risk management models and governance of autonomous agentic AI systems [5] and [4].
Market Trends
Federal Privacy Legislation Push Intensifies with SECURE Data Act
A significant new development in U.S. federal privacy regulation emerged on April 22, 2026, when the House Energy & Commerce Committee announced the introduction of the SECURE Data Act, intended to replace the existing patchwork of U.S. state consumer privacy laws with a single federal law [2]. This legislative push is corroborated by multiple sources: Privacy World Blog noted House Republicans introduced a federal consumer privacy bill on April 22, 2026, highlighting that two recurring issues —…
State-Level Privacy and AI Regulation Continues to Accelerate
While federal privacy legislation remains contested, state-level regulatory activity is accelerating rapidly. Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act on April 17, 2026, making Alabama the 21st state to enact a comprehensive consumer privacy law, effective May 1, 2027 [2]. Virginia added new restrictions by banning the sale of geolocation data effective July 1, 2026, following Governor Abigail Spanberger's signing of S.B. 388 on April 13, 2026 [2]. Kentucky class…
EDPB Issues Draft Guidelines on Personal Data Use in AI-Driven Research
On April 15, 2026, the European Data Protection Board published draft Guidelines 1/2026 addressing the processing of personal data for scientific research purposes, with a public consultation period open until June 25, 2026 [1]. The guidelines are notable for their explicit coverage of research that relies on AI, large datasets, and the reuse of personal data, clarifying how the GDPR applies to academic, public-sector, and commercial research contexts [1]. This development is relevant to the bro…
Competitor Trends
SECURE Data Act Advances with Bipartisan Scrutiny
The SECURE Data Act, introduced by House Republicans on April 22, 2026, continues to generate significant policy debate. The House Energy & Commerce Committee announced its intention to advance the bill as a replacement for the existing patchwork of US state consumer privacy laws [2]. Tech Policy Press published a perspective on April 23, 2026 characterizing Congress's new privacy bill as 'built on empty promises,' reflecting skepticism about whether the legislation will achieve meaningful consu…
US State Privacy Law Expansion Continues Unabated
The rapid expansion of US state-level privacy regulation continues as a dominant trend. Alabama became the 21st state to enact a comprehensive consumer privacy law when Governor Kay Ivey signed the Alabama Personal Data Protection Act on April 17, 2026, effective May 1, 2027 [2]. OneTrust's blog also highlighted Alabama's law as a notable development in its trending content [4]. The California Privacy Protection Agency issued an invitation for preliminary comments on April 20, 2026 regarding pot…
AI Governance Frameworks Shift Toward Continuous and Scalable Models
Across the regulatory and compliance technology landscape, a clear shift is emerging from periodic, point-in-time AI governance reviews toward continuous, scalable risk management frameworks. OneTrust's blog highlights multiple recent publications on this theme, including a March 2026 piece on 'the shift from periodic reviews to continuous risk management' and a guide titled 'Responsible AI in 2026: A 3-step guide for governance that scales,' both emphasizing that enabling innovation requires mo…
Regulatory Trends
SECURE Data Act Advances: Federal Privacy Preemption Debate Intensifies
The SECURE Data Act, introduced on April 22, 2026 by the House Energy & Commerce Committee, continues to generate significant regulatory debate. The bill aims to replace the patchwork of U.S. state consumer privacy laws with a single federal framework [2]. Tech Policy Press published a perspective piece titled 'Congress's New Privacy Bill Is Built on Empty Promises' on April 23, 2026, indicating substantive criticism of the bill's approach [5]. Privacy World Blog also noted that two recurring ob…
State-Level Privacy Expansion: Alabama Becomes 21st State
The acceleration of state-level consumer privacy legislation documented in the previous period has continued. On April 17, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act, effective May 1, 2027, making Alabama the twenty-first state to enact a comprehensive consumer privacy law [2]. This was corroborated by both Privacy World Blog, which published 'The Heart of Dixie Embraces Consumer Privacy' on April 20, 2026 [3], and OneTrust's blog, which listed Alabama's law …
COPPA Compliance Deadline Reached: Children's Data Enforcement Era Begins
As of April 22, 2026, the compliance deadline for the FTC's 2025 amendments to the COPPA Rule arrived, marking a transition from rulemaking to active enforcement obligations for organizations subject to the Children's Online Privacy Protection Act [2]. This milestone, continuing from the previous reporting period, now shifts the regulatory dynamic from preparation to enforcement risk. Concurrently, Australia's Exposure Draft Children's Online Privacy Code was noted as having potential implicatio…
California Privacy Agency Moves Toward Active Enforcement and New Rulemaking
California's privacy regulatory activity intensified across multiple fronts during this reporting period. The California Privacy Protection Agency's Executive Director Tom Kemp indicated the agency expects to conduct CCPA compliance audits in 2026 as it builds out its newly created Audits Division [2]. On April 20, 2026, CalPrivacy issued an invitation for preliminary comments on potential regulatory changes concerning notices, disclosures, and employee data under the CCPA [2]. OneTrust's blog h…
EDPB Scientific Research Guidelines Open for Consultation
The European Data Protection Board's draft Guidelines 1/2026 on personal data processing for scientific research purposes, published on April 15, 2026, remain open for public consultation until June 25, 2026 [1]. The guidelines clarify how the GDPR applies to academic, public-sector, and commercial research that relies on AI and large datasets, representing a continuing and significant regulatory development for organizations conducting AI-driven research in the EU. The EDPB's decision to explic…
AI Governance Denominator Problem and Governance Scalability Debate
Tech Policy Press published a perspective titled 'The Denominator Problem in AI Governance' on April 24, 2026, reflecting emerging policy discourse around structural challenges in designing effective AI oversight frameworks [5]. This coincides with OneTrust's publication of 'Responsible AI in 2026: A 3-step guide for governance that scales' on March 11, 2026, and 'Agents Governing Agents: The Next Evolution of AI Governance' which addresses the challenge of governing increasingly autonomous AI s…
South Africa and Brazil: Emerging Market AI and Data Regulation Activity
Tech Policy Press published a perspective on April 23, 2026 titled 'South Africa Has AI Leverage. Its Draft Policy Leaves It Unused,' indicating that South Africa has released a draft AI policy that commentators argue fails to capitalize on the country's regulatory positioning [5]. Separately, Tech Policy Press reported on April 24, 2026 that Brazil's competition watchdog has opened a probe into Google over publisher pay, reflecting broader digital market regulatory activity in a major emerging …
Important Changes
EDPB Draft Guidelines on Scientific Research Data Open for Consultation
MonitoringThe European Data Protection Board's draft Guidelines 1/2026 on personal data processing for scientific research, published April 15, 2026, remain open for public consultation until June 25, 2026. The guidelines clarify GDPR application to AI-driven research and large dataset reuse. No new developments reported since initial publication. [1]
SECURE Data Act Advances with Bipartisan Attention
UpdatedThe SECURE Data Act, introduced by House Republicans on April 22, 2026 to replace the U.S. state privacy law patchwork with a single federal law, is drawing continued commentary. According to [5], a podcast episode unpacking the SECURE Data Act was published April 26, 2026, reflecting ongoing policy debate. [3] also notes recurring congressional skepticism about passage, citing preemption and enforcement as persistent sticking points.
Alabama Comprehensive Privacy Law Signed; State Count Reaches 21
MonitoringAlabama's Personal Data Protection Act, signed April 17, 2026 and effective May 1, 2027, remains the most recent state-level comprehensive privacy enactment. No additional states have been reported as enacting similar laws in the current period. [2]
California Privacy Agency Launches Audit Division and Seeks Regulatory Comments
UpdatedThe California Privacy Protection Agency is actively building out its newly created Audits Division and expects to conduct CCPA compliance audits in 2026, according to [2]. Additionally, on April 20, 2026, the agency issued an invitation for preliminary comments on potential regulatory changes concerning notices, disclosures, and employee data under the CCPA — signaling an expanding enforcement and rulemaking posture beyond the previously reported audit plans.
Connecticut AG Issues AI Advisory Using Existing State Laws
NewAccording to [3], the Connecticut Attorney General issued an advisory on April 8, 2026 clarifying how current Connecticut laws apply to artificial intelligence — a notable development indicating that regulators are increasingly applying existing legal frameworks to AI conduct without waiting for new AI-specific legislation. This complements Washington State's earlier AI companion chatbot law and reflects a broader trend of state-level AI governance activity.
Insights & Takeaways
- 1.With Alabama as the 21st state to enact comprehensive privacy law and the SECURE Data Act facing credibility concerns from critics, organizations must now make a near-term strategic decision: invest in scalable state-by-state compliance infrastructure or wait for federal preemption that may not materialize — a bet that prior congressional failures suggest is high-risk [2] and [3].
- 2.California's simultaneous pursuit of audits, new rulemaking, and AI-specific ADMT requirements signals that the CPPA is transitioning into a fully operational enforcement agency in 2026; organizations relying on AI for consumer-facing decisions should treat CCPA compliance as an immediate enforcement risk, not a future compliance project [2] and [4].
- 3.The COPPA compliance deadline arriving on April 22, 2026 combined with Australia's parallel children's online privacy code and Tech Policy Press debate on regulatory approach means AI platforms interacting with minors now face a convergence of active enforcement obligations and international regulatory scrutiny that requires urgent cross-jurisdictional compliance review [2] and [5].
- 4.The EDPB's decision to explicitly address AI-driven research and large dataset reuse within GDPR scientific research guidelines — ahead of full EU AI Act implementation — confirms that EU regulators are extending data protection scrutiny to AI workflows through existing legal channels; organizations should engage with the public consultation before June 25, 2026 to influence the final framework [1].
- 5.The emergence of AI governance critiques from emerging markets — South Africa's draft AI policy criticized on April 23, 2026 for failing to leverage the country's regulatory positioning — signals that multinational organizations must begin monitoring AI governance developments beyond the EU and U.S. as regulatory activity expands globally [5].
Sources
Reports on EDPB draft Guidelines 1/2026 published April 15, 2026, clarifying GDPR application to scientific research including AI-driven research and large dataset reuse, with public consultation open until June 25, 2026.
Related: Regulatory TrendsCovers SECURE Data Act introduction, Alabama privacy law enactment, COPPA compliance deadline, Virginia geolocation data ban, Kentucky Smart TV data classification, and California Privacy Protection Agency audit and rulemaking developments.
Related: Regulatory TrendsReports on Connecticut AG AI advisory applying existing state laws to AI, SECURE Data Act historical obstacles, Alabama privacy law, and Australia's children's online privacy code.
Related: Regulatory TrendsCovers enterprise shift to continuous AI risk management, CCPA 2026 ADMT requirements, and agentic AI governance frameworks. (Company blog — may reflect promotional framing.)
Related: Market TrendsPublished perspectives on SECURE Data Act ('built on empty promises' and podcast episode), 'The Denominator Problem in AI Governance,' children's online privacy regulation, and South Africa's draft AI policy critique.
Related: Regulatory TrendsReported on the Online Privacy Act of 2026 (House Bill 8014) introduced March 19, 2026 with a single sponsor, providing context for the SECURE Data Act as a more institutionally backed federal privacy effort.
Related: Market Trends