State Privacy & AI Watch: 3 Legislative Developments To Know

Sadia Mirza, a partner with Troutman Pepper Locke and leader of the firm’s Incidents + Investigations team, was quoted in the March 27, 2026 Law360 article, “State Privacy & AI Watch: 3 Legislative Developments To Know.”

• “What’s most notable about this law is what’s not included in it,” Sadia Mirza, a data security and privacy partner at Troutman Pepper Locke LLP, told Law360. “This will definitely be viewed as one of the more business-friendly state laws.”

• While the law is set to take effect in less than a year, Mirza noted that, given the lack of unique provisions that depart or go beyond laws that are already on the books, “business that already have mature compliance programs and have taken steps to align with other state data privacy laws likely aren’t going to do a lot more or need a huge on-ramp to meet this effective date.”

• The 30-day cure provision is also likely to be helpful to companies that are attempting to comply with the law by giving them a chance to address issues with the state’s attorney general before facing an enforcement action, Mirza said, although she noted that the cure period should be viewed as more of a “buffer” and not an invitation to completely ignore compliance obligations.

• “There’s a bit of a comfort in knowing that if there are any concerns about how a company is interpreting the law or about what it did to comply with the law, that there will at least be an opportunity for discussion,” Mirza said, adding that the provision reflects the “nature of the law” in attempting to “not be a compliance burden” while extending privacy rights to its citizens. 

• “It’s not surprising that states are taking their time and following what California and other states have done, and it’s likely that we’re going to continue to see comprehensive state privacy laws going through the same process as data breach notification laws, which started in California and that we now have in all 50 states,” Mirza said.