Skip to main content
Clicks & ClientsClicks&Clients
08 / Field Notes
PrivacyJuly 13, 20266 min read

What July 2026 state privacy laws change for ad targeting

Three state privacy laws took effect July 1, 2026. What the July 2026 changes mean for ad targeting: consent thresholds, age exclusions, and first-party data.

Three laws took effect July 1, and a court order kept a fourth in play

Connecticut’s CTDPA amendments, Arkansas’s Children and Teens’ Online Privacy Protection Act, and Utah’s privacy amendments all took effect on July 1, 2026 1. Five days later, on July 6, the U.S. Supreme Court declined to block Texas SB 2420, the state’s app store age verification law, which is now in effect 2.

None of the July 2026 state privacy laws changes ad targeting enough on its own to reorganize a media plan. Together they extend a five-year pattern: the set of people you can reach by default keeps shrinking, and the durable answer keeps being the same three things. Consent infrastructure. Age-aware exclusions. First-party data hygiene.

One note on scope before the details. This is a compliance-mechanics piece: what each law does, and what an account team has to change. It takes no position on whether any of these laws is good policy, because the firm does not publish positions on that question.

Connecticut lowered the bar for who is covered

Connecticut’s applicability threshold dropped from 100,000 consumers to 35,000, and any business that processes sensitive data or sells personal data is now in scope regardless of volume 1. The 35,000 figure is easy to cross without anyone on the team having counted. A mid-size ecommerce brand with a few years of national order history and an email list holds that many Connecticut consumer records as a matter of course.

The second change is the one that generates work. Connecticut residents can now request the list of third parties that received their data 1. Answering that request requires an inventory most accounts have never assembled: every pixel, every conversions API connection, every audience share, every enrichment vendor that touches a customer record. Building the inventory before the first request arrives is cheaper than building it after, and the same document feeds every other state’s disclosure requirements.

Arkansas draws a harder age line than COPPA

Arkansas now prohibits collecting personal data for targeted advertising for children under 13 and for teens ages 13 to 16, a harder line than federal COPPA 1. For an advertiser, the operational surface is age signals: declared age on the platforms, age-gating on owned properties, and age settings at the campaign level.

The practical review is narrow and concrete. Pull every campaign that could plausibly reach users under 17, check the age exclusions, and check what data collection sits behind the targeting. Categories with any youth adjacency, which includes gaming, snacks, apparel, education, and most consumer apps, should treat this as a this-month task rather than a someday task.

Utah added rights, and the map keeps filling in

Utah’s amendments add a right of correction plus social media data portability rules 1. For most advertisers this is the lightest lift of the three, because correction requests route through the same request-handling workflow the other state laws already require.

The heavier point is cumulative. Twenty comprehensive state privacy laws are in effect during 2026 3. At that count, tracking each state’s thresholds one by one stops being a workable operating model for a marketing team. The accounts that handle this well build one consent and data-rights workflow to the strictest common standard and let the state-by-state variation collapse into configuration.

Texas moved age verification to the app store layer

On July 6, 2026, the U.S. Supreme Court declined to block Texas SB 2420, which requires app stores to verify user age, sorting users into under 13, 13 to 15, 16 to 17, or adult, and requires parental consent for minors’ downloads and in-app purchases 2. Google Play has been rolling out age verification flows for Texas users whose accounts were created after May 28, 2026 4.

The advertising implication is mechanical rather than dramatic. Declared age has been a self-reported field for two decades, and this is one of the first regimes that verifies it at the distribution layer. As age data firms up, age-based exclusions firm up with it, and the gap between an account’s stated age settings and its true delivery narrows. Platform-declared age is becoming a compliance surface, not just a targeting choice, and campaign settings should be reviewed on that assumption.

California’s risk-assessment clock is already running

Under CPPA regulations effective January 1, 2026, California businesses whose processing presents significant risk must conduct documented risk assessments, and the significant-risk category includes selling or sharing personal information, which covers most advertisers running pixels and audience sharing 5. Assessments covering 2026 and 2027 processing must be completed by the end of 2027, with first submissions to the CPPA due April 1, 2028 5.

Those dates read as distant. They are not, because the assessment documents processing as it happens. A business that starts the paperwork in late 2027 is reconstructing two years of data decisions from memory and old vendor contracts. If California revenue is material to the account, the sane version of this starts now: a running record of what data is collected, what it feeds, and who receives it.

The checklist for this week

Four items, in the order the firm runs them in audits:

  1. Age settings. Verify age exclusions and age-gating on any campaign that could reach minors. Treat declared age as a compliance surface, not a targeting preference.
  2. Consent coverage. Confirm your consent management setup covers Connecticut at the 35,000-consumer threshold. Many mid-size ecommerce brands cross it without knowing.
  3. Third-party inventory. List every destination your pixel and audience data reaches. Connecticut residents can now ask for that list, and you want to write it on your own schedule rather than a statutory one.
  4. California assessments. If California revenue is material, start the risk-assessment record now instead of reconstructing it in 2027.

None of this is new strategy. The firm made the same argument reviewing five years of Apple’s ATT: first-party data and server-side infrastructure age well through every one of these cycles, and server-side tracking built for one platform’s signal loss absorbs the next regulation with configuration changes rather than rebuilds. That plumbing is part of what a managed engagement buys, and it is the reason some accounts barely noticed July 1.

The pattern since 2018 has not wavered: each cycle, some reach that used to be free starts requiring infrastructure. Consent, age handling, and first-party data are account plumbing now. The accounts that treat them as legal overhead will install them later anyway, under a deadline, at a worse price.

Sources
  1. 1.Ice Miller: State Privacy Law Updates, What Takes Effect July 1 2026 · accessed 2026-07-07
  2. 2.US News / Reuters: US Supreme Court Won't Block Texas App Store Age Verification Law · accessed 2026-07-07
  3. 3.MultiState: Comprehensive Privacy Laws That Take Effect in 2026 · accessed 2026-07-07
  4. 4.Google Play Console Help: Changes to Google Play for upcoming app store bills · accessed 2026-07-07
  5. 5.California Privacy Protection Agency: CCPA Updates, Risk Assessments, ADMT · accessed 2026-07-07
From the firm

Field Notes is the public version of the working theory we run on every account. If you want to talk about your own, book a discovery call.