United States of America: Privacy Protection Act (A6309) entered into force with grace period

On 12 January 2026, the Privacy Protection Act (A6309) entered into force, with certain provisions regarding health care facilities subject to a grace period. The Act restricts government entities from collecting personal data such as immigration status or social security numbers unless required for assessing eligibility for public benefits or professional qualifications. It establishes that records collected for these purposes are not public records and may not be disclosed unless required to administer benefits, services, programs, or professional qualifications and licensure, required by subpoena, court order, or judicial warrant. Further, government entities are prohibited from selling or sharing automated license plate recognition information except to other government bodies as permitted by law or under a judicial warrant. On the same day, the Act was adopted by both chambers of the legislature, conditionally vetoed by the Governor, and passed again by both chambers. The Act enters into force on the same day, except for the obligations for healthcare providers, which enter into force on 1 February 2027.