If you updated your cookie banner this spring, congratulations: you are compliant with the past.
The next eighteen months are unusually busy. Two brand-new US state privacy laws were signed this spring with 2027 effective dates, Connecticut just rewrote its privacy act with changes landing in July 2026, India's DPDP clock is ticking toward hard enforcement, and the EU is actively negotiating the biggest rewrite of its cookie rules since 2009.
None of this requires panic. Most of it requires a calendar. This post is that calendar — what is genuinely coming, what is still just a proposal, and what to prepare for first.
(For what is already in force and enforced today, see do you need to update your cookie banner in 2026; for how we got here, the 2026 changes retrospective. This post is about what comes next.)
Which new cookie consent and privacy laws take effect before 2027?
The confirmed pipeline: Connecticut's amended privacy act takes effect July 1, 2026; California data brokers must process DROP deletion requests from August 1, 2026; India's DPDP Rules hit their one-year transition marker in November 2026; and on January 1, 2027 Oklahoma's new privacy law, California's ADMT rules, and Vermont's Age-Appropriate Design Code all kick in — followed by Alabama in May 2027 and full DPDP enforcement in India that same month. The EU's Digital Omnibus, which would rewrite cookie consent rules entirely, is still a proposal under negotiation.
Here is the watchlist at a glance:
| Date | Jurisdiction | What happens | Status |
|---|---|---|---|
| Jun 19, 2026 | UK | DUAA complaints-procedure requirement commences | Enacted |
| Jul 1, 2026 | Connecticut | CTDPA amendments (SB 1295): lower thresholds, minors' ad ban | Enacted |
| Jul 1, 2026 | Virginia | VCDPA amendments on specific data categories | Enacted |
| Aug 1, 2026 | California | Data brokers must process DROP deletion requests | Enacted |
| Nov 14, 2026 | India | DPDP Rules one-year mark; consent-manager framework phase | Enacted |
| Jan 1, 2027 | Oklahoma | Oklahoma Consumer Data Privacy Act takes effect | Enacted |
| Jan 1, 2027 | California | CCPA ADMT (automated decision-making) compliance date | Enacted (regs) |
| Jan 1, 2027 | Vermont | Age-Appropriate Design Code (Act 63) takes effect | Enacted |
| May 1, 2027 | Alabama | Alabama Personal Data Protection Act takes effect | Enacted |
| May 13–14, 2027 | India | DPDP 18-month transition ends; full enforcement powers | Enacted |
| Jul 1, 2027 | Kentucky | KCDPA amendments (HB 692) take effect | Enacted |
| TBD (2027+) | EU | Digital Omnibus moves cookie rules into the GDPR | Proposed only |
| TBD | Canada | Federal PIPEDA replacement; Alberta PIPA amendments | Expected, not introduced |
United States: the 2026–2027 pipeline keeps filling
The wave that brought Tennessee, Minnesota, and Maryland online in 2025, then Indiana, Kentucky, and Rhode Island on January 1, 2026, has not crested. Those laws are live and belong to the enforcement conversation; the spring 2026 legislative season added fresh names to the map.
Connecticut, July 1, 2026: the amendment that quietly widens the net
Connecticut's SB 1295 amendments take effect July 1, 2026, and they matter even if you ignored the CTDPA the first time:
- The applicability threshold drops from 100,000 to 35,000 consumers — and disappears entirely if you process sensitive data or offer personal data for sale.
- Targeted advertising and data sales involving minors aged 13–17 are flatly prohibited where you know (or wilfully disregard) the user's age. Consent does not cure it.
- Privacy notices must explicitly disclose targeted-advertising processing and sales.
If you run ads or analytics with meaningful Connecticut traffic, re-check whether you are now covered.
The rest of H2 2026
- Virginia amendments to the VCDPA, signed in April 2026, take effect July 1, 2026, tightening rules around specific sensitive data categories.
- California's DROP (the Delete Request and Opt-out Platform under the Delete Act): registered data brokers must start processing consumer deletion requests submitted through DROP by August 1, 2026. Not a cookie-banner change, but a signal of where US enforcement energy is going — centralized, one-click rights execution.
January 1, 2027: three things land at once
- Oklahoma Consumer Data Privacy Act — signed in March 2026, effective January 1, 2027. Another opt-out-model comprehensive law in the Virginia mold.
- California ADMT rules — under the CCPA regulations finalized in September 2025, businesses using automated decision-making technology for significant decisions must comply by January 1, 2027, including notices and opt-outs.
- Vermont's Age-Appropriate Design Code (Act 63) — effective January 1, 2027 for services reasonably likely to be accessed by under-18s: data minimization by default, no targeted nudging, restrictions on push notifications. Similar laws have drawn First Amendment challenges, so watch for litigation — but do not bank on it.
Later in 2027
- Alabama Personal Data Protection Act — signed April 17, 2026, effective May 1, 2027.
- Kentucky HB 692 — amendments to the KCDPA effective July 1, 2027.
The upshot: the US still is not adopting EU-style opt-in, but the matrix of opt-out rights, minors' protections, and universal opt-out signals keeps expanding. Our US state cookie banner requirements guide covers the per-state mechanics.
United Kingdom: the DUAA's big bang already happened — but it's not finished
The Data (Use and Access) Act's main PECR changes commenced on February 5, 2026: new consent exceptions for low-risk purposes (first-party statistics, appearance preferences, emergency assistance) and PECR fines raised from £500,000 to GDPR levels — up to £17.5 million or 4% of global turnover. The ICO's final Storage and Access Technologies guidance followed on April 29, 2026. All of that is "now," not "next" — see the 2026 banner update guide.
What is still ahead:
- June 19, 2026: the DUAA requirement to operate a formal data-protection complaints procedure commences. Operational, not banner-related — but a hard date.
- The ICO's review of PECR regulation 6 for online advertising. Alongside the final guidance, the ICO said its work on how storage-and-access rules apply to online advertising continues separately, with further updates to follow. If you are hoping the UK relaxes consent for some advertising use cases, this is the workstream to watch through late 2026.
The ICO also noted that 99% of the UK's top 1,000 websites now meet its cookie banner standards — which tells you how the remaining 1% should expect to be treated.
India: the DPDP countdown is real, with two hard dates
India's DPDP Rules were notified on November 14, 2025 — final, not draft — with an 18-month phased rollout:
- November 14, 2026: the one-year mark. The consent-manager framework phases in (registered Consent Managers must be India-incorporated companies meeting net-worth requirements), and the window for revalidating legacy data consents effectively closes. Industry expectation is that the Data Protection Board shifts from awareness-building toward active supervision around this point.
- May 13–14, 2027: the substantive obligations — notice, consent, breach notification, data principal rights — become fully enforceable, with penalties up to INR 2.5 billion (roughly USD 26 million).
If you have an Indian user base, 2026 is the build-and-test year. The architecture signal matters even if India is not your market: consent is being treated as auditable, interoperable infrastructure, not a banner you bolt on.
EU: the Digital Omnibus could rewrite cookie consent — but it is not law
The long-stalled ePrivacy Regulation proposal was formally withdrawn in early 2025. Its replacement arrived on November 19, 2025: the Digital Omnibus, which would fold cookie rules out of the ePrivacy Directive and into the GDPR. The headline changes, as proposed:
- Single-click reject with equal prominence to accept.
- A six-month cooling-off period: if a user refuses consent, you cannot re-ask for the same purpose for at least six months.
- A whitelist of consent-exempt low-risk purposes, such as aggregated audience measurement.
- Machine-readable consent signals — browser-level preferences that websites would have to honor.
- GDPR-level fines (up to 4% of global turnover) for violations.
Status as of mid-2026: the AI portion of the omnibus reached a provisional political deal in May 2026, but the data-protection and cookie portion is still working through the Council, with Parliament at an earlier stage. The text may change substantially, and adoption will be followed by a transition period. Realistically, nothing here changes your EU banner before 2027 — quite possibly later.
Supportive: If it passes as proposed, fewer banners for harmless purposes and honest one-click choices are genuinely good news.
Cynical: The EU has been about to fix cookie banners since 2017. Do not architect your 2026 roadmap around a press release.
Until then, the ePrivacy Directive and national enforcement remain fully in force — see our developer's guide to the ePrivacy Directive.
Canada: reform is expected, not scheduled
Canada is the "watch but don't build yet" file:
- Federal: Bill C-27 died when Parliament was dissolved in early 2025. A new private-sector privacy bill — expected to carry over C-27-style penalties of up to CAD 25 million or 5% of global revenue — has been repeatedly signalled for 2026 but had not been tabled as of this writing.
- Alberta: a legislative committee delivered 12 recommendations for amending PIPA in February 2025, including children's-privacy obligations and a penalty-based enforcement regime; amendments are anticipated in 2026.
- Quebec: Law 25 is fully in force — its opt-in consent rules belong on your "now" list, not your watchlist. Our Canada consent banner guide covers it.
How to prioritize: a traffic-based triage
You do not prepare for thirteen deadlines at once. You rank them by your traffic and the cost of being wrong.
| Priority | Prepare for | If you have... | By when |
|---|---|---|---|
| 1 | Connecticut amendments | US traffic + ads/analytics | Jul 1, 2026 |
| 2 | UK complaints procedure + reg 6 watch | UK users | Jun 19, 2026 / ongoing |
| 3 | India DPDP consent revalidation | Indian users | Nov 14, 2026 |
| 4 | Oklahoma + CA ADMT + Vermont AADC | US traffic (AADC: minors) | Jan 1, 2027 |
| 5 | Alabama, Kentucky amendments, India full enforcement | US / India traffic | May–Jul 2027 |
| 6 | EU Digital Omnibus | EU users | Monitor only — proposal |
Three rules of thumb:
- Hard dates beat big headlines. Connecticut's July 2026 amendments will affect more real businesses this year than the Digital Omnibus. Enacted law with a date outranks any proposal.
- Minors' data is the common thread. Connecticut, Vermont, Oregon's under-16 sale ban, India's parental-consent rules — if your audience skews young, this is your biggest 2026–2027 workstream.
- Don't rebuild for proposals. Monitor the Digital Omnibus and Canada's federal bill quarterly; build when there is final text and a commencement date.
What to actually do this quarter
- Re-run your Connecticut applicability analysis under the 35,000-consumer threshold.
- Audit whether you serve targeted ads to known or likely 13–17-year-olds in the US.
- Put June 19, 2026 (UK complaints procedure) and November 14, 2026 (India) on the compliance calendar with named owners.
- If you profile for significant decisions, scope California ADMT notice and opt-out work for January 1, 2027.
- Confirm your CMP can add a new regional ruleset (Oklahoma, Alabama) as configuration, not code.
- Set a quarterly check on the Digital Omnibus and Canada's federal bill — and resist doing more than that.
Where CookieChimp fits
The pattern across every jurisdiction above is the same: rules keep changing, and the teams that cope are the ones whose consent setup is configuration, not hardcoded UI. CookieChimp is built for exactly that — geo-targeted banners that apply the right ruleset per region, automatic cookie scanning so new tags don't outrun your policy, consent logs that prove what each user saw and chose, and built-in Google Consent Mode v2 and Global Privacy Control support as US states keep adding signal requirements. When Oklahoma's effective date arrives, it should be a settings change, not a sprint. And if you're wondering whether one banner can stretch across all of this: can one cookie banner cover every country?
FAQ
Which US states have new privacy laws taking effect in 2027?
Oklahoma's Consumer Data Privacy Act takes effect January 1, 2027, and Alabama's Personal Data Protection Act follows on May 1, 2027 — both signed in spring 2026. Kentucky's HB 692 amendments follow on July 1, 2027. California's automated decision-making (ADMT) rules and Vermont's Age-Appropriate Design Code also have January 1, 2027 compliance dates.
Will the EU Digital Omnibus get rid of cookie banners?
No — and it is not law yet. The proposal would move cookie rules into the GDPR, exempt low-risk purposes like aggregated audience measurement, require single-click reject, and stop sites re-asking for six months after a refusal. Banners would get simpler and rarer for benign uses, not disappear. As of mid-2026 the data-protection portion is still being negotiated, so current ePrivacy rules apply unchanged.
What changes in Connecticut on July 1, 2026?
The CTDPA's applicability threshold drops from 100,000 to 35,000 consumers (with no threshold at all if you process sensitive data or sell personal data), targeted advertising and sales involving consumers aged 13–17 are banned outright, and privacy notices must disclose targeted-advertising processing. Many businesses previously below the threshold will be covered for the first time.
When does India's DPDP Act become fully enforceable?
The DPDP Rules were notified on November 14, 2025 with an 18-month phased rollout. The consent-manager framework phases in around November 14, 2026, and the substantive obligations — notice, consent, breach notification, user rights — become fully enforceable by May 13–14, 2027, with penalties up to INR 2.5 billion.
Is anything still changing in the UK after the February 2026 PECR changes?
Yes, two things. From June 19, 2026, organisations must have a formal data-protection complaints procedure. And the ICO is still reviewing how PECR regulation 6 applies to online advertising, with further updates promised. The new consent exceptions and the higher £17.5m/4% PECR fines are already in force.
Should I wait for new laws before updating my consent setup?
No. Everything enforceable today — EU/UK opt-in rules, US state opt-outs, Quebec's Law 25 — stays enforceable regardless of what is coming. Build a setup where each new law is a configuration change, then add jurisdictions as their dates arrive.
References
- MultiState, "20 State Privacy Laws in Effect in 2026: Key Dates & Changes": multistate.us
- Wiley, "Major Changes to Connecticut's Consumer Privacy Law Will Take Effect July 1, 2026": wiley.law
- Moore & Van Allen (JD Supra), "Privacy in Bloom: Four States Reshape the Data Protection Landscape This Spring": jdsupra.com
- California Privacy Protection Agency, "California Finalizes Regulations to Strengthen Consumers' Privacy": cppa.ca.gov
- CalPrivacy, "About DROP and the Delete Act": privacy.ca.gov
- Vermont General Assembly, "Bill Status S.69 (Act 63) — Age-Appropriate Design Code": legislature.vermont.gov
- ICO, "Statement on the commencement of the Data (Use and Access) Act (DUAA)" (5 Feb 2026): ico.org.uk
- ICO, "Final storage and access technologies guidance published" (29 Apr 2026): ico.org.uk
- European Commission, "Digital Package — FAQs" (Digital Omnibus proposal): digital-strategy.ec.europa.eu
- Press Information Bureau (India), "DPDP Rules, 2025 Notified" (17 Nov 2025): pib.gov.in
- India Briefing, "India's DPDP Timeline: Critical Compliance Deadlines for 2026-27": india-briefing.com
- IAPP, "What 2026 may bring for Canada's privacy reform efforts": iapp.org
The laws will keep coming; your banner rebuild doesn't have to. Get started with CookieChimp and turn the next effective date into a configuration change.