April 3, 2026

State legislatures and EU enforcement bodies are driving most of the actionable compliance work this week. Oklahoma has enacted a comprehensive privacy law, algorithmic pricing bills are proliferating across 24 states, Colorado is reconsidering its AI Act wholesale, and the Trump Administration has issued its first formal federal AI legislative recommendations—all while the Garante, AEPD, and other EU DPAs continued issuing fines across financial services, marketing, and workplace surveillance. The practical question for most compliance teams is sequencing: which of these developments demands immediate resource allocation versus structured monitoring.

Oklahoma Governor signed SB 546, the Oklahoma Data Privacy Act, into law, effective January 1, 2027. The statute tracks the Virginia CDPA framework closely, meaning organizations with existing VCDPA compliance programs have a structural head start—but practitioners should not assume full equivalence without a gap analysis. Oklahoma joins a growing list of Virginia-aligned states, and the absence of a federal floor continues to drive this state-by-state layering. Teams operating multi-state consumer businesses should begin scoping Oklahoma into existing privacy program roadmaps now. Watch level: PREPARE (privacy counsel and compliance teams with Oklahoma consumer operations — effective January 1, 2027; begin gap analysis against VCDPA baseline)

Italy's Garante fined Intesa Sanpaolo €36 million for inadequate technical and organizational security measures under GDPR Article 32. In a separate action, the Garante also imposed a €563,052 fine aggregating violations across Articles 5, 6, 7, 24, and 28 of the GDPR plus Article 130 of Italy's Privacy Code, and issued a further enforcement action against a controller for unlawful direct marketing consent practices. Three distinct Garante actions in a single reporting cycle signals sustained enforcement intensity—not a single-incident pattern. Financial sector and marketing-dependent organizations under Italian jurisdiction should treat Article 32 security adequacy and consent documentation as active enforcement priorities, not audit checklist items. Watch level: ACT NOW (financial institutions and direct marketers operating in Italy — enforcement is active; conduct Article 32 security review and consent audit immediately)

The Trump Administration released formal legislative recommendations for a federal AI governance framework, and Colorado's AI Policy Work Group simultaneously proposed replacing—not amending—the Colorado AI Act with a new framework. These two developments, read together, suggest the federal-state AI governance architecture may be in genuine flux. The White House recommendations may indicate an intent to preempt state AI laws, though no bill text has been introduced and preemption scope is not yet determinable. Colorado's wholesale replacement proposal raises the immediate practical question of whether compliance work scoped to the existing Colorado AI Act should be paused or redirected pending the revised framework's content. Both warrant close tracking through Q2 2026. Watch level: PREPARE (AI governance leads and product counsel — federal preemption scope unknown; monitor bill text; pause or qualify Colorado AI Act compliance scoping pending revised framework details)

More than 40 algorithmic and dynamic pricing bills have been introduced across 24 U.S. states in 2026, already exceeding 2025's full-year volume. Definitions, thresholds, and scope vary materially across these bills, meaning a single compliance posture will not transfer across jurisdictions. Organizations running multi-state personalized or dynamic pricing models should begin inventorying which state bills are nearest to committee votes or floor action, as the risk of enacted obligations appearing with short lead times is rising. Separately, EU Parliament's IMCO and LIBE committees adopted a joint position advancing the Digital Omnibus on AI, now proceeding to a full plenary vote—a procedural milestone that warrants monitoring for organizations tracking EU AI Act amendment activity. Watch level: PREPARE (pricing strategy, product counsel, and AI governance teams with U.S. multi-state operations — no bills enacted yet, but volume and pace suggest near-term enactments are likely across multiple jurisdictions)