On September 25, attorneys from Troutman Pepper Locke’s Privacy + Cyber + AI team hosted the second of two webinars analyzing the new California Consumer Privacy Act (CCPA) regulations. This webinar focused on the CCPA’s new cybersecurity audit and insurance regulations, as well as updates to the existing regulations. The webinar recording and slide deck are now available here and here, respectively.
Key point: Our new chart identifies and analyzes the varying and changing applicability standards for the 19 state consumer data privacy laws.
The applicability standards for state consumer data privacy laws have become a complicated maze that is, at times, difficult to track and apply. These laws are no longer just based on revenue or the number of consumers whose information a controller processes. For example:
Key point: Businesses subject to the CCPA must comply with extensive new regulations.
On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.
Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.
Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.
Key point: Regulators will ensure corporate accountability by imposing stringent sanctions on businesses that are perceived as neglecting the protection of consumer personal information.
Key point: Children’s privacy remained a hot topic during the 2025 state legislative session, with multiple states passing laws, adding to the growing patchwork of children’s privacy laws.
Key point: Our new chart identifies and compares the definitions of sensitive data under the 19 state consumer data privacy laws.
Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.
The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.
Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.
On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).
This article was republished on ALM’s Business Crimes Bulletin on September 30, 2025 and on Law.com on October 14, 2025.
Key point: Addressing the litigation and regulatory risks regarding tracking technologies requires a balanced approach between legal exposure and business impact, through a close and continuing collaboration between legal, technology, and business stakeholders.
U.S. companies face a massive wave of wiretapping law class action lawsuits and regulatory enforcement actions over online “tracking technologies.” Nearly every company with a website or app uses pixels, SDKs, cookies, session-replay technology, and chat/chatbot tools, putting them in the crosshairs. In California alone, plaintiffs have reportedly filed more than 1,800 lawsuits since 2022 under the state’s two-party consent wiretapping law (the California Invasion of Privacy Act (CIPA)). These laws carry statutory damages (e.g., up to $5,000 per violation under CIPA), which makes them an extremely attractive target for class action plaintiff attorneys. Plaintiffs’ attorneys have also issued thousands of demand letters, the settlement of which has helped build a war chest for funding further litigation.