KEYPOINT– The N.D.Cal. shared its frustration with the language of CIPA, the conflicting rulings on how it has been applied, and the need for the legislature to fix it, as part of its recent decision granting summary judgment and dismissing a CIPA claim.
Key point: California expands the scope of the California AI Transparency Act by adding compliance obligations and extends the operative date to August 2, 2026.
Key point: California’s new Digital Age Assurance Act will likely create significant compliance challenges for many businesses.
On October 13, 2025, California Governor Gavin Newsom signed AB 1043 — the Digital Age Assurance Act — into law. In doing so, California joins Louisiana, Texas, and Utah, in passing laws this year requiring app developers to receive age bracket signals. While California’s law is more operational in nature, and in key respects narrower than the content-focused nature of the laws passed by Louisiana, Texas, and Utah, when AB 1043 goes into effect on January 1, 2027, the law will likely require companies to consider unique implementation strategies and may frustrate approaches to creating a uniform age-assurance compliance program. Further, the law will likely affect almost every app developer operating in California, including many that have never dealt with age verification requirements.
In the below article, we provide background and a summary of the law, discuss how it compares with other similar-in-kind laws, and outline some implications businesses will need to consider.
Key point: Courts are concluding that not all data breaches should result in a lawsuit. Businesses need to consider causation and damages when responding to an incident and take steps to determine if there is no evidence of harm or traceability including on a class wide basis.
Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.
On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers | Department of Financial Services specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers (“Guidance”). According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.
Key point: Our new chart identifies and analyzes several remaining provisions in U.S. state consumer data privacy laws that are not already covered in our prior charts.
In our next comparison chart of U.S. state consumer data privacy laws, we compare various provisions of the laws that we did not
2025 was another incredibly active year in state privacy and AI laws with states enacting numerous new laws and amending existing laws and regulations. Enforcement also picked up speed and intensity. Combined, this activity created an ever-increasing and complex patchwork of requirements and obligations on companies.
On November 6, from
Key point: California’s expansion of its antitrust law — targeting algorithmic pricing and lowering the bar for litigation — signals a major shift in how companies must approach algorithmic pricing tools and compliance.
On October 6, 2025, Governor Gavin Newsom signed into law two significant amendments to California’s Cartwright Act: AB 325 and SB 763. These amendments to the Cartwright Act are the most significant updates to the law in recent years. AB 325 addresses algorithmic price-fixing by prohibiting the use or distribution of pricing algorithms among two or more entities to coordinate prices or commercial terms. SB 763 substantially increases corporate and individual criminal fines for violations. The new laws take effect on January 1, 2026.
Key point: Of the 15 privacy and AI-related bills passed by the California legislature in the 2025 session that we have been tracking, Governor Gavin Newsom signed 10 into law and vetoed five.
Throughout the 2025 legislative session, we tracked numerous privacy and AI-related bills pending in California. Fifteen of those bills passed the state legislature before the legislative session ended in September. Of the 15 total bills, Newsom signed 10 into law and vetoed five. Those 10 bills that became law consist of three laws related to privacy and seven laws related to AI.
The below article provides a summary of the 10 bills that Newsom either signed into law or vetoed.
Key Point: California’s existing breach notification statute was amended to include more decisive guidelines for reporting to individuals and regulators.
On October 5, 2025, California Governor Gavin Newsom signed SB-446 into law, which bill sponsor Sen. Melissa Hurtado (D-CA) indicates is aimed at “closing a critical loophole” in California’s existing breach notification statute. Below, we first provide a brief background on the scope of the law and then discuss the amendment.