November 2025

Key point: The court held that NetChoice’s complaint adequately states constitutional claims against Maryland’s Age-Appropriate Design Code Act and allowed NetChoice’s lawsuit to continue, but did not rule on the merits of the claims or enjoin the law.

On November 24, 2025, Maryland District Court Judge Richard Bennett denied Maryland’s motion to dismiss a complaint filed by NetChoice challenging Maryland’s Age-Appropriate Design Code Act, commonly referred to as the Maryland Kids Code. NetChoice’s complaint alleges that the Kids Code violates the First Amendment and is preempted by federal law. The decision finds only that NetChoice’s complaint states plausible claims. The court did not rule on the merits of the claims and did not enjoin the law. In the below article, we provide a brief overview of the Kids Code and the decision.

The Oklahoma state flag waving along with the national flag of the United States of America

Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.

Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.

The below article provides an overview of the amendments.

Privacy_1200x600_GettyImages-1952157610

Key point: The Third Circuit Court of Appeals recently issued an opinion affirming the dismissal of a class action complaint asserting both California Invasion of Privacy Act (CIPA) and California Medical Information Act (CMIA) claims, providing helpful guidance on the application of the “party exception” defense to a wiretap claim, as well as the meaning of “medical information” under the CMIA claim.

Key point: The most recent CCPA enforcement action focuses on the CCPA’s right to opt out of sales and shares and treatment of minor’s data.

On November 21, 2025, the California Attorney General (AG) announced its latest enforcement action for violations of the California Consumer Privacy Act (CCPA). The complaint alleges that a gaming app developer failed to provide a CCPA-compliant opt-out link or setting within any of its 21 apps or website. The complaint also alleges that six of the developer’s apps sold the personal information of consumers between the ages of 13 and 16 without obtaining consent. Pursuant to the final judgment and permanent injunction, the developer agreed to pay $1.4 million, implement corrective measures, and maintain a compliance program.

The settlement is the ninth CCPA public enforcement action, including six by the AG and three by the California Privacy Protection Agency. Seven of the nine enforcement actions are from this year, showing a notable increase in enforcement activity. As with prior enforcement actions, this settlement reinforces that businesses should be auditing their current practices and procedures to ensure that they are compliant and remain compliant.

In the below article, we provide a summary of the violations and penalties.

AI Webinar

In today’s rapidly evolving digital landscape, AI is transforming how businesses operate. One challenge is the rapidly emerging patchwork of state and local AI laws and regulations. Last year alone, state lawmakers introduced more than 500 bills on various AI topics and issues.

On December 10, from noon to 1

Key point: The California Privacy Protection Agency’s announcement places even more scrutiny on the compliance practices of data brokers.

On November 19, 2025, the California Privacy Protection Agency (now calling itself CalPrivacy) announced the creation of a Data Broker Enforcement Strike Force. The stated goal of the strike force is to review the data broker “industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act.” Announcing the launch, Michael Macko, CalPrivacy’s head of enforcement, stated “For decades, strike forces have been a mainstay at U.S. Attorney offices and state Attorney General offices across the United States. We intend to bring the same level of intensity to our investigations into the data broker industry.”

TPL_Podcasts_ConsumerFinance_LinkedIn

In this episode of The Consumer Finance Podcast, Chris Willis is joined by colleagues Jason Manning, Angelo Stio, and Rob Jenkin to unpack the surge of litigations arising from the use of tracking technologies (e.g., cookies, pixels, and session tools) on websites. This episode explains how plaintiff firms are repurposing federal and state wiretap and “trap-and-trace” laws, as well as the Video Privacy Protection Act (VPPA), to assert claims associated with a business’s use of tracking technologies without consent. 

Privacy_1200x600_GettyImages-1400779382

Key point: The California AG’s fifth CCPA-related enforcement action focuses on the CCPA’s right to opt out of sales/shares and on children’s privacy provisions and, with respect to the right to opt out, it should trigger businesses to reevaluate their procedures, especially as it relates to the treatment of account holders and mobile apps.

On October 30, 2025, the California attorney general (AG) announced a settlement with a streaming services provider[1] over violations of the California Consumer Privacy Act (CCPA). Pursuant to the proposed final judgment and permanent injunction, the company will pay a $530,000 fine and implement several injunctive relief requirements. According to the press release, the settlement arose from a 2024 investigative sweep of streaming services.

The complaint alleges two CCPA violations: (1) failure to provide easy-to-execute methods for consumers to opt out of the selling and sharing of their personal information; and (2) failure to provide sufficient privacy protections for children. Given that these are distinct issues, we will address them in two separate articles. This first article provides a brief background of the enforcement action, an analysis of the right to opt-out violations, and a summary of the injunctive relief requirements. The next article will analyze the children’s privacy violations.