2025

Key point: A federal district court judge rejected the claim that the disclosure law violates the First Amendment.

On October 8, 2025, a judge for the U.S. District Court for the Southern District of New York granted the New York attorney general’s (AG) motion to dismiss a lawsuit filed by a retail trade association claiming that New York’s Algorithmic Pricing Disclosure Act violates the First Amendment. Below, we provide a brief history and summary of the law and analysis of the court’s decision.

Key point: California lawmakers once again increase the disclosure and transparency requirements for registered data brokers.

On October 8, 2025, California Governor Newsom signed SB 361 into law. The bill amends California’s existing data broker registration law to require data brokers to provide significantly more disclosures regarding their processing activities when annually registering with the California Privacy Protection Agency (CPPA).

This amendment comes shortly after the CPPA board’s recent approval of amendments to the state’s data broker regulations to incorporate the 2023 Delete Act (SB 362), including the creation of an accessible deletion mechanism that data brokers will need to comply with starting in August 2026. Those regulations were filed with the Office of Administrative Law on September 26.

Given these developments, California data brokers will need to take additional compliance measures in the coming months. In the article below, we provide an overview of the changes made by SB 361.

Key point: California enacts first-in-the-nation law focused on regulating frontier artificial intelligence models.

On September 29, 2025, California Governor Gavin Newsom signed SB 53 — the Transparency in Frontier Artificial Intelligence Act (TFAIA) — into law. As explained in the Senate floor analysis, the law “requires large artificial intelligence (AI) developers . . . to publish safety frameworks, disclose specified transparency reports, and report critical safety incidents to the Office of Emergency Services (OES).” The law also “creates enhanced whistleblower protections for employees reporting AI safety violations and establishes a consortium to design a framework for ‘CalCompute,’ a public cloud platform to expand safe and equitable AI research.” The law was hailed by both Newsom and its primary sponsor, Senator Scott Wiener, as striking a proper balance between innovation and placing sensible guardrails on frontier AI models.

On September 25, attorneys from Troutman Pepper Locke’s Privacy + Cyber + AI team hosted the second of two webinars analyzing the new California Consumer Privacy Act (CCPA) regulations. This webinar focused on the CCPA’s new cybersecurity audit and insurance regulations, as well as updates to the existing regulations. The webinar recording and slide deck are now available here and here, respectively.

Key point: Our new chart identifies and analyzes the varying and changing applicability standards for the 19 state consumer data privacy laws.

The applicability standards for state consumer data privacy laws have become a complicated maze that is, at times, difficult to track and apply. These laws are no longer just based on revenue or the number of consumers whose information a controller processes. For example:

Key point: Businesses subject to the CCPA must comply with extensive new regulations.

On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.