2026

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: Three takeaways from May decisions: (1) cookie banners cut both ways for plaintiffs and defendants; (2) generic wiretapping “contents” allegations lose while transaction-specific ones survive; and (3) courts are splitting on whether a profit motive satisfies the crime-tort exception.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from May 2026.

Key point: Two courts in 2026 have allowed CCPA claims to proceed based on adtech use without addressing whether adtech discloses “personal information” under the CCPA

According to plaintiffs’ interpretation of a May 2026 decision from the Northern District of California, if your company uses Google Analytics, Meta Pixel, or other third-party tracking technology on its website, you may be exposed to not only wiretapping or trap-and-trace claims under the California Invasion of Privacy Act (CIPA) or federal law, but also claims under the California Consumer Privacy Act (CCPA) even if you never experience a data breach.

Flag of Louisiana Background, Pelican State

Key point: Louisiana becomes the 22nd state — and third this year — to enact a consumer data privacy law, adopting a law similar to Texas’ law.

On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act (SB 386) into law. Louisiana is the 22nd state to pass a broad consumer data privacy law. It is the third state — following Oklahoma and Alabama — to pass a law this year.

The new law largely tracks Texas’ law but with some notable differences we identify below.

Webinars_1200x600_GettyImages-1055951048

Tracking technology litigation continues to evolve and expand, driven by increasingly sophisticated data collection techniques, broader use of session replay, identity resolution, AI-driven profiling, and growing scrutiny from plaintiffs, regulators, and courts over whether companies are adequately disclosing, governing, and technically controlling how user data is collected, shared, and monetized. 

Blogs_PrivacyCyberAI_OG_StatePrivacyandAILawUpdate

Key point: Vermont’s legislature passed a consumer data privacy bill, Illinois’ legislature passed an AI frontier model bill, and eight bills crossed chambers in California.

Below is the 20th update on the status of proposed state privacy and AI legislation in 2026. With state legislative activity slowing, we have combined our weekly privacy and AI posts.

TPL_Podcasts_ConsumerFinance_LinkedIn

In this episode of The Consumer Finance Podcast, Chris Willis and Kim Phan unpack Colorado’s brand-new Automated Decision-Making Technology (ADMT) Act, which repeals and replaces the state’s much-criticized 2024 AI law. They explain the shift from “high-risk AI systems” to the broader ADMT framework, what it means for consequential decisions in lending and financial services, and how the statute’s “material influence” standard can sweep in tools that do far more than make final credit determinations.

Flag of the state Connecticut.

Key point: Connecticut’s new AI law adds to the growing complexity of state laws directed at commonly used automated employment decision tools.

On May 27, 2026, Connecticut Governor Ned Lamont signed SB 5 into law. Connecticut Senator James Maroney authored the bill, which covers several different areas involving the regulation of artificial intelligence (AI), including frontier models, chatbots, employment, and provenance. Lamont also signed into law a companion bill, SB 4, which amends Connecticut’s consumer data privacy law and establishes a data broker registration law. Altogether, the two bills significantly redefine the state’s privacy law and introduce requirements for the use of AI.

In the coming weeks, we will be posting articles analyzing several of the key aspects of these bills. In this first article, we analyze SB 5’s provisions as they relate to the use of automated employment decision technologies (AEDT).

Waving flag of NEW JERSEY

Key point: In response to an open records request submitted by Troutman Pepper Locke, the New Jersey Attorney General’s office provided copies of all cure letters sent pursuant to New Jersey’s consumer data privacy law and resolved by the recipient.

As shown by recent enforcement actions in California, including its most recent $12.5 million fine, the risk for companies that are out of compliance with state consumer data privacy laws has never been higher. As more state laws go into effect and cure periods sunset, the risk will only grow. One state where the enforcement risk may be higher is New Jersey.