Bianca Nalaschi

Bianca brings extensive experience in data privacy, cybersecurity, and litigation. She develops incident response strategies tailored to unique client objectives, coordinates with third-party experts to determine the nature and scope of cybersecurity events, and counsels clients on compliance with state, federal, international, and contractual legal obligations. Bianca has represented clients in third-party liability actions, from pre-suit through case resolution.

In Part 1 of this series, we outlined the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: who is covered, when audits are required, and the key obligations to keep in mind. In Part 2, we explored the mechanics and explained what the California Privacy Protection Agency (CalPrivacy) expects the cybersecurity audit to look like in practice, including what must be evaluated, who may conduct the audit, how thorough it must be, and what goes into the audit report.

In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.

Key point: With a private right of action and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to ensure they are not unintentionally triggering the bill’s provisions.

On March 11, 2026, the Washington legislature passed HB 2225, making Washington the second state this session to pass a bill specifically aimed at regulating artificial intelligence (AI) companions. The bill is now with Governor Bob Ferguson for consideration. He has 20 days from receipt of the bill to either sign or veto it. If the governor takes no action within that timeframe, the bill will become law without his signature and will go into effect on January 1, 2027. The bill was filed at Ferguson’s request, so presumably he will sign it.

Earlier this session, we wrote about Oregon’s SB 1546, another consumer-facing interactive AI bill focused on AI companions with a private right of action and statutory damages. Washington’s bill imposes similar requirements on businesses that deploy AI companion chatbots but arguably has an even broader applicability standard. The Washington bill also includes a private right of action, which is modeled on the private right of action in Washington’s My Health My Data Act (MHMD) and does not include statutory damages.

In the article below, we provide an overview of the Washington bill.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.

Key point: With a private right of action, statutory damages, and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to make sure they are not unintentionally triggering the bill’s provisions.

On March 5, 2026, Oregon’s legislature passed a consumer-facing interactive artificial intelligence (AI) bill focused on AI companions (SB 1546). The bill will next head to Governor Tina Kotek, who will have 30 full weekdays to sign, veto, or allow the bill to become law without her signature. According to Oregon’s legislative website, no one publicly testified in opposition to the bill, and it passed both chambers with only two no votes. If the bill becomes law, it will go into effect January 1, 2027.

Although the bill is directed at AI companions, as discussed below, the bill contains ambiguous and undefined terms that could lead to businesses unintentionally triggering its provisions. This is particularly concerning given that the bill contains a private right of action with statutory damages of $1,000 for each violation.

The following article provides an overview of the Oregon bill, its applicability, obligations, and potential implications for businesses.

Key point: Businesses operating companion chatbots in California or New York are subject to new legal obligations, including providing notices to users and ensuring protocols are in place to prevent self-harm.

On January 1, 2026, California’s companion chatbot law (SB 243) took effect after being signed into law on October 13, 2025 by Governor Gavin Newsom. The law imposes certain obligations on companion chatbot operators to implement “critical, reasonable, and attainable” safeguards surrounding the use of and interaction with “companion chatbots” with a focus on protecting minors. SB 243 follows New York’s AI Companion Models statute, N.Y. Gen. Business Law § 1700, et seq., a similar companion chatbot bill that went into effect November 5, 2025.

Key Point: California’s existing breach notification statute was amended to include more decisive guidelines for reporting to individuals and regulators.

On October 5, 2025, California Governor Gavin Newsom signed SB-446 into law, which bill sponsor Sen. Melissa Hurtado (D-CA) indicates is aimed at “closing a critical loophole” in California’s existing breach notification statute. Below, we first provide a brief background on the scope of the law and then discuss the amendment.