In this episode of our special 12 Days of Regulatory Insights podcast series, Gene Fishel, a member of the firm’s RISE Practice Group and State AG team, is joined by Partner Dave Navetta of the Privacy + Cyber Practice Group, to discuss the biggest privacy and cyber enforcement themes of 2025 and preview what’s ahead for 2026.
KEYPOINT– The N.D.Cal. shared its frustration with the language of CIPA, the conflicting rulings on how it has been applied, and the need for the legislature to fix it, as part of its recent decision granting summary judgment and dismissing a CIPA claim.
This article was republished on ALM’s Business Crimes Bulletin on September 30, 2025 and on Law.com on October 14, 2025.
Key point: Addressing the litigation and regulatory risks regarding tracking technologies requires a balanced approach between legal exposure and business impact, through a close and continuing collaboration between legal, technology, and business stakeholders.
U.S. companies face a massive wave of wiretapping law class action lawsuits and regulatory enforcement actions over online “tracking technologies.” Nearly every company with a website or app uses pixels, SDKs, cookies, session-replay technology, and chat/chatbot tools, putting them in the crosshairs. In California alone, plaintiffs have reportedly filed more than 1,800 lawsuits since 2022 under the state’s two-party consent wiretapping law (the California Invasion of Privacy Act (CIPA)). These laws carry statutory damages (e.g., up to $5,000 per violation under CIPA), which makes them an extremely attractive target for class action plaintiff attorneys. Plaintiffs’ attorneys have also issued thousands of demand letters, the settlement of which has helped build a war chest for funding further litigation.
Key point: Unable to reach an agreement on amending the Colorado AI Act during the special session, the Colorado legislature voted to delay the law’s effective date to June 30, 2026.
On August 26, the Colorado legislature ended its special session by voting to pass SB 4, which extends the Colorado AI Act’s effective date from February 1, 2026, to June 30, 2026. The bill will next head to Governor Jared Polis, who is expected to sign it into law.
Key point: Starting August 21, Colorado lawmakers will consider four bills that significantly amend the Colorado AI Act.
On August 21, Colorado lawmakers will reconvene for a special legislative session. Earlier this month, Governor Jared Polis called the special session to deal with a nearly $1 billion hole in Colorado’s state budget created by the federal government’s One Big Beautiful Bill (H.R. 1) and to consider amendments to Colorado’s first-in-the-nation Colorado AI Act.
Key point: The Colorado attorney general’s (AG’s) office is considering amendments to its Colorado Privacy Act (CPA) rules to provide further guidance to controllers subject to the law’s children’s privacy protections.
In late July, the Colorado AG’s office circulated draft amendments to the CPA rules. The draft amendments modify and supplement the existing CPA rules in reaction to the Colorado legislature passing two bills amending the CPA over the prior two sessions. Below, we provide an overview of the draft amendments and relevant context for the rulemaking.
Key point: The California legislature is currently considering several privacy-related bills that could impact the private sector.
The California legislature is currently in its summer recess, returning on August 18. Once it returns, it will have approximately five weeks to pass bills prior to closing for the year on September 12.
We are currently tracking 23 private sector AI-related bills and eight privacy-related bills that crossed chambers at the legislature’s deadline. If passed and signed into law, these bills could significantly impact companies doing business in California.
In this two-part series, we provide a brief summary of the bills and their current status. This article focuses on the privacy bills. Our prior article focused on the AI bills. Once the legislature reconvenes, we will provide regular updates on the status of the bills. If you are not already subscribed to this blog, we encourage you to do so to stay up to date.
Key point: Colorado lawmakers will have another opportunity to amend the Colorado AI Act.
On August 6, Colorado Governor Jared Polis announced that he is calling back the Colorado legislature for a special session starting Thursday, August 21, at 10:00 a.m. The special session is primarily directed at dealing with
Key point: The California legislature is considering more than 20 AI-related private sector bills.
The California legislature is currently in its summer recess, returning on August 18. Once it returns, it will have approximately five weeks to pass bills prior to closing for the year on September 12.
Renowned Privacy Law Attorney Brings Extensive Experience in State Legislation and AI Regulation, Strengthening Firm’s National Reach and Service Offerings
David Stauss has joined Troutman Pepper Locke as a partner in the firm’s Privacy and Cyber Practice Group. A distinguished authority in privacy, information security, and AI law, Stauss brings