Photo of David Stauss

David Stauss

Subscribe to David Stauss's Posts

David guides clients as they navigate the complexities of privacy and cyber law. His straightforward advice and thorough approach are a benefit to clients as they confront their toughest challenges.

Follow:Read more about David StaussDavid's Linkedin Profile
Privacy_1200x600_GettyImages-1400779382

Key point: The California AG’s fifth CCPA-related enforcement action focuses on the CCPA’s right to opt out of sales/shares and on children’s privacy provisions and, with respect to the right to opt out, it should trigger businesses to reevaluate their procedures, especially as it relates to the treatment of account holders and mobile apps.

On October 30, 2025, the California attorney general (AG) announced a settlement with a streaming services provider[1] over violations of the California Consumer Privacy Act (CCPA). Pursuant to the proposed final judgment and permanent injunction, the company will pay a $530,000 fine and implement several injunctive relief requirements. According to the press release, the settlement arose from a 2024 investigative sweep of streaming services.

The complaint alleges two CCPA violations: (1) failure to provide easy-to-execute methods for consumers to opt out of the selling and sharing of their personal information; and (2) failure to provide sufficient privacy protections for children. Given that these are distinct issues, we will address them in two separate articles. This first article provides a brief background of the enforcement action, an analysis of the right to opt-out violations, and a summary of the injunctive relief requirements. The next article will analyze the children’s privacy violations.

CPRA_1200x600_GettyImages-1206098096

Key point: California’s new Digital Age Assurance Act will likely create significant compliance challenges for many businesses.

On October 13, 2025, California Governor Gavin Newsom signed AB 1043 — the Digital Age Assurance Act — into law. In doing so, California joins Louisiana, Texas, and Utah, in passing laws this year requiring app developers to receive age bracket signals. While California’s law is more operational in nature, and in key respects narrower than the content-focused nature of the laws passed by Louisiana, Texas, and Utah, when AB 1043 goes into effect on January 1, 2027, the law will likely require companies to consider unique implementation strategies and may frustrate approaches to creating a uniform age-assurance compliance program. Further, the law will likely affect almost every app developer operating in California, including many that have never dealt with age verification requirements.

In the below article, we provide background and a summary of the law, discuss how it compares with other similar-in-kind laws, and outline some implications businesses will need to consider.

CA_StateFlag_1200x600_GettyImages-1435108815

Key point: Of the 15 privacy and AI-related bills passed by the California legislature in the 2025 session that we have been tracking, Governor Gavin Newsom signed 10 into law and vetoed five.

Throughout the 2025 legislative session, we tracked numerous privacy and AI-related bills pending in California. Fifteen of those bills passed the state legislature before the legislative session ended in September. Of the 15 total bills, Newsom signed 10 into law and vetoed five. Those 10 bills that became law consist of three laws related to privacy and seven laws related to AI.

The below article provides a summary of the 10 bills that Newsom either signed into law or vetoed.

This article was republished in ALM’s Cybersecurity Law & Strategy Newsletter on October 31, 2025.

Key point: The rules provide further guidance to controllers subject to the law’s children’s privacy protections.

On October 9, 2025, the Colorado attorney general’s (AG) office announced final revisions to the proposed draft amendments to the Colorado Privacy Act (CPA) rules. The office published draft rules in July and solicited public comments. The final revisions reflect changes to the rules based on those public comments. The office has requested an AG opinion letter for these rules. After the opinion letter is received, the rules will be filed with the secretary of state for publication in the Colorado Register. The rules will become effective 20 days after publication.

In the below article, we provide a brief summary of the changes.

Key point: A federal district court judge rejected the claim that the disclosure law violates the First Amendment.

On October 8, 2025, a judge for the U.S. District Court for the Southern District of New York granted the New York attorney general’s (AG) motion to dismiss a lawsuit filed by a retail trade association claiming that New York’s Algorithmic Pricing Disclosure Act violates the First Amendment. Below, we provide a brief history and summary of the law and analysis of the court’s decision.

Key point: California lawmakers once again increase the disclosure and transparency requirements for registered data brokers.

On October 8, 2025, California Governor Newsom signed SB 361 into law. The bill amends California’s existing data broker registration law to require data brokers to provide significantly more disclosures regarding their processing activities when annually registering with the California Privacy Protection Agency (CPPA).

This amendment comes shortly after the CPPA board’s recent approval of amendments to the state’s data broker regulations to incorporate the 2023 Delete Act (SB 362), including the creation of an accessible deletion mechanism that data brokers will need to comply with starting in August 2026. Those regulations were filed with the Office of Administrative Law on September 26.

Given these developments, California data brokers will need to engage in additional compliance measures in the coming months. In the below article, we provide an overview of the changes made by SB 361.

IoT_1200x600_GettyImages-1661051950

Key point: California enacts first-in-the-nation law focused on regulating frontier artificial intelligence models.

On September 29, 2025, California Governor Gavin Newsom signed SB 53 — the Transparency in Frontier Artificial Intelligence Act (TFAIA) — into law. As explained in the Senate floor analysis, the law “requires large artificial intelligence (AI) developers . . . to publish safety frameworks, disclose specified transparency reports, and report critical safety incidents to the Office of Emergency Services (OES).” The law also “creates enhanced whistleblower protections for employees reporting AI safety violations and establishes a consortium to design a framework for ‘CalCompute,’ a public cloud platform to expand safe and equitable AI research.” The law was hailed by both Newsom and its primary sponsor, Senator Scott Wiener, as striking a proper balance between innovation and placing sensible guardrails on frontier AI models.