Key point: The enforcement action alleges that the retailer failed to provide adequate privacy disclosures to website visitors and job applicants, failed to effectuate opt-out requests, including recognizing the Global Privacy Control signal, and lacked legally compliant data processing agreements with third parties.
Key point: Our new chart identifies and analyzes the varying and changing applicability standards for the 19 state consumer data privacy laws.
The applicability standards for state consumer data privacy laws have become a complicated maze that is, at times, difficult to track and apply. These laws are no longer just based on revenue or the number of consumers whose information a controller processes. For example:
Key point: Businesses subject to the CCPA must comply with extensive new regulations.
On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.
Key point: Children’s privacy remained a hot topic during the 2025 state legislative session, with multiple states passing laws, adding to the growing patchwork of children’s privacy laws.
Key point: Our new chart identifies and compares the definitions of sensitive data under the 19 state consumer data privacy laws.
Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.
The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.
Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.
On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).
Key point: Our new chart identifies and categorizes the numerous triggers for when companies must conduct risk assessment and impact assessment requirements under state privacy and AI laws.
Key point: The California legislature heads into its final week with more than 20 privacy and AI bills still under consideration.
Over the last few weeks, we have been tracking and providing weekly updates on 32 privacy- and AI-related bills that crossed chambers prior to the legislative deadline. Below is an update on last week’s events.
Key point: Our new tracker chart identifies state privacy and AI deadlines from 2025 to 2030.
Between consumer data privacy laws, AI laws, data broker laws, and children’s privacy laws, the number of deadlines companies must track has exploded. This includes deadlines that are often buried in laws and regulations, beyond just a law’s effective date. The new California Consumer Privacy Act (CCPA) regulations will add even more dates for companies to track, including new deadlines for risk assessments, cybersecurity audits, and automated decision-making technology.