Key point: Businesses subject to the CCPA must comply with extensive new regulations.
On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.
Key point: Children’s privacy remained a hot topic during the 2025 state legislative session, with multiple states passing laws, adding to the growing patchwork of children’s privacy laws.
Key point: Our new chart identifies and compares the definitions of sensitive data under the 19 state consumer data privacy laws.
Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.
The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.
Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.
On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).
Key point: Our new chart identifies and categorizes the numerous triggers for when companies must conduct risk assessment and impact assessment requirements under state privacy and AI laws.
Key point: The California legislature heads into its final week with more than 20 privacy and AI bills still under consideration.
Over the last few weeks, we have been tracking and providing weekly updates on 32 privacy- and AI-related bills that crossed chambers prior to the legislative deadline. Below is an update on last week’s events.
Key point: Our new tracker chart identifies state privacy and AI deadlines from 2025 to 2030.
Between consumer data privacy laws, AI laws, data broker laws, and children’s privacy laws, the number of deadlines companies must track has exploded. This includes deadlines that are often buried in laws and regulations, beyond just a law’s effective date. The new California Consumer Privacy Act (CCPA) regulations will add even more dates for companies to track, including new deadlines for risk assessments, cybersecurity audits, and automated decision-making technology.
Key point: After the August 29 deadline for fiscal committees to report bills, four of the nine privacy-related bills and 17 of the 23 AI-related bills we have been tracking are still alive.
Key point: Unable to reach an agreement on amending the Colorado AI Act during the special session, the Colorado legislature voted to delay the law’s effective date to June 30, 2026.
On August 26, the Colorado legislature ended its special session by voting to pass SB 4, which extends the Colorado AI Act’s effective date from February 1, 2026, to June 30, 2026. The bill will next head to Governor Jared Polis, who is expected to sign it into law.