In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.
In Part 1 of this series, we outlined the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: who is covered, when audits are required, and the key obligations to keep in mind. In Part 2, we explored the mechanics and explained what the California Privacy Protection Agency (CalPrivacy) expects the cybersecurity audit to look like in practice, including what must be evaluated, who may conduct the audit, how thorough it must be, and what goes into the audit report.
On March 16, 2026, New York Attorney General (AG) Letitia James rallied in support of the “One Fair Price Package” — a pair of bills aimed at curbing algorithmic and surveillance pricing in New York. Together, the bills would prohibit the use of personalized algorithmic pricing based on consumer data, ban electronic shelf labels in large food and drug retailers, and create robust enforcement mechanisms and private rights of action. The announcement from New York comes shortly after New Jersey Governor Mikie Sherrill backed legislation to ban what she has called “surveillance” pricing, and after California Attorney General Rob Bonta announced an investigative sweep focused on businesses that use consumer data to individualize prices for their goods or services earlier this year.
In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.
This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.
Key Points: California Attorney General Rob Bonta announced a sweep concerning so-called “surveillance pricing” or “algorithmic pricing” The AG highlights potential CCPA privacy violations tied to the use of individualized pricing models based on a lack of transparency and failure to comply with the CCPA’s “purpose limitation” principle. Other regulators are likely to follow suit — now is the time to assess and mitigate potential compliance and enforcement risks.
On January 27, 2026, California Attorney General (AG) Rob Bonta announced an investigative sweep focused on businesses that use consumer data to individualize prices for their goods or services. Bonta framed the issue as follows:
“Consumers have the right to understand how their personal information is being used, including whether companies are using their data to set the prices that Californians pay, whether that be for groceries, travel, or household goods. We need to know whether businesses are charging people different prices for the same good or service — and if they’re complying with the law.”
The California Department of Justice (DOJ) is issuing written inquiries to businesses with substantial online operations in the retail, grocery, and hotel industries that leverage individualized pricing. It is requesting certain information on this issue, including details about:
This post summarizes the basis for the California DOJ’s investigatory sweep, how it intends to apply California Consumer Privacy Act (CCPA) requirements, and how businesses can prepare for and mitigate the risk of these inquiries and potential enforcement actions.
Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.
Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.
The below article provides an overview of the amendments.