Photo of Shelby Dolen

Shelby Dolen

Subscribe to Shelby Dolen's Posts

Shelby develops and implements comprehensive privacy programs that are tailored to the specific needs of each client, helping them to remain compliant as privacy laws continue to evolve at the state, federal, and international levels. She is well versed in all U.S. state privacy laws, laws governing social media and children’s data, AI laws and regulations, and international data privacy laws, including the GDPR.

Contact:Read more about Shelby Dolen
The Texas state flag waving along with the national flag of the United States of America

Key point: Set to take effect on January 1, 2026, court blocks the Texas App Store Accountability Act on constitutional grounds.

A Texas federal district court granted a preliminary injunction enjoining the Texas App Store Accountability Act today, stating that the law likely violates the First Amendment and is unconstitutionally vague. In October, an internet trade association sued the state of Texas over the act, and this month the case was consolidated with another case stating similar claims. The law was scheduled to take effect January 1, 2026, and imposed obligations on both app stores and developers providing mobile applications to Texas users. Texas will be unable to implement or enforce the act while the litigation is ongoing.

Privacy_1200x600_GettyImages-1400779382

Key point: The California AG’s fifth CCPA-related enforcement action focuses on the CCPA’s right to opt out of sales/shares and on children’s privacy provisions and, with respect to the right to opt out, it should trigger businesses to reevaluate their procedures, especially as it relates to the treatment of account holders and mobile apps.

On October 30, 2025, the California attorney general (AG) announced a settlement with a streaming services provider[1] over violations of the California Consumer Privacy Act (CCPA). Pursuant to the proposed final judgment and permanent injunction, the company will pay a $530,000 fine and implement several injunctive relief requirements. According to the press release, the settlement arose from a 2024 investigative sweep of streaming services.

The complaint alleges two CCPA violations: (1) failure to provide easy-to-execute methods for consumers to opt out of the selling and sharing of their personal information; and (2) failure to provide sufficient privacy protections for children. Given that these are distinct issues, we will address them in two separate articles. This first article provides a brief background of the enforcement action, an analysis of the right to opt-out violations, and a summary of the injunctive relief requirements. The next article will analyze the children’s privacy violations.

CPRA_1200x600_GettyImages-1206098096

Key point: California’s new Digital Age Assurance Act will likely create significant compliance challenges for many businesses.

On October 13, 2025, California Governor Gavin Newsom signed AB 1043 — the Digital Age Assurance Act — into law. In doing so, California joins Louisiana, Texas, and Utah, in passing laws this year requiring app developers to receive age bracket signals. While California’s law is more operational in nature, and in key respects narrower than the content-focused nature of the laws passed by Louisiana, Texas, and Utah, when AB 1043 goes into effect on January 1, 2027, the law will likely require companies to consider unique implementation strategies and may frustrate approaches to creating a uniform age-assurance compliance program. Further, the law will likely affect almost every app developer operating in California, including many that have never dealt with age verification requirements.

In the below article, we provide background and a summary of the law, discuss how it compares with other similar-in-kind laws, and outline some implications businesses will need to consider.

This article was republished in ALM’s Cybersecurity Law & Strategy Newsletter on October 31, 2025.

Key point: The rules provide further guidance to controllers subject to the law’s children’s privacy protections.

On October 9, 2025, the Colorado attorney general’s (AG) office announced final revisions to the proposed draft amendments to the Colorado Privacy Act (CPA) rules. The office published draft rules in July and solicited public comments. The final revisions reflect changes to the rules based on those public comments. The office has requested an AG opinion letter for these rules. After the opinion letter is received, the rules will be filed with the secretary of state for publication in the Colorado Register. The rules will become effective 20 days after publication.

In the below article, we provide a brief summary of the changes.

Key point: A federal district court judge rejected the claim that the disclosure law violates the First Amendment.

On October 8, 2025, a judge for the U.S. District Court for the Southern District of New York granted the New York attorney general’s (AG) motion to dismiss a lawsuit filed by a retail trade association claiming that New York’s Algorithmic Pricing Disclosure Act violates the First Amendment. Below, we provide a brief history and summary of the law and analysis of the court’s decision.

Key point: Businesses subject to the CCPA must comply with extensive new regulations.

On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.

Colorado state flags waving along with the national flag of the United States of America

Key point: Unable to reach an agreement on amending the Colorado AI Act during the special session, the Colorado legislature voted to delay the law’s effective date to June 30, 2026.

On August 26, the Colorado legislature ended its special session by voting to pass SB 4, which extends the Colorado AI Act’s effective date from February 1, 2026, to June 30, 2026. The bill will next head to Governor Jared Polis, who is expected to sign it into law.

Colorado state flags waving along with the national flag of the United States of America

Key point: Starting August 21, Colorado lawmakers will consider four bills that significantly amend the Colorado AI Act.

On August 21, Colorado lawmakers will reconvene for a special legislative session. Earlier this month, Governor Jared Polis called the special session to deal with a nearly $1 billion hole in Colorado’s state budget created by the federal government’s One Big Beautiful Bill (H.R. 1) and to consider amendments to Colorado’s first-in-the-nation Colorado AI Act.