Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.

CA_StateFlag_1200x600_GettyImages-1435108815

Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.

The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.

Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.

On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).

IoT_1200x600_GettyImages-1661051950

This article was republished on ALM’s Business Crimes Bulletin on September 30, 2025 and on Law.com on October 14, 2025.

Key point: Addressing the litigation and regulatory risks regarding tracking technologies requires a balanced approach between legal exposure and business impact, through a close and continuing collaboration between legal, technology, and business stakeholders.

U.S. companies face a massive wave of wiretapping law class action lawsuits and regulatory enforcement actions over online “tracking technologies.” Nearly every company with a website or app uses pixels, SDKs, cookies, session-replay technology, and chat/chatbot tools, putting them in the crosshairs. In California alone, plaintiffs have reportedly filed more than 1,800 lawsuits since 2022 under the state’s two-party consent wiretapping law (the California Invasion of Privacy Act (CIPA)). These laws carry statutory damages (e.g., up to $5,000 per violation under CIPA), which makes them an extremely attractive target for class action plaintiff attorneys. Plaintiffs’ attorneys have also issued thousands of demand letters, the settlement of which has helped build a war chest for funding further litigation.

Webinars_1200x600_GettyImages-1286694373

At its July 24 meeting, the California Privacy Protection Agency Board authorized agency staff to finalize and submit to the Office of Administrative Law the rulemaking package for various new California Consumer Privacy Act (CCPA) regulations. Once effective, these regulations will significantly impact entities doing business in California.