Key point: Our new chart identifies and analyzes the rights provided by the 19 state consumer data privacy laws.
One way state consumer data privacy laws vary is in the rights they provide to consumers. In 2025, this patchwork became even more pronounced, with Connecticut and Utah passing amendments that
Key point: The enforcement action alleges that the retailer failed to provide adequate privacy disclosures to website visitors and job applicants, failed to effectuate opt-out requests, including recognizing the Global Privacy Control signal, and lacked legally compliant data processing agreements with third parties.
On September 25, attorneys from Troutman Pepper Locke’s Privacy + Cyber + AI team hosted the second of two webinars analyzing the new California Consumer Privacy Act (CCPA) regulations. This webinar focused on the CCPA’s new cybersecurity audit and insurance regulations, as well as updates to the existing regulations. The webinar recording and slide deck are now available here and here, respectively.
Key point: Our new chart identifies and analyzes the varying and changing applicability standards for the 19 state consumer data privacy laws.
The applicability standards for state consumer data privacy laws have become a complicated maze that is, at times, difficult to track and apply. These laws are no longer just based on revenue or the number of consumers whose information a controller processes. For example:
Key point: Businesses subject to the CCPA must comply with extensive new regulations.
On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.
Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.
Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.
Key point: Regulators will ensure corporate accountability by imposing stringent sanctions on businesses that are perceived as neglecting the protection of consumer personal information.
Key point: Children’s privacy remained a hot topic during the 2025 state legislative session, with multiple states passing laws, adding to the growing patchwork of children’s privacy laws.
Key point: Our new chart identifies and compares the definitions of sensitive data under the 19 state consumer data privacy laws.
Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.
The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.