Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.

On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).

IoT_1200x600_GettyImages-1661051950

This article was republished on ALM’s Business Crimes Bulletin on September 30, 2025 and on Law.com on October 14, 2025.

Key point: Addressing the litigation and regulatory risks regarding tracking technologies requires a balanced approach between legal exposure and business impact, through a close and continuing collaboration between legal, technology, and business stakeholders.

U.S. companies face a massive wave of wiretapping law class action lawsuits and regulatory enforcement actions over online “tracking technologies.” Nearly every company with a website or app uses pixels, SDKs, cookies, session-replay technology, and chat/chatbot tools, putting them in the crosshairs. In California alone, plaintiffs have reportedly filed more than 1,800 lawsuits since 2022 under the state’s two-party consent wiretapping law (the California Invasion of Privacy Act (CIPA)). These laws carry statutory damages (e.g., up to $5,000 per violation under CIPA), which makes them an extremely attractive target for class action plaintiff attorneys. Plaintiffs’ attorneys have also issued thousands of demand letters, the settlement of which has helped build a war chest for funding further litigation.

Webinars_1200x600_GettyImages-1286694373

At its July 24 meeting, the California Privacy Protection Agency Board authorized agency staff to finalize and submit to the Office of Administrative Law the rulemaking package for various new California Consumer Privacy Act (CCPA) regulations. Once effective, these regulations will significantly impact entities doing business in California.

Blogs_PrivacyCyberAI_OG_2025StatePrivacyGuide

Key point: Our new tracker chart identifies state privacy and AI deadlines from 2025 to 2030.

Between consumer data privacy laws, AI laws, data broker laws, and children’s privacy laws, the number of deadlines companies must track has exploded. This includes deadlines that are often buried in laws and regulations, beyond just a law’s effective date. The new California Consumer Privacy Act (CCPA) regulations will add even more dates for companies to track, including new deadlines for risk assessments, cybersecurity audits, and automated decision-making technology.

Colorado state flags waving along with the national flag of the United States of America

Key point: Unable to reach an agreement on amending the Colorado AI Act during the special session, the Colorado legislature voted to delay the law’s effective date to June 30, 2026.

On August 26, the Colorado legislature ended its special session by voting to pass SB 4, which extends the Colorado AI Act’s effective date from February 1, 2026, to June 30, 2026. The bill will next head to Governor Jared Polis, who is expected to sign it into law.