Flag of the state Connecticut.

Key point: The Connecticut Office of the Attorney General issued the third annual enforcement report under the Connecticut Data Privacy Act, focusing on the office’s privacy and security efforts, consumer complaints, data breaches, and enforcement priorities.

The Connecticut Office of the Attorney General (OAG) issued its 2025 enforcement report under the Connecticut Data Privacy Act (CTDPA) last week. This is the third report since the CTDPA went into effect in July 2023. The report provides an update on (1) privacy-related consumer complaints, (2) data breach notice review and enforcement, and (3) enforcement efforts and priorities. Importantly, the OAG emphasized that protecting “kids online remains a topmost priority” and that it would continue to pursue investigations and enforcement actions focused on companies that offer online services, products, or features to consumers under 18.

In the report, the OAG also outlined recent amendments to the CTDPA, which will take effect on July 1, 2026. For more information regarding these amendments, see the recording of our webinar on 2025 Key Updates on State Privacy and AI Laws.

This article summarizes the OAG’s report and the positions the OAG takes on various issues. While the report highlights the OAG’s strong pro-consumer stance and illustrates the OAG’s expansive view of the CTDPA and its provisions, in breaking down the report, this article takes no position on the substance of those positions.

The South Carolina state flag waving along with the national flag of the United States of America

Key point: The law, which went into effect at signing, contains significant design and development requirements, requires independent third-party audits, and can be enforced against officers and employees.

On February 5, 2026, South Carolina Governor Henry McMaster signed the South Carolina Age-Appropriate Design Code Act (H 3431). South Carolina now joins California, Maryland, Nebraska, and Vermont in enacting Age-Appropriate Design Code (AADC) laws although these laws vary widely in both scope and requirements.

South Carolina’s law has several unique requirements, including requiring covered online services to engage in independent third-party audits, which are to be publicly posted by the state attorney general. We review these requirements below.

Of further note, the law went into effect upon the governor’s signature and does not contain a right to cure. The law is generally enforceable by the state attorney general who can seek treble financial damages for violations. The law also specifically provides that officers and employees of covered online services can be held personally liable for willful and wanton violations. In addition, the law’s prohibition against dark patterns is enforceable under the South Carolina Unfair Trade Practices Act, which allows for a private right of action. In the below post, we provide an overview of the new law and provide more general context on its provisions.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: In this post: (1) increase in ECPA litigation as courts extend “crime tort” exception beyond health care; (2) service provider wins again against wiretapping claim; (3) defendants lose standing arguments in federal court; (4) VPPA circuit split widens as courts reject existing tests to determine whether disclosure of PII occurred; and (5) first PTFA decision in 15 years is issued, with more likely to come.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from January 2026. And there were a lot of decisions. Courts issued twice as many California Invasion of Privacy Act (CIPA) wiretapping decisions in January 2026 than in December 2025.

Artificial_Intelligence_1200x600_GettyImages-2170346048

Key Point: In a significant win for electronic communication providers that utilize artificial intelligence (AI) as part of their core functions, the Northern District of Illinois held that a defendant’s AI transcription and analytics service operated in the ordinary course of its electronic communications business and therefore did not violate the Electronic Communications Privacy Act (ECPA). The ruling may provide a powerful defense to federal and state law wiretap claims targeting AI call technologies.

Kentucky State Flag

Key point: Kentucky attorney general files a lawsuit against an artificial intelligence chatbot company, eight days after the Kentucky Consumer Data Protection Act went into effect.

On January 8, the Kentucky attorney general (AG) announced its first lawsuit for violations of the Kentucky Consumer Data Protection Act (KCDPA) against an artificial intelligence (AI) chatbot company. The complaint alleges that the defendant violated the KCDPA with unfair, false, misleading, or deceptive acts and practices, and through unfair collection and exploitation of children’s data. Among other claims, the complaint also states claims under the state’s consumer protection law and data breach law.

The complaint is the latest in a growing trend of states regulating AI chatbots, including companion chatbots. As we recently discussed, New York and California passed laws last year specifically regulating companion chatbots. Lawmakers in other states have already proposed numerous bills this year. This comes notwithstanding the recent executive order, which seeks to preempt “onerous” state AI laws. As we foreshadowed in our analysis of that order, the instant complaint also reinforces the difficulty in defining what constitutes a state AI law, as the complaint is brought under existing state laws that are not specifically written to cover AI.

In the article below, we provide a summary of the allegations in the complaint.

Waving flag of NEW JERSEY

Key point: With a new governor taking office in New Jersey later this month, the fate of rules proposed last year to implement the New Jersey Data Privacy Act (NJDPA) will be decided by the incoming administration.

On January 20, 2026, New Jersey’s governorship will pass from Governor Phil Murphy to Governor-elect Mikie Sherrill. Under the state’s rulemaking publication schedule, January 8 was the final deadline for the Murphy administration to adopt rules and transmit them for publication. The next biweekly deadline, January 23, occurs after the transition of the governorship.

AI_chatbot_1200x600_GettyImages-2022766813

Key point: Businesses operating companion chatbots in California or New York are subject to new legal obligations, including providing notices to users and ensuring protocols are in place to prevent self-harm.

On January 1, 2026, California’s companion chatbot law (SB 243) took effect after being signed into law on October 13, 2025 by Governor Gavin Newsom. The law imposes certain obligations on companion chatbot operators to implement “critical, reasonable, and attainable” safeguards surrounding the use of and interaction with “companion chatbots” with a focus on protecting minors. SB 243 follows New York’s AI Companion Models statute, N.Y. Gen. Business Law § 1700, et seq., a similar companion chatbot bill that went into effect November 5, 2025.