Key point: Two courts in 2026 have allowed CCPA claims to proceed based on adtech use without addressing whether adtech discloses “personal information” under the CCPA.

According to plaintiffs’ interpretation of a May 2026 decision from the Northern District of California, if your company uses Google Analytics, Meta Pixel, or other third-party tracking technology on its website, you may be exposed to not only wiretapping or trap-and-trace claims under the California Invasion of Privacy Act (CIPA) or federal law, but also claims under the California Consumer Privacy Act (CCPA) even if you never experience a data breach.

Key point: In response to an open records request submitted by Troutman Pepper Locke, the New Jersey Attorney General’s office provided copies of all cure letters sent pursuant to New Jersey’s consumer data privacy law and resolved by the recipient.

As shown by recent enforcement actions in California, including its most recent $12.5 million fine, the risk for companies that are out of compliance with state consumer data privacy laws has never been higher. As more state laws go into effect and cure periods sunset, the risk will only grow. One state where the enforcement risk may be higher is New Jersey.

Key Point: With the June 3, 2026, compliance deadline fast approaching, small firms subject to amended Regulation S‑P under the Gramm-Leach-Bliley Act (GLBA) should be in the final stages of updating their privacy and safeguards programs. In January 2026, the Securities and Exchange Commission (SEC) held an outreach event to help small firms comply with the amendments to Regulation S-P. This webinar was geared toward small firms in advance of the June 3, 2026, compliance deadline. The SEC highlighted new Regulation S-P compliance obligations, SEC exam team approaches moving forward, and held an examination workshop, which included an incident response tabletop discussion, review of a sample document request list, and a mock examination session.

On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (the GUARD Financial Data Act) would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act) would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education).

In this episode of The Consumer Finance Podcast, Chris Willis is joined by Troutman Pepper Locke Partners Stefanie Jackman and Brent Hoard to take a close look at the world of medical debt collection. The discussion covers how HIPAA applies to medical debt, what it really means to be a “business associate,” and common privacy challenges that can turn routine collection efforts into regulatory headaches. They also focus on key federal and state debt collection regimes, including the FDCPA, the No Surprises Act, and increasingly complex credit reporting requirements. The group provides insight on collection strategies for health care providers and third-party collectors that are both compliant and workable in practice. For anyone handling medical-related receivables, this episode serves as a practical guide to safeguarding patient information, maintaining tax-exempt status, and enhancing collections while staying within regulatory boundaries.

On April 13, 2026, Virginia Governor Abigail Spanberger signed SB338 into law, amending Virginia’s Consumer Data Protection Act (VCDPA) to prohibit controllers of personal data from selling consumers’ precise geolocation data. This ban, which takes effect on July 1, 2026, makes Virginia the third state in recent years to prohibit the sale of such data and reflects a trend that is likely to continue. Somewhat surprisingly, Virginia was the second state, behind California, to enact a comprehensive consumer privacy law and is continuing in that vein with this early expansion of privacy rights.

In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.

Key point: Alabama becomes the 21st state to enact a broad consumer data privacy law, and its law is one of the more business-friendly laws passed to date.

According to Privacy Daily, on April 16, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351) into law, making Alabama the 21st state to pass a broad consumer data privacy law and the second state to do so this year. This is the second privacy law Alabama enacted this year. The state enacted an app store law in February.

With passage of Alabama’s law, approximately 46% of the U.S. population will now be covered by a broad consumer data privacy law.

The new business-friendly law is largely unremarkable. Companies that are complying with other state consumer data privacy laws will not need to do anything new to comply with Alabama’s law. However, the law does have a few nuances that we discuss in the article below — in particular, the law’s applicability standard and its definition of “sale.”

Key Points: An August 2025 federal court ruling has opened the door for plaintiffs to use alleged inaccuracies or misrepresentations in a company’s privacy policy and other privacy disclosures as the basis for a federal wiretapping claim under the Electronic Communications Privacy Act (“ECPA”).

Unlike claims under state wiretapping laws such as CIPA, ECPA claims can be filed by class action plaintiffs nationwide, and they can carry statutory damages of $100 per day of violation or $10,000, whichever is greater. Plaintiffs’ firms are increasingly leading with ECPA claims in demand letters and class action complaints.

Companies can take steps to help insulate themselves from litigation by assessing and modifying their privacy policy and other data processing disclosures.

Introduction

Any company with a privacy policy that operates a website using so-called tracking technologies such as pixels, cookies, software development kits, or third-party analytics tools (which is practically every company) should be aware of the real class action risk associated with the federal wiretapping law known as the Electronic Communications Privacy Act (ECPA or Wiretap Act) and its “crime-tort” exception. We have data-mined and analyzed thousands of privacy lawsuits using AI to track plaintiff lawyers’ allegations and patterns.