On April 13, 2026, Virginia Governor Abigail Spanberger signed SB338 into law, amending Virginia’s Consumer Data Protection Act (VCDPA) to prohibit controllers of personal data from selling consumers’ precise geolocation data. The ban, which takes effect on July 1, 2026, makes Virginia the third state in recent years to prohibit the sale of such data and reflects a trend that is likely to continue. Somewhat surprisingly, Virginia was the second state, behind California, to enact a comprehensive consumer privacy law, and it continues in that vein with this early expansion of privacy rights.

In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.

Key point: Alabama becomes the 21st state to enact a broad consumer data privacy law, and its statute is one of the more business-friendly passed to date.

According to Privacy Daily, on April 16, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351) into law, making Alabama the 21st state to pass a broad consumer data privacy law and the second state to do so this year. It is also the second privacy law Alabama has enacted this year; the state enacted an app store law in February.

With passage of Alabama’s law, approximately 46% of the U.S. population will now be covered by a broad consumer data privacy law.

The new business-friendly law is largely unremarkable. Companies that are complying with other state consumer data privacy laws will not need to do anything new to comply with Alabama’s law. However, the law does have a few nuances that we discuss in the article below — in particular, the law’s applicability standard and its definition of “sale.”

Key Points: An August 2025 federal court ruling has opened the door for plaintiffs to use alleged inaccuracies or misrepresentations in a company’s privacy policy and other privacy disclosures as the basis for a federal wiretapping claim under the Electronic Communications Privacy Act (“ECPA”).

Unlike claims under state wiretapping laws such as CIPA, ECPA claims can be filed by class action plaintiffs nationwide, and they carry statutory damages of $100 per day of violation or $10,000, whichever is greater. Plaintiffs’ firms are increasingly leading with ECPA claims in demand letters and class action complaints.

Companies can take steps to help insulate themselves from litigation by assessing and modifying their privacy policy and other data processing disclosures.

Introduction

Any company with a privacy policy that operates a website using so-called tracking technologies such as pixels, cookies, software development kits, or third-party analytics tools (which is practically every company) should be aware of the real class action risk associated with the federal wiretapping law known as the Electronic Communications Privacy Act (ECPA or Wiretap Act) and its “crime-tort” exception. We have data-mined and analyzed thousands of privacy lawsuits using AI to track plaintiff lawyers’ allegations and patterns.

In Part 1 of this series, we outlined the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: who is covered, when audits are required, and the key obligations to keep in mind. In Part 2, we explored the mechanics and explained what the California Privacy Protection Agency (CalPrivacy) expects the cybersecurity audit to look like in practice, including what must be evaluated, who may conduct the audit, how thorough it must be, and what goes into the audit report.

In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.

A new discussion draft from Representative Bill Huizenga (R-MI) would significantly update Title V of the Gramm‑Leach‑Bliley Act (GLBA) to reflect how financial data is collected, shared, and monetized in today’s market. Released in connection with the March 17, 2026 House Financial Services Committee (Committee) hearing, “Updating America’s Financial Privacy Framework for the 21st Century,” the draft purports to give consumers greater control over their financial data, impose new limits on financial institutions and data aggregators, and create a more uniform national privacy regime for consumer financial information.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.

This article takes the next step and focuses on what businesses can do before an incident to structure their vendor relationships and IR plans in alignment with these key legal lessons. We focus on four core IR vendor types: digital forensics vendors, restoration vendors, public relations (PR)/communications firms, and data mining/data review vendors.

In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.