Key point: Of the 15 privacy and AI-related bills passed by the California legislature in the 2025 session that we have been tracking, Governor Gavin Newsom signed 10 into law and vetoed five.

Throughout the 2025 legislative session, we tracked numerous privacy and AI-related bills pending in California. Fifteen of those bills passed the state legislature before the legislative session ended in September. Of the 15 total bills, Newsom signed 10 into law and vetoed five. Those 10 bills that became law consist of three laws related to privacy and seven laws related to AI.

The article below provides a summary of the 10 bills that Newsom either signed into law or vetoed.

Key point: California’s existing breach notification statute was amended to include more decisive guidelines for reporting to individuals and regulators.

On October 5, 2025, California Governor Gavin Newsom signed SB-446 into law, which bill sponsor Sen. Melissa Hurtado (D-CA) indicates is aimed at “closing a critical loophole” in California’s existing breach notification statute. Below, we first provide a brief background on the scope of the law and then discuss the amendment.

This article was republished in ALM’s Cybersecurity Law & Strategy Newsletter on October 31, 2025.

Key point: The rules provide further guidance to controllers subject to the law’s children’s privacy protections.

On October 9, 2025, the Colorado attorney general’s (AG) office announced final revisions to the proposed draft amendments to the Colorado Privacy Act (CPA) rules. The office published draft rules in July and solicited public comments. The final revisions reflect changes to the rules based on those public comments. The office has requested an AG opinion letter for these rules. After the opinion letter is received, the rules will be filed with the secretary of state for publication in the Colorado Register. The rules will become effective 20 days after publication.

In the article below, we provide a brief summary of the changes.

Key point: A federal district court judge rejected the claim that the disclosure law violates the First Amendment.

On October 8, 2025, a judge for the U.S. District Court for the Southern District of New York granted the New York attorney general’s (AG) motion to dismiss a lawsuit filed by a retail trade association claiming that New York’s Algorithmic Pricing Disclosure Act violates the First Amendment. Below, we provide a brief history and summary of the law and analysis of the court’s decision.

Key point: California lawmakers once again increase the disclosure and transparency requirements for registered data brokers.

On October 8, 2025, California Governor Newsom signed SB 361 into law. The bill amends California’s existing data broker registration law to require data brokers to provide significantly more disclosures regarding their processing activities when annually registering with the California Privacy Protection Agency (CPPA).

This amendment comes shortly after the CPPA board’s recent approval of amendments to the state’s data broker regulations to incorporate the 2023 Delete Act (SB 362), including the creation of an accessible deletion mechanism that data brokers will need to comply with starting in August 2026. Those regulations were filed with the Office of Administrative Law on September 26.

Given these developments, California data brokers will need to engage in additional compliance measures in the coming months. In the article below, we provide an overview of the changes made by SB 361.

On September 25, attorneys from Troutman Pepper Locke’s Privacy + Cyber + AI team hosted the second of two webinars analyzing the new California Consumer Privacy Act (CCPA) regulations. This webinar focused on the CCPA’s new cybersecurity audit and insurance regulations, as well as updates to the existing regulations. The webinar recording and slide deck are now available.

Key point: Our new chart identifies and analyzes the varying and changing applicability standards for the 19 state consumer data privacy laws.

The applicability standards for state consumer data privacy laws have become a complicated maze that is, at times, difficult to track and apply. These laws are no longer just based on revenue or the number of consumers whose information a controller processes. For example:

Key point: Businesses subject to the CCPA must comply with extensive new regulations.

On September 22, 2025, the California Office of Administrative Law (OAL) approved the California Privacy Protection Agency’s latest California Consumer Privacy Act (CCPA) rulemaking package. The rulemaking package covers updates to the existing regulations, automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and insurance requirements.