State Legislation

Subscribe to State Legislation via RSS

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.

CA_StateFlag_1200x600_GettyImages-1435108815

Key point: The California legislature closed its 2025 legislative session by passing 14 privacy and AI-related bills.

The California legislature closed for the year by passing numerous privacy and AI-related bills. The bills will next head to Governor Gavin Newsom, who will have 30 days to sign, approve without signing, or veto the bills. That is still a significant hurdle for the bills to clear, as last year, Newsom vetoed multiple privacy and AI bills. Below, we identify which of the bills passed and failed, and provide a summary for each of the bills that passed.

Webinars_1200x600_GettyImages-1286694373

At its July 24 meeting, the California Privacy Protection Agency Board authorized agency staff to finalize and submit to the Office of Administrative Law the rulemaking package for various new California Consumer Privacy Act (CCPA) regulations. Once effective, these regulations will significantly impact entities doing business in California.

Blogs_PrivacyCyberAI_OG_2025StatePrivacyGuide

Key point: Our new tracker chart identifies state privacy and AI deadlines from 2025 to 2030.

Between consumer data privacy laws, AI laws, data broker laws, and children’s privacy laws, the number of deadlines companies must track has exploded. This includes deadlines that are often buried in laws and regulations, beyond just a law’s effective date. The new California Consumer Privacy Act (CCPA) regulations will add even more dates for companies to track, including new deadlines for risk assessments, cybersecurity audits, and automated decision-making technology.

Colorado state flags waving along with the national flag of the United States of America

Key point: Unable to reach an agreement on amending the Colorado AI Act during the special session, the Colorado legislature voted to delay the law’s effective date to June 30, 2026.

On August 26, the Colorado legislature ended its special session by voting to pass SB 4, which extends the Colorado AI Act’s effective date from February 1, 2026, to June 30, 2026. The bill will next head to Governor Jared Polis, who is expected to sign it into law.