Search results for: APRA

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it proscribes be in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities. Here are some things to do in preparation for 2026:

  • Assess which of the 20 state consumer privacy laws (CPLs) apply to your business, and update notices and rights request processes to identify which apply and address material differences in what each requires.
  • Consider new or modified data practices initiated in 2025, or under consideration to be introduced in 2026, complete risk assessments on them, and update the privacy notice to reflect at least the preceding 12-month period.
  • Implement a data processing risk assessment program, or revise the current process to reflect the new CCPA requirements, effective January 1.
  • Confirm you have contracts in place containing data protection terms required by CCPA and other CPLs with parties that receive (or access) your personal data – an ongoing California enforcement priority. Have these organized by service provider / processor or third party and be prepared to produce them upon regulatory inquiry.
  • Employers, especially in California, need to address use of automated decision-making tools. This will become an even more complex and time urgent matter for California employers if Governor Newsome does not veto SB-7 (the “No Robo-Bosses” Act), which would become effective January 1 and add even further requirements and restrictions on technology-assisted HR decision-making. (Note: An inadequate privacy notice and rights request process for personnel was another basis for the Tractor Supply penalty.)
  • Review your tracking technologies and cookie banner(s) and preference tool(s) to support a defense to wiretapping (e.g., CIPA) claims and comply with CPL notice and opt-out requirements, including browser privacy control signals, as explained here.
  • If you process personal data of minors, consumer health data, precise location data, biometric data, or other sensitive personal data, consider the legal requirements and limitations that have been evolving in recent years and the growing application of consumer protection law principles to limit unexpected uses.
  • Revisit and update your information governance roadmap or project plan and seek budget for 2026 initiatives. This should include:
  • Consider Privacy Powered by SPB forms, templates, and guidance materials to help support your program and conduct a stakeholder survey to assess actual practices and knowledge of policies and procedures.

Many companies go on website code lock in mid-November, and Q4 is a hectic time between year-end financial closings and the holidays, so give yourself enough time to get revisions to notices, policies, and tools updated and published. Update your information governance roadmap for 2026 to reflect new laws, regulations, and enforcement trends and be sure your budget for next year reflects these needs.

For more information, contact the author or your Squire Patton Boggs relationship partner.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

(Updated May 12, 2025)

Since January, the federal government has moved away from comprehensive legislation on artificial intelligence (AI) and adopted a more muted approach to federal privacy legislation (as compared to 2024’s tabled federal legislation). Meanwhile, state legislatures forge ahead – albeit more cautiously than in preceding years.

As we previously reported, the Colorado AI Act (COAIA) will go into effect on February 1, 2026. In signing the COAIA into law last year, Colorado Governor Jared Polis (D) issued a letter urging Congress to develop a “cohesive” national approach to AI regulation preempting the growing patchwork of state laws. Absent a federal AI law, Governor Polis encouraged the Colorado General Assembly to amend the COAIA to address his concerns that the COAIA’s complex regulatory regime may drive technology innovators away from Colorado. Eight months later, the Trump Administration announced its deregulatory approach to AI regulation making federal AI legislation unlikely. At that time, the Trump Administration seemed to consider existing laws – such as Title VI and Title VII of the Civil Rights Act and the Americans with Disabilities Act which prohibit unlawful discrimination – as sufficient to protect against AI harms. Three months later, a March 28 Memorandum issued by the federal Office of Management and Budget directs federal agencies to implement risk management programs designed for “managing risks from the use of AI, especially for safety-impacting and rights impacting AI.”

Continue Reading States Shifting Focus on AI and Automated Decision-Making

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyer’s Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:

Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations

Join us tomorrow as we kick off SPB’s Data Privacy Thought Leadership Series!

State Privacy Law Roundup
📅Thursday, October 3 | 9 – 10 a.m. PT
Speakers: Julia Jacobson, Kyle Dull

In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.

Register
More events in this series

Join us for our Data Privacy Thought Leadership Series, where we dive into the latest trends shaping AI, marketing, and data monetization. With new state privacy laws, evolving regulatory requirements, and AI procurement challenges, this series offers practical insights to help you navigate the complex data privacy landscape.

Learn how to manage privacy assessments, stay compliant, and strengthen your data governance strategies to keep your organization ahead of the curve.

State Privacy Law Roundup

📅Thursday, October 3 | 9 – 10 a.m. PT

Speakers: Julia Jacobson, Kyle Dull

In the first half of 2024, seven new state consumer privacy laws were enacted and three state consumer privacy laws became effective (plus one on October 1, 2024). Eight more state consumer privacy laws will become effective in 2025 and the California Privacy Protection Agency (CCPA) continued its rulemaking activity. Plus, 2024’s American Privacy Rights Act could gain traction now that Congress is back in session after the August recess. Join us on October 3rd for a rundown on where we are and what’s ahead for 2025 in consumer privacy.

Register

AI, Marketing, and Data Monetization: Understanding and Managing Consents, Opt-Outs, and Other Regulatory Requirements

📅Thursday, October 10 | Noon – 1 p.m. PT

Speakers: Kyle Fath, Niloufar Massachi

The convergence of industry trends, business needs, and significant technology advances, particularly advancements in AI, marketing, and data monetization, has led many companies to collect more personal data and do more with it. This comes at a time when regulators are actively and aggressively pursuing privacy enforcement and over twenty states have passed comprehensive privacy laws, with most of them imposing consent obligations, opt-out rights, and even outright prohibitions with respect to specific activities or certain types of data.

Please join us for a discussion on consent, opt-out, and other regulatory requirements that are relevant to AI, marketing, and data monetization. Our goal is for you to leave this session armed with information that will help you identify risks, inform business decisions and strategy, and serve as a thoughtful and resourceful partner to your organization’s GC/CLO, business stakeholders, and C-suite.

Attend virtually or join us at our LA Office for further discussion and lunch.

Register

Privacy Rulemaking and Enforcement

📅Thursday, October 17 | 9 – 10 a.m. PT

Speakers: Alan Friel, Lydia de la Torre

Join Squire Patton Boggs Global Data Chair Alan Friel and of Counsel Lydia de la Torre, and former CPPA Board member, for a discussion on the next generation of CCPA regulations, including regarding employment, ADM / Profiling / AI, and Risk Assessments and Security Audits, as well as enforcement priorities and cooperation between regulators in the states that have enacted consumer privacy laws.

Register

Privacy Assessments: A Discussion of Requirements and Risks and a Mock Assessment Exercise

📅Tuesday, October 22 | Noon – 1 p.m. PT

Speaker: Kyle Fath

State privacy laws already require, or will soon require, companies to carry out assessments – referred to as data protection assessments, risk assessments or DPIAs. These requirements extend to “high-risk” activities or those that involve a “heightened risk of harm,” including, in most cases, targeted advertising, the sale of personal data, and the processing of personal data, among other things. The Colorado Privacy Act and proposed regulations under the California Consumer Privacy Act (CCPA) lay out detailed content requirements that companies must follow, including requiring significant input from both internal teams and external stakeholders, such as vendors and other recipients of personal data. In addition to prescriptive content requirements, businesses should also be aware of regulators’ ability to request copies of assessments under the state privacy laws, and the proposed CCPA regulations that would require businesses to file certifications of compliance and abridged versions of their assessments with the California Privacy Protection Agency.

Join us for this event where we will:

  • Discuss privacy assessment requirements and risks
  • Carry out a mock assessment exercise, walking through the completion of various aspects of a privacy assessment, focused on use cases involving targeted advertising and the sale of personal data
  • Touch on available resources that you can use to carry out assessments more efficiently and effectively
Register

AI in Action: AI Procurement

📅Wednesday, October 30 | 9 – 10 a.m. PT

Speakers: Julia Jacobson

The same thing, only different. Procuring AI presents many of the same challenges as procuring any other technology. An organization seeks to harness the full potential of the technology together with a supplier contract that minimizes risks. Two key issues distinguish Al procurement: AI systems are designed to continually learn and improve and the AI legal structure is dynamic. Tune in for a trans-Atlantic view on adapting technology and data governance risk management for AI procurement.

Register

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th.  Governor McKee did not either sign or veto but transmitted it to the Rhode Island Secretary of State. i.e., it is effective without the Governor’s signature. 

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws.  The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

StateState Customer Privacy Law TitleEffective Date
CaliforniaCalifornia Customer Privacy Act (CCPA)January 1, 2020; CCPA Regulations effective January 1, 2023
ColoradoColorado Privacy ActJuly 1, 2023
ConnecticutConnecticut Personal Data Privacy and Online Monitoring ActJuly 1, 2023
DelawareDelaware Personal Data Privacy ActJanuary 1, 2025
FloridaFlorida Digital Bill of RightsJuly 1, 2024
IndianaIndiana Customer Data Protection ActJanuary 1, 2026
IowaIowa’s Act Relating to Customer Data ProtectionJanuary 1, 2025
KentuckyKentucky Customer Data PrivacyJanuary 1, 2026
MarylandMaryland Online Data Privacy ActOctober 1, 2025
MinnesotaMinnesota Customer Data Privacy ActJuly 31, 2025
MontanaMontana Customer Data Privacy ActOctober 1, 2024
NebraskaNebraska’s Data Privacy ActJanuary 1, 2025
New HampshireAct Relative to the Expectation of PrivacyJanuary 1, 2025
New JerseyNew Jersey Data Protection ActJanuary 15, 2025
OregonOregon Customer Privacy ActJuly 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
TennesseeTennessee Information Protection ActJuly 1, 2025
TexasTexas Data Privacy and Security ActJuly 1, 2024
UtahUtah Customer Privacy ActDecember 31, 2023
VirginiaVirginia Customer Data Protection ActJanuary 1, 2023
Continue Reading Rhode Island Makes it an Even 20

Please join us in New York, NY (or virtually) for the Association of National Advertisers (ANA) Law 1-Day Conference on June 26th. Team SPB will cover a variety of privacy topics affecting the advertising and marketing industry, including consumer privacy compliance, data assessments and advertising enforcement actions and class actions. Register soon because in-person space is limited.   

Team SPB panelists are Alan Friel, Julia Jacobson, Marisol Mork, Kristin Bryan and Kyle Dull, joined by industry leaders from Ankura Consulting Group, BECU, Curacity, and TikTok.

REGISTER HERE
Use the code LAWCODE24 to receive complimentary registration  
WHENWHERE
June 26, 2024
11:30am – 3:45pm EST
Networking reception to follow, co-sponsored by Squire Patton Boggs and Ankura!		ANA Headquarters
155 E 44th Street, 8th Floor
New York, NY 10017
-or-
Virtual
Continue Reading ANA Law One-day Conference – Join Us June 26 in New York City

Since its inception in 1998, the Children’s Online Privacy Protection Act (COPPA) has been the cornerstone of protecting the personal data of minors under the age of 13 in the United States. COPPA imposes various requirements, including parental consent, notice and transparency, and data minimization, among other things, on online services that are “directed to children [under 13]” and “mixed audience” online services, or those that have actual knowledge that they have collected personal data from a child [under 13] online.

Many organizations that previously did not have to worry about COPPA or COPPA-based standards as applied to state consumer privacy laws should be aware of the trend in state privacy legislation to expand restrictions and obligations beyond COPPA’s under age 13 standard, to minors that are at least 13 and under the age of 18 (“Teens”). This trend began in 2020 with the California Consumer Privacy Act (CCPA) requiring consent for “sale” of personal information of consumers at least age 13 but younger than 16 years of age  (the California Privacy Rights Act expanded that requirement to “sharing” as well). Consent must be given by the Teen or, if the consumer is under age 13, by the parent, using COPPA verification standards. Other relevant aspects regarding this trend, of which organizations should be aware, include:

Continue Reading Trending: Teens’ Data Subject to Heightened Restrictions Under Ten (and Counting?) State Privacy Laws