Our team members will be participating in several speaking engagements over the coming months, sharing perspectives on emerging trends, regulatory developments, and practical challenges across the global data privacy, AI, and cybersecurity landscape.
Continue Reading Upcoming Speaking Engagements: Insights on Data Privacy, AI, and Cybersecurity
Over the years, we have followed unsuccessful attempts by Congress to develop a national consumer privacy law. Each time, two key issues have frustrated passage, (1) the degree to which, if at all, a federal law should preempt state consumer privacy laws (CPLs); and (2) if there should be a private right of action. The now 22 state CPLs have all avoided a private right of action, so potentially that issue will not be as contentious this go-around. Also, the 22-state patchwork makes a case for the federal government to at least set a ceiling, if not completely occupy the field. However, California, Colorado, Connecticut, Oregon, Minnesota, Maryland and other states seem intent to maintain a higher level of privacy protection than a baseline, and the Congresspersons and Senators from these higher watermark states may well continue to resist preemption, or at least raise the national bar. The new House Republican bill, the SECURE Data Act, is at best pretty middle of the road compared to the patchwork of state CPLs and would establish a single national regime that completely overrides state CPLs: “No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.” It was introduced along with amendment to the Gramm-Leach-Bliley Act – the GUARD Financial Data Act. The House Committee on Energy & Commerce sums up both bills here.
Continue Reading Here We Go Again ̶ House Republicans Introduce Federal Consumer Privacy Bill
On April 16, 2026, Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (“APDPA”) after a unanimous vote in favor from both chambers of the Alabama legislature. The APDPA is the 22nd state consumer privacy law overall (counting Florida) and the second one enacted in 2026, following enactment of Oklahoma’s privacy law in March (summarized here).
We highlight key features of the APDPA below. (We also offer a subscription service that offers details and comparisons (by topic) of state consumer privacy laws (“CPLs”).)
Continue Reading The “Heart of Dixie” Embraces Consumer Privacy
The Maryland Online Data Privacy Act (MODPA) is, as of April 1 of this year, now enforceable (subject to a potential cure opportunity until April 1, 2027). MODPA is amongst the strictest state consumer privacy laws (CPLs), and outright bans the sale of sensitive personal data, including precise geolocation data, as well as targeted advertising
Connecticut Attorney General William Tong recently issued an advisory memorandum (“Advisory”) to all “State Officials, Agencies and Concerned Parties” about how existing Connecticut laws apply to artificial intelligence (“AI”).
In the Advisory, Attorney General Tong hints at enforcement priorities and offers businesses a roadmap for compliance in describing how Connecticut’s civil rights, privacy and data security, competition, and consumer protection laws apply to AI system use. Businesses operating in Connecticut are reminded that, even without a statewide AI law, obligations under these laws regulate their AI system use. Those Connecticut residents who read the Advisory are reminded of their rights and encouraged to report AI related harms to the Connecticut Office of the Attorney General (“OAG”).
Continue Reading Old Laws, New Tricks: Connecticut AG Issues Advisory on How Current Connecticut Laws Apply to Artificial Intelligence
On March 20, 2026, Oklahoma Governor Stitt signed the first new comprehensive state privacy law of 2026. The “Act relating to data privacy” is in force on January 1, 2027. In this post, we compare the new Oklahoma privacy law to the other 20 state consumer privacy laws already in force below.
Continue Reading Oklahoma’s New Privacy Law Sweeps In
Following unanimous votes by the California legislature and signature by the Governor, California enacted an Age-Appropriate Design Code Act (CAADCA) in September 2022 (codified at CA Civil Code Section 1798.99.28-32), as a measure purportedly “aimed at protecting the wellbeing, data, and privacy of children [under 18] using online platforms.” Industry group NetChoice soon turned to federal court and sought an injunction seeking to prevent the law from being enforced on the grounds, among others, that it violates the First Amendment and the dormant Commerce Clause of the United States Constitution and is preempted by other federal statutes addressing online child safety, including the Children’s Online Privacy Protection Act (COPPA).
Continue Reading The Future of the CA Age-Appropriate Design Code Act: What Remains, What’s Still Open to be Contested, and What Companies Must Consider for Minors’ Online Safety
Privacy compliance has entered a new phase—one defined not only by high-profile enforcement actions but by the growing expectation that organizations implement and maintain mature information governance programs capable of validating true, system-level technical compliance rather than merely projecting the appearance of it. A spate of recent California enforcement actions makes clear that companies must be prepared to validate how privacy control’s function, including across systems, platforms, and data flows, making thoughtful, system-oriented self-assessment an increasingly important tool for aligning policy commitments with operational reality—before regulators do it for them. SPB helps client’s self-access, identify gaps and remediate issues under the cloak of privilege.
Continue Reading CalPrivacy Update: Shifting to Structural Compliance and Auditing
The Digital Services Act (DSA) has now moved from abstract framework to concrete enforcement. Two recent cases involving very large online platforms show how the same law, applied to similar types of conduct, can produce dramatically different outcomes. The difference lies less in the substance of the infringements and more in how each platform chose to respond once the EU Commission intervened.
Continue Reading Cooperation, Commitments and the Digital Services Act: A Tale of Two Platforms
The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.
Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026