On March 20, 2026, Oklahoma Governor Stitt signed the first new comprehensive state privacy law of 2026. The “Act relating to data privacy” is in force on January 1, 2027. In this post, we compare the new Oklahoma privacy law to the other 20 state consumer privacy laws already in force below.Continue Reading Oklahoma’s New Privacy Law Sweeps In
Following unanimous votes by the California legislature and signature by the Governor, California enacted an Age-Appropriate Design Code Act (CAADCA) in September 2022 (codified at CA Civil Code Section 1798.99.28-32), as a measure purportedly “aimed at protecting the wellbeing, data, and privacy of children [under 18] using online platforms.” Industry group NetChoice soon turned to federal court and sought an injunction seeking to prevent the law from being enforced on the grounds, among others, that it violates the First Amendment and the dormant Commerce Clause of the United States Constitution and is preempted by other federal statutes addressing online child safety, including the Children’s Online Privacy Protection Act (COPPA).Continue Reading The Future of the CA Age-Appropriate Design Code Act: What Remains, What’s Still Open to be Contested, and What Companies Must Consider for Minors’ Online Safety
Privacy compliance has entered a new phase—one defined not only by high-profile enforcement actions but by the growing expectation that organizations implement and maintain mature information governance programs capable of validating true, system-level technical compliance rather than merely projecting the appearance of it. A spate of recent California enforcement actions makes clear that companies must be prepared to validate how privacy control’s function, including across systems, platforms, and data flows, making thoughtful, system-oriented self-assessment an increasingly important tool for aligning policy commitments with operational reality—before regulators do it for them. SPB helps client’s self-access, identify gaps and remediate issues under the cloak of privilege.Continue Reading CalPrivacy Update: Shifting to Structural Compliance and Auditing
The Digital Services Act (DSA) has now moved from abstract framework to concrete enforcement. Two recent cases involving very large online platforms show how the same law, applied to similar types of conduct, can produce dramatically different outcomes. The difference lies less in the substance of the infringements and more in how each platform chose to respond once the EU Commission intervened.Continue Reading Cooperation, Commitments and the Digital Services Act: A Tale of Two Platforms
The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026
We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently or will soon become effective. In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:Continue Reading CalPrivacy Highlights Regulatory Changes for 2026
The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it proscribes be in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities. Continue Reading Your Year-end U.S. Privacy “To Do” List – don’t wait until the holiday crush to become 2026-ready
On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement with Tractor Supply Company, officially announced this week. At last week’s meeting, staff reported that there were hundreds of investigations and enforcement actions in progress, many of which were at a stage that the applicable businesses were not yet aware that they are a target. 2026 will bring new privacy obligations for businesses and greater repercussions for half-baked compliance efforts.Continue Reading California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action
Late yesterday afternoon, Colorado’s House of Representatives passed, in a 48-14 vote, a bill that delays the in-force date for Colorado’s landmark 2024 AI law (CO Rev Stat §§ 6-1-1701 — 6-1-1707 (COAIA)) until June 30, 2026. After first voting in favor of an amendment delaying the in-force date until October 1
Inside AI Policy reports that a survey of U.S. office workers indicates that across industries approximately half of survey respondents said that they do or would use AI contrary to company policy to make their job easier, including 42% of security sector workers. The study published on August 20, 2025 by CalypsoAI, found that while 87% of respondents indicated that their employers had AI governance policies 52% are not prepared to follow restrictions, and 28% admitted to submitting sensitive or proprietary data or documents so AI could complete a task; 29% used AI to generate something sent without, or with minimal, review; and 25% used AI without knowing if the use case was permissible. The results for highly regulated industries are not better, and in some cases worse. For instance, 60% of employees in financial services and banking indicated that they use AI tools regardless of company policy and 36% “don’t feel guilty about it.”Continue Reading Rogue AI Usage and High-risk Data Processing Runs Rampant