Photo of Lydia de la Torre

Lydia de la Torre

Contact:Read more about Lydia de la Torre

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

After what seems like forever, the most recent (and last?) public comment period for the draft California Consumer Privacy Act (CCPA) regulations finally closed on February 19, 2025. (Read Privacy World coverage here and here.) 

Following an initial public comment period on an earlier draft, the formal comment period for the current version of the proposed CPPA regulations (Proposed Regulations) began on November 22, 2024. The Proposed Regulations include amendments to the existing CCPA regulations and new regulations on automated decision-making technology, profiling, cybersecurity audits, requirements for insurance companies and data practice risk assessments. The California Privacy Protection Agency (CPPA) may either submit a final rulemaking package to the California Office of Administrative Law (OAL, which confirms statutory authority) or modify the Proposed Regulations in response to comments received during the public comment period.Continue Reading Light at the End of the Tunnel – Are You Ready for the New California Privacy and Cybersecurity Rules?

On Friday, the California Privacy Protection Agency’s Board convened to tackle some critical privacy issues, including the creation of a new state-managed platform where consumers can submit opt-out requests to data brokers. In a surprising turn of events, the Executive Director, Ashkan Sultani, announced his resignation, though the reasons behind his departure were not clear from what was shared during the meeting. The Board also covered a series of major rulemaking initiatives focused on automated decision-making technologies and data brokers. This blog post highlights the key takeaways from the discussion and provides clarity on the practical consequences of these developments—read on for a deeper dive into what they mean for you.Continue Reading Navigating California’s Evolving Privacy Landscape: Key Updates from the November 8th CPPA Board Meeting on Rulemaking and What It Means for You