CCPA

Privacy compliance has entered a new phase—one defined not only by high-profile enforcement actions but by the growing expectation that organizations implement and maintain mature information governance programs capable of validating true, system-level technical compliance rather than merely projecting the appearance of it.  A spate of recent California enforcement actions makes clear that companies must be prepared to validate how privacy control’s function, including across systems, platforms, and data flows, making thoughtful, system-oriented self-assessment an increasingly important tool for aligning policy commitments with operational reality—before regulators do it for them.  SPB helps client’s self-access, identify gaps and remediate issues under the cloak of privilege.Continue Reading CalPrivacy Update: Shifting to Structural Compliance and Auditing

A recording is now available for “California and Beyond: HR Data Risk Issues for Employers,” a highly relevant webinar covering the rapidly shifting world of HR data, privacy obligations, and AI regulation. Presented by Squire Patton Boggs Partners Alan Friel and Michael Kelly, and Associate Sam Kim, this session will give employers the clarity they need as new rules take effect and enforcement ramps up.Continue Reading A Timely Look at HR Data and AI Regulation Trends: Webinar Recording Available

We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently or will soon become effective.  In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:Continue Reading CalPrivacy Highlights Regulatory Changes for 2026

The last several weeks have been eventful for online safety and age assurance, particularly with respect to U.S. app store age verification laws: Apple and Google unveiled some of their plans for addressing these laws on Oct. 8; Governor Newsom signed the Digital Age Assurance Act into law on October 13; and on October 16, an industry organization lodged a constitutional challenge against Texas’ law (SB2420).  Below, we provide a handy FAQ with questions and answers on issues that many likely have regarding these laws, the app stores’ guidance, and the legal challenge to the Texas law.

Mobile app operators: take note. Regardless of your company’s target audience, you will be required to take technical and operational steps to comply with these laws.Continue Reading App Store Age Verification Laws: Your Questions, Answered.

On July 24, the California Privacy Protection Agency Board unanimously voted to approve the May 9 draft of its proposed edits and additions to regulations under the California Consumer Privacy Act (CCPA), which we broke down in detail here.  There were 575 pages of comments from 70 commentators regarding that last set of changes, but staff concluded that no further changes were appropriate in response to these comments and the Board agreed.  So now, a final package will be prepared and presented to the Office of Administrative Law (OAL) to confirm the regulations are consistent with the CCPA and administrative procedures.  That package will include more detailed explanation of why rejected comments were rejected, with the goal of providing guidance especially regarding interpretation issues.  Assuming OAL approval, key implementation dates will be:Continue Reading New California Privacy Regulations Passed by Board

In another settlement of a cookie-related state consumer privacy law enforcement action, California reinforces contract requirements for making personal information available and raises questions about the scope of purpose limitation requirements, especially where the nature of the data and/or its use could run counter to consumer expectations. 

On July 1, 2025, the California Office of the Attorney General (OAG) announced a settlement against Healthline, which included the largest CCPA settlement to date – $1.55 million – and many “firsts” for public CCPA enforcement: the first involving a publisher, the first health information-related enforcement action, and the first time the purpose limitation principle has been invoked by California’s (or any other state’s) regulators in a public regulatory enforcement context. This enforcement action came just a week before Connecticut’s attorney general announced an $85,000 settlement under the Connecticut state privacy law explored in more detail here.Continue Reading California AG Issues Highest Fine to Date for CCPA Violations

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024.  With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025.  The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations.  This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.Continue Reading Revised Draft California Privacy Regulations Lessen Impact on Business

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

FCC Seeks Comment on Quiet Hours and Marketing Messages | Privacy World

New Class Action Threat: TCPA Quiet Hours and

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

Data Processing Evaluation and Risk Assessment Requirements Under

As we have previously detailed here, the latest generation of regulations under the California Consumer Privacy Act (CCPA), drafted by the California Privacy Protection Agency (CPPA), have advanced beyond public comments are closer to becoming final. These include regulations on automated decision-making technology (ADMT), data processing evaluation and risk assessment requirements and cybersecurity audits. Recently, Privacy World’s Alan Friel spoke at the California Lawyer’s Association’s Annual Privacy Summit at UCLA in Westwood, California (Go Bruins!) on the evaluation and assessment proposals. Separately, Privacy World’s Lydia de la Torre, a CPPA Board Member until recently, spoke on artificial intelligence laws and litigation. A transcript of Alan’s presentation follows:Continue Reading Data Processing Evaluation and Risk Assessment Requirements Under California’s Proposed CCPA Regulations