The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it proscribes be in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative
Inside AI Policy reports that a survey of U.S. office workers indicates that across industries approximately half of survey respondents said that they do or would use AI contrary to company policy to make their job easier, including 42% of security sector workers. The study published on August 20, 2025 by CalypsoAI, found that while 87% of respondents indicated that their employers had AI governance policies 52% are not prepared to follow restrictions, and 28% admitted to submitting sensitive or proprietary data or documents so AI could complete a task; 29% used AI to generate something sent without, or with minimal, review; and 25% used AI without knowing if the use case was permissible. The results for highly regulated industries are not better, and in some cases worse. For instance, 60% of employees in financial services and banking indicated that they use AI tools regardless of company policy and 36% “don’t feel guilty about it.”Continue Reading Rogue AI Usage and High-risk Data Processing Runs Rampant
Having a hard time managing the volume and variety of changes in the 20 state consumer privacy laws? Let us help. Check out the latest content in our U.S. State Consumer Privacy Laws Comparison Tables.
For more information or to get your copy, please contact us.
Disclaimer: PRIVACY POWERED BY SPB:™ (1) This
The Privacy Act 1988 (Cth) (Act) is one of the longest-standing pieces of national data protection legislation in the world, but – despite its name – it has been more concerned with regulating use of individuals’ personal data than granting them an actionable, stand-alone right to privacy.
However, as of June 2025, this has changed.
Announcing the July 31, 2025, effectiveness of Minnesota’s strict consumer privacy law (CPL), the Act’s author said in a press release that he will be personally making requests to a “long list of ‘data brokers’ … [to] provide a timely ‘test case’ that we can use to measure compliance….” Until January 31, 2026, businesses will have 30 days to cure violations.Continue Reading Minnesota’s Comprehensive Privacy Law Takes Effect – and Enforcement Efforts Begin Immediately
Many organizations have been working diligently to comply with the 13 state consumer privacy laws (CPLs) in effect in the first half of 2025 (14 if you count Florida). Some have chosen to comply on a state-by-state basis and others have followed the high-watermark approach of applying the strictest standard from among the CPLs to all states with CPLs or on a nationwide basis. Regardless of the chosen approach, the next six months brings a new batch of CPLs, some with material differences from the earlier generations, starting as early as July 1, 2025. In addition, amendments to CPLs already in effect will bring new obligations and requirements for many businesses during the second half of 2025. Accordingly, if these changes were not prospectively addressed, now is the time to confirm which of new CPLs are applicable, and timely revise privacy notices and compliance program procedures. Also, with the increase in CPL enforcement, and the growing size and frequency of civil penalties, now is also a good time for an overall privacy compliance checkup.
(A list of the 20 CPLs and their effective dates and applicability thresholds is included in an appendix at the end.)Continue Reading The Second Half of the Year Brings New State Privacy Obligations – Are You Ready?
State consumer privacy enforcers have been turning up the heat on recalcitrant data controllers that have incomplete, inadequate or broken consumer privacy law (CPL) protection programs. On July 8, the Office of the Attorney General of Connecticut (CT OAG) announced a settlement with TicketNetwork, Inc related to deficiencies in the company’s privacy notice and non-compliance with consumer rights requirements. This came just a week following California’s announcement of its largest consumer privacy law settlement to date — US $1.55 million, involving an online publisher known as Healthline. A post breaking that case down will follow shortly. Today we look at the Connecticut case.Continue Reading Connecticut’s Recent Privacy Settlement Shows that Organizations Should Remain Cognizant of Privacy Law Obligations Outside of California
Nineteen states have followed the lead of California and passed consumer privacy laws. Three went into effect this year and eight will become effective in 2025. The remainder become effective in 2026. Charts at the end of this post track effective dates (see Table 1) and applicability thresholds (see Table 2). While there are many similar aspects to these laws, they also diverge from each other in material ways, creating a compliance challenge for organizations. In addition, there are other privacy laws pertaining specifically to consumer health data,[1] laws specific to children’s and minors’ personal data and not part of a comprehensive consumer privacy law,[2] AI-specific laws,[3] or laws, including part of overall consumer privacy laws, regulating data brokers[4] that enterprises need to consider.
A recent article published by the authors in Competition Policy International’s TechReg Chronical details the similarities and differences between the 20 state consumer privacy laws and a chart at the end of this post provides a quick reference comparison of these laws (see Table 3).Continue Reading Are You Ready for The Latest U.S. State Consumer Privacy Laws?