Consumer Protection

Date: September 10, 2025 at 12:00 PM EDT

Format: Live Video

Duration: 1 Hour

Description: With limited federal regulation on consumer protection, data privacy, and AI, states are stepping in, creating a patchwork of laws that vary widely in scope and enforcement. While California and Colorado set high standards, other states like Maryland, Minnesota, and Oregon are introducing even stricter measures. Additional laws around consumer health data, data brokers, and child/teen online safety further complicate the landscape.

This panel will explore key differences and overlaps in state laws, highlight enforcement trends, and offer practical strategies for enterprises to implement privacy programs across states and globally. Attendees will receive comparison charts to support compliance efforts.Continue Reading State Privacy and AI Law Updates – A Live Legal Briefing You Won’t Want to Miss

Many organizations have been working diligently to comply with the 13 state consumer privacy laws (CPLs) in effect in the first half of 2025 (14 if you count Florida). Some have chosen to comply on a state-by-state basis and others have followed the high-watermark approach of applying the strictest standard from among the CPLs to all states with CPLs or on a nationwide basis. Regardless of the chosen approach, the next six months brings a new batch of CPLs, some with material differences from the earlier generations, starting as early as July 1, 2025. In addition, amendments to CPLs already in effect will bring new obligations and requirements for many businesses during the second half of 2025. Accordingly, if these changes were not prospectively addressed, now is the time to confirm which of new CPLs are applicable, and timely revise privacy notices and compliance program procedures. Also, with the increase in CPL enforcement, and the growing size and frequency of civil penalties, now is also a good time for an overall privacy compliance checkup. 

(A list of the 20 CPLs and their effective dates and applicability thresholds is included in an appendix at the end.)Continue Reading The Second Half of the Year Brings New State Privacy Obligations – Are You Ready?

State consumer privacy enforcers have been turning up the heat on recalcitrant data controllers that have incomplete, inadequate or broken consumer privacy law (CPL) protection programs.  On July 8, the Office of the Attorney General of Connecticut (CT OAG) announced a settlement with TicketNetwork, Inc related to deficiencies in the company’s privacy notice and non-compliance with consumer rights requirements. This came just a week following California’s announcement of its largest consumer privacy law settlement to date — US $1.55 million, involving an online publisher known as Healthline. A post breaking that case down will follow shortly.  Today we look at the Connecticut case.Continue Reading Connecticut’s Recent Privacy Settlement Shows that Organizations Should Remain Cognizant of Privacy Law Obligations Outside of California

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Collecting Personal Information during Checkout: Balancing Consumer Rights with Business Marketing

Singapore Strengthens Her Commitment to Responsible AI with the

Building a customer base is time-consuming and expensive. Engaging existing customers is often easier and more profitable than acquiring new customers.  In the US, email and other targeted marketing is a low-cost and high-ROI way to foster this engagement, which makes collecting customers’ email addresses (and other personal information) a high priority for marketers.  But, marketers beware: laws in California and Massachusetts that limit the collection of email addresses (and other personal information) at the point of purchase are an increasingly popular source of class action legal risk. While the laws in California and Massachusetts are popular with plaintiffs’ counsel now, several other states have similar laws, applying to different categories of information (e.g., some state laws only apply to address and telephone number) and transactions and varying enforcement mechanisms (e.g., criminal penalties or state attorney general enforcement).

Key Takeaways

  • Ensure that retail location staff understand that the collection of a customer’s personal information that is not required to complete a transaction must be the customer’s choice.  Requesting a customer email address or other contact data during the purchase process – such as for tailored discounts and rewards – is permitted as long as the customer knows it is voluntary, i.e., not required to complete the purchase transaction.  Further, to avoid errors and discourage claims clearly delineate subscriptions from transactions by separating sign-ups from purchases.
  • Check that etailer (i.e., e-commerce stores)  purchase transaction flows do not require additional personal information that is not necessary to complete the transaction and clearly disclose to customers what is and is not required. 
  • Beware of personal information collection by cookies, pixels and similar technology active on purchase transaction web pages.
  • Implement written policies and procedures – whether online or off – to document what personal information collected is mandatory vs. voluntary.

Continue Reading Collecting Personal Information during Checkout: Balancing Consumer Rights with Business Marketing

We have previously reported on the requirements, including mandatory risk assessments, of the California Age Appropriate Design Code Act, (CAADCA or Act) and that the Act was enjoined by a federal District Court as likely a violation of the publisher’s free speech rights under the First Amendment of the U.S. Constitution.  The 9th Circuit has upheld that decision, but only as to Data Protection Impact Assessments (DPIAs), and gone further to find that such assessments are subject to strict scrutiny and are facially unconstitutional.  See Netchoice, LLC v Rob Bonta, Atty General of the State of California (9th Cir., August 16, 2024) – a copy of the opinion is here.  The Court, however, overruled the District Court as to the injunction of other provisions of CAADCA, such as restrictions on the collection, use, and sale of minor’s personal data and how data practices are communicated.  Today, we will focus on what the decision means for DPIA requirements under consumer protection laws, including the 18 (out of 20) state consumer privacy laws that mandate DPIAs for certain “high-risk” processing activities.Continue Reading Are Data Practice Risk Assessments at Risk in the US?

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:Continue Reading State Privacy Law Patchwork Presents Challenges

PrivacyWorld is pleased to report that the first part of a two-part article comparing Kentucky, Maryland and Nebraska’s new consumer privacy laws was published by OneTrust Data Guidance. These three state privacy laws were the 3rd, 4th and 5th laws enacted in 2024, following the new consumer privacy laws in New Hampshire and New Jersey enacted in January.Continue Reading OneTrust DataGuidance Publishes Team SPB’s Comparison of the Kentucky, Maryland and Nebraska Consumer Privacy Laws – Part 1

Privacy pros know that tracking all the US consumer privacy laws is a challenge. The Privacy World team is here to help. In this post, we’ve collated information and resources regarding the consumer privacy laws in Texas, Oregon and Florida – all three of which are effective as of July 1, 2024. While the Florida privacy law’s status as an “omnibus” consumer privacy law is debatable given its narrow applicability and numerous carveouts, we’ve included it in this post for completeness. We’ve also provided a list of effective dates for the other state consumer privacy laws enacted but not yet in effect and some compliance approaches for your consideration.Continue Reading Are You Ready for July 1? Florida, Oregon, and Texas on Deck

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on