The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it proscribes be in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative
On July 24, the California Privacy Protection Agency Board unanimously voted to approve the May 9 draft of its proposed edits and additions to regulations under the California Consumer Privacy Act (CCPA), which we broke down in detail here. There were 575 pages of comments from 70 commentators regarding that last set of changes, but staff concluded that no further changes were appropriate in response to these comments and the Board agreed. So now, a final package will be prepared and presented to the Office of Administrative Law (OAL) to confirm the regulations are consistent with the CCPA and administrative procedures. That package will include more detailed explanation of why rejected comments were rejected, with the goal of providing guidance especially regarding interpretation issues. Assuming OAL approval, key implementation dates will be:Continue Reading New California Privacy Regulations Passed by Board
In another settlement of a cookie-related state consumer privacy law enforcement action, California reinforces contract requirements for making personal information available and raises questions about the scope of purpose limitation requirements, especially where the nature of the data and/or its use could run counter to consumer expectations.
On July 1, 2025, the California Office of the Attorney General (OAG) announced a settlement against Healthline, which included the largest CCPA settlement to date – $1.55 million – and many “firsts” for public CCPA enforcement: the first involving a publisher, the first health information-related enforcement action, and the first time the purpose limitation principle has been invoked by California’s (or any other state’s) regulators in a public regulatory enforcement context. This enforcement action came just a week before Connecticut’s attorney general announced an $85,000 settlement under the Connecticut state privacy law explored in more detail here.Continue Reading California AG Issues Highest Fine to Date for CCPA Violations
State consumer privacy enforcers have been turning up the heat on recalcitrant data controllers that have incomplete, inadequate or broken consumer privacy law (CPL) protection programs. On July 8, the Office of the Attorney General of Connecticut (CT OAG) announced a settlement with TicketNetwork, Inc related to deficiencies in the company’s privacy notice and non-compliance with consumer rights requirements. This came just a week following California’s announcement of its largest consumer privacy law settlement to date — US $1.55 million, involving an online publisher known as Healthline. A post breaking that case down will follow shortly. Today we look at the Connecticut case.Continue Reading Connecticut’s Recent Privacy Settlement Shows that Organizations Should Remain Cognizant of Privacy Law Obligations Outside of California
(Updated May 12, 2025)
Since January, the federal government has moved away from comprehensive legislation on artificial intelligence (AI) and adopted a more muted approach to federal privacy legislation (as compared to 2024’s tabled federal legislation). Meanwhile, state legislatures forge ahead – albeit more cautiously than in preceding years.
As we previously reported, the Colorado AI Act (COAIA) will go into effect on February 1, 2026. In signing the COAIA into law last year, Colorado Governor Jared Polis (D) issued a letter urging Congress to develop a “cohesive” national approach to AI regulation preempting the growing patchwork of state laws. Absent a federal AI law, Governor Polis encouraged the Colorado General Assembly to amend the COAIA to address his concerns that the COAIA’s complex regulatory regime may drive technology innovators away from Colorado. Eight months later, the Trump Administration announced its deregulatory approach to AI regulation making federal AI legislation unlikely. At that time, the Trump Administration seemed to consider existing laws – such as Title VI and Title VII of the Civil Rights Act and the Americans with Disabilities Act which prohibit unlawful discrimination – as sufficient to protect against AI harms. Three months later, a March 28 Memorandum issued by the federal Office of Management and Budget directs federal agencies to implement risk management programs designed for “managing risks from the use of AI, especially for safety-impacting and rights impacting AI.”Continue Reading States Shifting Focus on AI and Automated Decision-Making
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Companies in all industries take note: regulators are scrutinizing how companies offer and manage privacy rights requests and looking into the nature of vendor processing in connection with application of those requests. This includes applying the proper verification standards and how cookies are managed. Last month, the California Privacy Protection Agency (“CPPA” or “Agency”) provided
As reported previously, the California Privacy Protection Agency (“CPPA”) closed the public comment period for its proposed cybersecurity audit, risk assessment and automated decision-making technology (“ADMT”) regulations (the “Proposed Regulations”) in late February. In advance of the CPPA’s April 4 meeting, the CPPA released a new draft of the Proposed Regulations, which proposed relatively minor substantive changes, but pushed back the dates for when certain obligations would become effective. The Agency’s Board met on April 4, 2025, to discuss the new proposals and comments received, as well as the potential for some very different alternatives, especially related to ADMT. Members of the CPPA Board debated the staff’s approach and ultimately sent the staff back to narrow the scope of the Proposed Regulations, clarify what was in and out of scope with more examples, and to further consider how to reduce the costs and burdens on businesses. While it is unclear exactly what staff will come back with, the alternatives discussed provide some hints on what a more constrained approach may look like.Continue Reading The Future for California’s Latest Generation of Privacy Regulations is Uncertain
As we have covered, the public comment period closed on February 19th for the California Privacy Protection Agency (CPPA) draft regulations on automated decision-making technology, risk assessments and cybersecurity audits under the California Consumer Privacy Act (the “Draft Regulations”). One comment that has surfaced (the CPPA has yet to publish the comments), in particular, stands out — a letter penned by 14 Assembly Members and four Senators. These legislators essentially charged the CPPA for being over its skis, calling out “the Board’s incorrect interpretation that CPPA is somehow authorized to regulate AI.” Continue Reading CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority
We are pleased to announce that we will be participating in the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy Summit in Los Angeles, CA.
Join Alan Friel for a session on CA Rulemaking: Unpacking the CCPA cybersecurity audit, privacy risk assessment regulations, and ADMT. The panel will review the draft ADMT regulations, interpret