Litigation

On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement with Tractor Supply Company, officially announced this week. At last week’s meeting, staff reported that there were hundreds of investigations and enforcement actions in progress, many of which were at a stage that the applicable businesses were not yet aware that they are a target. 2026 will bring new privacy obligations for businesses and greater repercussions for half-baked compliance efforts.

Continue Reading California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action

On June 30, 2025, the California Civil Rights Council (CRC) secured final approval for regulations addressing employment discrimination resulting from the use of artificial intelligence and other algorithms it collectively refers to as Automated-Decision Systems. Shortly after that, on July 24, 2025, the California Privacy Protection Agency Board approved its own long-anticipated regulations on cybersecurity

On July 24, the California Privacy Protection Agency Board unanimously voted to approve the May 9 draft of its proposed edits and additions to regulations under the California Consumer Privacy Act (CCPA), which we broke down in detail here.  There were 575 pages of comments from 70 commentators regarding that last set of changes, but staff concluded that no further changes were appropriate in response to these comments and the Board agreed.  So now, a final package will be prepared and presented to the Office of Administrative Law (OAL) to confirm the regulations are consistent with the CCPA and administrative procedures.  That package will include more detailed explanation of why rejected comments were rejected, with the goal of providing guidance especially regarding interpretation issues.  Assuming OAL approval, key implementation dates will be:

Continue Reading New California Privacy Regulations Passed by Board

In another settlement of a cookie-related state consumer privacy law enforcement action, California reinforces contract requirements for making personal information available and raises questions about the scope of purpose limitation requirements, especially where the nature of the data and/or its use could run counter to consumer expectations. 

On July 1, 2025, the California Office of the Attorney General (OAG) announced a settlement against Healthline, which included the largest CCPA settlement to date – $1.55 million – and many “firsts” for public CCPA enforcement: the first involving a publisher, the first health information-related enforcement action, and the first time the purpose limitation principle has been invoked by California’s (or any other state’s) regulators in a public regulatory enforcement context. This enforcement action came just a week before Connecticut’s attorney general announced an $85,000 settlement under the Connecticut state privacy law explored in more detail here.

Continue Reading California AG Issues Highest Fine to Date for CCPA Violations

On 21 May 2025, the European Commission published a proposal for a new regulation aimed at simplifying several EU legal instruments, including targeted amendments to the General Data Protection Regulation (GDPR). The announced objective is to ease compliance obligations for small and medium-sized enterprises (SMEs) and extend certain regulatory benefits to small mid-cap companies (SMCs) (a category of businesses that often face comparable regulatory burdens to large corporations but lack equivalent resources). In the field of data protection, the proposal focuses on revising the obligation to maintain records of processing activities under Article 30 GDPR. It suggests raising the employee threshold for this obligation and clarifying that record-keeping would only be required when processing is likely to pose a high risk to individuals’ rights and freedoms.

Continue Reading GDPR Relief for SMEs? EDPB and EDPS Weigh in on the EU’s Simplification Plans

State consumer privacy enforcers have been turning up the heat on recalcitrant data controllers that have incomplete, inadequate or broken consumer privacy law (CPL) protection programs.  On July 8, the Office of the Attorney General of Connecticut (CT OAG) announced a settlement with TicketNetwork, Inc related to deficiencies in the company’s privacy notice and non-compliance with consumer rights requirements. This came just a week following California’s announcement of its largest consumer privacy law settlement to date — US $1.55 million, involving an online publisher known as Healthline. A post breaking that case down will follow shortly.  Today we look at the Connecticut case.

Continue Reading Connecticut’s Recent Privacy Settlement Shows that Organizations Should Remain Cognizant of Privacy Law Obligations Outside of California

In a much-awaited decision, the U.S. Supreme Court (Supreme Court) has ruled that in civil enforcement proceedings under the Telephone Consumer Protection Act (TCPA), whether brought by the Government or in private civil suits, the Federal district courts (District Courts) are not bound by the Federal Communications Commission’s (FCC) interpretation of the TCPA. Rather, the District Courts may independently assess whether the FCC’s interpretation of the TCPA is correct while giving the FCC interpretation “appropriate respect.”

Continue Reading District Courts Empowered to Independently Analyze FCC TCPA Interpretations

(Updated May 12, 2025)

Since January, the federal government has moved away from comprehensive legislation on artificial intelligence (AI) and adopted a more muted approach to federal privacy legislation (as compared to 2024’s tabled federal legislation). Meanwhile, state legislatures forge ahead – albeit more cautiously than in preceding years.

As we previously reported, the Colorado AI Act (COAIA) will go into effect on February 1, 2026. In signing the COAIA into law last year, Colorado Governor Jared Polis (D) issued a letter urging Congress to develop a “cohesive” national approach to AI regulation preempting the growing patchwork of state laws. Absent a federal AI law, Governor Polis encouraged the Colorado General Assembly to amend the COAIA to address his concerns that the COAIA’s complex regulatory regime may drive technology innovators away from Colorado. Eight months later, the Trump Administration announced its deregulatory approach to AI regulation making federal AI legislation unlikely. At that time, the Trump Administration seemed to consider existing laws – such as Title VI and Title VII of the Civil Rights Act and the Americans with Disabilities Act which prohibit unlawful discrimination – as sufficient to protect against AI harms. Three months later, a March 28 Memorandum issued by the federal Office of Management and Budget directs federal agencies to implement risk management programs designed for “managing risks from the use of AI, especially for safety-impacting and rights impacting AI.”

Continue Reading States Shifting Focus on AI and Automated Decision-Making

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

State Privacy Enforcement Updates: CPPA Extracts Civil Penalties in Landmark Case; State Regulators Form Consortium for Privacy Enforcement Collaboration |