The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests, combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently or will soon become effective.  In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:

Continue Reading CalPrivacy Highlights Regulatory Changes for 2026

The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it prescribes in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities.

Continue Reading Your Year-end U.S. Privacy “To Do” List – don’t wait until the holiday crush to become 2026-ready

On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement with Tractor Supply Company, officially announced this week. At last week’s meeting, staff reported that there were hundreds of investigations and enforcement actions in progress, many of which were at a stage where the applicable businesses were not yet aware that they are a target. 2026 will bring new privacy obligations for businesses and greater repercussions for half-baked compliance efforts.

Continue Reading California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Attention Privacy World Readers! Do you need CLE? We have some options for you!

State Privacy and AI Law Updates – A Live Legal Briefing You Won’t Want to Miss

Colorado Legislature Passes a Five-Month Delay for Colorado’s AI Act

Date: September 10, 2025 at 12:00 PM EDT

Format: Live Video

Duration: 1 Hour

Description: With limited federal regulation on consumer protection, data privacy, and AI, states are stepping in, creating a patchwork of laws that vary widely in scope and enforcement. While California and Colorado set high standards, other states like Maryland, Minnesota, and Oregon are introducing even stricter measures. Additional laws around consumer health data, data brokers, and child/teen online safety further complicate the landscape.

This panel will explore key differences and overlaps in state laws, highlight enforcement trends, and offer practical strategies for enterprises to implement privacy programs across states and globally. Attendees will receive comparison charts to support compliance efforts.

Continue Reading State Privacy and AI Law Updates – A Live Legal Briefing You Won’t Want to Miss

Late yesterday afternoon, Colorado’s House of Representatives passed, in a 48-14 vote, a bill that delays the in-force date for Colorado’s landmark 2024 AI law (CO Rev Stat §§ 6-1-1701 — 6-1-1707 (COAIA)) until June 30, 2026.  After first voting in favor of an amendment delaying the in-force date until October 1, 2026, the Colorado House joined the Colorado Senate by voting in favor of SB25B-004 with the June 30, 2026, in-force date.  The bill was signed by the Speaker of the Colorado House and President of the Colorado Senate and sent to Governor Polis last night. 

The COAIA amendment was the result of an extraordinary session of the Colorado General Assembly convened by Colorado Governor Jared Polis when he signed Executive Order D 2025 009 on August 6, 2025. The Executive Order called for consideration of the “fiscal and implementation impacts” on businesses of the COAIA, as well as the budget shortfalls created by the cost-shifting effects of Public Law No: 119-21 (07/04/2025), among other issues.

The Executive Order and resulting amendment delaying the COAIA’s in-force date are not particularly surprising.  Since signing the COAIA, Governor Polis has called for the Colorado General Assembly to amend the COAIA to address his concerns that its complex regulatory regime would drive technology innovators away from Colorado.  On April 28, 2025, two of the COAIA’s original sponsors heeded Governor Polis’ call by introducing an amendment in the form of SB 25-318 that was not considered before the legislative session ended on May 7, 2025.  (Read more here.)  Since SB25B-004 does not address the substantive concerns with the COAIA, the General Assembly may revisit the COAIA when the second regular session of the 75th General Assembly begins on January 14, 2026.

Governor Polis signed SB25B-004 to allow the legislature time to consider amendments when it reconvenes in 2026. Please watch Privacy World for updates. The current Colorado AI Act is summarized here.

(The authors are grateful for the assistance of Mary Aldrich, Paralegal (New York).)

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.

Many organizations have been working diligently to comply with the 13 state consumer privacy laws (CPLs) in effect in the first half of 2025 (14 if you count Florida). Some have chosen to comply on a state-by-state basis and others have followed the high-watermark approach of applying the strictest standard from among the CPLs to all states with CPLs or on a nationwide basis. Regardless of the chosen approach, the next six months bring a new batch of CPLs, some with material differences from the earlier generations, starting as early as July 1, 2025. In addition, amendments to CPLs already in effect will bring new obligations and requirements for many businesses during the second half of 2025. Accordingly, if these changes were not prospectively addressed, now is the time to confirm which of the new CPLs are applicable, and timely revise privacy notices and compliance program procedures. Also, with the increase in CPL enforcement, and the growing size and frequency of civil penalties, now is also a good time for an overall privacy compliance checkup.

(A list of the 20 CPLs and their effective dates and applicability thresholds is included in an appendix at the end.)

Continue Reading The Second Half of the Year Brings New State Privacy Obligations – Are You Ready?

As companies begin to move beyond large language model (LLM)-powered assistants into fully autonomous agents—AI systems that can plan, take actions, and adapt without human-in-the-loop—legal and privacy teams must be aware of the use cases and the risks that come with them.

What is Agentic AI?
Agentic AI refers to AI systems—often built using LLMs but not limited to them—that can take independent, goal-directed actions across digital environments. These systems can plan tasks, make decisions, adapt based on results, and interact with software tools or systems with little or no human intervention.

Agentic AI often blends LLMs with other components like memory, retrieval, application programming interfaces (APIs), and reasoning modules to operate semi-autonomously. It goes beyond chat interfaces and can initiate real actions—inside business applications, internal databases, or even external platforms.

For example:

  • An agent that processes inbound email, classifies the request, files a ticket, and schedules a response—all autonomously.
  • A healthcare agent that transcribes provider dictations, updates the electronic health record, and drafts follow-up communications.
  • A research agent that searches internal knowledge bases, summarizes results, and proposes next steps in a regulatory analysis.

These systems aren’t just helping users write emails or summarize docs. In some cases, they’re initiating workflows, modifying records, making decisions, and interacting directly with enterprise systems, third-party APIs, and internal data environments. Here are a handful of issues that legal and privacy teams should be tracking now.

Continue Reading What is Agentic AI? A Primer for Legal and Privacy Teams

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024.  With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025.  The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations.  This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.

Continue Reading Revised Draft California Privacy Regulations Lessen Impact on Business