On September 23, 2025, the California Privacy Protection Agency confirmed that their cyber audit regulations will at long last go into effect on January 1, 2026. 

You can be forgiven for losing track since these were first proposed in September 2023, but now is the time to start considering how they will apply to your company and budgeting for that impact. 

150 consumer complaints per week. A consortium of privacy regulators. “Hundreds of open investigations.” 

In a major move signaling the growing power of multi-state cooperation on privacy enforcement, the California Privacy Protection Agency (CPPA), alongside the Attorneys General of California, Colorado, and Connecticut (collectively, the “Coalition”), announced an investigative sweep targeting businesses that fail to honor

California’s legislature has once again taken center stage in the national privacy conversation, passing a flurry of privacy bills during a marathon session that stretched into the night of September 12. 

On August 25, 2025, the Federal Trade Commission filed a complaint against Air AI, alleging the company and its owners made overblown claims about the availability and capabilities of its artificial intelligence (AI) tools to replace human sales representatives, as well as deceptive claims about the busi

After years of drafting, discussions, and debates, the California Privacy Protection Agency (CPPA) Board reached a significant milestone in its efforts to bring to fruition regulations that have been in discussion by the CPPA Board for several years. 

With 2025 more than half over and many state legislatures adjourned for the year, we look back at significant legislative developments concerning state comprehensive consumer privacy laws. 

As the 2025 summer heat continues and as state privacy laws continue to mature, enforcement actions are beginning to shape the compliance landscape for businesses nationwide—from the coast of California to the shores of Connecticut. 

In May 2025, Montana enacted Senate Bill 163 (SB 163), amending that state’s Genetic Information Privacy Act (MGIPA) to include protections for neurotechnology data—namely, data collected from the activity of the central or peripheral nervous system.

Going into the Friday, April 4, 2025, meeting, the CPPA seemed poised to move forward far-reaching privacy regulations on RAs, cybersecurity audits, and ADMT.

As we close out the first quarter of 2025, one thing is unmistakable: California’s regulatory efforts continue to center on data brokers. 

This year saw significant enforcement activity from the Federal Trade Commission on privacy, data security, and related technology topics, particularly with respect to location information, health, and other sensitive data; data brokers; children’s privacy and online safety; and consumer protection issues related to artificial intelligence. State-level privacy enforcers, such as those in T