The Connecticut Governor signed SB 1295 into law on June 25, 2025, again amending the Connecticut Data Privacy Act (CTDPA). 

As the 2025 summer heat continues and as state privacy laws continue to mature, enforcement actions are beginning to shape the compliance landscape for businesses nationwide—from the coast of California to the shores of Connecticut. 

In May 2025, Montana enacted Senate Bill 163 (SB 163), amending that state’s Genetic Information Privacy Act (MGIPA) to include protections for neurotechnology data—namely, data collected from the activity of the central or peripheral nervous system.

Going into the Friday, April 4, 2025, meeting, the CPPA seemed poised to move forward far-reaching privacy regulations on RAs, cybersecurity audits, and ADMT.

As we close out the first quarter of 2025, one thing is unmistakable: California’s regulatory efforts continue to center on data brokers. 

Continued cyberthreats drove expanded data security and breach notification requirements in 2024. Although sectors deemed high-risk saw significant activity, we also saw proposed regulations that stand to have a significant impact on a wide swath of private companies in the year to come.

This Update outlines highlights of data security law in 2024.

After much anticipation, on November 8, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to formal rulemaking. 

This year, the blossoming of spring is accompanied by a pair of noteworthy California Privacy Protection Agency (CPPA) updates. 

Last month, Senators Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) reintroduced the Kids Online Safety Act (KOSA), initially introduced last term, noting that the bill now has 62 cosponsors, bipartisan support, and is poised to pass in the Senate.