On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances. The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.Continue Reading Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations

Alicia A. Baiardo
Ali, a partner in the San Francisco office of McGuireWoods, is a commanding commercial litigator trusted by three of the largest U.S. banks and numerous Fortune Global 500 companies to defend multimillion-dollar class actions and other complex litigation. She defends nationwide consumer class actions brought on behalf of millions of class members, California-wide cases alleging unfair competition, fraud, and violation of various consumer protection statutes, and complex Ponzi-scheme matters brought against banks.

First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory
On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.
Continue Reading First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory
New Utah Privacy Law Largely Overlaps with Existing State Statutes

The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become complaint if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws.
Continue Reading New Utah Privacy Law Largely Overlaps with Existing State Statutes
U.S. Biometrics Laws Part II: What to Expect in 2021
As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data. However, we have recently seen an increasing number of states focusing on this issue. Part I summarized legislative activity on this issue in 2020. In this Part II, we discuss noteworthy legislation to monitor in 2021.
What to Expect in 2021
At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.
New York – AB 27
On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data. BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy. As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data. The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.Continue Reading U.S. Biometrics Laws Part II: What to Expect in 2021
U.S. Biometrics Laws Part I: An Overview of 2020
Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses. From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.
Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws. As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person. As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field. Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.
The United States does not have a single, comprehensive federal law governing biometric data. Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data. In Part I, we summarize some of the legislative activity on biometric laws from 2020. We will describe other noteworthy legislation to monitor for 2021 in Part II.Continue Reading U.S. Biometrics Laws Part I: An Overview of 2020
California Privacy Rights Act: A Move Closer to GDPR? Part II
In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law. To view Part I in the series, click here.
NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES
a. Key data protection principles
The GDPR revolves around seven key data protection principles:
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality (security); and
- Accountability
Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part II
California Privacy Rights Act: A Move Closer to GDPR? Part I
The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA). We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).
HOW DOES THE CPRA CHANGE THE CCPA?
The CPRA makes several significant changes to the CCPA:
- It introduces the concept of “sensitive personal data”;
- It introduces new obligations on businesses, and GDPR-style “principles”;
- It introduces new rights for consumers; and
- It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.
These changes are very significant – but do they represent a move closer to GDPR, or a move away?Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part I
You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA
The November 2020 election left a lot of questions. Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”). This article gives an overview addressing the what, when, and how of the CPRA. (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)
What is the CPRA?
The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways. It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes. Some parts of the CCPA will remain in effect, and others are rephrased or clarified. We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.Continue Reading You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA
Frenemies Video Series – Season 3: Pivot! Pivot! Pivot! What Marketers Need to Know About the California Consumer Privacy Act
The third season in Frenemies has been released — watch these episodes.
- The One Where California Falls in Love With Privacy: The California Consumer Privacy Act in 10 Minutes (featuring Bethany Lukitsch and Justin Yedor)
- The One Where “Sale” Doesn’t Mean What You Think: What Is a Sale and Why Does it Matter? (featuring Ali
…
Finally Final: CCPA Regulations Take Effect
On August 14, 2020, the California Attorney General announced final approval of the California Consumer Privacy Act Regulations by the Office of Administrative Law. The Regulations take effect immediately.
While the revisions made to the Final Regulations mostly consist of “non-substantive changes” to correct grammatical errors or clarify the wording of various provisions, business should be aware of the “global modifications” made in a few key areas. These are summarized below along with our take on what they may mean for businesses:Continue Reading Finally Final: CCPA Regulations Take Effect