On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit, which consolidated three interlocutory appeals, issued a significant ruling in Clay v. Union Pacific Railroad Co., that resolves the question of whether Illinois’s 2024 amendment to the Biometric Information Privacy Act (“BIPA”) applies retroactively to cases pending when it was enacted.
CalPrivacy Ramps Up Privacy Enforcement
The California Privacy Protection Agency (CalPrivacy) is entering an aggressive new phase of privacy regulation and enforcement, of which companies doing business in California should be aware. CalPrivacy already brought enforcement actions against many companies, maintains over 100 active investigations and has signaled an increased pace of enforcement.
Continue Reading CalPrivacy Ramps Up Privacy Enforcement
Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch Next
Data Privacy Day offers a natural checkpoint to take stock of a fast‑moving legal landscape. As of January 1, 2026, several significant U.S. state privacy laws and regulatory updates are now live, with additional U.S. and global milestones queued up throughout 2026. Below we summarize important changes already in effect and highlight issues to monitor as the year unfolds.
Continue Reading Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch NextCalifornia’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690
California’s Invasion of Privacy Act (CIPA) is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies. The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to “read” a communication “in transit,” whether URLs and clickstream data constitute “contents,” and how third-party service providers fit within a statute that never contemplated real-time web analytics, session replay tools, or ad technology.
Continue Reading California’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690New CCPA Rules Are Here: Is Your Business Ready for What’s Next?
In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.
Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?If Passed, New California Law May Require Universal Opt-Out Mechanisms On Internet Browsers and Mobile Operating Systems
Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).
Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet
Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations
On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances. The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.
Continue Reading Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical LimitationsBroad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits
In a recent decision, the U.S. District Court for the Northern District of California has construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, which increases business risk to tracking technologies lawsuits that are already rampant.
Continue Reading Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies LawsuitsBusinesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance
On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”) entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to CPPA’s views on various topics covered by the CCPA. Among other things, the Order makes clear that:
Continue Reading Businesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-ComplianceNew Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law
On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).
The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope to examine their compliance obligations with respect to those provisions.
Continue Reading New Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law