California’s Invasion of Privacy Act (CIPA) is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies. The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to “read” a communication “in transit,” whether URLs and clickstream data constitute “contents,” and how third-party service providers fit within a statute that never contemplated real-time web analytics, session replay tools, or ad technology.Continue Reading California’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690
New CCPA Rules Are Here: Is Your Business Ready for What’s Next?
In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?
If Passed, New California Law May Require Universal Opt-Out Mechanisms On Internet Browsers and Mobile Operating Systems
Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).
Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet
Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations
On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances. The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.Continue Reading Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations
Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits
In a recent decision, the U.S. District Court for the Northern District of California has construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, which increases business risk to tracking technologies lawsuits that are already rampant.Continue Reading Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits
Businesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance
On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”) entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to CPPA’s views on various topics covered by the CCPA. Among other things, the Order makes clear that:Continue Reading Businesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance
New Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law
On January 16, 2024, New Jersey became the thirteenth state to enact a comprehensive data privacy law, named the New Jersey Data Privacy Act (the “NJDPA”).
The NJDPA, which will take effect on January 15, 2025, includes some provisions that are different from other data privacy laws, thereby requiring entities that fall within its scope to examine their compliance obligations with respect to those provisions.Continue Reading New Jersey Becomes the Latest State to Enact a Comprehensive Data Privacy Law
Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause. Read on for more details about the risk of litigation under the VPPA and how best to avert it.Continue Reading Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
Failing to Comply With the Slew of New Data Privacy Laws Can Be Costly to Companies
Over the past few years, data privacy and security has been the focus of many state legislatures. CA, CO, CT, IA, UT and VA have already passed comprehensive data privacy laws. Indiana joined them on May 1, 2023 when the Governor signed the latest consumer privacy bill into law. Many other states have bills in the legislatures that are likely to become law, including FL, MT and TN (where the bills are awaiting the governors’ signatures). Though most of these laws apply to businesses that control or process personal data of 100,000 or more residents in each of those states, California’s data privacy law applies to any business that has gross annual revenue of over $25M if it collects the personal data of any California resident, which includes employees and business contacts.Continue Reading Failing to Comply With the Slew of New Data Privacy Laws Can Be Costly to Companies
Iowa Joins Data Privacy Vanguard
On March 29, 2023, Iowa became the latest in a small but growing number of states to enact comprehensive data privacy legislation. Like its counterpart laws in California, Connecticut, Colorado, Utah and Virginia, Iowa’s data privacy law – formally titled “An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions” (“IDPL”) – provides a detailed framework regulating the collection and use of consumer personal data, and affords consumers various rights as to data collected about them. Fortunately, many of the requirements imposed by the IDPL, which goes into effect on January 1, 2025, are largely similar to those applicable in the other five states, and especially those in Connecticut, Colorado, Utah and Virginia.[1]Continue Reading Iowa Joins Data Privacy Vanguard