In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?
State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska
In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices. Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least. As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.Continue Reading State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska
Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations
On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances. The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.Continue Reading Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations
Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits
In a recent decision, the U.S. District Court for the Northern District of California has construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, which increases business risk to tracking technologies lawsuits that are already rampant.Continue Reading Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits
En Banc 11th Circuit Joins Sister Circuits, Deeming One Text Message Enough for TCPA Standing
Once an outlier, the 11th U.S. Circuit Court of Appeals recently joined seven other Circuit Courts in holding that receipt of a single, unwanted text message constitutes the concrete injury required for standing in class actions filed under the Telephone Consumer Protection Act. Read on for details about this development and implications for TCPA class
Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
Over the past year, website operators have experienced a proliferation of lawsuits under the Federal Video Privacy Protection Act (“VPPA”), a Reagan-era statute prohibiting the nonconsensual disclosure of an individual’s video tape rental history. Despite its nondigital origin, litigation under the VPPA has successfully targeted the ubiquitous use of tracking technologies on businesses’ websites, creating a risk of significant class-action damages under VPPA’s $2,500 per violation statutory-damages clause. Read on for more details about the risk of litigation under the VPPA and how best to avert it.Continue Reading Analog Law with Digital Teeth: Litigation Under the Video Privacy Protection Act and Potential Liability for Businesses
The Door Opens for Astronomical Damages Under BIPA
An Illinois Supreme Court ruling on February 17, 2023 opened the door to astronomical damages under the Illinois Biometric Information Privacy Act (“BIPA”). Enacted in 2008, BIPA provides for a private right of action against an entity that collects or discloses a person’s biometric identifier without opt-in consent.Continue Reading The Door Opens for Astronomical Damages Under BIPA
TCPA Defendants Defeat Class Certification, Novel Autodialer Arguments; Lose Supreme Court Bid
Federal courts in recent Telephone Consumer Protection Act cases served up two victories and one disappointment for the defense. Siding with the defense, the 7th U.S. Circuit Court of Appeals ruled that defendants do not carry the burden of proof at class certification, and the 8th Circuit joined other courts in maintaining a narrow autodialer
Colleges Should Brace for Next Phase of COVID-19 Class Actions
Almost exactly a year ago, the first COVID-19 tuition reimbursement lawsuits were filed against higher education institutions across the United States and we warned of the continued onslaught of such litigation. With the filing of those reimbursement class actions decreasing, higher education institutions should be cognizant of a potential new wave of COVID-19 class actions: privacy class action lawsuits related to the COVID-19 vaccine.
Continue Reading Colleges Should Brace for Next Phase of COVID-19 Class Actions
U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory
On April 1, 2021, the U.S. Supreme Court issued its long-awaited opinion in Facebook v. Duguid, which resolved a circuit split regarding the meaning of “automatic telephone dialing system” (autodialer or ATDS) under the Telephone Consumer Protection Act (TCPA). In a decision authored by Justice Sonia Sotomayor, the court adopted the narrow, pro-defendant definition of autodialer.
Continue Reading U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory