Category Archives: U.S. State Privacy Laws

White House’s AI Action Plan: Winning the Race in a Patchwork Regulatory Era

By Joshua Ashley Klayman, Ieuan Jolly, Jeffrey Cohen, and Caitlin Potratz Metcalf

Left to right: Joshua Ashley Klayman, Ieuan Jolly, Jeffrey Cohen, and Caitlin Potratz Metcalf (photos courtesy of Linklaters)

On July 23, 2025, the White House published Winning the AI Race: America’s AI Action Plan (the AI Action Plan), a comprehensive effort aimed at solidifying United States leadership in artificial intelligence. The AI Action Plan acknowledges the U.S.’ uniquely complex—and, at times, conflicting—regulatory landscape, including the patchwork of state-level laws that impact innovation, compliance, and policy predictability. The Action Plan calls for national leadership and seeks a unified, pro-innovation regulatory approach, with an understanding that states will continue to develop their own laws. Businesses should prepare for both the opportunities and the compliance challenges that will arise as the Action Plan is implemented.

CPPA Adopts Long Awaited Rulemaking Package

by Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen

Left to right: Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen (photos courtesy of Debevoise & Plimpton LLP)

The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other adjustments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025 respectively. Ultimately, after its initial 45-day comment period and additional revisions, the Board decided to finalize the text of the rulemaking package (the “Regulations”).

CPPA Fines Honda $632,500 for CCPA Violations

by Jenna N. Rode

Photo courtesy of the author

On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced that it reached a settlement with American Honda Motor Co. (“Honda”) in which Honda will pay a $632,500 fine to resolve claims that the company violated the CCPA. The enforcement action comes as part of the CPPA’s ongoing investigation into connected vehicle manufacturers, which began in 2023.

Children’s Online Privacy: Recent Actions by the States and the FTC

by Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel

Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel (Photos courtesy of Mayer Brown)

As the digital world becomes an integral part of children’s lives, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This article explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act.

As social media companies and digital services providers increasingly cater to younger audiences, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This Legal Update explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act (“COPPA”).

New York Data Breach Notification Law Updated

by Jenna Rode and Emilie Galper

Jenna Rode and Emilie Galper (Photos courtesy of Hunton Andrews Kurth LLP)

New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”

California’s Privacy Regulator Issues Enforcement Guidance on How To Avoid “Dark Patterns” in Obtaining Consumer Consent

by David L. Rice and Christopher W. Savage

Left to Right: David L. Rice and Christopher W. Savage (photos courtesy of Davis Wright Tremaine LLP)

On September 4, 2024, the California Privacy Protection Agency (“CPPA”) announced that it issued an Enforcement Advisory (“Advisory”) providing guidance on how to avoid using prohibited “Dark Patterns” to obtain consent from consumers. Businesses subject to the California Consumer Privacy Act (CCPA) routinely request consent from consumers related to their personal information and in handling consumer requests to exercise their statutory rights regarding their personal information. The CPPA’s advisory is a strong signal that the time for businesses to identify and remove Dark Patterns in these processes is now—before the CPPA commences enforcement—by reviewing user interfaces to ensure the language and interface design offering consumers privacy choices is clear and symmetrical.

Does California’s Delete Act Have the “DROP” on Data Brokers?: Updates and Insights from the Recent Stakeholder Session

by Christine E. Lyon, Christine Chong, Jackson Myers, and Ortal Isaac

From left to right: Christine E. Lyon, Christine Chong and Jackson Myers. (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

The California Delete Act will make it easier for California consumers to request deletion of their personal information by so-called “data brokers,” a term that is much broader than companies may expect (see our prior blog post here). In particular, the Delete Act provides for a universal data deletion mechanism—known as the Data Broker Delete Requests and Opt-Out Platform, or “DROP”—that will allow any California consumer to make a single request for the deletion of their personal information by certain, or all, registered data brokers. In turn, by August 2026, data brokers will be required to regularly monitor, process, and honor deletion requests submitted through the DROP.

While the DROP’s policy objectives are fairly straightforward, it is less clear how the DROP will work in practice. For example, what measures will be taken to verify the identity of the consumer making the request, to ensure that the requesting party is the consumer they claim to be? What measures will be taken to verify that a person claiming to act as an authorized agent for a consumer actually has the right to request deletion of that consumer’s personal information? Unauthorized deletion of personal information may result in inconvenience or even loss or harm to individuals, which raises the stakes for the California Privacy Protection Agency (CPPA) as the agency responsible for building the DROP.

Recently Enacted AI Law in Colorado: Yet Another Reason to Implement an AI Governance Program

by Avi Gesser, Erez Liebermann, Matt Kelly, Martha Hirst, Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz

Top left to right: Avi Gesser, Erez Liebermann, Matt Kelly, and Martha Hirst. Bottom left to right: Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz. (Photos courtesy of Debevoise & Plimpton LLP)

On May 17, 2024, Colorado passed Senate Bill 24-205 (“the Colorado AI Law” or “the Law”), a broad law regulating so-called high-risk AI systems that will become effective on February 1, 2026. The law imposes sweeping obligations on both AI system deployers and developers doing business in Colorado, including a duty of reasonable care to protect Colorado residents from any known or reasonably foreseeable risks of algorithmic discrimination.

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.

Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application

by Marshall Mattera and Amanda Pervine

Marshall J. Mattera (photo courtesy of Hunton Andrews Kurth)

The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data.
