As we close out the first quarter of 2025, one thing is unmistakable: California’s regulatory efforts continue to center on data brokers. 

Earlier this year, the U.S. Department of Health and Human Services Office for Civil Rights adopted a new proposal to strengthen the Health Insurance Portability and Accountability Act security standards. The proposed changes mark the first update to the security rule in more than a decade. 

The Federal Trade Commission announced long-awaited amendments to the Children’s Online Privacy Protection Act Rule on January 16, 2025, marking the first changes to the COPPA Rule since 2013. The amendments are the output of a rule review process that began in 2019 and a notice of proposed rulemaking announced in December 2023.

This year saw significant enforcement activity from the Federal Trade Commission on privacy, data security, and related technology topics, particularly with respect to location information, health, and other sensitive data; data brokers; children’s privacy and online safety; and consumer protection issues related to artificial intelligence. State-level privacy enforcers, such as those in T

U.S. privacy law continued to expand in 2024, both geographically and substantively.  We now have 19 states with comprehensive consumer privacy laws (some of which are already in effect, while others become effective in 2025 and 2026). This recap focuses on the 10 state laws that were enacted or took effect this year, as well as the states that enacted meaningful updates.

In recent months, a wave of lawsuits has swept across the nation, targeting websites for allegedly violating state wiretapping laws through their use of tracking software.

After much anticipation, on November 8, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to formal rulemaking.