As we close out the first quarter of 2025, one thing is unmistakable: California’s regulatory efforts continue to center on data brokers. 

This year saw significant enforcement activity from the Federal Trade Commission on privacy, data security, and related technology topics, particularly with respect to location information, health, and other sensitive data; data brokers; children’s privacy and online safety; and consumer protection issues related to artificial intelligence. State-level privacy enforcers, such as those in T

U.S. privacy law continued to expand in 2024, both geographically and substantively.  We now have 19 states with comprehensive consumer privacy laws (some of which are already in effect, while others become effective in 2025 and 2026). This recap focuses on the 10 state laws that were enacted or took effect this year, as well as the states that enacted meaningful updates.

Continued cyberthreats drove expanded data security and breach notification requirements in 2024. Although sectors deemed high-risk saw significant activity, we also saw proposed regulations that stand to have a significant impact on a wide swath of private companies in the year to come.

This Update outlines highlights of data security law in 2024.

In recent months, a wave of lawsuits has swept across the nation, targeting websites for allegedly violating state wiretapping laws through their use of tracking software.

After much anticipation, on November 8, the California Privacy Protection Agency (CPPA) Board voted to advance proposed regulations for insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) to formal rulemaking.