On Friday, October 17, 2025, U.S. District Court Judge Vince Chhabria issued a biting Order granting defendant Eating Recovery Center, LLC’s (“ERC”) motion for summary judgment on the plaintiff Jane Doe’s California Invasion of Privacy Act (CIPA) claims, a law enacted in 1967 to address the increasing use of wiretapping to eavesdrop on private phone
On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations for the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. These cover Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications for the CCPA’s applicability to Insurance Companies. The package will move into its final review stage before formal enactment, once filed with the California Office of Administrative Law.
This is a clear signal that privacy compliance expectations in California are trending toward a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially when automated decision-making and high-risk data processing is involved. For companies, this is more than just a theoretical update – it’s a clarion call to ensure these requirements are built into day-to-day governance, technology and process design, and vendor management practices.Continue Reading California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know
On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690), a bill that seeks to add a “commercial business purposes” exception to the California Invasion of Privacy Act (CIPA).
After multiple readings on the Senate floor, SB 690 passed as amended, and will now proceed to the California State Assembly. SB
On May 19, 2025, the California Senate Appropriations Committee, which handles budgetary and financial matters, held a hearing on California Senate Bill 690 (SB 690). The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for
California Senate Bill 690 (SB 690), introduced by Senator Anna Caballero, is continuing to proceed through the California state legislative process. The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.” CIPA
The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.
The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.
The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.Continue Reading CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail
The California Privacy Protection Agency (“CPPA”) issued and discussed draft regulations on Cybersecurity Audits and Risk Assessments late in the summer. The CPPA Board plans to discuss the draft regulations at its upcoming December 8th public meeting, along with a presentation on the regulations. Continue Reading CPPA Considers Next Set of CPRA Regulations Covering Cybersecurity Audits and Risk Assessments
It’s been no doubt a week of mixed emotions at the California Privacy Protection Agency (“CPPA”) which last week had its final CCPA regulations (“Regulations”) approved and filed with the California Secretary of State by the Office of Administrative Law. The final regulations have been stated to be “effective immediately”. The result is that California employers are now going to have a significant burden around compliance with California privacy law which they didn’t have previously.
Taken on its face, “effective immediately” would mean that enforcement of the regulations would be available (if not acted upon) immediately. However, as with much about the CCPA, this may not be definitive.
First, the California Administrative Procedure Act (“APA”) provides that regulations become effective on one of four quarterly dates based on when the final regulations are filed with the Secretary of State. Under the APA the enforcement date would still be July 1, because the regulation was filed between March 1 and May 31. See Cal. Gov. Code §11343.4(a)(3).
Second, Proposition 24 (the actual amendment to the CCPA) itself provides timing of enforcement of the new provisions of the CCPA. Specifically, Cal. Civ. Code §1798.185(d) states “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.”Continue Reading CCPA Regulations Are Here – We Think
This just in….March 30, 2023. The California Office of Administrative Law has approved the CCPA Regulations and they are effective immediately. The text has not changed substantively since the modifications proposed late last year.
Without further ado, please read the CPPA’s announcement here.
At printing time, the final documents were to “be made available
In a January 11, 2023 op-ed published in the Wall Street Journal, President Joe Biden urged “Democrats and Republicans to come together to pass strong bipartisan legislation to hold Big Tech accountable.” He warned that the “risks Big Tech poses for ordinary Americans are clear. Big Tech companies collect huge amounts of data” about