California appears to be changing its approach to how it regulates artificial intelligence, likely reflecting its reaction to challenges seen recently in other states. Namely, the California Privacy Protection Agency recently released an update to its draft regulations which change how the Agency plans to regulate Automated Decisionmaking Technology, or ADMT. This comes after the Agency’s original proposal faced intense opposition from industry groups, state lawmakers and Governor Newsom.Continue Reading California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules

The Michigan Attorney General has filed a complaint against Roku, a popular TV content platform, alleging, among other things, violations of the Children’s Online Privacy Protection Act and the Video Privacy Protection Act (and a similar Michigan law). As most are aware, COPPA requires prior parental consent before collecting information from children online. It gives standing to both the FTC and to states’ attorneys general, but no private right of action. Most cases brought since COPPA’s passage have been brought by the FTC, however, and not by states. This current Michigan case comes after a group of 43 states, including Michigan, sent a letter to the FTC urging it to strengthen and update its COPPA Rule.Continue Reading Michigan AG Sues Roku Over Alleged Privacy Violations

Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different, as it allows account creation without parental consent. Instead, it places restrictions on account use for both minors and social media platforms.Continue Reading Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?) 

The Belgian Data Protection Authority recently ruled that a Belgian government entity, FPS Finance, cannot transfer the personal data of “accidental Americans” to the IRS. According to the decision, the transfers needed to cease for several reasons.Continue Reading Belgian DPA Finds Certain Tax Information Transfers to IRS Unlawful

In a landmark ruling, the Ninth Circuit expanded the application of specific personal jurisdiction principles to the realm of nationwide e-commerce. On April 21, 2025, an en banc panel issued a 10–1 decision ruling that allegations that Shopify embedded cookies that tracked a California consumer’s location data were sufficient to establish specific personal jurisdiction over Shopify in California (reversing the Court’s prior opinion on this exact issue). In the wake of this decision, businesses may face increased legal challenges in various states. To protect against far-flung lawsuits in unwanted jurisdictions, e-commerce businesses should, if practicable, refrain from collecting location data and engaging in other online activities that may be seen as targeting consumers of a particular state.Continue Reading Ninth Circuit Upends Internet Personal Jurisdiction Law–Briskin v. Shopify

The FTC’s settlement with Cleo AI gives some indication as to what we might see from the agency in the coming months. The FTC alleged, among other things, that Cleo AI’s actions violated Section 5 of the FTC Act. In particular, as reported in our sister blog, Cleo AI required people to enroll in a paid subscription plan, even though they marketed their services as free. It also made it difficult for people to cancel their subscription and made it hard to stop recurring charges. The company also failed to disclose material terms.Continue Reading Lessons from the FTC: The Cleo AI Settlement

The California Privacy Protection Agency announced this month that it, along with six other states, will be forming a new group called the “Consortium of Privacy Regulators.” (The other states are Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.) Members include the Attorneys General from these states, as well as California’s privacy regulator (the CPPA).Continue Reading New Era of Collaboration? States Team Up to Coordinate on Privacy Laws

The U.S. Department of Justice (DOJ)’s new data security rule went into effect April 8, 2025. This rule requires companies to take measures to prevent U.S. sensitive personal and government-related data from falling into the hands of foreign adversaries. The rule targets transactions (including data brokerage, vendor agreements, employment agreements, and investment agreements) involving access to bulk sensitive personal data or government-related data when those transactions involve identified covered persons or countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela). Continue Reading DOJ Announces 90-Day Grace Period for Companies to Comply with New Data Security Rules on Foreign Adversary Access to U.S. Sensitive Data

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.Continue Reading Insurance Cybersecurity Certifications: An (Updated) State Roundup

Arkansas’ second attempt at regulating minor’s access to social media – in the form of the Social Media Safety Act (SB 689) – has again been struck down as unconstitutional. The court permanently enjoined the state from enforcing the law. It was a modified version of Arkansas’ 2023 SB 396, that was also blocked. The plaintiff in both challenges was NetChoice, a group familiar to anyone following kids’ social media laws. As a result of NetChoice’s efforts, similar laws have been blocked in California, Utah, Maryland, Mississippi, Ohio, and Texas. Courts in those states, as in Arkansas, found that the laws were unduly burdensome on free speech, with overly broad content restrictions not tailored to prevent harm to minors.Continue Reading Arkansas’ Kids Social Media Law: Another One Bites the Dust