Can we take any insights from Connecticut’s first settlement under the state’s Data Privacy Act, reached with TicketNetwork, an online ticket marketplace? The AG concerns mirrored priorities outlined in Connecticut’s 2025 CTDPA Enforcement Report. This suggests that future cases may also draw from that report.Continue Reading Privacy Compliance Insights from Connecticut’s First Privacy Law Settlement
Texas is getting into the AI action, with a new law (the Texas Responsible Artificial Intelligence Governance Act) that will place restrictions not only on AI use by government agencies, but businesses as well. In particular, it will apply to businesses (a) operating in Texas, (b) those that have products or services used by those in the state, or (c) those that develop or deploy AI systems in Texas. The requirements of the law will take effect January 1, 2026. Some things for companies to keep in mind about the law’s requirements:Continue Reading Countdown to 2026: What Will the Texas AI Law Mean for Businesses?
Minnesota has a new law that, beginning a year from now, will require that social media companies warn users of the potential negative mental health effects of social media use each time a user accesses a social media platform. The warning label will need to include specific content, including information about mental health resources (like the national suicide prevention and mental health crisis hotline). The law also specifically prohibits including “extraneous information” in the warning label. It must be on-screen (not in a company’s website terms) and remain on screen until the user either acknowledges and agrees to it, or leaves the site.Continue Reading Minnesota May Be First to Require Social Media Warning Label
Oregon will begin to regulate the use of minors’ information and sale of users’ location data (regardless of age) with an update to its Oregon Consumer Privacy Act. These revisions will go into effect January 1, 2026. As amended, those subject to the law will not be able to profile or serve targeted advertising to anyone under 16. This includes both those the company knows are under that age, as well as those that they should know are under that age. (Currently, restriction that applies to consumers that are at least thirteen but not older than fifteen without their consent.)Continue Reading Oregon’s Privacy Law Update Adds to Patchwork Approach to Minors and Location Data
Vermont has joined the list of states attempting to regulate the use of children’s information collected online, passing an Age-Appropriate Design Code Act. This law mirrors ones we have seen in other US states as well as the UK, and applies to online services reasonably accessed by minors, that collect personal data. We expect it to be challenged, but if it is not, it would go into effect January 1. Among other things, the law provides the following:Continue Reading Growing List of States Attempting to Regulate Kids’ Online Privacy: Vermont Joins the Group
North Dakota recently passed a law establishing new rules for certain financial companies operating in the state – specifically “financial corporations.” The new obligations will take effect on August 1, 2025. They will apply to businesses that the North Dakota department of financial institutions regulates. Financial institutions (like banks and loan companies) and credit unions are not regulated by that entity.Continue Reading North Dakota Passes New Data Security Law for “Financial Corporations”
Nebraska’s governor signed a bill into law that, among other things, creates the Parental Rights in Social Media Act. The provisions of the law will go into effect July 1, 2026, unless challenged. The law is similar to several other states, most of which have been challenged (including Arkansas, California, and Utah) and some struck down.Continue Reading Growing List of States Attempting to Regulate Kids’ Social Media Accounts: Nebraska Husks Up
The Michigan Attorney General has filed a complaint against Roku, a popular TV content platform, alleging, among other things, violations of the Children’s Online Privacy Protection Act and the Video Privacy Protection Act (and a similar Michigan law). As most are aware, COPPA requires prior parental consent before collecting information from children online. It gives standing to both the FTC and to states’ attorneys general, but no private right of action. Most cases brought since COPPA’s passage have been brought by the FTC, however, and not by states. This current Michigan case comes after a group of 43 states, including Michigan, sent a letter to the FTC urging it to strengthen and update its COPPA Rule.Continue Reading Michigan AG Sues Roku Over Alleged Privacy Violations
Montana recently revised its Genetic Information Privacy Act to address neural data. The law went into effect in 2023, and applies to both entities that offer genetic testing services as well as entities that use genetic data.Continue Reading Montana Amends Law to Cover Collection and Use of Neural Data
Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different, as it allows account creation without parental consent. Instead, it places restrictions on account use for both minors and social media platforms.Continue Reading Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?)
The FTC’s settlement with Cleo AI gives some indication as to what we might see from the agency in the coming months. The FTC alleged, among other things, that Cleo AI’s actions violated Section 5 of the FTC Act. In particular, as reported in our sister blog, Cleo AI required people to enroll in a paid subscription plan, even though they marketed their services as free. It also made it difficult for people to cancel their subscription and made it hard to stop recurring charges. The company also failed to disclose material terms.Continue Reading Lessons from the FTC: The Cleo AI Settlement