In a landmark ruling, the Ninth Circuit expanded the application of specific personal jurisdiction principles to the realm of nationwide e-commerce. On April 21, 2025, an en banc panel issued a 10–1 decision ruling that allegations that Shopify embedded cookies that tracked a California consumer’s location data were sufficient to establish specific personal jurisdiction over Shopify in California (reversing the Court’s prior opinion on this exact issue). In the wake of this decision, businesses may face increased legal challenges in various states. To protect against far-flung lawsuits in unwanted jurisdictions, e-commerce businesses should, if practicable, refrain from collecting location data and engaging in other online activities that may be seen as targeting consumers of a particular state.Continue Reading Ninth Circuit Upends Internet Personal Jurisdiction Law–Briskin v. Shopify

The California Privacy Protection Agency announced this month that it, along with six other states, will be forming a new group called the “Consortium of Privacy Regulators.” (The other states are Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.) Members include the Attorneys General from these states, as well as California’s privacy regulator (the CPPA).Continue Reading New Era of Collaboration? States Team Up to Coordinate on Privacy Laws

The California privacy regulator recently settled with a data broker (Key Marketing Advantage LLC) that it alleged had violated the state’s data broker law. Under the Delete Act, data brokers must, among other things, register annually by January 31 and pay an annual fee. According to the agency, the company failed to register or pay the fee. The broker agreed to pay $55,800 as part of the settlement.Continue Reading New Year, Old Tradition: CPPA Focuses on Unregistered Data Brokers

The Ninth Circuit continued the pause on California’s SB 976 (Protecting Our Kids from Social Media Addiction Act) as of late January 2025. The law was signed by Governor Newsom in September 2024, and challenged by NetChoice shortly thereafter.Continue Reading California’s Kids’ Social Media Law Wrangling Continues, and Maryland Too!

In the fifth in our series of California developments, we turn to data broker obligations. There are two of note. First, the California privacy agency is moving forward Delete Act regulations it proposed earlier this year. (Its board voted to move regulations addressing data broker requirements to the Office of Administrative Law for review and approval last month.) Second, it announced an investigative sweep of compliance with the Act.Continue Reading California’s Privacy Regulator Had a Busy November, Data Broker Edition: What Does It Mean for Businesses?

In the fourth in our series of new CCPA regulations from California, we look at both cybersecurity audit obligations as well as the impact of the CCPA on the insurance industry.Continue Reading California’s Privacy Regulator Had a Busy November, Cybersecurity Audits and Insurance Edition: What Does It Mean for Businesses?

In the third in our series of new CCPA regulations from California, we look at obligations for conducting risk assessments under CCPA. CCPA had called on the California agency to promulgate rules to address such assessments, and when they would be needed.Continue Reading California’s Privacy Regulator Had a Busy November, Risk Assessment Edition: What Does It Mean for Businesses?

In the second in our series of new CCPA regulations from California, we look at proposed rules for use of automated decisionmaking technology. As a reminder, CCPA discusses these technologies in relation to profiling, namely “any form of automated processing of personal information” to analyze or predict people’s work performance, health, and personal preferences, among other things.Continue Reading California’s Privacy Regulator Had a Busy November, Automated Decisionmaking Edition: What Does It Mean for Businesses?

The California Privacy Protection Agency released proposed CCPA rules for a variety of topics in November, as well as announcing an investigative sweep for compliance with the Delete Act. Topics include the following, which we cover in this week’s California-focused blog posts:Continue Reading California’s Privacy Regulator Had a Busy November: What Does It Mean for Businesses?

The dust is beginning to settle from the raft of AI-related bills Governor Newsom signed last month in California. (See for example, our post about neural data.) Most of the provisions will not go into effect for another few months. Before they do, it is worth examining the impact they will have on companies’ privacy and data security practices. Most, as we outline below, may not change fundamental practice, but instead serve as a reminder to take into account privacy and data security considerations when assessing and implementing AI tools:Continue Reading The Privacy and Data Security Impact of California’s Recent AI Bills

California’s governor has signed an amendment to CCPA, the state’s well-known privacy law. While California was the first to pass a “comprehensive” privacy law, it is the second -with this new amendment- to include “neural data” to the definition of sensitive personal information. It follows Colorado, which added this information to its law earlier this year. Unlike Colorado, the modification will not go into effect until January 1, 2025. (Colorado’s amendment, on the other hand, became effective at the beginning of August.)Continue Reading California Joins Colorado in the Brain Wave Action