California Privacy

Subscribe to California Privacy via RSS

A recent settlement with an education service provider and three states – California, Connecticut, and New York – serves as a reminder to deactivate the credentials of departed employees. The case arose following a data breach suffered by Illuminate Education, which provides assessment software to K-12 school systems. As part of its services, the company stores sensitive details like students’ special education and accommodation needs.Continue Reading The Ghost of Employees Past: The Data Breach Risks from User-Credential Management

The Southern District of California recently reminded companies that it has concerns about steps to take to make online terms binding. The case arose from a putative class action over alleged false pricing practices brought against Maggy London International Ltd. an online clothing retailer.Continue Reading Are Your Online Terms Enforceable?: Lessons from California

The Consortium of Privacy Regulators is growing. Meanwhile, CalPrivacy has announced a new program, a data broker “strike force.”Continue Reading State Privacy Action Grows: Consortium Expands, California Launches Data Broker Strike Force

California has set what may be an emerging trend with AB 45, restricting collection and use of personal information collected near family planning facilities. The law was signed recently by h Governor Newsom and is set to go into effect January 1, 2027. It provides for penalties of $25,000 fine per violation.Continue Reading Keep Out! California Draws the Privacy Fence Around Health Data

If you thought social media needed a warning label, many state regulators agree. California recently passed a new warning label law, which will take effect on January 1, 2027. That is, unless it is challenged. Meanwhile, Colorado is fighting to keep alive a similar law following a NetChoice challenge. Other states (like Arkansas, California, Florida, Utah, Maryland, Mississippi, Ohio, and Texas) have not been successful, seeing similar laws stopped on First Amendment grounds.Continue Reading Warning! States Continue to Worry About Social Media and Teens

California is getting serious about age checks online, and businesses should pay attention. Thanks to the passage of AB 1043, starting January 1, 2027, software makers and app stores will need to know the user’s age (or at least their age bracket) and signal it to apps every time a download or launch happens. For businesses that may be unclear whether COPPA or CCPA’s provisions for teenagers apply to their app, this law is aimed at clarifying that ambiguity.Continue Reading “How Old Are You, Anyway?” California’s New Law Makes Apps Ask… And Remember!

California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting this earlier this year). While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.Continue Reading 2026 Data Breach Law Updates – California and Oklahoma

Companies are become increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.Continue Reading California Continues to Expand Data Broker Requirements

California appears to be changing its approach to how it regulates artificial intelligence, likely reflecting its reaction to challenges seen recently in other states. Namely, the California Privacy Protection Agency recently released an update to its draft regulations which change how the Agency plans to regulate Automated Decisionmaking Technology, or ADMT. This comes after the Agency’s original proposal faced intense opposition from industry groups, state lawmakers and Governor Newsom.Continue Reading California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules

In a landmark ruling, the Ninth Circuit expanded the application of specific personal jurisdiction principles to the realm of nationwide e-commerce. On April 21, 2025, an en banc panel issued a 10–1 decision ruling that allegations that Shopify embedded cookies that tracked a California consumer’s location data were sufficient to establish specific personal jurisdiction over Shopify in California (reversing the Court’s prior opinion on this exact issue). In the wake of this decision, businesses may face increased legal challenges in various states. To protect against far-flung lawsuits in unwanted jurisdictions, e-commerce businesses should, if practicable, refrain from collecting location data and engaging in other online activities that may be seen as targeting consumers of a particular state.Continue Reading Ninth Circuit Upends Internet Personal Jurisdiction Law–Briskin v. Shopify