Virginia amended its Telephone Privacy Protection Act, effective at the start of January. Among other changes, the law removes the word “call” in many places that impose requirements on telephone solicitations. As a reminder, the definition of telephone solicitation already included texts, under an amendment from 2020.Continue Reading Virginia Legislature Emphasizes Its “Little” TCPA Applies to Texts
How and when to get consent for cross-device tracking has been a worry for many companies subject to GDPR and similar regimes. The French data protection authority, CNIL, adopted recommendations about this practice in 2020, and has just updated those recommendations to provide greater detail and more examples and use cases for multi-device consent.Continue Reading French CNIL Provides Guidance on Cross-Device Cookie Consent
New changes are on the horizon for GDPR enforcement across the European Union. At the very end of 2025, the EU adopted a regulation intended to address procedures around GDPR enforcement (Regulation (EU) 2025/2518). The regulation sets out timelines for how data protection authorities (DPAs) handle complaints. It went into force this month, but will apply to GDPR enforcement actions opened after April 2, 2027.Continue Reading Looking Forward to GDPR Enforcement
For those operating in the European Union, the list of digital technology laws is becoming daunting. Compliance with GDPR to the AI Act — with stops along the way for the ePrivacy Directive and many more – is a significant undertaking. To simplify this confusion, the European Commission is proposing modifications to many of its data laws. It released the first attempt of these changes in the Digital Omnibus Regulation Proposal. Continue Reading Might We See a Streamlining of EU Digital Compliance?
The Consortium of Privacy Regulators is growing. Meanwhile, CalPrivacy has announced a new program, a data broker “strike force.”Continue Reading State Privacy Action Grows: Consortium Expands, California Launches Data Broker Strike Force
Companies are become increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.Continue Reading California Continues to Expand Data Broker Requirements
Many courts have held that that information gathered by video-related pixels are not “personal” for purposes of the Video Privacy Protection Act. Nevertheless, plaintiff class action attorneys continue to file these VPPA actions in federal court.Continue Reading Behind the Pixel: Not Always Personal Information Under VPPA
Now is the time that many are putting together their 2026 budgets and considering how much to allocate next year to address the constantly evolving privacy and data security landscape. In the last article in this series we looked at three change management tools that can help effectuate privacy compliance. Here are three more, and things to consider -and potentially budget for- in the new year.Continue Reading More Privacy Compliance Considerations for the 2026 Budget Process
Today’s compliance landscape is more crowded—and more complex—than ever. As the pace of regulatory change accelerates, companies need to find effective paths forward. As I detailed in a Law360 article from earlier this year, change management tools can help. Here are three areas to consider as you begin to think about your compliance plans (and budget) for 2026.Continue Reading Setting Your Privacy Compliance Strategy in Advance of the 2026 Budget Process
Can we take any insights from Connecticut’s first settlement under the state’s Data Privacy Act, reached with TicketNetwork, an online ticket marketplace? The AG concerns mirrored priorities outlined in Connecticut’s 2025 CTDPA Enforcement Report. This suggests that future cases may also draw from that report.Continue Reading Privacy Compliance Insights from Connecticut’s First Privacy Law Settlement
Minnesota has a new law that, beginning a year from now, will require that social media companies warn users of the potential negative mental health effects of social media use each time a user accesses a social media platform. The warning label will need to include specific content, including information about mental health resources (like the national suicide prevention and mental health crisis hotline). The law also specifically prohibits including “extraneous information” in the warning label. It must be on-screen (not in a company’s website terms) and remain on screen until the user either acknowledges and agrees to it, or leaves the site.Continue Reading Minnesota May Be First to Require Social Media Warning Label