Global privacy & cybersecurity law center

Featured

Explore our additional insights for practical guidance on the latest developments shaping data privacy and cybersecurity around the world.

All insights
All events

FTC finalizes amendments to Children’s Online Privacy Protection Rule

Insight

Privacy Framework 1.1 gets a tune-up in NIST’s latest draft update

Insight

Navigating the DOJ’s Final Rule on preventing access to bulk US sensitive data by countries of concern

Insight

Preparing for CIRCIA’s reporting requirements and avoiding its harsh penalties

Special Report

Creating a cyber volunteer force: Strategy and options

Insight

Get in touch

Michael G. Morgan

Partner | Los Angeles, Silicon Valley

Email / +1 310 551 9366 / +1 650 815 7529
View Profile >

California

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

California Consumer Privacy Act of 2018 as amended by California Privacy Rights Act of 2020 (CCPA As Amended)

Statute Cite

CAL. CIV. CODE §§ 1798.100-1798.199.100 (West 2023)

Regulation Cite

Cal. Code Regs. tit. 11, §§ 7000-7304 (2023)

Effective Date

01/01/2020

Applicability Thresholds

For-profit entity that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that:

(1) As of January 1 of the calendar year, had annual gross revenues in excess of $26,625,000 in the preceding calendar year;

(2) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or

(3) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

Applicable to Employees and Business Contacts?

Yes

Statutory Penalties

Up to $7,500 for each intentional violation and each violation involving the personal information of minor consumers

Private Right of Action

Yes (limited to data breach claims)

McDermott Resources

State regulators step up enforcement of new privacy laws, August 8, 2023

Ruling delays enforcement of latest CCPA regulations, July 5, 2023

California Privacy Protection Agency approves CCPA regulations, February 10, 2023

California Privacy Rights Act takes effect…sort of, January 4, 2023

California voters approve the California Privacy Rights Act, November 4, 2020

Colorado

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Colorado Privacy Act of 2021 (CPA)

Statute Cite

COLO. REV. STAT. § 6-1-1301 to -1313 (2022)

Regulation Cite

Colo. Code Regs. Tit. 4, § 904-3 (2023)

Effective Date

07/01/2023

Applicability Thresholds

A business that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, and satisfies one or both of the following thresholds:

(1) Controls or processes the personal data of 100,000 consumers or more during a calendar year;

(2) Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more; or

(3) Controls or processes any amount of biometric identifiers or biometric data regardless of the amount of biometric identifiers or biometric data controlled or processed annually (effective July 1, 2025).

Applicable to Employees and Business Contacts?

Statutory Penalties

Not more than $20,000 per violation

Private Right of Action

McDermott Resources

State regulators step up enforcement of new privacy laws, August 8, 2023

Colorado finalizes sweeping new privacy rules; Iowa joins the fray, March 21, 2023

Preparing for new consumer privacy laws in Colorado, Connecticut, and Utah, February 3, 2023

‘Tis the season: Colorado attorney general releases new draft CPA regulations, December 22, 2022

Colorado attorney general’s office issues draft Colorado Privacy Act regulations, October 3, 2022

State privacy patchwork spreads with signing of Colorado Privacy Act, July 9, 2021

Connecticut

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Connecticut Data Privacy Act of 2022 (CTDPA)

Statute Cite

CONN. GEN. STAT. §§ 42-515 to -525 (2022)

Regulation Cite

N/A

Effective Date

07/01/2023

Items marked with “*” are effective 07/01/2026

Applicability Thresholds

Companies that conduct business in Connecticut or companies that produce products or services that are targeted to residents of this state and that during the preceding calendar year:

(1) Controlled or processed the personal data of not less than 100,000 (35,000*) consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. (Provision deleted and replaced by “control or process consumers’ sensitive data, excluding personal data controlled solely for payment transactions and (3) Offer consumers’ personal data for sale.”*)

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $5,000 per violation

Private Right of Action

McDermott Resources

Connecticut can’t help itself, amends consumer privacy law again, June 13, 2025

Nevada and Connecticut pass consumer health data laws, June 28, 2023

Connecticut steps up to the consumer privacy law plate, May 2, 2022

Delaware

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Delaware Personal Data Privacy Act (DPDPA)

Statute Cite

DEL. CODE ANN. tit. 6, §§ 12D-101 to -111 (2023)

Regulation Cite

N/A

Effective Date

01/01/2025

Applicability Thresholds

Any person that conducts business in Delaware or provides products or services to Delaware residents and:

(1) Controls or processes personal data of 35,000 or more Delaware consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Controls or processes personal data of 10,000 or more Delaware consumers and derives over 20% of gross revenue from the sale of that data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $10,000 per violation

Private Right of Action

McDermott Resources

Baker’s dozen: Delaware becomes 13th state to enact state consumer privacy law, September 13, 2023

Florida

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Florida Digital Bill of Rights (FDBR)

Statute Cite

FLA. STAT. §§ 501.702–72 (2023)

Regulation Cite

N/A

Effective Date

07/01/2024

Applicability Thresholds

Most of the FDBR applies to for-profit entities that conduct business in Florida and collect personal data about Florida consumers (or are the entity on behalf of which such information is collected) that meet the following requirements:

(1) Make in excess of $1 billion in global gross annual revenues; and

(2) Satisfy at least one of the following:

(a) Derive 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;

(b) Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or

(c) Operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

However, under § 501.715(1), even companies that do not meet the requirements of (1) and (2) are required to obtain consent before selling sensitive data if they are a for-profit entity conducting business in Florida and collecting personal data from Florida residents.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $15,000 per violation, with the possibility of treble damages for any of the following violations:

A violation involving a known child
Failure to delete or correct personal data after receiving an authenticated consumer request, unless an exception applies to the request
Continuing to sell personal data after a consumer opts-out

Private Right of Action

McDermott Resources

Florida adds a new twist to consumer privacy patchwork, May 10, 2023

Indiana

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Indiana Consumer Data Protection Act of 2023 (Indiana CDPA)

Statute Cite

IND. CODE § 24-15 (2023)

Regulation Cite

N/A

Effective Date

01/01/2026

Applicability Thresholds

A company that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:

(1) Controls or processes personal data of at least 100,000 consumers who are Indiana residents; or

(2) Controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

McDermott Resources

And then there were seven: Indiana passes consumer privacy bill, April 14, 2023

Iowa

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Iowa Consumer Data Protection Act of 2023 (Iowa CDPA)

Statute Cite

IOWA CODE § 715D.1–9 (2023)

Regulation Cite

N/A

Effective Date

01/01/2025

Applicability Thresholds

A company conducting business in Iowa or producing products or services that are targeted to consumers who are residents of Iowa and that during a calendar year does either of the following:

(1) Controls or processes personal data of at least 100,000 consumers; or

(2) Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

McDermott Resources

Iowa’s new privacy law: The basics, April 10, 2023

Kentucky

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Kentucky act relating to consumer data privacy

Statute Cite

KY. REV. STAT. ANN. § 367.3611–29 (2024)

Regulation Cite

N/A

Effective Date

01/01/2026

Applicability Thresholds

Persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that, during a calendar year:

(1) Control or process the personal data of at least 100,000 consumers; or

(2) Control or process the personal data of at least 25,000 consumers and derived over 50% of their gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

McDermott Resources

The list grows: Kentucky lawmakers close in on comprehensive privacy law, March 20, 2024

Maryland

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Maryland Online Data Privacy Act of 2024

Statute Cite

MD. CODE ANN., COM. LAW § 14-4701 (2024)

Regulation Cite

N/A

Effective Date

10/01/2025; applies to processing activities on or after 04/01/2026

Applicability Thresholds

Persons that conduct business in Maryland or provide services or products that are targeted to residents of Maryland and that, during the immediately preceding calendar year, did either of the following:

(1) Controlled or processed the personal data of at least 35,000 consumers, excluding the personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $10,000 per violation and up to $25,000 per repeat violation

Private Right of Action

McDermott Resources

Maryland joins growing ranks and passes its own consumer data privacy law, April 10, 2024

Minnesota

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Minnesota Consumer Data Privacy Act (MCDPA)

Statute Cite

MINN. STAT. §§ 325M.10-21 (2024)

Regulation Cite

N/A

Effective Date

07/31/2025; applies to postsecondary institutions on or after 07/31/2029

Applicability Thresholds

Any person that conducts business in Minnesota or provides products or services that are targeted to Minnesota residents and, during the immediately preceding calendar year, either:

(1) Controlled or processed the personal data of at least 100,000 Minnesota consumers (excluding that personal data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Controlled or processed the personal data of at least 25,000 Minnesota consumers and derives more than 25% of their gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

McDermott Resources

The Gopher State goes for it: Minnesota passes consumer data privacy law, May 22, 2024

Montana

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Montana Consumer Data Privacy Act of 2023 (MCDPA)

Statute Cite

MONT. CODE ANN. §§ 30-14-2801–17 (2023)

Regulation Cite

N/A

Effective Date

10/01/2024

Applicability Thresholds

Companies that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and:

(1) Control or process the personal data of not less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Control or process the personal data of not less than 15,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $10,000 per willful violation per Mont. Code Ann. § 30-14-142, Unfair Trade Practices

Private Right of Action

McDermott Resources

Consumer privacy law comes to Big Sky Country as Montana passes new law, April 25, 2023

Nebraska

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Nebraska Data Privacy Act (NEDPA)

Statute Cite

NEB. REV. STAT. §§ 87-1101–30 (2024)

Regulation Cite

N/A

Effective Date

01/01/2025

Applicability Thresholds

Companies that:

(1) Conduct business in Nebraska or produces a product or service consumed by Nebraska residents;

(2) Process or engage in the sale of personal data; and

(3) Are not a small business as determined under the federal Small Business Act.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

McDermott Resources

Go Big Red! Nebraska passes consumer data privacy law, April 18, 2024

Nevada

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Nevada’s Consumer Health Data Privacy Law

Statute Cite

S.B. 370, 2023 Leg., 82nd Sess. (Nev. 2023)

Regulation Cite

N/A

Effective Date

03/31/2024

Applicability Thresholds

Any legal entity that:

(1) Conducts business in Nevada, or produces or provides products or services that are target to consumers in Nevada; and

(2) Alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Via the Nevada Deceptive Trade Practices Act which can impose, among other things, a civil penalty of up to $12,500 per violation.

Private Right of Action

McDermott Resources

Nevada and Connecticut pass consumer health data laws, June 28, 2023

New Hampshire

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

New Hampshire Data Privacy Act (NHDPA)

Statute Cite

N.H. REV. STAT. ANN. §§ 507-H:1 to H:12 (2023)

Regulation Cite

N/A

Effective Date

01/01/2025

Applicability Thresholds

Businesses or persons that produce products or services that are targeted to residents of New Hampshire that, during a one-year period:

(1) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $10,000 per violation

Private Right of Action

McDermott Resources

And another: New Hampshire passes new consumer privacy law, January 24, 2024

New Jersey

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

New Jersey Data Privacy Act (NJDPA)

Statute Cite

N.J. STAT ANN. §§ 56:8-166.4 to -166.19 (2023)

Regulation Cite

N/A

Effective Date

01/15/2025

Applicability Thresholds

Any person that conducts business in New Jersey or provides products or services to New Jersey residents and:

(1) Controls or processes personal data of 100,000 or more New Jersey consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Controls or processes personal data of 25,000 or more New Jersey consumers and derives revenue or receives a discount on the price of any good or services from the sale of data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $10,000 per violation

Private Right of Action

McDermott Resources

And we’re back: New Jersey kicks off 2024 with new consumer privacy law, January 10, 2024

New York

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

New York Health Information Privacy Act (NYHIPA)

Statute Cite

S.B. S929

Regulation Cite

N/A

Effective Date

To be determined (awaiting signature by the governor)

Applicability Thresholds

Any legal entity that:

(1) Controls the processing of regulated health information of an individual who is a New York resident;

(2) Controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York; or

(3) Is located in New York and controls the processing of regulated health information.

Applicable to Employees and Business Contacts?

Yes

Statutory Penalties

Up to $15,000 per violation, or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as other forms of relief.

Private Right of Action

Yes

McDermott Resources

New York Assembly passes restrictive Health Information Privacy Act, January 24, 2025

Oregon

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Oregon Consumer Privacy Act (OCPA)

Statute Cite

OR. REV. STAT. §§ 646A.570–589 (2023)

Regulation Cite

N/A

Effective Date

07/01/2024 (HB 2008 effective 01/01/2026)

Applicability Thresholds

Any person that conducts business in Oregon or provides products/services to Oregon residents and:

(1) Controls or processes personal data of 100,000 or more Oregon consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Controls or processes personal data of 25,000 or more Oregon consumers and derives over 25% of gross revenue from the sale of that data.

Applicable to Employees and Business Contacts?

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

McDermott Resources

Oregon joins the consumer privacy trend, June 26, 2023

Rhode Island

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

Statute Cite

R.I. G.L. 6-48.1-1 et. seq

Regulation Cite

N/A

Effective Date

01/01/2026

Applicability Thresholds

Website privacy policy requirements:

Any operator of a commercial website or internet service provider conducting business in Rhode Island or with Rhode Island consumers or otherwise subject to Rhode Island jurisdiction.

All other requirements:

Any for-profit entities that conducts business in Rhode Island or provides products or services that are targeted to Rhode Island residents and, during the immediately preceding calendar year, either:

(1) Controlled or processed the personal data of at least 35,000 Rhode Island consumers (excluding that personal data controlled or processed solely for the purpose of completing a payment transaction); or

(2) Controlled or processed the personal data of at least 10,000 Rhode Island consumers and derives more than 20% of their gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $10,000 per violation

Private Right of Action

No

McDermott Resources

No longer adrift in the Ocean State: Rhode Island enacts consumer data privacy law, July 1, 2024

Tennessee

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Tennessee Information Protection Act of 2023 (TIPA)

Statute Cite

TENN. CODE ANN. §§ 47-18-3301 to -3315 (2023)

Regulation Cite

N/A

Effective Date

07/01/2025

Applicability Thresholds

Companies that conduct business in Tennessee or target products or services to residents of Tennessee and:

(1) Have more than $25,000,000 in “revenue;” and

(2) Control or process personal information of 175,000 or more Tennessee consumers; or

(3) Control or process personal information of 25,000 or more Tennessee consumers and derive over 50 percent of gross revenue from the sale of that data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $15,000 per violation

Private Right of Action

No

McDermott Resources

Tennessee joins the fray as legislature passes consumer privacy law, April 25, 2023

Texas

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Texas Data Privacy and Security Act (TDPSA)

Statute Cite

TEX. BUS. & COM. CODE ANN. §§ 541.001–205 (2023)

Regulation Cite

N/A

Effective Date

07/01/2024

Applicability Thresholds

A for-profit business or person that:

(1) Does business in Texas or produces a product or service consumed by a Texas resident;

(2) Processes or engages in the sale of personal data; and

(3) Is not considered a “small business” by the US Small Business Administration (except to the extent that the small business sells sensitive personal data).

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Texas consumer privacy law nears governor’s signature, May 31, 2023

Utah

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Utah Consumer Privacy Act of 2022 (UCPA)

Statute Cite

UTAH CODE ANN. §§ 13-61-101 to -404

Regulation Cite

N/A

Effective Date

12/31/2023

Applicability Thresholds

A company that conducts business in Utah or produces a product or service that is targeted to consumers in Utah, has annual revenue of $25,000,000 or more, and satisfies one or more of the following thresholds:

(1) During a calendar year, controls or processes personal data of 100,000 or more consumers; or

(2) Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Utah poised to enact consumer privacy law, March 4, 2022

Vermont

The governor vetoed the Vermont Data Privacy Act and the veto was sustained by the Vermont State Senate on June 17, 2024.

McDermott Resources

Mixing Things Up Like a Certain Ice Cream Maker: Vermont Passes Consumer Data Privacy Law, May 29, 2024

Virginia

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

Virginia Consumer Data Protection Act of 2021 (VCDPA)

Statute Cite

VA. CODE ANN. §§ 59.1-571 to -585 (West 2023)

Regulation Cite

N/A

Effective Date

01/01/2023

Applicability Thresholds

Companies that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

(1) During a calendar year, control or process personal data of at least 100,000 consumers; or

(2) Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Up to $7,500 per violation

Private Right of Action

No

McDermott Resources

Virginia Consumer Data Protection Act: A growing wave of comprehensive state privacy laws, February 23, 2021

Washington

Click below to download a full summary of the law.

Download now

At a glance:

Title of Law (and Acronym)

My Health My Data Act

Statute Cite

WASH. REV. CODE §§ 19.373.005–900 (2023)

Regulation Cite

N/A

Effective Date

07/23/2023 (but most provisions come online 03/31/2024)

Applicability Thresholds

Any legal entity that:

(1) Conducts business in Washington, or produces or provides products or services that are target to consumers in Washington; and

(2) Alone or jointly with others, determines the purpose and means of collecting, processing, sharing or selling of consumer health data.

Applicable to Employees and Business Contacts?

No

Statutory Penalties

Via the Washington Consumer Protection Act.
Civil penalties for unfair or deceptive trade acts and unfair competition under the CPA can rise to $7,500 per violation. Additionally, consumers bringing civil actions can recover actual damages, attorney’s fees and costs. The court can treble damages.

Private Right of Action

Yes

McDermott Resources

Washington legislature passes My Health My Data Act, April 13, 2023

California rulemaking activity

The CPPA released proposed updates to the CCPA regulations and draft updates to the Risk Assessment and Automated Decisionmaking Technology (ADMT) regulations. We are tracking the developments and impacts in the insights below.

Updating compliance programs to address the CPPA’s regulations on ADMT and risk assessments, September 17, 2025

CPPA moves closer to finalizing amended CCPA regulations, July 24, 2025

Unpacking the latest proposed CCPA regulations, May 13, 2025

CPPA releases updates to proposed CCPA regulations, March 28, 2025

CPPA opens public comment period for proposed CCPA regulations, November 26, 2024

California amends key CCPA definitions, October 2, 2024

Draft CCPA regulations stalled as agency struggles with applicability of ADMT rules, July 22, 2024

CPPA releases proposed updates to CCPA regulations and unveils new draft privacy assessment and ADM rules, March 1, 2024

New cybersecurity, privacy and automated decisionmaking rules coming soon to California, December 12, 2023

California reveals draft regulations requiring onerous cybersecurity audits and privacy risk assessments, September 1, 2023

Colorado rulemaking activity

The Colorado Attorney General’s Office published proposed draft amendments to the CPA rules. We are tracking the developments and impacts in the insights below.

CPA changes address consent for minors’ use of addictive features, October 14, 2025

Colorado remains active, proposes amendments to CPA rules, August 5, 2025

Colorado advances privacy act regulations, December 10, 2024

Trick or treat: Colorado AG announces public hearing on proposed CPA regulations, October 31, 2024

Colorado AG proposes draft amendments to the Colorado Privacy Act rules, September 17, 2024

New Jersey rulemaking activity

New Jersey’s Office of Consumer Protection prepared proposed rules for the NJDPA. Check out our insights into the proposed rules below.

New Jersey proposes rules for the New Jersey Data Privacy Act, June 3, 2025

Global Privacy & Cybersecurity Law

Resource Center

Mapping consumer privacy

How to prepare for new privacy legislation

Privacy Legislation in 2025: What’s New and What’s Next

Privacy Legislation: What to Know from 2024 and Predictions for 2025

Let’s Look at the Progress: 2023 State Privacy Laws Recap

Practical Tips for Employers Navigating State Privacy Law Compliance

Navigating State Privacy Law Applicability for Healthcare and Financial Services Organizations

Coming Soon to a State Near You: New Privacy Laws and Evolving Best Practices

Cookies and online tracking technologies

California continues privacy enforcement streak with order against Tractor Supply Company

California attorney general’s $1.55 million Healthline CCPA settlement continues cookie focus and signals increasing enforcement

Navigating Cookie Compliance in 2025: Insights and Strategies

FTC finalizes amendments to the Children’s Online Privacy Protection Rule

CPPA puts the brakes on Honda’s data privacy practices

Data privacy and cybersecurity in 2025: Website tracking

Cookie Deep Dive: Maximizing Value While Minimizing Risk

OCR withdraws appeal in AHA v. Becerra

OCR files Notice of Appeal in online tracking technologies case

New York attorney general issues cookie guidance and enforcement warnings

Federal court invalidates key part of HHS OCR Bulletin regarding application of HIPAA to online tracking technologies

OCR update on tracking technologies provides little relief for HIPAA-regulated entities

3 questions healthcare provider organizations need to consider when implementing pixel tracking technologies

For the General Counsel’s desk: Managing enforcement risks involving cookies, pixels, and other tracking technologies

FTC and HHS-OCR spotlight use of tracking tech by healthcare providers

European Digital Package

Europe’s cybersecurity puzzle: NIS2 progress in 30 pieces

Unpacking the European Digital Package webinar series

How the EU Digital Strategy is Relevant to You

EU Digital Strategy | E-commerce, Internet of Things, and Platforms

EU Digital Strategy | Cybersecurity

Final CMMC Rule

CMMC from the bottom up: A detailed review of Level 1

CMMC Level 2: The good, the bad, and the ugly

CMMC Level 3: Strict scoping and expansive requirements

CMMC: Final DFARS rule kicks off phased implementation

Navigating the final CMMC rule

Are we there yet? DoD issues final rule establishing CMMC program

DoD issues proposed DFARS Rule to implement CMMC 2.0

DoD rings in 2024 with proposed Cybersecurity Maturity Model Certification Rule

PCI DSS 4.0

Steer clear of fines: Check your PCI DSS 4.0 compliance

New PCI DSS 4.0 credit card compliance requirements effective April 1, 2025

Data privacy and cybersecurity in 2025: PCI DSS 4.0

New PCI DSS 4.0 will impact the digital health and healthcare industries

How the new PCI DSS 4.0 will impact the automotive industry

PCI DSS 4.0 introduces transformational change: New risk analysis, governance requirements, and alternative customized approach

Featured

FTC finalizes amendments to Children’s Online Privacy Protection Rule

Privacy Framework 1.1 gets a tune-up in NIST’s latest draft update

Navigating the DOJ’s Final Rule on preventing access to bulk US sensitive data by countries of concern

Preparing for CIRCIA’s reporting requirements and avoiding its harsh penalties

Creating a cyber volunteer force: Strategy and options

Get in touch

Michael G. Morgan

California rulemaking activity

Colorado rulemaking activity

New Jersey rulemaking activity