Litigation targeting website tracking technologies—such as cookies, pixels, session replay, and analytics tools—remains a major risk for businesses in 2025 and beyond. Courts continue to shape the boundaries of liability, consent, and compliance, with California and federal courts issuing several pivotal decisions this year. The legal landscape is evolving, with new theories, defenses, and legislative proposals emerging.
California continues to set the pace for digital privacy reform, enacting three groundbreaking laws that will reshape how personal information is handled across the state. On October 8, 2025, Governor Newsom signed three new privacy bills, which will allow California consumers to gain greater control over their personal information, while businesses, data brokers, and social media platforms will face new transparency and compliance obligations.
Key point: Recent legislative efforts in Massachusetts, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and in California enacting a law to regulate AI development, occurred this week when the Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, and California enacted the nation’s second substantive state law regulating AI.
Key point: The California Legislature is considering a bill that would impose comprehensive requirements on the development, deployment, and use of artificial intelligence (AI) systems, with a focus on transparency, accountability, and risk mitigation.
Key point: The European General Court has upheld the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework, confirming that the United States ensures an adequate level of protection for personal data transfers.
Key point: CMMC took another step towards reality, with OIRA clearing for publication the DFARS proposed rule that will add CMMC requirements as a condition of award for new contracts.