With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first- and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.

In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.

Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.

Litigation targeting website tracking technologies—such as cookies, pixels, session replay, and analytics tools—remains a major risk for businesses in 2025 and beyond. Courts continue to shape the boundaries of liability, consent, and compliance, with California and federal courts issuing several pivotal decisions this year. The legal landscape is evolving, with new theories, defenses, and legislative proposals emerging.

In this post: (1) Courts find cookie banners and sign-in banners place users on notice of privacy policy; (2) but policy must explicitly notify users of practice to establish consent; (3) Courts disagree whether disclosure of Facebook ID violates VPPA; (4) Courts dismiss wiretapping claims after finding messages not received while “in transit”; (5) Defendants forced to litigate in Plaintiffs’ chosen forum as three courts deny motions to transfer venue.

Key point: Two state legislative efforts advanced this week. The Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and California enacted the nation’s second substantive state law regulating AI.

Four federal courts issued decisions in August involving claims that healthcare companies violated the Electronic Communications Privacy Act (ECPA) by deploying tracking technologies—such as the Meta Pixel and Google Analytics—on their websites.[1] The decisions highlight an emerging split on what it takes to invoke the ECPA’s “crime-tort exception,” and provide important guidance for healthcare organizations operating online.