Keypoint: In this post: (1) Standing may depend on how specific plaintiffs’ complaint is; (2) the 2nd Circuit adopts the 3rd and 9th Circuit’s narrower interpretation of PII under the VPPA; (3) Promises in privacy policies not to share user data can defeat consent defenses; (4) class action waivers in privacy agreements may face enforceability challenges in California; (5) courts closely scrutinize technical specifics in claims involving PHI.

This is our twenty-fourth installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Finally, for an overview of current U.S. data privacy litigation trends and issues, click here.

Keypoint: Last week, the Vermont Governor signed the Vermont Age-Appropriate Design Code Act into law.

Below is the twenty third weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Table of Contents

  1. What’s New
  2. AI Bills
  3. Bill Tracker Chart

1.

Keypoint: Last week, the Connecticut legislature passed an amendment to the state’s consumer data privacy law and bills advanced in Oregon, California, Texas, Nevada, Louisiana, and New York.

Below is the twenty second weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject

Keypoint: Last week, governors in Colorado, Oregon, Nebraska, and Texas signed bills into law while bills advanced in Maine, Oregon, Vermont, and Texas.

Below is the twenty first weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Table of Contents

Keypoint: Last week, Oregon and New Jersey advanced bills to amend their state’s consumer data privacy laws, California committees advanced several bills, Nebraska enacted a social media law, and Texas advanced several social media bills.

Below is the twentieth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents

Keypoint: Last week, Oregon’s legislature passed a bill to amend the state’s consumer data privacy law, the Connecticut Senate passed two bills, and there were developments with bills in New Jersey, Nebraska, Texas, Massachusetts, and Louisiana.

Below is the nineteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the

Keypoint: Last week, the Colorado legislature passed an amendment to the state’s data privacy law, the Texas legislature passed a bill regulating app stores, and there were developments with bills in Connecticut, Maine, New York and South Carolina.

Below is the eighteenth weekly update on the status of proposed state privacy legislation in 2025. As

Keypoint: In this post: (1) The Ninth Circuit holds essentially any website can be sued in California; (2) two courts limit pen registry claims; (3) courts split on whether privacy policies establish consent for wiretapping claims; (4) Arizona court rejects “spy pixel” theory; and (5) courts continue to expand what is “content” for wiretapping claims.

This is our twenty-third installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you would like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn. Finally, for an overview of current U.S. data privacy litigation trends and issues, see Part 2 here.

KeypointIn its second non-data broker enforcement action for violations of the CCPA, the California Privacy Protection Agency entered into a stipulated final order with a retailer for a $345,178 administrative fine and other remedial measures.

On May 6, 2025, the California Privacy Protection Agency (Agency) announced its second non-data broker enforcement action, requiring a national retailer to pay a $345,178 administrative fine and implement certain remedial actions for violations of the California Consumer Privacy Act (CCPA). The Agency’s enforcement action comes just two months after its first enforcement action in which it required a vehicle manufacturer to pay a $632,500 administrative fine and implement remedial actions. It also follows remarks from the Agency’s Deputy Director of Enforcement, Michael Macko, at last month’s IAPP Global Privacy Summit indicating that the Agency is enforcing CCPA violations across a wide range of industries.

In the below post, we provide an overview of the violations and penalties.