Keypoint: Section 500.17(b) of 23 NYCRR Part 500 (“Part 500”) requires all non-exempt Covered Entities regulated by the New York Department of Financial Services to submit their annual notices of compliance by April 15th.

Businesses that are subject to the NYDFS Cybersecurity Regulations have four weeks left to submit their annual notices of compliance or acknowledge their noncompliance. When the regulations were amended in 2023, several of the new requirements were phased in over two years. Businesses cannot simply re-use their notice from last year, without confirming that the new obligations were met and preparing for the requirements going into effect in 2025.  

In this short on-demand webinar, David Stauss provides an overview of the California Privacy Protection Agency’s first non-data broker enforcement action under the CCPA. The webinar provides an overview of the alleged violations, fine and remedial measures, and takeaways.

The webinar is available exclusively to Byte Back AI subscribers and to Husch privacy clients through

Keypoint: It was a busy week with the Kentucky legislature passing a bill to amend the state’s consumer data privacy law, bills crossing chambers in Vermont, Washington and Arkansas, and movement with bills in numerous other states.

Below is the tenth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: The California Privacy Protection Agency settled its first non-data broker enforcement action with a $632,500 fine and other remedial measures.

On March 12, 2025, the California Privacy Protection Agency (Agency) announced its first non-data broker enforcement action requiring a vehicle manufacturer to pay an administrative fine of $632,500 in connection with the Agency’s review of connected vehicle manufacturers and related technologies’ privacy practices. The manufacturer also agreed to implement certain remedial actions.

In the below post, we provide an overview of the alleged violations and the penalties.

Keypoint: In this post: (1) How a privacy policy can defeat a plaintiff’s “delayed discovery” argument; (2) Two CA state courts reject plaintiffs’ allegations concerning personal jurisdiction; (3) Three courts dismiss PR/TT claims due to lack of harm; (4) Two courts diverge on certifying VPPA classes; and (5) First MHMD case filed in Washington.

This is our twenty-first installment in our monthly data privacy litigation report. As we forecast last month, we are tweaking the format of these posts to hopefully provide readers with the most helpful information in the easiest to digest manner. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out!

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Last week, the Utah legislature passed two bills prior to closing while Georgia’s Senate passed a consumer data privacy bill and the Arizona House passed a social media bill.

Below is the ninth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: Last week, consumer data privacy amendment bills crossed chambers in Montana and Kentucky, a social media bill crossed chambers in Colorado, and there were movements with numerous other bills.

Below is the eighth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

image

Keypoint: New York has amended its data breach notification law twice in the last 60 days to (1) add a 30-day deadline for notifying affected residents, (2) clarify that covered financial entities must still notify the New York Department of Financial Services (NYDFS) in accordance with existing NYDFS cybersecurity regulations, and (3) expand the prior definition of “private information” to include medical and health insurance information.

In the last sixty days, the New York legislature twice amended its data breach notification law. In the below article, we discuss the amendments and takeaways for covered businesses.

Keypoint: Last week, the Virginia legislature passed a VCDPA amendment, kid’s privacy bills crossed chambers in South Carolina and Utah, and lawmakers continued to introduce new bills on various topics.

Below is the seventh weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: Virginia becomes the second legislature – after Colorado – to pass an algorithmic discrimination bill – although the bill still needs to get through the state’s Republican governor to become law.

On February 20, Virginia’s Democrat-controlled legislature passed the Virginia High-Risk Artificial Intelligence Developer and Deployer Act (HB 2094). The bill next