California continues to set the pace for digital privacy reform, enacting three groundbreaking laws that will reshape how personal information is handled across the state. On October 8, 2025, Governor Newsom signed three new privacy bills, which will allow California consumers to gain greater control over their personal information, while businesses, data brokers, and social media platforms will face new transparency and compliance obligations.
Key point: Recent legislative efforts in Massachusetts, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and in California enacting a law to regulate AI development, occurred this week when the Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, and California enacted the nation’s second substantive state law regulating AI.
Four federal courts issued decisions in August involving claims that healthcare companies violated the Electronic Communications Privacy Act (ECPA) by deploying tracking technologies—such as the Meta Pixel and Google Analytics—on their websites.[1] The decisions highlight an emerging split on what it takes to invoke the ECPA’s “crime-tort exception,” and provide important guidance for healthcare organizations operating online.
Key point: The California Legislature is considering a bill that would impose comprehensive requirements on the development, deployment, and use of artificial intelligence (AI) systems, with a focus on transparency, accountability, and risk mitigation.
In this post: (1) The 9th Circuit tightens what “harm” a plaintiff must suffer to have standing; (2) the D.C. Circuit adds to growing circuit split on defining “consumers”; (3) Three courts find plaintiffs consented via website terms; (4) Courts split on whether software that captures content and address information qualifies as “pen register”; and (5) Daniel’s Law receives first decision narrowing statute.
Key point: Beginning November 10, 2025, DoD contracting officers will begin adding Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”
Key point: The European General Court has upheld the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework, confirming that the United States ensures an adequate level of protection for personal data transfers.
Key point: CMMC took another step towards reality, with OIRA clearing for publication the DFARS proposed rule that will add CMMC requirements as a condition of award for new contracts.
Key point: During Colorado’s legislative special session, which aimed to address budgetary shortfalls resulting from this year’s federal appropriations act, lawmakers approved a delay in the Colorado AI Act’s effective dates.
Key point: With the Cybersecurity Information Sharing Act of 2015 (CISA 2015) scheduled to sunset on September 30, 2025, Congress will need to act quickly to renew the law and maintain, if not improve, the liability protections for industry when sharing cyber threat indicators and defensive measures.