KeypointIn its second non-data broker enforcement action for violations of the CCPA, the California Privacy Protection Agency entered into a stipulated final order with a retailer for a $345,178 administrative fine and other remedial measures.

On May 6, 2025, the California Privacy Protection Agency (Agency) announced its second non-data broker enforcement action, requiring a national retailer to pay a $345,178 administrative fine and implement certain remedial actions for violations of the California Consumer Privacy Act (CCPA). The Agency’s enforcement action comes just two months after its first enforcement action in which it required a vehicle manufacturer to pay a $632,500 administrative fine and implement remedial actions. It also follows remarks from the Agency’s Deputy Director of Enforcement, Michael Macko, at last month’s IAPP Global Privacy Summit indicating that the Agency is enforcing CCPA violations across a wide range of industries.

In the below post, we provide an overview of the violations and penalties.

Keypoint: The Colorado legislature is considering significant amendments to the nation’s first algorithmic discrimination law.

On April 28, 2025, Colorado Senator Robert Rodriguez and Representative Brianna Titone introduced SB 318, which makes significant amendments to the Colorado AI Act (SB 205). The bill is currently pending in the Senate. The Colorado legislature closes Wednesday, May 7. In the below article, we provide an overview of the more significant proposed amendments.

In addition, because SB 318 is only a redline of the sections of the Colorado AI Act for which amendments were proposed, it does not show the changes in the full context of the existing law. We prepared a complete redline of the law, which is available to Byte Back AI subscribers here.

Keypoint: Last week, Alabama’s House passed a consumer data privacy bill, the Colorado Senate passed a bill to amend the Colorado Privacy Act, Oklahoma’s consumer data privacy bill advanced in the House, several bills advanced out of California committees, and the Texas and California Senates passed bills to amend their state’s data broker laws.

Below is the sixteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: A new Virginia law prohibits the collection, use, or sharing of reproductive or sexual health information without consent and provides Virginians with a private right of action for at least $500 per violation.

As we previously reported, on March 24, 2025, Virginia Governor Glenn Youngkin signed SB 754 into law, adding Virginia to the list of states that restrict the use or disclosure of certain health information. Importantly, this is not an amendment to Virginia’s well-known Consumer Data Protection Act (“VCDPA”). Rather, SB 754 amends Sections 59.1-198 and 59.1-200 of the Virginia Consumer Protection Act (“VCPA”), Virginia’s general consumer protection law.

In the article below, we provide an overview of the new law and identify some of its potential implications, including the law’s creation of a private right of action that includes statutory damages.

Keypoint: Last week, bills passed the Montana and Arkansas legislatures while bills advanced in Alabama, Florida, Oregon, and Texas.

Below is the fifteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Keypoint: If signed by the governor, the Arkansas bill will create new obligations for the collection and processing of personal information for Arkansas children and teens under 16 years of age, however, compliance may prove difficult given ambiguity in the bill’s provisions.

On April 15, 2025, the Arkansas legislature passed HB 1717 – the Arkansas Children and Teens’ Online Privacy Protection Act. If signed by the governor, Arkansas will be the latest state to legislate in the teens’ privacy space but with a bill unlike any other passed to date.

In the below article, we provide a summary of the bill and its requirements.

Keypoint: In this post: (1) California considers a “commercial exception” to wiretapping and pen registry laws; (2) a rise in federal wiretapping claims against websites; (3) more courts impose “knowledge or intent” requirement for Section 631(a); and (4) the Ninth and Seventh Circuits limit and expand the VPPA’s application.

This is our twenty-second installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

Will you be at the IAPP Global Privacy Summit 2025 in Washington DC on April 23-24? If so reach out!

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Last week, Montana’s legislature inched closer to significantly revising its consumer data privacy law, Oregon’s consumer data privacy amendment bills advanced, and there were numerous developments with Arkansas’ bills in advance of its upcoming adjournment.

Below is the fourteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.