In this post: (1) California courts split on personal jurisdiction post-Briskin; (2) District courts dismiss VPPA claims against movie theaters & online platforms; (3) ND Cal courts find “crime-tort” exception met in non-healthcare cases; (4) Jury returns verdict against Flo Health in privacy case; and (5) Privacy Plaintiffs find new theory in Colorado law.

Key point: Colorado’s Department of Law is soliciting public comments through September 5, 2025, on revised privacy rules to protect minors’ personal data and online privacy.

On July 29, the Colorado Department of Law issued a notice of proposed rulemaking to revise the state’s privacy rules following the legislature’s 2024 amendments to the Colorado Privacy Act (“CPA”). The revised rules include new protections for the personal data of minors and are currently open to public comment. Written comments should be submitted via the CPA rulemaking comment portal by September 5, 2025. Additional comments may be submitted at a public hearing scheduled for September 10, 2025.

Forward part of cargo ship.

Key point: The US Coast Guard’s new cybersecurity rule will transform the security standards and reporting requirements for vessels and marine facilities nationwide over the next three years.

On July 16, 2025, the US Coast Guard’s (USCG) final rule, Cybersecurity in the Marine Transportation System, codified at 33 C.F.R. § 101.600 et seq., went into effect. The final rule establishes cybersecurity requirements for the critical infrastructure owners and operators (CI/OO) of regulated entities (e.g., U.S.-flagged vessels, Outer Continental Shelf (OCS) facilities, and facilities regulated under the Maritime Transportation Security Act of 2002). See 90 Fed. Reg. 6298 (Jan. 17, 2025). These entities were already required to have a Vessel or Facility Security Plan (VSP/FSP) as defined by 33 C.F.R. §§ 104-106. Under the final rule, the CI/OO for these entities have incident reporting obligations, must develop Cybersecurity and Cyber Incident Response Plans, and designate a Cybersecurity Officer charged with implementing the plans. The regulation will be introduced in stages over the next three years, with certain provisions taking effect immediately.

AI Illustration

Key point: “Winning the Race: America’s AI Action Plan,” the Trump Administration’s summary approach to federal artificial intelligence (AI) policy, and three new Executive Orders (EO) propose a wide-ranging federal strategy intended to solidify U.S. leadership in AI. For business leaders and public sector stakeholders, the Action Plan and EOs may be a double-edged sword: catalyzing AI innovation through deregulation, but in turn creating a complex, opaque compliance environment that demands careful navigation.

In this post: (1) Website tracking litigation risk remains as SB 690 is designated “two-year bill”; (2) Second Circuit reinforces narrower interpretation of PII to “shut the door for Pixel-based VPPA claims”; (3) Courts require individualized harm to establish standing; (4) Dismissals increase where plaintiffs fail to provide detailed allegations; and (5) Courts split on whether commercial intent can defeat application of “crime-tort exception” under federal ECPA.

State of Connecticut Waving Flag in 3D

Keypoint: Connecticut once again moves the needle on state privacy laws while at the same time integrating changes from other state laws.

On June 25, Connecticut Governor Lamont signed Senator James Maroney’s SB 1295 into law. The bill makes several notable changes to Connecticut’s existing consumer data privacy law, including modifying its applicability standard, exemptions, definitions, consumer rights, data minimization provisions, and children’s privacy sections. The bill also significantly modifies the law’s approach to profiling that will impact the use of artificial intelligence in some contexts.

In the below post, we provide a summary of the more notable changes. For each of the changes, we also provide the context for the change, including what the change means, its potential consequences, and how it fits into the larger landscape of state data privacy laws.

Keypoint: In this post: (1) Standing may depend on how specific plaintiffs’ complaint is; (2) the 2nd Circuit adopts the 3rd and 9th Circuit’s narrower interpretation of PII under the VPPA; (3) Promises in privacy policies not to share user data can defeat consent defenses; (4) class action waivers in privacy agreements may face enforceability challenges in California; (5) courts closely scrutinize technical specifics in claims involving PHI.

This is our twenty-fourth installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Finally, for an overview of current U.S. data privacy litigation trends and issues, click here.