State & Local Laws & Regulation

California Governor Signs Age Verification Law

In a significant move aimed at protecting minors online, California Governor Gavin Newsom recently signed the California Digital Age Assurance Act, set to take effect on January 1, 2027. This law imposes new requirements on organizations that develop, license, or control device operating systems, mandating the inclusion of an age-verification interface during user account setup. Users will need to provide their date of birth, age, or both, while app developers will need to utilize one of four age-range indicators: under 13, 13-15, 16-17, or 18+.

Crucially, the law also includes protections against anti-competitive practices by preventing operating system providers from utilizing compliance data in harmful ways. Existing accounts set up before the law’s commencement will need to be compliant by July 1, 2027, while allowances for technical errors are to be included. Enforcement rests with the California Attorney General, who can seek civil penalties ranging from $2,500 for negligent infractions to $7,500 for intentional breaches impacting minors.

Massachusetts Senate Passes Data Privacy Act

In another significant legislative move, the Massachusetts Senate recently passed the Massachusetts Data Privacy Act (MDPA) with unanimous support. Aimed at protecting consumer data, the MDPA applies to entities that manage data for at least 60,000 consumers annually, or 20,000 consumers if data sales account for over 20% of revenue. This law targets not only regular consumer data but also sensitive reproductive and sexual health information.

The MDPA emphasizes consumer rights, allowing individuals to access, correct, delete, and port their personal data. Additionally, residents will have the ability to opt out of targeted advertising and data sales. The Act also limits the collection of sensitive data and mandates that businesses issue clear privacy notices. The enforcement of this law will also fall to the Attorney General, who has the authority to pursue injunctions, damages, and civil penalties, potentially reaching $5,000 for each violation. If approved by the House, the MDPA is projected to take effect on January 1, 2027.

Pennsylvania Approves Consumer Data Privacy Act

Not to be left behind, the Pennsylvania House of Representatives has recently approved House Bill 78, also known as the Consumer Data Privacy Act. This law aligns with contemporary privacy trends by providing individuals with robust rights concerning their personal data. Consumers will gain access to their data, the ability to correct inaccuracies, and options for data deletion and portability.

Businesses earning over $10 million annually will be especially impacted, as they’re required to minimize data collection practices, ensure procedural transparency, and secure consent for processing sensitive data. The enforcement of this Act will also be undertaken by the Attorney General, deeming certain non-compliance scenarios as unfair competition or deceptive practices.

NYDFS Issues Guidance on Third-Party Service Provider Risk Management

The New York Department of Financial Services (NYDFS) recently issued essential guidance aimed at mitigating risks associated with third-party service providers (TPSPs). This guidance clarifies existing regulatory expectations and encourages best practices for managing TPSP-related risks. It encourages entities to adopt a proactive, risk-based approach, emphasizing thorough due diligence when selecting TPSPs.

Key recommendations include ensuring robust contract provisions on data handling, monitoring TPSPs through audits, and maintaining secure data return or destruction protocols during the termination of relationships. This guidance underscores the principle that compliance responsibilities rest firmly with the principal entity, not the TPSPs, positioning third-party risk management as a crucial element of regulatory examinations.

Minnesota and New Hampshire Join Regulatory Consortium

In a milestone for privacy protection, Minnesota and New Hampshire have joined the bipartisan Consortium of Privacy Regulators, now expanding this cooperative body to ten states. This Consortium seeks to strengthen cross-jurisdictional enforcement of privacy laws, which includes Minnesota’s Consumer Data Privacy Act and New Hampshire’s Data Privacy Act. The Consortium aims to streamline investigations of potential violations and coordinate resources for common consumer protections.

With this development, accountability mechanisms are bolstered and aligned, and regulators can share expertise on consumer rights regarding data handling, data sales, and more. The collaboration serves to enhance the efficacy of data regulation, benefiting both consumers and businesses alike.


Federal Laws & Regulation

Federal Cybersecurity Initiatives Lapse During Shutdown

Meanwhile, the federal government faces notable challenges amid congressional gridlock, resulting in a shutdown that has led to the expiration of key cybersecurity initiatives. The Cybersecurity Information Sharing Act (CISA) and the State and Local Cybersecurity Grant Program, both designed to bolster cybersecurity defenses, have lapsed because Congress failed to reauthorize them. This lapse could significantly hinder the capacity of state and local governments to defend against escalating cyber threats and to share information.

FTC Consumer Protection Services Unavailable

Compounding the challenges, multiple consumer protection services via the Federal Trade Commission (FTC) are currently unavailable due to the ongoing government shutdown. Services such as the National Do Not Call Registry and platforms for reporting fraud and identity theft are offline, leaving consumers without critical tools to report and manage these issues. These disruptions underscore the far-reaching consequences of the government’s inability to operate effectively and maintain essential consumer safeguards.

Joint Commission Issues Guidance on AI Use in Healthcare

In a more positive development, the Joint Commission, alongside the Coalition for Health AI (CHAI), has issued guidelines aimed at promoting responsible use of artificial intelligence (AI) tools in healthcare. The guidelines present seven core elements essential for the responsible deployment of AI, covering everything from governance policies to ongoing quality monitoring.

Key recommendations emphasize patient privacy, data security, and the importance of continuous evaluation for AI tools to ensure safety and mitigate biases. These guidelines serve as an essential roadmap for ensuring that AI technology in healthcare is utilized responsibly and effectively.

Bipartisan GUARD Act Introduced for AI Chatbots

In a notable bipartisan effort to protect minors online, U.S. senators have introduced the GUARD Act, aimed at regulating the use of AI chatbots by children. This legislation seeks to implement age verification and prohibit companies from exposing minors to harmful AI interactions.

If passed, the GUARD Act introduces stringent requirements for companies, including safeguarding user data and preventing exploitative practices. This aligns with broader concerns regarding the online environments children navigate, ensuring they are not only protected but informed about the technology they use.


U.S. Litigation

Dismissal of 2nd VPPA Case Against NBA

In a recent judicial decision, U.S. District Judge Jennifer L. Rochon dismissed a putative class action against the NBA under the Video Privacy Protection Act (VPPA). The case questioned whether the NBA’s data-sharing practices, particularly via Meta Pixel integration on their website, constituted a breach of privacy.

The court determined that the disclosed information did not meet the VPPA’s criteria for "personally identifiable information." This decision reinforces existing legal interpretations regarding digital privacy disclosures and remains significant for the ongoing discourse around consumer privacy in the digital landscape.

Challenge to New York Algorithmic Pricing Law Dismissed

A lawsuit challenging New York’s Algorithmic Pricing Disclosure Act was also dismissed, with the Southern District of New York affirming that required disclosures about algorithm-set prices do not violate First Amendment rights. The court held that disclosing the use of algorithms to set prices based on personal data is factual and justifies the law’s intention to promote consumer awareness.

New Jersey Supreme Court to Review Daniel’s Law

In a noteworthy case, the New Jersey Supreme Court has agreed to examine Daniel’s Law, which restricts the release of personal information for specific public servants. This review will clarify the liability standards for violations of the law and is poised to influence enforcement dynamics regarding personal data disclosures in sensitive sectors.


U.S. Enforcement

FTC Takes Action Against Anonymous Messaging App

The Federal Trade Commission has recently acted against Iconic Hearts Holdings, operator of the Sendit anonymous messaging app, for noncompliance with the Children’s Online Privacy Protection Act. The allegations highlight failures in protecting minors who used the app and underscore the essential need for stricter regulations governing children’s online experiences.

Florida Attorney General Sues Roku for Privacy Violations

In a critical enforcement action, the Florida Attorney General has sued Roku for breaches of children’s privacy laws and deceptive practices. The legal action centers on Roku’s collection and selling of sensitive information from minors without proper consent, emphasizing the importance of adhering to privacy laws, especially concerning data collected from children.

NYC Lawsuit Against Social Media Platforms

The City of New York has filed a lawsuit against several major social media companies, alleging that they intentionally created addictive features targeting minors. The lawsuit claims these designs contribute to serious mental health ramifications for youth, framing the issue as both a public nuisance and a negligence issue.

OCR Settles with Healthcare Providers

In settlement news, Cadia Healthcare Facilities reached an agreement with the Office for Civil Rights regarding violations of HIPAA rules for sharing patient information without consent. This settlement highlights the importance of compliance within healthcare regarding patient data protections and reinforces the ongoing scrutiny healthcare entities are under for ensuring data privacy.


International Laws & Regulation

New Zealand’s Privacy Amendment Act 2025 Enacted

On the international front, New Zealand’s Privacy Amendment Act 2025 introduces new responsibilities for organizations collecting data indirectly from individuals. The law mandates that entities notify individuals when collecting their personal data from external sources, providing them with necessary information about the collection’s purpose and their data rights.

EDPB and European Commission Guidance on GDPR and DMA

The European Data Protection Board and the European Commission published guidelines addressing the intersection of the General Data Protection Regulation (GDPR) and the Digital Markets Act (DMA). These guidelines aim to ensure collaborative and effective applications of both regulations, fostering a coherent approach to data protection and market fairness across Europe.

European AI Strategic Initiatives Unveiled

Lastly, the European Commission has launched two strategic initiatives to enhance the adoption of artificial intelligence: the Apply AI Strategy and AI in Science Strategy. These initiatives aim to bolster AI integration across multiple sectors and elevate Europe’s standing in AI-driven research. Investments of over €1 billion support programming focused on advancing AI in societal applications, workforce preparedness, and fostering innovation across industries.

This increasingly complex landscape of laws and regulations underscores the global commitment to addressing privacy, data protection, and the responsible development of emerging technologies.