Global Privacy and Security Update: November 2025 Edition

State & Local Laws & Regulation

California Governor Signs Age Verification Law

In a significant move, California Governor Gavin Newsom has enacted the California Digital Age Assurance Act, officially marking a new chapter in the realm of digital privacy and child safety. Set to take effect on January 1, 2027, this legislation aims to provide a framework for verifying the ages of users accessing digital platforms. Under the Act, developers and entities that control operating system software must implement an interface at the account setup stage, allowing users to indicate their birth date or age. This must culminate in providing applications with one of four age-range signals: under 13, 13–15, 16–17, or 18+.

One key aspect of the law is its prohibition against the anti-competitive use of compliance data by operating system providers and app stores. Application developers are required to rely on these age-range signals to fulfill their obligations concerning child privacy and safety, ensuring that children’s data is handled appropriately. It’s also important to note that for accounts set up before the law’s effective date, operating systems will need to comply by July 1, 2027, including provisions for technical errors. Enforcement of the Act will lie with the California Attorney General, who can levy civil penalties ranging from $2,500 for negligent violations to $7,500 for intentional breaches concerning child data.

Massachusetts Senate Passes Massachusetts Data Privacy Act

Following suit, the Massachusetts Senate has unanimously passed the Massachusetts Data Privacy Act (MDPA), an initiative that aims to bolster consumer rights in data handling by businesses. This law, which will come into effect on January 1, 2027, targets entities that handle data from at least 60,000 consumers annually, or 20,000 if data sales constitute at least 20% of revenue.

The MDPA is designed to give consumers rights to access, correct, delete, and port their personal data. Additionally, it requires clear privacy notices and mandates data protection assessments for high-risk processing activities. The legislation sets strict guidelines on the collection and use of sensitive data and gives enforcement authority exclusively to the Attorney General, who can pursue civil penalties of up to $5,000 per violation. This law also aligns closely with provisions similar to those found in the Maryland Privacy Act, effectively enhancing data protection across sensitive demographics.

Pennsylvania House of Representatives Approves the Consumer Data Privacy Act

Continuing the trend in robust data privacy legislation, the Pennsylvania House of Representatives has greenlit House Bill 78, known as the Consumer Data Privacy Act. This Act is noteworthy as it focuses on empowering individuals with rights concerning their personal data, including access, correction, deletion, and data portability. It also allows consumers to opt out of targeted advertising and the sale of personal data.

Businesses with annual revenues exceeding $10 million, along with data processors, will need to adjust their data collection practices to ensure transparency, security, and consent for the processing of sensitive data. Enforcement of the Act will rest with the Attorney General, who may treat violations as unfair competition under the state’s Unfair Trade Practices and Consumer Protection Law.

NYDFS Issues Guidance on Managing Third-Party Service Provider Risk

The New York Department of Financial Services (NYDFS) has recently issued guidance aimed at managing risks associated with third-party service providers (TPSPs). This guidance is essential as it seeks to clarify regulatory requirements without imposing new obligations. Instead, it advocates for a proactive, risk-based approach to TPSP governance, including oversight from senior governing bodies.

Highlighting best practices, the NYDFS encourages covered entities to conduct thorough due diligence while selecting TPSPs and to include specific provisions in TPSP contracts. These provisions should cover access controls, data encryption, breach notifications, and even AI usage. Ongoing monitoring and secure data return or destruction are crucial components of the recommended protocol. The guidance underscores a non-delegable compliance responsibility for entities, which NYDFS will consider in its examinations and enforcement actions.

Minnesota and New Hampshire Join Regulatory Enforcement Consortium

Significant progress is being made in cross-jurisdictional enforcement of state privacy laws, as Minnesota and New Hampshire have joined the bipartisan Consortium of Privacy Regulators. This expanded consortium now includes ten regulators and is dedicated to collaborative enforcement of consumer data privacy laws, such as Minnesota’s Consumer Data Privacy Act and New Hampshire’s Data Privacy Act.

The Consortium’s primary goal is to establish coordinated investigations into potential violations, share resources, and foster expertise in ensuring compliance with consumer protection laws. The move is aligned with recent efforts to implement and enforce privacy regulations actively. Both states are taking further steps, with New Hampshire establishing a Data Privacy Unit and Minnesota expanding its Consumer Protection Division to support enforcement operations.


Federal Laws & Regulation

Federal Cybersecurity Initiatives Lapse During Shutdown

As U.S. cybersecurity continues to be a pressing concern, two significant initiatives, the Cybersecurity Information Sharing Act (CISA) of 2015 and the State and Local Cybersecurity Grant Program, have expired due to congressional stagnation. CISA was vital for providing legal protections to entities sharing cyber threat data. In the context of a federal government shutdown, this lapse raises alarms regarding the preparedness of localities and states to defend against cyber threats.

FTC Do Not Call List and Other Consumer Protection Services Unavailable During Shutdown

Compounding the issues, the Federal Trade Commission (FTC) has announced a shutdown of its consumer protection services, effective October 1, 2025, as a result of halted government funding. This means that important platforms, including those for reporting fraud and identity theft complaints, are offline. The National Do Not Call Registry also faces interruption, rendering both consumers and telemarketers unable to access these crucial services during the shutdown.

Joint Commission and Coalition for Health AI Issue Guidance on Responsible Use of AI in Healthcare

A pivotal development in the healthcare sector comes from the Joint Commission and the Coalition for Health AI, which have collaborated to create guidance for the responsible use of artificial intelligence in healthcare. This guidance emphasizes seven core elements crucial for the effective and ethical implementation of AI technologies. These include governance structures for AI policies, patient privacy and transparency measures, continuous quality monitoring, and risk assessments for bias in AI tools. Workforce training to enhance AI literacy among health professionals is also highlighted, ensuring safe and effective deployment of these advanced technologies.

Bipartisan Bill to Regulate Minor Use of Chatbots Introduced

In an effort to protect minors from potential risks associated with AI chatbots and companions, a bipartisan group of U.S. senators has introduced the GUARD Act. This legislation aims to establish stringent requirements for companies engaging with minors through AI technologies. Should the Act pass, it would mandate age verification and restrict harmful content, ensuring that children have a safe online experience. The bill also proposes penalties reaching up to $100,000 for non-compliance.


U.S. Litigation

2nd VPPA Case Against NBA Tossed

A recent ruling in the Southern District of New York has led to the dismissal of a class action lawsuit against the NBA under the Video Privacy Protection Act (VPPA). The plaintiff alleged that the NBA disclosed his viewing information via the Meta Pixel. However, the court determined that the information shared does not meet the VPPA’s criteria for personally identifiable information, thus reinforcing the precedent on such digital disclosures.

Court Dismisses Challenge to New York Algorithmic Pricing Transparency Law

In another noteworthy ruling, the Southern District of New York has dismissed a challenge from the National Retail Federation against New York’s Algorithmic Pricing Disclosure Act. This law mandates merchants to disclose when prices are set using algorithms based on consumer data. The court held that such disclosures fall within the realm of factual information, emphasizing the state’s interest in enhancing consumer awareness.

New Jersey Supreme Court Agrees to Review Daniel’s Law

The New Jersey Supreme Court is set to examine Daniel’s Law, which restricts the disclosure of specific personal information regarding judges and law enforcement. The Court’s review aims to clarify the mental state needed to establish liability under the law, a development that could significantly impact data brokers and entities subject to compliance.


U.S. Enforcement

FTC Files Complaint Against Operator of Anonymous Messaging App

The FTC has taken action against Iconic Hearts Holdings, the operator of the Sendit app, for multiple violations related to children’s online safety. Allegations include the unauthorized collection of personal information from children and deceptive marketing practices, highlighting the stringent regulatory approach toward protecting minors in digital spaces.

Florida Attorney General Sues Streaming Device Company for Violations of Children’s Privacy

In a pressing move, the Florida Attorney General has filed a lawsuit against Roku, Inc. for purported violations of the Florida Digital Bill of Rights. The allegations assert that Roku collected and sold sensitive data from children without requisite parental consent, including precise geolocation and other private information.

NYC Sues Major Social Media Platforms for Addictive Features

The city of New York has initiated a lawsuit against major social media platforms, claiming that features designed to be addictive exploit minors and contribute to mental health crises among youth. This lawsuit underscores the growing scrutiny of technology companies and their impact on public health.

OCR Settles with Healthcare Provider for Sharing Patient Stories in Violation of HIPAA

Cadia Healthcare Facilities have settled with the U.S. Department of Health and Human Services for sharing patient information without consent. The settlement highlights the critical importance of adherence to HIPAA regulations, especially concerning patient privacy.

New York Attorney General Settles with Auto Insurers for Data Breach

The New York Attorney General has reached a settlement over data breaches involving several car insurance companies. The breaches, which impacted hundreds of thousands of residents, emerged from vulnerabilities in online quoting tools.

New York Attorney General Settles with Accounting Firm for Data Breaches

A similar settlement was achieved with Wojeski & Company following multiple data breaches. The firm is now mandated to improve its cybersecurity protocols and enhance transparency regarding data protection practices.


International Laws & Regulation

New Zealand’s Privacy Amendment Act 2025 Signed Into Law

New Zealand’s recent Privacy Amendment Act 2025 introduces critical changes to its privacy framework. Set to take effect in 2026, this law mandates that organizations collecting data indirectly must notify affected individuals about the data collection, its purpose, and their rights. This development signals a progressive approach to privacy in the region.

EDPB and European Commission Issue Guidance on Interplay of GDPR and DMA

The European Data Protection Board and the European Commission have collaborated to provide guidance on the relationship between the GDPR and the Digital Markets Act (DMA). This guidance aims to ensure that cooperative enforcement occurs across these regulatory frameworks, enhancing consumer protection while regulating digital market competitiveness.

European Commission Launches Two AI Strategic Initiatives

The European Commission has recently announced two strategic initiatives focused on advancing AI integration in industry and research. By allocating significant funding, the Commission aims to position Europe at the forefront of AI-driven innovation in critical sectors, emphasizing workforce readiness and strategic data utilization.


This article outlines the evolving landscape of state, federal, and international regulations affecting data privacy, cybersecurity, and consumer protection. Each legislative move signifies a robust commitment to safeguarding individual rights in an increasingly digital world.
