After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, on May 9, 2026, the Colorado legislature passed SB 26-189. It now awaits the governor’s signature and is expected to be signed into law, which will go into effect January 1, 2027.
On April 22, 2026, the House Energy & Commerce Committee released the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act seeks to establish a comprehensive federal framework for consumer privacy rights and the protection of personal data. Subject to certain exemptions, the SECURE Data
Following the release of the Trump Administration’s new National Cyber Strategy, National Cyber Director Sean Cairncross noted in a virtual interview that the administration is considering changes to the existing cyber incident reporting rules previously promulgated by the Cybersecurity and Infrastructure Security Agency (CISA). According to Cairncross, the administration wants to ensure the rules
In the span of just a couple days, the California Privacy Protection Agency (CalPrivacy) announced two significant privacy enforcement actions, highlighting the increasing scrutiny on companies’ handling of personal data. These actions underscore the agency’s commitment to ensuring that businesses comply with privacy laws designed to protect individuals’ rights, particularly focusing on transparency and ease
The past year set up a clear clash between federal deregulatory efforts and state-level AI rulemaking, and 2026 is poised to be the year that conflict materializes in earnest. The Trump Administration signaled a strong preference for scaling back AI-specific rules while exploring avenues to preempt state and local measures, even as a growing number
On June 4, 2025, the Digital Advertising Alliance (“DAA”), the self-regulatory body that sets and enforces privacy standards for digital advertising, announced it is launching a process to determine if it is necessary to issue new guidance to address how the DAA’s Self-Regulatory Principles apply to the use of artificial intelligence systems and tools that
The State of Texas and Meta Platforms Inc. (“Meta”) have agreed to a $1.4 billion settlement, to be paid out over five years, to resolve claims relating to Meta’s alleged use of facial recognition technology without user consent. This settlement marks the largest privacy settlement obtained by a single state and is the first one
The California Privacy Protection Agency (“CPPA”) discussed at its July 16 meeting new enforcement focuses in addition to current goals. While the new focuses are largely in line with general trends, they also serve as a reminder that specific and nuanced compliance decisions can make a big difference.
As the CPPA has made clear in
Minnesota becomes the latest state to move to pass legislation regulating the processing and controlling of personal data (HF 4757 / SF 4782). If signed into law by Governor Tim Walz, the Minnesota Consumer Data Privacy Act, or MCDPA, would go into effect on July 31, 2025 and provide various consumer data privacy
The FTC published guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for AI training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or