Posts

Showing posts with the label CCPA

Louisiana Enacts Consumer Data Privacy Law

Key point: Louisiana becomes the 22nd state — and third this year — to enact a consumer data privacy law, adopting a law similar to Texas’ law. On May 29, 2026, Louisiana Governor Jeff Landry signed the Louisiana Data Privacy Act ( SB 386 ) into law. Louisiana is the 22nd state to pass a broad consumer data privacy law. It is the third state — following Oklahoma and Alabama — to pass a law this year. The new law largely tracks Texas’ law but with some notable differences we identify below. Applicability Although the law generally follows the Texas Data Privacy and Security Act, one of the notable ways in which it differs from that law — as well as other Washington Privacy Act model consumer data privacy laws — is its applicability standard. The law applies to controllers and processors that conduct business in Louisiana and satisfy one or more of the following thresholds: (1) have annual gross revenue in excess of $25 million; (2) annually buy, receive for the business’s commercial p...

Is a CCPA Risk Assessment Required When Using Productivity Management and Monitoring Platforms?

Key Takeaways Outlines key considerations for businesses using productivity management and monitoring platforms – such as, Teramind, ActivTrak, and Insightful – and whether their use may require a CCPA risk assessment. Identifies the specific CCPA risk assessment triggers most relevant to such productivity technologies. Productivity management and monitoring platforms have become a fixture of the modern workplace—particularly for remote and hybrid workforces. These tools can track application usage, keystrokes, website visits, active and idle time, and even capture periodic screenshots of employee screens. Some platforms go further, using artificial intelligence to generate productivity scores, assess engagement levels, and flag behavioral anomalies. Businesses subject to the California Consumer Privacy Act (CCPA) and deploying this type of technology, should carefully consider whether a risk assessment is required before or during that use. The first question is always whether the CC...

California Privacy Agency Cracks Down on Another Business For Deficient Opt-Out Practices: 3 Action Steps For Your Company

For the second time in a week, California privacy regulators announced a significant fine against a business for failing to satisfy California Consumer Privacy Act’s (CCPA) “clear and conspicuous” opt-out requirements. T he California Privacy Protection Agency fined Ford Motor Company $375,000 fine on March 5, finding that the automaker’s process for letting consumers opt out of having their personal information sold or shared created “unnecessary friction” in violation of the CCPA . These back-to-back enforcement actions should serve as a wake-up call for businesses to ensure their opt-out policies can withstand regulators’ scrutiny. What happened in this matter, and what lessons can you learn from the fine? What Happened? The agency found that Ford’s opt-out process required consumers to verify their email address prior to opting out of the sale and/or sharing of their personal information . If consumers did not complete the email verification step, Ford did not process their opt-ou...

The Future of Privacy Enforcement? California Introduces Privacy Whistleblower Law

On February 17, 2026, California Assembly Member Pilar Schiavo introduced  California Assembly Bill 2021  (AB 2021), which would amend the California Consumer Privacy Act of 2018 (CCPA) to create a formal whistleblower complaint and award program administered by the California Privacy Protection Agency (CalPrivacy). The concept of a whistleblower program was first discussed at CalPrivacy’s Board meeting in late 2025 and could have significant implications for companies doing business in California. AB 2021’s Whistleblower Regime If passed, AB 2021 would establish a program for individuals to submit whistleblower complaints to CalPrivacy regarding companies’ privacy practices. CalPrivacy could then designate those complaints for administrative enforcement. If the administrative enforcement process were to result in a monetary settlement or penalty, an eligible whistleblower could potentially receive an award between 15 and 33 percent of collected fines or settlement proceeds. N...

A MoFo Privacy Minute Q&A: Key Steps in 2026 to Comply with State Privacy Assessment Requirements

Question:  Do I need to complete state privacy risk assessments in 2026? I know some CCPA deadlines aren’t until next year, but how can I prepare my team to comply with state privacy assessment requirements? Answer:   The start of the year is an excellent time to review and update your organization’s privacy assessment process, particularly in light of new regulations under the CCPA . It is likely that you will need to conduct privacy assessments in 2026 , though it depends on your organization’s data processing activities and which state consumer privacy laws apply to your organization. The CCPA’s new requirements include: Undertaking a risk assessment if the organization is “selling” or “sharing” personal data, processing sensitive data (with limited exceptions), using automated decision-making technology (ADMT) for a “significant decision,” or engaged in other types of processing that present a “significant risk” to consumers’ privacy. Conducting the risk assessment per the...

Looking Ahead to Privacy (and Similar) Issues for 2026

Privacy law evolved at a dizzying pace in 2025. Regulators brought headline-making enforcement actions, courts continued to shape the boundaries of existing statutes, and state legislatures advanced new laws. Much of that activity centered on familiar pressure points: privacy notices and opt-out mechanisms, telemarketing and text messaging practices, and the collection and use of sensitive data, particularly biometric information, health data (such as the Healthline CCPA enforcement), and children’s and teen’s personal information (including actions against Roku in multiple jurisdictions). Newly effective laws echoed those same priorities. For example, Maryland’s comprehensive privacy law and several children’s privacy statutes in states like New York and Colorado place new limits on how children’s data may be used for advertising and related purposes, while Colorado also expanded consent requirements for certain biometric processing affecting both consumers and employees. In parallel,...

Effective Jan. 1: California Regulatory Updates, New State Privacy Laws, and Opt-Out Signal Requirements

A significant set of U.S. state privacy law developments, all effective Jan. 1, will expand compliance obligations for companies operating nationwide. These developments fall into three principal categories: (1) new regulatory requirements adopted by the California Privacy Protection Agency (CPPA) under California‘s Consumer Privacy Act of 2018 (CCPA), which includes enforcement of privacy and security risk assessment requirements; (2) new comprehensive consumer privacy statutes in Indiana, Kentucky, and Rhode Island; and (3) statutory requirements in Delaware and Oregon mandating recognition of universal opt-out preference signals. Together, these changes reflect the continued maturation of state privacy regimes and reinforce the need for scalable, multi-jurisdictional privacy compliance programs, including clear risk assessment protocols. We start first with the CCPA Amendments and Regulatory Updates, given that many companies benchmark their compliance programs as a differential of ...