On April 17, 2026, the Governor of Alabama signed HB 351, Alabama Personal Data Protection Act (ALDPA), into law. The law resembles Connecticut’s data privacy statute, but omits certain requirements, such as a data protection impact assessment. Alabama follows Oklahoma as the second state to enact a comprehensive privacy
Continue Reading Alabama Enacts Comprehensive Privacy Law
Seventh Circuit Holds that BIPA Amendment Applies Retroactively
On April 1, 2026, the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024. This decision limits the potential statutory damages plaintiffs may obtain for pending BIPA cases.
Continue Reading Seventh Circuit Holds that BIPA Amendment Applies RetroactivelyUtah and South Dakota Enact Genetic Privacy Laws as Other States Advance Bills
At the state level, genetic privacy remains a fast-moving topic, and states continue to introduce and advance bills regulating genetic data.
Continue Reading Utah and South Dakota Enact Genetic Privacy Laws as Other States Advance BillsCalPrivacy Fines PlayOn Sports for Insufficient Opt-Out Process
On February 27, 2026, CalPrivacy and PlayOn settled a CCPA claim for $1.1 million. PlayOn is a digital ticketing platform used by schools and other organizations for ticketing, streaming, fundraising, concessions, merchandise sales, and website management. The settlement resolves allegations that PlayOn unlawfully “sold” and “shared” users’ personal information without providing sufficient opt-outs and notice, in violation of the CCPA. This marks the agency’s first enforcement action involving students’ data privacy.
Continue Reading CalPrivacy Fines PlayOn Sports for Insufficient Opt-Out ProcessConnecticut Attorney General Releases 2025 CTDPA Enforcement Report
The Connecticut Office of the Attorney General (“OAG”) issued an updated Enforcement Report (“Enforcement Report”) under the Connecticut Data Privacy Act (“CTDPA”). The Enforcement Report discusses the OAG’s enforcement actions in 2025 and suggests some areas of focus from the regulator, summarized below.
Continue Reading Connecticut Attorney General Releases 2025 CTDPA Enforcement ReportNew Jersey Enacts Amendment to its Comprehensive Privacy Law
On his last day in office, January 20, 2026, former New Jersey Governor Phil Murphy signed an amendment to the New Jersey Data Privacy Act, A5017. The bill amends the state’s comprehensive privacy law to add new data- and entity-level exemptions and to expand the definition of de-identified data. The amendment took effect immediately.
Continue Reading New Jersey Enacts Amendment to its Comprehensive Privacy LawSeveral States Introduce New Genetic Privacy Bills in Early 2026
Following a trend from the past few years, several states have introduced bills related to genetic privacy in recent months. These bills have focused on a range of issues, including the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, the national security implications of “foreign adversaries” accessing genetic information, and other topics related to genetic privacy and testing. We summarize a subset of such recently introduced bills below.
Continue Reading Several States Introduce New Genetic Privacy Bills in Early 2026CalPrivacy Announces $45,000 Fine Against Data Broker for Delete Act Violations
On January 8, 2026, the California Privacy Protection Agency (“CalPrivacy”) announced an enforcement action against Rickenbacher Data LLC (d/b/a “Datamasters”), an information reseller, for failing to register as a data broker under the California Delete Act. Datamasters agreed to pay a $45,000 administrative fine, among other remedial measures. In November, CalPrivacy launched a Data Broker Enforcement Strike Force within its enforcement division to investigate violations of the law in the data broker industry, which builds upon a 2024 investigative sweep into data broker compliance.
Continue Reading CalPrivacy Announces $45,000 Fine Against Data Broker for Delete Act ViolationsCalifornia AG Announces $1.4 Million Settlement with Mobile App Gaming Developer Over CCPA Violations
On November 21, 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (“Jam City”), a mobile app gaming company, for alleged violations of the California Consumer Privacy Act (“CCPA”) and Unfair Competition Law (“UCL”). The Jam City settlement marks Attorney General Bonta’s sixth settlement obtained under the CCPA and reflects a continued focus on how businesses present opt-out rights mechanisms to California consumers, including minors.
Continue Reading California AG Announces $1.4 Million Settlement with Mobile App Gaming Developer Over CCPA ViolationsNew York Governor Vetoes Restrictive Health Privacy Law
On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”). While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.
Continue Reading New York Governor Vetoes Restrictive Health Privacy Law