On September 30, 2025, the California Privacy Protection Agency (“Agency”) announced a decision and $1.35 million fine to resolve allegations that Tractor Supply Co. (“Tractor Supply”) violated the California Consumer Privacy Act (“CCPA”). The settlement comes after the Agency filed a petition to enforce an investigative subpoena against Tractor Supply. In addition to imposing the Agency’s largest fine to date, the settlement also marks the Agency’s first enforcement action related to job applicant personal data. Similar to the enforcement actions against American Honda Motor Co., Inc. and Todd Snyder, Inc., the Agency continues to focus on how businesses facilitate consumer rights under the CCPA.
Continue Reading California Privacy Agency Fines Tractor Supply $1.35 Million Over CCPA Violations
Oregon DOJ Publishes Enforcement Report on the Oregon Consumer Privacy Act
On August 29, the Oregon Department of Justice (DOJ) issued an enforcement report and press release covering its first year of enforcement of the Oregon Consumer Privacy Act (OCPA). The OCPA took effect on July 1, 2024, and the cure period sunsets on January 1, 2026. We previously summarized some of requirements in the OCPA here. This blog summarizes notable takeaways from the enforcement report.
Continue Reading Oregon DOJ Publishes Enforcement Report on the Oregon Consumer Privacy ActOregon Amends Its Comprehensive Privacy Statute
Following the approach taken by the Kentucky and Connecticut legislatures this spring, Oregon has amended its comprehensive privacy statute to implement changes to the law. Specifically, the amendment extends the statutory cure period to July 1, 2026, but this extension is limited to certain controllers. Beginning on January 1, 2026, the statute’s cure provision will only apply to controllers that are a “noncommercial educational broadcast station, as defined in 47 U.S.C. 397” and that (1) receive funding from the Corporation for Public Broadcasting and (2) distribute the entity’s journalism content without cost to recipients.
Continue Reading Oregon Amends Its Comprehensive Privacy StatuteTexas Enacts AI Consumer Protection Law
On June 22, Texas Governor Greg Abbott (R) signed the Texas Responsible AI Governance Act (“TRAIGA”) (HB 149) into law. The law, which takes effect on January 1, 2026, makes Texas the second state to enact comprehensive AI consumer protection legislation, following the 2024 enactment of the Colorado
Continue Reading Texas Enacts AI Consumer Protection LawConnecticut Legislature Amends Its Privacy Statute
On June 24, 2025, the Connecticut governor signed SB 1295, which amends the state’s comprehensive privacy statute, the Connecticut Data Privacy Act (“CTDPA”). SB 1295 takes effect on July 1, 2026.
Continue Reading Connecticut Legislature Amends Its Privacy StatuteNew Jersey Division of Consumer Affairs Proposes Draft Regulations
On June 2, 2025, the New Jersey Division of Consumer Affairs published draft regulations to implement the New Jersey Data Protection Act, which went into effect on January 1, 2025. The draft regulations propose detailed requirements, including for privacy notices, consent, and consumer rights. Interested parties may submit written
Continue Reading New Jersey Division of Consumer Affairs Proposes Draft RegulationsClothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.
Continue Reading Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act ViolationsMontana Passes Amendments to Consumer Data Privacy Act
On April 15, 2025, the Montana legislature unanimously passed Montana SB 297, a bill that would amend the Montana Consumer Data Privacy Act (“MTCDPA”) with provisions expanding online data protections for minors, narrowing the exemptions under the Gramm-Leach-Bliley Act, and removing a controller’s right to cure, among others. We outline some key provisions below.
Continue Reading Montana Passes Amendments to Consumer Data Privacy ActUtah Enacts App Store Accountability Act
On March 26, 2025, Utah Governor Spencer Cox signed into law SB 142, the App Store Accountability Act (the “Act”), enacting the country’s first state law that requires app store providers to verify the age of all users and places obligations on app developers. An “app store provider” is defined as “a person that owns, operates, or controls an app store that allows users in [Utah] to download apps onto a mobile device.” A “developer” is defined as “a person that owns or controls an app made available through the app store in the state.”
The law goes into effect on May 7, 2025, and the obligations on app store providers and developers are not effective until May 6, 2026. Some key provisions are outlined below.
Continue Reading Utah Enacts App Store Accountability ActHonda Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $632,500 fine related to allegations that American Honda Motor Co., Inc. (“Honda”) violated the California Consumer Privacy Act (“CCPA”).
Continue Reading Honda Settles CPPA Allegations Regarding California Consumer Privacy Act Violations