The US “comprehensive” law landscape continues to expand, with two more states—Tennessee (July 1) and Minnesota (July 31) —joining the “comprehensive” privacy law club. Five of these -Delaware, Iowa, Nebraska, New Hampshire, and New Jersey- took effect in January. As the patchwork of state-level “comprehensive” privacy laws expands, what should business keep in mind? As outlined below, perhaps the biggest takeaway is that the laws add to a patchwork, one which consists of many overlapping requirements. Here are a few highlights from these two latest laws:…
Continue Reading US Privacy Footprint Continues to Expand: Tennessee and Minnesota Join the State Law Club

Vermont has joined the list of states attempting to regulate the use of children’s information collected online, passing an Age-Appropriate Design Code Act. This law mirrors ones we have seen in other US states as well as the UK, and applies to online services reasonably accessed by minors, that collect personal data. We expect it to be challenged, but if it is not, it would go into effect January 1. Among other things, the law provides the following:…
Continue Reading Growing List of States Attempting to Regulate Kids’ Online Privacy: Vermont Joins the Group

On 11 June 2025, the UK Parliament passed the Data (Use and Access) Act 2025 (“DUAA”), which received Royal Assent on 19 June 2025. This legislation marks a significant and targeted overhaul of the UK’s data protection framework, introducing reforms of the UK GDPR, the Data Protection Act 2018 (DPA), and the Privacy and Electronic Communications Regulations 2003 (PECR). In addition, it lays the groundwork for future regulation of AI, launches new initiatives to support smart data access and the development of a digital identity infrastructure.
Continue Reading The UK’s Data (Use and Access) Act 2025: Key points to note for businesses

Montana’s privacy law has received a refresh and updates will go into effect October 1, 2025 – exactly one year since the law took effect. The law was modified with SB 297, and changes include coverage, approach with minors, and more:…
Continue Reading Big Sky State Makes Big Privacy Updates

In ongoing tweaks to state privacy laws, Oregon has amended its state privacy law to cover auto manufacturers. Specifically, those that process or control personal information that they get from a person’s use of a car. As most are aware, the law requires disclosures when collecting personal information, provision of rights to consumers (including the ability to delete and port personal information), and limits on profiling among other things. While the Oregon law, like most state “comprehensive” laws, includes applicability thresholds, there are no thresholds for this new applicability to car manufacturers. The law is slated to go into effect…
Continue Reading Oregon Extends Privacy Law to Specifically List Auto Makers

North Dakota recently passed a law establishing new rules for certain financial companies operating in the state – specifically “financial corporations.” The new obligations will take effect on August 1, 2025. They will apply to businesses that the North Dakota department of financial institutions regulates. Financial institutions (like banks and loan companies) and credit unions are not regulated by that entity.
Continue Reading North Dakota Passes New Data Security Law for “Financial Corporations”

Nebraska’s governor signed a bill into law that, among other things, creates the Parental Rights in Social Media Act. The provisions of the law will go into effect July 1, 2026, unless challenged. The law is similar to several other states, most of which have been challenged (including Arkansas, California, and Utah) and some struck down.
Continue Reading Growing List of States Attempting to Regulate Kids’ Social Media Accounts: Nebraska Husks Up

The Michigan Attorney General has filed a complaint against Roku, a popular TV content platform, alleging, among other things, violations of the Children’s Online Privacy Protection Act and the Video Privacy Protection Act (and a similar Michigan law). As most are aware, COPPA requires prior parental consent before collecting information from children online. It gives standing to both the FTC and to states’ attorneys general, but no private right of action. Most cases brought since COPPA’s passage have been brought by the FTC, however, and not by states. This current Michigan case comes after a group of 43 states,…
Continue Reading Michigan AG Sues Roku Over Alleged Privacy Violations

California appears to be changing its approach to how it regulates artificial intelligence, likely reflecting its reaction to challenges seen recently in other states. Namely, the California Privacy Protection Agency recently released an update to its draft regulations which change how the Agency plans to regulate Automated Decisionmaking Technology, or ADMT. This comes after the Agency’s original proposal faced intense opposition from industry groups, state lawmakers and Governor Newsom.
Continue Reading California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules

Montana recently revised its Genetic Information Privacy Act to address neural data. The law went into effect in 2023, and applies to both entities that offer genetic testing services as well as entities that use genetic data.
Continue Reading Montana Amends Law to Cover Collection and Use of Neural Data

Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different,…
Continue Reading Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?) 

The Belgian Data Protection Authority recently ruled that a Belgian government entity, FPS Finance, cannot transfer the personal data of “accidental Americans” to the IRS. According to the decision, the transfers needed to cease for several reasons.
Continue Reading Belgian DPA Finds Certain Tax Information Transfers to IRS Unlawful

In a landmark ruling, the Ninth Circuit expanded the application of specific personal jurisdiction principles to the realm of nationwide e-commerce. On April 21, 2025, an en banc panel issued a 10–1 decision ruling that allegations that Shopify embedded cookies that tracked a California consumer’s location data were sufficient to establish specific personal jurisdiction over Shopify in California (reversing the Court’s prior opinion on this exact issue). In the wake of this decision, businesses may face increased legal challenges in various states. To protect against far-flung lawsuits in unwanted jurisdictions, e-commerce businesses should, if practicable, refrain from collecting location data and engaging…
Continue Reading Ninth Circuit Upends Internet Personal Jurisdiction Law–Briskin v. Shopify