Connecticut has enacted a sweeping new data broker law (SB 4, as amended by HB 5222), making it one of a growing number of states to regulate the collection, sale, and licensing of third‑party personal data. Effective October 1, 2026, the law requires data brokers to register with the state, imposes detailed compliance obligations, and, like California’s DELETE Act, creates a centralized mechanism for consumers to request deletion of their data. At the same time, Connecticut takes a more tailored…More

If you list cellphone numbers in a directory for a commercial purpose without consent, you could be liable under the Colorado Prevention of Telemarketing Fraud Act, Colo. Rev. Stat. § 6-1-304(4)(a)(I). A new class action filed in federal court in Colorado pursues exactly this claim, the latest in a wave of similar complaints filed against companies over the last couple of years. What the law says Under the Colorado statute: On or after September 1, 2005, a person commits an unlawful telemarketing…More

New York just is set to become the first state in the US to outright prohibit certain AI companion features for minors. The bill has passed both houses and is headed to the Governor. Unsafe AI Companion Features The law, NY SB S9051B, applies to AI companions that provide ongoing, adaptive responses to user inputs and prohibits, for individuals under 18, features, called “Unsafe AI Companion Features” that generate outputs that: suggest the AI is human or are deceptive regarding the non-sentient nature…More

Last week, Governor Phil Scott signed Act 138, amending Vermont’s data broker law. The operative provisions go into effect January 1, 2027. So what should companies be focusing on? Different Scope The law revises several core definitions that determine when companies fall in scope. The most significant change is to “brokered personal information,” which now effectively covers all personal information, subject to a carve-out for publicly available data. Vermont has moved away from a narrow list of data elements and toward something closer to…More

A nationwide call recording and analytics service, uniformly deployed nationwide, that merely operates in California is not sufficient, standing alone, to establish specific personal jurisdiction under the California Invasion of Privacy Act (CIPA), according to a recent decision from the Central District of California. At issue was a wiretapping allegation arising out of call tracking and analytics technology used across a car dealership network. The plaintiff alleged that the deployment of call recording and analytics constituted unlawful interception of communications. The…More

A recent decision by Hungary’s Data Protection Authority (NAIH) offers a deceptively modest outcome, a €5,000 fine, but sends a much stronger signal on the evolving expectations around data minimization under the GDPR and ultimately, the US State Privacy laws. The decision reflects a strict, controller-centric approach, making clear that the key question in a data minimization analysis is whether the data actually retained by the controller is necessary and proportionate to the stated purpose. not whether individuals were…More

Data processing begins even before the data is received. A recent ruling of the Supreme Court of Spain clarifies the scope of GDPR obligations and the implications extend to the United States as well. In STS 1590/2026 (Judgment No. 390/2026, dated March 26, 2026), the Spanish Supreme Court held that the obligations of a data controller do not arise upon receipt of personal data, but beforehand, at the moment the controller decides what data to request from an individual, for what…More

An estimated 87% of companies now using AI-driven tools in their recruitment processes, and that figure has nearly doubled in just two years. AI-powered platforms can ingest millions of candidate profiles, enrich them with publicly available data, and deliver algorithmically ranked shortlists to employers far faster than a human recruiter. But, with that capability comes significant legal risk. In Kistler v. Eightfold AI Inc., two job applicants filed a class action lawsuit alleging that Eightfold AI, a company that uses a…More

Among US states, California is the only one that treats employees as full “consumers,” providing them the right to an employee notice and an applicant notice and employee rights. While California enforcement has not yet focused squarely on employer practices, a fresh call for public comments from CalPrivacy on how to strengthen employee privacy notices and rights signals this may soon change—and employers should take note. That Was Then: The California Consumer Privacy Act (CCPA) imposes meaningful privacy obligations on employers, not…More

The plaintiffs’ bar has been ramping up lawsuits under the California Invasion of Privacy Act (CIPA) and federal and state wiretapping statutes for years, and the wave is not receding. Tens of thousands of claims have been filed since 2022, with CIPA wiretapping continuing to accelerate in recent months. Meanwhile, plaintiffs are branching out beyond California to Florida, Pennsylvania, and Illinois, and increasingly relying on the federal Electronic Communications Privacy Act (ECPA) to reach companies nationwide. Companies outside of California are…More