Insights
Search Results
Alerts
6.05.26
Connecticut Updates Its Data Privacy Act, Imposing Significant New Privacy Requirements
Last month, the Connecticut legislature passed two bills that amend and expand the Connecticut Data Privacy Act (CTDPA): Senate Bill 4 (SB 4) and House Bill 5222 (HB 5222). SB 4 (which was signed into law on May 27, 2026) and HB 5222 (which amends parts of SB 4 and was signed into law on June 2, 2026) contain new requirements for businesses and data brokers operating in the Constitution State.
Alerts
10.16.25
California Enacts Nearly a Dozen Key Privacy and AI Bills into Law
On October 13, 2025, California concluded a busy legislative term by enacting a slew of key privacy and AI-related bills, aimed at enhancing consumer protection and regulating emerging AI technology applications. These measures address a range of critical issues, including consumer opt-out signals, data broker transparency requirements, age assurance, minors’ safety, companion chatbots, and AI development. We summarize some of the most significant of these privacy and AI bills that were signed into law by California Governor Gavin Newsom, below.
Alerts
9.10.25
State AGs Unveil Investigation Sweep Targeting Businesses Ignoring Consumer Opt-Out Signals
On September 9, 2025, the attorneys general of California, Colorado, and Connecticut and the California Privacy Protection Agency (CPPA) announced a joint investigative sweep of potential failures by businesses to honor consumers’ rights to opt out of the sale and sharing of their personal information and targeted advertising under state comprehensive privacy laws. Notably, the sweep takes specific aim at whether companies are fulfilling consumer opt out requests sent via Global Privacy Control (GPC) signals.
Alerts
9.04.25
U.S. Federal Court Allows CIPA Class Action Against AI Customer Service Provider to Proceed
On August 11, 2025, the U.S. District Court for the Northern District of California denied a motion to dismiss a California Invasion of Privacy Act (CIPA) class action lawsuit filed against ConverseNow Technologies, Inc.
Alerts
7.30.25
CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations
On July 24, 2025, the California Privacy Protection Agency (CPPA) Board voted to approve a long-awaited rulemaking package imposing substantial new compliance obligations on businesses subject to the California Consumer Privacy Act (CCPA). The package contains finalized rules on AI-related, automated decision-making technologies (ADMT), cybersecurity audits, and risk assessments, as well as updates to existing CCPA regulations. These regulations will impact a broad swath of businesses handling personal information of California residents.
Client Highlights
6.06.25
Wilson Sonsini Advises Plus on Business Combination with Churchill IX
On June 5, 2025, Plus Automation (Plus), a physical AI company commercializing AI-based virtual driver software for autonomous trucks, and Churchill Capital Corp IX (Churchill IX), a special purpose acquisition company, announced that they have entered into a definitive agreement to effect a business combination. Wilson Sonsini Goodrich & Rosati advised Plus on the transaction.
Alerts
5.08.25
CPPA Board Opens Draft Regulations for Public Comment
On May 1, 2025, the California Privacy Protection Agency (CPPA) Board met again to discuss updates to the latest draft California Consumer Privacy Act (CCPA) regulations related to automated decision-making technology (ADMT), cybersecurity audits, risk assessments, and an assortment of other updates to existing regulations. These latest updates come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. In April 2025, the Board continued to grapple with public concerns and received hundreds of public comments on the prior draft regulations, an analysis of which can be found in this recent client alert. At the CPPA meeting last week, CPPA staff proposed significant changes to the prior draft, on which the Board provided more feedback and agreed to open the regulations for public comment as soon as this week and closing June 2, 2025.
Alerts
4.16.25
CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations
On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.
Alerts
3.19.25
Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer
On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their out-opt rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.
Alerts
3.12.25
CPPA Votes Out Proposed Delete Request and Opt-Out Platform (DROP) Data Broker Regulations
On March 7, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss its proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) and voted to authorize CPPA staff to advance the regulations to formal rulemaking. As mandated by the Delete Act (discussed in a previous alert), the DROP will allow California residents to submit a single request to delete all personal information held by all data brokers operating in the state via an accessible mechanism. Data brokers would be required to access the DROP for updates every 45 days and delete the personal information of any state resident that matched the data broker’s records unless a deletion exception set forth in the California Consumer Privacy Act (CCPA) applies. These regulations also follow the CPPA’s November 2024 meeting, during which CPPA staff provided an update on the development of the DROP.
Alerts
11.18.24
California’s Privacy Regulatory Odyssey Continues: Formal CCPA Rulemaking on the Horizon Amidst Expanded Data Broker Requirements
On November 8, 2024, the California Privacy Protection Agency (CPPA) Board met to discuss
and vote on various proposed California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and a wide assortment of other updates to existing CCPA regulations; data broker registration regulations; and the development of the Delete Request and Opt-Out Platform (DROP) required by the Delete Act. The CPPA Board also voted to approve settlements with two data brokers for allegedly failing to register and pay an annual fee as required by the Delete Act.
and vote on various proposed California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, automated decision-making technology (e.g., artificial intelligence (AI)), privacy risk assessments, and a wide assortment of other updates to existing CCPA regulations; data broker registration regulations; and the development of the Delete Request and Opt-Out Platform (DROP) required by the Delete Act. The CPPA Board also voted to approve settlements with two data brokers for allegedly failing to register and pay an annual fee as required by the Delete Act.
Alerts
10.17.24
Subscription and Auto-Renew Offerings Face New Hurdles: FTC Issues Broad “Click-to-Cancel” Rule Imposing Nationwide Requirements
Companies that automatically renew customers’ subscriptions or memberships, take note. On October 16, 2024, the Federal Trade Commission (FTC) announced sweeping amendments to the Negative Option Rule, which would apply to a host of subscription-based products and services that have an auto-renewal feature (i.e., a negative option offering), including those directed to businesses. The Rule includes specific and prescriptive requirements, such as requirements to 1) obtain consumers’ affirmative consent to an auto renewal feature “separate from any other portion of the transaction,” 2) present all material terms of the transaction “immediately adjacent to” the means of recording consumer consent, and 3) allow for simple cancellation in the same medium the consumer used to consent, noting that a chatbot cancellation method would not be acceptable unless the initial transaction was made through a chatbot. Violations of the Rule would be subject to $51,744 in civil penalties per violation.