California’s most recent revisions to the California Consumer Privacy Act (CCPA) regulations mark a significant expansion of the State’s privacy framework.
On September 22, 2025, the California Office of Administrative Law...more
1/28/2026
/ Automated Decision Systems (ADS) ,
California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
Compliance ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
New Regulations ,
Popular ,
Privacy Laws ,
Reporting Requirements ,
Risk Assessment ,
Risk Management ,
State Data Privacy Laws ,
State Privacy Laws
A recent decision from the U.S. District Court for the Western District of Michigan, Goodman v. Hillsdale College (No. 1:25-cv-417, Oct. 17, 2025), denied Hillsdale College’s motion to dismiss a proposed class action brought...more
10/27/2025
/ Class Action ,
Cookies ,
Data Privacy ,
Data Protection ,
Data Security ,
Data-Sharing ,
Discovery ,
Educational Institutions ,
Liability ,
Litigation Strategies ,
Online Platforms ,
Prior Express Consent ,
Video Privacy Protection Act ,
Web Tracking ,
Websites
As part of our Accountability in 2025 focus, TC’s Cybersecurity, Privacy and Data Governance team is examining how a recent whistleblower suit against Meta is shifting the regulatory conversation—away from paper policies and...more
10/17/2025
/ Consumer Information ,
Consumer Privacy Rights ,
Corporate Culture ,
Cybersecurity ,
Data Management ,
Data Privacy ,
Data Protection ,
Data Security ,
Enforcement Actions ,
Facebook ,
Information Governance ,
Information Technology ,
Online Platforms ,
Policies and Procedures ,
Regulatory Requirements ,
Sensitive Personal Information ,
Social Media ,
WhatsApp ,
Whistleblowers
California Attorney General Rob Bonta announced a settlement between the State of California and DoorDash on February 21, 2024, regarding allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the...more
2/29/2024
/ Attorney General ,
California ,
California Consumer Privacy Act (CCPA) ,
CalOPPA ,
Consumer Privacy Rights ,
Data Selling ,
Data-Sharing ,
DoorDash ,
Opt-Outs ,
Personal Information ,
Settlement
The California Chamber of Commerce filed a petition to the California Supreme Court on February 20, 2024, seeking review of a February 9, 2024 appellate decision that paved the way for the state’s privacy enforcement agency,...more
On Friday, July 14, the California Privacy Protection Agency (“CPPA”) Board held a public meeting to address a broad, fourteen-point agenda that ranged from updates on the Agency’s budget to the status of ongoing rulemaking...more
California, like most other states, applies the “reasonable consumer” test to deceptive advertising or labeling claims. California’s Attorney General Rob Bonta recently weighed in on a Ninth Circuit appeal involving the...more
The Federal Trade Commission (“FTC”) has kicked off what may be a new wave of digital health compliance enforcement. On February 1, 2023, the FTC announced its first enforcement action under the Health Breach Notification...more
Zelle, the peer-to-peer money transfer platform owned and operated by a group of some of the largest American banks, offers speed and ease to customers who want to transfer money quickly to family and friends. That speed and...more
The CPRA amends key provisions of the existing law, the California Consumer Privacy Act (CCPA), including to create new consumer rights and impose new obligations on businesses. The chair of Thompson Coburn’s Cybersecurity...more
On October 24, 2022, the Transportation Security Administration (“TSA”) released Security Directive 1580/82-2022-01 regarding “Rail Cybersecurity Mitigation Actions and Testing.” The directive is applicable to freight...more
On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetics retailer Sephora resolving alleged violations of the California Consumer Privacy Act (CCPA). Although the CCPA has...more
On August 22, 2022, the Federal Trade Commission (“FTC”) published an advance notice of proposed rulemaking (“ANPR”) that requests “public comment on the prevalence of commercial surveillance and data security practices that...more
9/30/2022
/ Advanced Notice of Proposed Rulemaking (ANPRM) ,
Comment Period ,
Consumer Information ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
Federal Trade Commission (FTC) ,
Public Comment ,
Surveillance ,
Unfair or Deceptive Trade Practices
Connecticut and Utah both enacted comprehensive privacy laws this spring. On March 24, 2022, Utah became the fourth state to enact a comprehensive data privacy law when Governor Spencer Cox signed Senate Bill 227, known as...more
Members of Thompson Coburn’s Cybersecurity practice, including chair Jim Shreve, Los Angeles-based litigation partner Luke Sosnicki, and Chicago-based litigation associate Dremain Moore, will discuss primary sources of cyber...more
4/8/2022
/ Business Litigation ,
Continuing Legal Education ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Incident Response Plans ,
Popular ,
Risk Mitigation ,
Webinars
Multiple privacy bills were introduced in California on or just before February 18, 2022, the last day for bills to be introduced in the legislature’s current session.
CCPA/CPRA Revisions -
The most noteworthy of the...more
3/7/2022
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
Data Collection ,
Data Privacy ,
Educational Institutions ,
Online Safety for Children ,
Personally Identifiable Information ,
Private Right of Action ,
Proposed Legislation ,
State Privacy Laws
On February 9, 2022, the SEC announced proposed rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. The proposed rule is available...
The SEC’s fact sheet on the proposed rule notes that...more
On October 27th, the FTC issued the final version of the agency’s Gramm-Leach-Bliley Act Safeguards Rule. Although the rule is new, its primary source, the New York Department of Financial Services cybersecurity regulation,...more
2/4/2022
/ Continuing Legal Education ,
Cybersecurity ,
Data Security ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
Financial Services Industry ,
Gramm-Leach-Blilely Act ,
New Rules ,
NYDFS ,
Popular ,
Safeguards Rule ,
Webinars
On October 27, 2021, the Federal Trade Commission (“FTC”) announced significant updates to the Safeguards Rule. The FTC asked for comments on the Rule in 2019, and held a public workshop on the Rule in 2020. The Final Rule...more
12/21/2021
/ Comment Period ,
Customer Information ,
Cybersecurity ,
Data Breach ,
Data Security ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
Financial Services Industry ,
Information Security ,
Popular ,
Public Comment ,
Safeguards Rule
The Federal Deposit Insurance Corporation, Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (the “prudential banking regulators”) issued a final rule regarding the...more
12/16/2021
/ Banking Sector ,
Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Data Security ,
FDIC ,
Federal Reserve ,
Final Rules ,
Notification Requirements ,
OCC ,
Reporting Requirements
On October 27th, the FTC issued the final revised version of the agency's Gramm-Leach-Bliley Act Safeguards Rule. The revised Safeguards Rule has been years in the making and marks a significant change in how the agency will...more
11/11/2021
/ Continuing Legal Education ,
Cybersecurity ,
Data Security ,
Educational Institutions ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
Financial Services Industry ,
Gramm-Leach-Blilely Act ,
New Rules ,
Popular ,
Safeguards Rule ,
Webinars
The Second Circuit recently joined a growing number of federal courts to decide when a data breach of personally identifiable information (“PII”) is actionable. According to the Second Circuit, plaintiffs do not have standing...more
The California Privacy Rights and Enforcement Act (“CPRA”), formerly known as Proposition 24, passed on November 3, 2020. The CPRA is intended to supplement privacy protections for Californians that were first established by...more
The U.S. Supreme Court’s 5-4 decision in TransUnion LLC v. Ramirez may make the road to privacy class actions harder. But recent decisions in the wake of Ramirez suggest the full impact of the decision remains to be seen....more
10/14/2021
/ Article III ,
Class Action ,
Class Members ,
Credit Reporting Agencies ,
Credit Reports ,
Fair Credit Reporting Act (FCRA) ,
FDCPA ,
Injury-in-Fact ,
Invasion of Privacy ,
Putative Class Actions ,
SCOTUS ,
Spokeo v Robins ,
Standing ,
TransUnion ,
TransUnion LLC v Ramirez
The U.S. Supreme Court’s 5-4 decision in TransUnion LLC v. Ramirez may make the road to privacy class actions harder. But recent decisions in the wake of Ramirez suggest the full impact of the decision remains to be...more
10/11/2021
/ Article III ,
Class Action ,
Class Members ,
Credit Reporting Agencies ,
Credit Reports ,
Fair Credit Reporting Act (FCRA) ,
Injury-in-Fact ,
SCOTUS ,
Standing ,
TransUnion ,
TransUnion LLC v Ramirez