California Sets 30 Day Deadline for Data Breach Notifications

Heads up to entities doing business in California: your breach notification obligations are changing.  Joseph Lazzarotti of JacksonLewis explains: Governor Gavin Newsom recently signed SB 446 into law, introducing significant changes to California’s data breach notification requirements. The bill establishes deadlines for notifying consumers and the state’s Attorney General when personal information of California residents has been...

California’s New Delete Request Tool Impacts Data Brokers and Residents

How many readers would think about moving to California because of this regulation? It sounds great. Hunton Andrews Kurth writes: On September 26, 2025, following a public comment period, the California Privacy Protection Agency (“CPPA”) adopted its regulations concerning the Delete Request and Opt-Out Platform (“DROP”). The DROP is a tool developed to address the California Delete Act’s requirement...

Louisiana issues arrest warrant for California doctor who allegedly sent abortion pills

Nada Hassanein reports: Louisiana has issued an arrest warrant for a California doctor for allegedly mailing abortion pills to a Louisiana woman — the latest legal volley in an ongoing fight between states with abortion bans and those that have enacted protections for abortion providers who use telemedicine to send abortion medication over state lines....

HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with five health care providers, collectively known as Cadia Healthcare Facilities, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. The Cadia Healthcare Facilities are rehabilitation, skilled...

A former employee alleged Verily violated HIPAA. What healthcare marketers should know about the claims

Heerea Rikhraj reports: Health tech company Verily is facing a lawsuit filed by former employee Ryan Sloan alleging that the company wrongly terminated him after he escalated complaints that the team engaged in practices that violated the Health Insurance Portability and Accountability Act (HIPAA). Sloan was employed as the chief commercial officer for Onduo —...

Calif. Agency Fines Retailer $1.35M Over Data Privacy Lapses

Allison Grande reports: Rural lifestyle retailer Tractor Supply Co. will pay a $1.35 penalty and overhaul its data privacy practices to resolve the California privacy agency’s claims that it failed to properly notify consumers and job applicants of their privacy rights, maintain adequate agreements with service providers and provide consumers with an effective way to...

Harrods warns customers their personal data could have been stolen by hackers in new cyber-attack

Aidan Radnedge reports: Harrods has warned some customers that their personal data could have been taken in an IT systems breach – in the latest cyber-attack to hit a major UK firm. The luxury department store based in London’s Knightsbridge said information, such as names and contact details, of its e-commerce customers was taken after...

OCR Assumes Enforcement Authority of New Substance Use Disorder Treatment Records Privacy Rules

Hunton Andrews Kurth writes: The U.S. Department of Health and Human Services (“HHS”) recently delegated authority to the HHS Office for Civil Rights (“OCR”) to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026. In a Statement of Delegation of Authority, HHS assigned OCR the responsibility...

Appeals Dropped of Decision Vacating HIPAA Reproductive Health Privacy Rule, Confirming Apparent End of the Rule and Attestation Requirement

Conor Duffy of Robinson + Cole writes: On September 10, 2025, the U.S. Court of Appeals for the Fifth Circuit dismissed an appeal of the federal court ruling vacating key provisions of the HIPAA reproductive health care regulations, which appears to signal the end of the Purl case (previously discussed here) and to confirm the end of provisions...

Medical Wearables Under the Microscope: U.S. Regulatory, Data Privacy and Cybersecurity Perspectives

Anna Rudawski of A&O Shearman writes*: Wearable tech is everywhere: smart rings that track our every move, medical devices that can time and dose meds, luxury smartwatches… But as we obsess over our step counts and sleep scores, bigger questions arise. Are unseen eyes—doctors, developers, data brokers—also watching? Who’s protecting our data, and what boundaries—if...

Homebuyers Privacy Protection Act Amends FCRA

Hunton Andrews Kurth writes: On September 5, 2025, President Trump signed into law the Homebuyers Privacy Protection Act, H.R. 2808 (the “Act”), which amends the Fair Credit Reporting Act (“FCRA”) by restricting consumer reporting agencies (“CRAs”) from furnishing “trigger leads” except in certain limited circumstances.  A “trigger lead” occurs when a lender pays a CRA to produce...

SEC to Notify Crypto Businesses of Technical Violations Before Taking Action: Report

Wayne Jones reports: A report by the Financial Times revealed that the Securities and Exchange Commission (SEC) plans to issue crypto firms notices of technical violations before taking action. The move is a shift away from the aggressive enforcement approach that was pursued under former President Joe Biden. Trump-appointed SEC Chair Paul Atkins told the Financial Times...

China slaps 1-hour deadline on reporting serious cyber incidents

Paul Kunert reports: Beijing will soon expect Chinese network operators to ‘fess up to serious cyber incidents within an hour of spotting them – or risk penalties for dragging their feet. From November 1, the Cyberspace Administration of China (CAC) will enforce its new National Cybersecurity Incident Reporting Management Measures, a sweeping set of rules that tighten...

Chicago man suing Home Depot for allegedly using facial recognition at self-checkout without consent

Cory Santos reports: A lawsuit in Illinois accuses Home Depot of collecting customer data without consent. The plaintiff, Benjamin Jankowski, filed the class action suit against Home Depot on August 1 in US District Court, alleging violations of the state’s consumer privacy laws. Jankowski, a regular shopper at Home Depot, claims that when checking out...

Regulation Adds Privacy Protections for Patient Records on Substance Use Disorders

Jeremy Hays, Stephen Riga, and Leah Shepherd of Ogletree Deakins write: Entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including employer-sponsored health plans, have until February 16, 2026, to comply with additional privacy protections for patient records related to substance use disorder. A separate permission is required for disclosing information...

Google wasn’t against this privacy bill, officially. Behind the scenes, it orchestrated opposition

Google organized business owners against California legislation to force its Chrome web browser to safeguard personal data.

By: Khari Johnson and Yue Stella Yu

In April, Rhode Island resident Navah Hopkins received a plea for her help to defeat legislation thousands of miles away in California. The ask came from Google, maker of the world’s...

Three states team up in investigative sweep of companies flouting data opt-out laws

A joint investigative sweep across three states kicked off this week aimed at identifying companies that aren’t following opt-out laws for collecting consumer data.

The efforts, led by the state attorneys general, the California Privacy Protection Agency and other state regulators, will involve contacting businesses across all three states who may not be processing opt-out requests or using Global Privacy Control (GPC), and ensuring they start following the required regulations.

“Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request,” Attorney General Rob Bonta said in a statement. “Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers’ requests to stop selling their personal data and have asked them to immediately come into compliance with the law.”

California, Connecticut and Colorado all have laws requiring companies to adopt GPC, a browser extension that allows consumers to automatically and universally opt out of invasive data collection. The use of GPC is also required in other states, such as Texas, that aren’t part of this week’s enforcement actions.

According to the Privacy Tech Lab at Wesleyan University in Connecticut, GPC will “automatically send a signal or raise a privacy flag from your browser every time you visit a website.”

“This signal tells the website that you want to opt out of having your personal data sold or used for targeted advertising,” the lab noted.

Some browsers, like Mozilla’s Firefox, have this feature built into their product, while others, like Google’s Chrome, require a third-party extension to use it. But in most cases, it only takes a few minutes to set the protections up on your device or browser.

Connecticut Attorney General William Tong said in a statement that while “many businesses have been diligent in understanding these new protections and complying with the law,” the sweep was about “putting violators on notice today that respecting consumer privacy is non-negotiable.”

In response to questions about the scope of the joint investigation, when it began and whether noncompliant firms would face fines or other sanctions, a spokesperson for the California Department of Justice said in a statement to CyberScoop that the state has used the California Consumer Privacy Act in the past to get court orders and fine privacy offenders, including companies that failed to follow opt-out laws, citing a $1.2 million state fine paid by Sephora in 2022. The spokesperson described the current investigative sweep as “ongoing.”

“We’ve enforced the CCPA against companies, including for failing to honor opt-out requests via the GPC, and obtained both injunctive relief and civil penalties,” the spokesperson said. “Beyond this, to protect their integrity, we’re unable to comment on, even to confirm or deny, any potential or ongoing investigations.”

The sweep represents one of the larger nationwide efforts by states to enforce data privacy opt-out laws — one of the few legal protections U.S. consumers have to prevent wanton data collection and targeted advertising by companies.

Many states have privacy laws that require businesses to give consumers the option to opt out of having their data collected or sold to third parties. However, some businesses that profit from buying and selling data simply don’t comply with those laws or make the opt-out process so complicated that it can frustrate and discourage consumers from exercising their rights.

Last year, the CPPA conducted its own sweep of data brokers out of compliance with state laws amid evidence that at least 40% of the companies on the state’s data broker registry were not complying with — or flat out ignoring — requests from consumers to delete their data or opt out of collection.

In April, regulators from California, Colorado and Connecticut — along with four other states — formed a bipartisan consortium to work together on implementing and enforcing common privacy laws across state borders. The other states in the coalition are Delaware, Indiana, New Jersey and Oregon.

This story was updated Sept. 11, 2025, with comments from the California Department of Justice.

The post Three states team up in investigative sweep of companies flouting data opt-out laws appeared first on CyberScoop.

English Court of Appeal Rules on Compensation for Data Breaches

There’s an update to Farley v Equiniti. Ann Bevitt and Morgan McCormack of Cooley write: The English Court of Appeal has handed down an important judgment in Farley v. Paymaster (Equiniti) [1] on when compensation may be claimed for nonmaterial damage (such as distress or anxiety) arising out of breaches of the General Data Protection Regulation (GDPR) and the...
