Full-Service Law Firm solving complex challenges through bold thinking, precise execution, and shared purpose.

Full Service Law Firm | Michael Best & Friedrich LLP

Specializing in the Intersection of Business &amp; Government

Meet our team of trusted advisors, strategic thinkers, and community builders dedicated to client success.

Learn about our full-service legal and business solutions, designed to address complex challenges for leading organizations across industries.

Access thought leadership, news, and resources to stay informed about the latest trends, legal developments, and industry innovations.

Discover how partnership, bold thinking, and precise execution drive results for clients nationwide.

Explore how our national reach and local expertise support clients across the United States and beyond.

Grow at a firm designed to bring out your best.

Data privacy is no longer a static compliance checkbox—it’s a dynamic and rapidly evolving field. As legislation continues to shift and customer demographics change, privacy policies must be regularly reviewed and updated to reflect the current scope of your business operations and services.

core/paragraph

For instance, California requires annual updates to privacy policies, and regulators can easily see if your privacy policy is out of date. Enforcement minded state attorneys general are working together to enforce new privacy requirements. At Michael Best, we’re closely monitoring these developments to help our clients stay ahead of regulatory changes and bolster compliance. Below are key trends and recent legal updates that may impact your organization’s privacy obligations.

core/heading

States like Maryland, Delaware, New Hampshire, New Jersey, and Rhode Island now apply at 35,000 consumers, making mid-sized businesses subject to compliance.

core/list-item

core/list

For instance, Maryland, Connecticut, and New Jersey prohibit the sale of sensitive personal information without prior consent. Sensitive data includes data elements such as biometric, health, racial/ethnic origin, and neural data.

Maryland takes it one step further and prohibits the sharing or sale of sensitive data of minors, including those between 13 and 18. This is a significant risk for certain businesses that serve mixed audiences such as retailing or video-gaming.

3. Profiling &amp; Automated Decision-Making

Connecticut, Minnesota, and Delaware grant consumers rights to:

For instance, California CPPA adds ADMT rules (effective January 1, 2026, with phased reporting over 2027) requiring pre-use notice, opt-out rights, and transparency for significant decisions.

All states with comprehensive consumer privacy laws now include rights to access, correct, delete, and port data, plus most states require companies to honor opt-out rights for sale of personal information, targeted ads, and profiling.

Minnesota and Oregon require disclosure of specific third parties, not just categories.

Cure periods are shrinking or eliminated (e.g., Montana), signaling stricter enforcement.

Coordinated sweeps by state AGs on a variety of disclosure requirements, including those which can be identified in your privacy policy (e.g., CA, CT, CO).

6. California Security Audit and Certification Regulations

CPPA regulations (Sept 2025) mandate annual cybersecurity audits for businesses with:

Specific Requirements: Audits must include a system overview, gap analysis, breach review, and executive certification.

Tiered Implementation: First compliance phase starts January 2026, audit certifications for more than $100 million in annual revenues due in April 2028; companies with more than $50-100 million must complete audit by April 2029; and companies subject to CCPA with annual revenues less than $50 million must certify to audit completion by April 2030.

7.  Universal Opt-out Mandates in several states

(i.e., California, Colorado, Connecticut, Delaware, Montana, New Jersey, Oregon, and Texas).

State AGs for CO, CA, and CT have publicly announced sweeps to detect compliance with Universal Opt-Out Mechanisms.

For instance, Healthline Media LLC was fined $1.55 million by CA AG Bonta, including for non-compliance with Opt-Outs. (July 2025).

8. California Invasion of Privacy Act (“CIPA”)

CIPA and other state wiretapping laws have given rise to class action suits claiming failure to have clear and working cookies consent that properly effectuate opt outs can lead to violations of pen register and trap and trace laws. While different courts are at odds over whether there is standing for these cases, there are some trends that re-enforce the need for having transparent opt-outs and compliant processes to ensure your website is compliant with these policies.

Courts are Split. For example, Gabrielli v. Motorola Mobility LLC,<a title="" name="_ftnref1" href="#_ftn1">[1]</a> the court denied a motion to dismiss finding potential violation of CIPA where defendant’s cookies banner offered opt out of all tracking cookies, but some trackers remained active after plaintiff opted out. Whereas in Rodriguez v. Autotrader.com, Inc.<a title="" name="_ftnref2" href="#_ftn2">[2]</a>, a federal court held a plaintiff that “tested” the website could not demonstrate injury in fact and lacked standing.

Compliance matters. Companies must recognize opt outs and ensure tools can effectively stop use of cookies for customers who are declining. State privacy regulations that prohibit dark patterns, and mandate frictionless opt-out procedures must be followed if your website is engaged in targeted advertising.

Privacy laws are growing and maturing— so should your policies and compliance programs. If you haven’t reviewed your policies this year, now’s the time. Reach out to the authors of this post to make sure your business is ready for what’s next.

core/separator

<a title="" href="#_ftnref1" name="_ftn1">[1]</a> 24-cv-09533-JST (N.D. Cal. Jul. 14, 2025).

<a title="" href="#_ftnref2" name="_ftn2">[2]</a> 762 F. Supp. 3d 921 (C.D. Cal. 2025).

Digital padlock icon at the center of a glowing circular network pattern in blue and purple tones.

Abstract purple and blue digital background with curved dotted lines and glowing light particles.

Privacy Policy and Program Updates to Address Regulatory and Enforcement Trends

Related People

Related Capabilities

You may also be interested in these

USTR Announces President Trump’s 2026 “America First” Trade Policy Agenda

From Idea to Asset: Turning a Business Name into a Protectable Brand

Merging Missions: What Religious Non-Profits Need to Know Before Joining Forces