Data privacy is no longer a static compliance checkbox—it’s a dynamic and rapidly evolving field. As legislation continues to shift and customer demographics change, privacy policies must be regularly reviewed and updated to reflect the current scope of your business operations and services. For instance, California requires annual updates to privacy policies, and regulators can easily see if your privacy policy is out of date. Enforcement-minded state attorneys general are working together to enforce new privacy requirements. At Michael Best, we’re closely monitoring these developments to help our clients stay ahead of regulatory changes and bolster compliance. Below are key trends and recent legal updates that may impact your organization’s privacy obligations.
1. Lower Applicability Thresholds
- The comprehensive privacy laws of states like Maryland, Delaware, New Hampshire, New Jersey, and Rhode Island now apply to businesses that process the personal data of 35,000 consumers, bringing mid-sized businesses into scope.
2. Sensitive Data Restrictions
- For instance, Maryland, Connecticut, and New Jersey prohibit the sale of sensitive personal information without prior consent. Sensitive data includes data elements such as biometric, health, racial or ethnic origin, and neural data.
- Maryland goes one step further and prohibits the sharing or sale of sensitive data of minors, including those between 13 and 18. This is a significant risk for businesses that serve mixed audiences, such as retail or video gaming.
3. Profiling & Automated Decision-Making
- Connecticut, Minnesota, and Delaware grant consumers rights to:
  - Know if profiling occurs
  - Access the logic and data used in profiling and automated decision-making
  - Contest ADMT decisions and request human review
- For instance, California’s CPPA adds ADMT rules (effective January 1, 2026, with phased reporting over 2027) requiring pre-use notice, opt-out rights, and transparency for significant decisions.
4. Expanded Consumer Rights
- All states with comprehensive consumer privacy laws now include rights to access, correct, delete, and port data, and most states also require companies to honor opt-out rights for the sale of personal information, targeted advertising, and profiling.
- Minnesota and Oregon require disclosure of specific third parties, not just categories.
5. Enforcement Trends
- Cure periods are shrinking or eliminated (e.g., Montana), signaling stricter enforcement.
- State AGs (e.g., CA, CT, CO) are conducting coordinated sweeps on a variety of disclosure requirements, including those that can be checked directly against your privacy policy.
6. California Security Audit and Certification Regulations
- CPPA regulations (Sept 2025) mandate annual cybersecurity audits for businesses with:
  - Revenue > $25M AND
  - Processing of PI of ≥ 250,000 residents or sensitive PI of ≥ 50,000 residents.
- Specific Requirements: Audits must include a system overview, gap analysis, breach review, and executive certification.
- Tiered Implementation: The first compliance phase starts January 2026. Audit certifications for companies with more than $100 million in annual revenue are due in April 2028; companies with $50 million to $100 million in annual revenue must complete their audit by April 2029; and companies subject to the CCPA with annual revenue under $50 million must certify audit completion by April 2030.
7. Universal Opt-Out Mandates in several states (i.e., California, Colorado, Connecticut, Delaware, Montana, New Jersey, Oregon, and Texas)
- State AGs for CO, CA, and CT have publicly announced sweeps to check compliance with Universal Opt-Out Mechanisms.
- For instance, Healthline Media LLC was fined $1.55 million by CA AG Bonta (July 2025), in part for non-compliance with opt-outs.
8. The California Invasion of Privacy Act (“CIPA”) and other state wiretapping laws have given rise to class action suits claiming that a failure to provide clear and working cookie consent mechanisms that properly effectuate opt-outs can constitute a violation of pen register and trap-and-trace laws. While courts disagree over whether plaintiffs have standing in these cases, the trend reinforces the need for transparent opt-outs and compliant processes to ensure your website honors the choices it offers.
- Courts are split. For example, in Gabrielli v. Motorola Mobility LLC,[1] the court denied a motion to dismiss, finding a potential CIPA violation where the defendant’s cookie banner offered an opt-out of all tracking cookies but some trackers remained active after the plaintiff opted out. By contrast, in Rodriguez v. Autotrader.com, Inc.,[2] a federal court held that a plaintiff who had “tested” the website could not demonstrate injury in fact and lacked standing.
- Compliance matters. Companies must honor opt-outs and ensure their consent tools actually stop cookies from being used for customers who decline. State privacy regulations that prohibit dark patterns and mandate frictionless opt-out procedures must be followed if your website engages in targeted advertising.
Privacy laws are growing and maturing—so should your policies and compliance programs. If you haven’t reviewed your policies this year, now’s the time. Reach out to the authors of this post to make sure your business is ready for what’s next.
[1] 24-cv-09533-JST (N.D. Cal. Jul. 14, 2025).
[2] 762 F. Supp. 3d 921 (C.D. Cal. 2025).
Related People

Elaine is a trusted advisor delivering clear and practical advice on cybersecurity, privacy, AI, and consumer regulations affecting clients in tech, telecom, financial services, and other SaaS-based industries. With over 20 years of legal experience, she has developed deep experience in privacy law, data protection, and incident response. She has led the design and implementation of enterprise-wide privacy and data governance programs tailored to business strategy and regulatory frameworks such a ...

Guy counsels clients on privacy and data security matters including compliance with U.S. and E.U. data protection and privacy laws, the development of company privacy programs, and responding to and mitigating data breaches.