The landscape of data privacy is rapidly changing as various states and federal agencies grapple with the implications of recent legislative and regulatory developments. In early May 2025, a significant shift occurred when the California Privacy Protection Agency (CPPA) voted to revise its proposed regulations on artificial intelligence (AI) and automated decision-making technology (ADMT). Amid mounting pressure from business groups and lawmakers, the agency's board unanimously agreed to water down the rules, which had been in development for over three years. This decision has raised concerns among consumer advocacy groups about the potential for diminished protections for Californians' data privacy.
The revisions to the proposed rules are projected to reduce compliance costs for businesses from an estimated $834 million to approximately $143 million in the first year of enforcement. Furthermore, it is anticipated that 90% of businesses initially required to comply with the regulations will no longer be subject to them. The changes come in the wake of a series of leadership shifts within the CPPA, including the departure of key figures who were seen as champions of consumer protection.
Governor Gavin Newsom intervened in the process, expressing concerns that the original rules overstepped the agency's authority and supported a rollback of the regulations. Critics argue that the amendments to the rules, which eliminate the regulation of behavioral advertising and narrow the definition of automated decision-making, may weaken safeguards intended to protect consumers from potential harms associated with AI technologies.
In a related development, the California Senate introduced S.B. 690, aimed at stopping lawsuits for violations of the California Invasion of Privacy Act (CIPA) based on the use of cookies and other online tracking technologies. This legislative move comes as a response to a trend of class-action lawsuits under CIPA, where plaintiffs claim that the use of tracking technologies violates privacy laws.
Meanwhile, the California Privacy Protection Agency has opened a public comment period on its proposed regulations for a Delete Request and Opt-Out Platform, allowing consumers to request the deletion of personal information from registered data brokers through a single submission. The comment period will remain open until June 10, 2025, providing an opportunity for stakeholders to weigh in on these important privacy issues.
On the federal level, the National Security Division of the U.S. Department of Justice (DOJ) released a compliance guide and FAQ to assist entities in adhering to new regulations aimed at protecting sensitive data from foreign adversaries. The DOJ announced a limited enforcement policy through July 8, 2025, indicating that it will not prioritize civil enforcement actions for violations occurring during this period, provided entities demonstrate good faith efforts to comply.
In another significant case, the Federal Trade Commission (FTC) expressed concerns regarding the bankruptcy proceedings of consumer genetics company 23andMe, which filed for bankruptcy in late March 2025. The FTC Chairman, Andrew N. Ferguson, emphasized the importance of safeguarding consumer data during the sale or transfer of personal information amidst the bankruptcy process. This situation has sparked a broader conversation about the adequacy of existing data privacy laws in managing consumer data during corporate bankruptcies.
Additionally, the U.S. District Court for the Western District of Arkansas struck down the Arkansas Social Media Safety Act (SMSA), which sought to limit minors' access to social media platforms. In response, the Arkansas Legislature passed S.B. 611 to amend the SMSA, expanding its scope and including additional online platforms while narrowing the age of applicability to users under 16.
Consumer advocacy groups are closely monitoring these developments, as they highlight the ongoing tension between regulatory efforts to protect consumer privacy and the interests of businesses seeking to innovate and operate in a competitive environment. The revised regulations and legislative proposals demonstrate the complex interplay between privacy rights and technological advancements.
In the wake of these changes, the Oregon Department of Justice reported a significant increase in complaints regarding the use of personal data by government entities, with over 250 complaints received in the first quarter of 2025 alone. This spike in complaints underscores the growing scrutiny of data privacy practices across various sectors.
As states continue to navigate the evolving landscape of privacy laws, the implications of these regulatory changes will likely reverberate beyond California, influencing national discussions on data protection and consumer rights. With public comment periods and ongoing legislative efforts, stakeholders have the opportunity to shape the future of data privacy regulations in the United States.
In summary, as states and federal agencies grapple with the complexities of data privacy, the balance between consumer protection and business interests remains a contentious issue. The recent amendments to the CPPA's proposed regulations, alongside legislative efforts like S.B. 690 and responses to the 23andMe bankruptcy, illustrate the dynamic nature of privacy law in an increasingly digital world.
