- California CCPA Amendments, Rulemaking, and Enforcement Update
- Texas Vigorously Pursuing Privacy Law Enforcement
- New York – New Child and Teen Online Safety Bills
- U.S. State Privacy Laws Developments
- FTC Data Privacy Enforcement Activity
California Bills, Rulemaking, and Enforcement Update
CPPA automated decision-making technology
On November 22, 2024, the California Privacy Protection Agency (CPPA) opened the formal public comment period on its proposed regulations for cybersecurity audits, risk assessments, automated decision-making technology (ADMT) and insurance companies; the comment period ended on January 14, 2025.
California's proposed ADMT regulations have garnered particular interest, as they would give consumers the right to know when automated decisions were made using their data—and to opt out—for such key areas as employment, loans, education and healthcare. The regulations would cover businesses that use ADMT to make "significant decisions" impacting consumers, such as decisions to provide or deny financial services, employment, educational opportunities or healthcare services. Also covered would be businesses using ADMT for "extensive profiling" to analyze consumers' conduct at work or at school, in public places or for behavioral advertising. You can read the CPPA fact sheet here.
California 2024 CCPA amendment recap
At the end of its legislative session in August, the legislature passed six amendments to the California Consumer Privacy Act (CCPA), two of which Governor Newsom vetoed. Notably:
- Two bills, which Newsom signed into law, amended the CCPA to clarify that "personal information" can include digital and abstract digital formats, such as from artificial intelligence; and that "sensitive personal information" includes neural data, which is defined as "information that is generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from nonneural information."
- A bill requiring that companies acquiring personal data through a merger or acquisition must comply with opt-out requests made by consumers to the transferring entity was also signed into law.
- Governor Newsom vetoed one CCPA amendment that would have imposed new restrictions on the collection of personal data from consumers under the age of 18, and another that would have required businesses to incorporate opt-out mechanisms into online browsers and platforms.
CPPA Enforcement Actions
- CPPA Enforcement Advisory on dark patterns. In September, the CPPA issued an Enforcement Advisory declaring that deploying "dark patterns," which it defined as "[u]ser interfaces or choice architectures that have the substantial effect of subverting or impairing a consumer's autonomy, decision-making or choice," is a "privacy-averse practice." The Advisory provides some fact scenarios to explain how this applies in practice; read the full advisory here.
- Data broker registration sweep. In October, the CPPA launched an investigative sweep of data broker registration compliance with the Delete Act. With a January 31, 2025 deadline of registering as a data broker approaching, the CPPA reminded data brokers of their obligations to register and to follow reporting and disclosure obligations. The agency adopted data broker regulations in November, which include provisions that clarify registration requirements, require disclosures about exempt data collection practices, and clarify procedures for registration changes. Read the press release here.
Texas vigorously enforcing consumer and privacy protections
The office of Texas Attorney General Ken Paxton has undertaken a series of major enforcement actions in 2024, reaching notable settlements in some cases.
In December, the AG's office announced a new probe into more than ten technology companies, including Discord and Reddit, for potential violations of children's privacy under the state's Securing Children Online through Parental Empowerment (SCOPE) Act and the Texas Data Privacy and Security Act. These laws require companies to obtain parental consent before collecting or sharing minors' personal information and mandate tools for parents to manage privacy settings. "Technology companies are on notice that my office is vigorously enforcing Texas's strong data privacy laws," Paxton said of this latest probe.
In August, the Texas AG sued General Motors for allegedly unlawfully collecting and selling more than 1.8 million Texans' private driving data to insurance companies and other third parties without their consent. The lawsuit alleges that GM used vehicle technology to secretly gather detailed driving data, misled customers during vehicle onboarding, and sold this information, including "driving scores," for profit. This action is part of Paxton's broader initiative to enforce data privacy laws and protect Texans from "invasive" business practices.
The state recently reached an unprecedented settlement with Pieces Technologies, Inc., a healthcare artificial intelligence (AI) company, over allegedly deceptive claims about the accuracy and safety of its Generative AI products used in hospitals. The company's technology is used to summarize patient conditions and draft clinical notes. The AG alleged that the company violated the Texas Deceptive Trade Practices – Consumer Protection Act by making false and misleading claims about the accuracy and low hallucination rates of its AI output. Under the settlement, Pieces must now provide accurate disclosures of its AI product's performance, including hallucination rates, and ensure that hospital staff are properly trained on the AI's limitations and appropriate use.
The Texas AG has also secured a US$1.4 billion settlement with a global social media company over its allegedly unauthorized capture of biometric data, marking the largest privacy settlement ever obtained by a single state. The lawsuit, filed in 2022, accused the social media company of collecting facial recognition data from millions of Texans without their consent, violating Texas's "Capture or Use of Biometric Identifier" Act. The settlement includes a "safe harbor" provision that allows the social media company to seek advance guidance from the AG's office on the application of Texas biometric data laws to its conduct and curtails the state's ability to take enforcement action against conduct that it fails to object to.
New York child and teen online safety bills
New York State in 2024 enacted two new laws aimed at protecting the online safety of children and teens. The New York Child Data Protection Act (NYCDPA) protects users of online sites or services that are primarily directed to minors and users who the operator of any site or service knows to be under the age of 18. Operators may not process the personal data of these users without consent. There are exemptions for data processing that is "strictly necessary" for certain enumerated purposes for children ages 13 to 17 or that otherwise is permitted under the federal Children's Online Privacy Protection Rule (COPPA) for kids under the age of 13. It will go into effect on June 20, 2025.
The Stop Addictive Feeds Exploitation (SAFE) for Kids Act is intended to address concerns that children in New York are experiencing a mental health crisis caused by harmful social media use. The SAFE for Kids Act prohibits social media platforms from providing minors with an "addictive feed" that uses data related to that child to personalize the content they are shown. The Act also restricts social media platforms from sending notifications "concerning an addictive feed" to a known child between the hours of 12 and 6 a.m. without parental consent. The NY Attorney General's office is still finalizing the implementing regulations; the SAFE for Kids Act will enter into force 180 days after regulations are finalized.
Continuing with measures directed at online child safety, the legislature in November introduced the New York Children's Online Safety Act for consideration in the 2025 session. This bill applies to online gaming and social media platforms and would restrict interactions between minors and users they are not connected with, which could be overridden only with parental consent.
US state data privacy law developments
The US state privacy law landscape continues to evolve, with several comprehensive data privacy laws enacted and entering into force in 2024 and 2025, and some states with existing laws passing amendments. Some noteworthy state developments include:
- Several new data privacy laws became effective January 1, 2025: Delaware, Iowa, Nebraska and New Hampshire.
  - The Delaware law is largely consistent with other state data privacy laws, except that it does not exempt nonprofits and academic institutions from its coverage.
  - The Iowa law does exempt nonprofits and academic institutions (and other entity types typically excluded in privacy laws, such as HIPAA-covered entities), but Iowa does not have a minimum revenue threshold for entities to be subject to the law.
  - Similar to the Texas Data Privacy and Security Act, the Nebraska Data Privacy Act does not contain a revenue threshold nor a minimum number of consumers whose personal data is processed or sold for the law to apply. As such, the Act will sweep up a broader array of businesses under its jurisdiction.
  - Unlike some other state data privacy laws that sunset their cure provisions after an initial period, the New Hampshire Attorney General will have continuing discretion after January 1, 2026 to provide an opportunity to rectify alleged deficiencies.
- The 2024 Oregon law adds new categories of "sensitive data," including status as a crime victim and status as transgender or non-binary; the Texas law has a "sensitive data" definition that includes information revealing "sexuality" rather than specifically sexual orientation.
- The 2024 Florida law applies mostly to large corporations with more than US$1 billion in revenue. It provides special protections for children: online platforms that are predominantly accessed by children are prohibited from processing the personal information of children, if the online platform has actual knowledge or willfully disregards that such processing poses a substantial risk of harm to their privacy.
- New Hampshire has formed a Data Privacy Unit that will sit within the Consumer Protection and Antitrust Bureau and have primary responsibility for enforcing the state's Data Privacy Act.
- In October, amendments to the Connecticut Data Privacy Act, which create a "duty of confidentiality" to avoid a "heightened risk of harm" to minors using their services, took effect.
The chart below lists states with laws going into effect in the second half of 2024 and beyond.
| State | Date passed | Entry into effect |
| --- | --- | --- |
| Oregon | July 2023 | July 1, 2024 |
| Texas | June 2023 | July 1, 2024 |
| Florida | September 2023 | July 1, 2024 |
| Iowa | March 2023 | January 1, 2025 |
| Delaware | September 2023 | January 1, 2025 |
| New Hampshire | March 2024 | January 1, 2025 |
| Nebraska | April 2024 | January 1, 2025 |
| New Jersey | January 2024 | January 15, 2025 |
| Tennessee | May 2023 | July 1, 2025 |
| Minnesota | May 2024 | July 31, 2025 |
| Maryland | May 2024 | October 1, 2025 |
| Kentucky | April 2024 | January 1, 2026 |
| Rhode Island | June 2024 | January 1, 2026 |
FTC data privacy and cybersecurity enforcement activity
The Federal Trade Commission (FTC) brought four enforcement actions in 2024 that addressed sensitive location data. These enforcement actions underscore the need to establish appropriate information security practices and to obtain affirmative consent for the sharing of sensitive data. The FTC further required companies to establish a sensitive location data program and address consumer rights requests.
- The FTC charged X-Mode/Outlogic with transferring consumer data that revealed visits to sensitive locations such as medical clinics or places of worship, without anonymizing the data.
- The FTC charged Verkada, a security camera firm, with failing to use appropriate information security practices, allowing a threat actor to access customer support accounts, view customer cameras, and access personal information relating to customers and consumers, including health and location data.
- The FTC charged Mobilewalla, a data broker, with selling raw location data that could identify individuals and track them to sensitive locations, collecting consumers' information from real-time-bidding exchanges and using it for non-advertising purposes, and failing to take reasonable steps to confirm with other data suppliers that consumers consented to the collection and use of their information.
- The FTC charged Gravy Analytics and Venntel with disclosing consumers' precise geolocation information; selling data that is individually identifiable; collecting, using, or selling mobile location data without consumer consent and failing to take reasonable steps to confirm consent; and targeting consumers based on sensitive characteristics and behaviors.
It's important to note that although there were not a large number of FTC actions involving sensitive personal data, the FTC was still very active in 2024, enforcing data privacy and cybersecurity protections in 22 matters.
White & Case’s Data Privacy and Cybersecurity team will continue to provide updates on this law and any related rules and regulations. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US State Data Privacy Laws.
© 2025 White & Case LLP