California

Subscribe to California via RSS

An ongoing issue many of our clients are dealing with are claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA).

A cottage industry of California plaintiffs’ firms are sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week.Continue Reading What to Know: Your Company Website and the California Information Privacy Act

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved a sweeping set of amendments to the California Consumer Privacy Act (CCPA) regulations. These updates introduce new compliance obligations for businesses around automated decision making, cybersecurity audits, risk assessments, and more.

Below, we discuss some of these new requirements.Continue Reading California Finalizes Major CCPA Amendments

On July 1, 2025, the California Attorney General, Rob Bonta, announced that the California Privacy Protection Agency (CPPA) entered into a settlement with Healthline Media LLC (Healthline), which included a fine of $1,550,000, the largest fine by the CPPA to date, for various alleged violations of the California Consumer Privacy Act (CCPA). This settlement and fine follow the CCPA’s $632,500 fine against American Honda Motor Co. in March of this year. These actions continue to show California’s increased focus on CCPA enforcement.

Per the announcement, Healthline.com is a health and wellness information website that is one of the top 40 most visited websites in the world and generates revenue by showing advertisements on the website.Continue Reading California Privacy Enforcement Continues: CPPA’s Largest Fine To Date

The California Privacy Protection Agency (“CPPA”) recently issued a decision requiring American Honda Motor Co. to pay a $632,500 fine and change certain business practices related to alleged violations under the California Consumer Privacy Act (“CCPA”). While not specifically related to connected vehicles, this decision comes after the CPPA’s announcement in 2023 that it would be focusing on connected vehicle manufacturers’ compliance with the CCPA.Continue Reading California Privacy Enforcement Update: Verifying Consumer Requests and Banners Must Be Symmetrical

A new year means new effective dates for state privacy legislation.  On January 1, 2025, four states witnessed consumer privacy protection laws take effect:  Delaware, Iowa, Nebraska, and New Hampshire. 

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.Continue Reading New Year Rings in New State Privacy Laws

Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.Continue Reading Not So Fast: Vermont Governor VETOES Private Right of Action for Consumer Privacy Violations

Just past midnight on May 11, 2024, the Vermont legislature passed the Vermont Data Privacy Act (VDPA). VDPA, if signed by Governor Phil Scott, will take effect on July 1, 2025, and will make Vermont the 18th state to establish consumer privacy rights in the same vein as the California Consumer Privacy Act (CCPA). Although many state consumer privacy laws feel cookie cutter at this point, VDPA contains nuances that will require companies to strategize data management intake and processing.Continue Reading While You Were Sleeping, Vermont Passed One of the Most Stringent State Consumer Privacy Laws Yet

Yesterday, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA).  Enforcement Advisory No. 2024-01(the Advisory) is solely devoted to data minimalization, which the CPPA describes as “a foundational principle in the CCPA.” An enforcement advisory is not an implementing rule, regulation, or law; it is not even an interpretation of the law or legal advice. Instead, CPPA enforcement advisories are intended to be informational bulletins to inform the public about nascent legal privacy issues that CPPA is engaging with at a given time. Continue Reading California Privacy Protection Agency Issues “Minimal” Guidance on CCPA in First Enforcement Advisory

On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt-out of that sale.  The sale took place through marketing cooperatives, which are networks of businesses that share the personal information of their respective customers with one another in order for participating businesses to advertise to those same customers, regardless of any prior relationship.  In other words, by participating in marketing cooperatives and disclosing consumer personal information as part of its membership, DoorDash was able to reach new customers; in turn, the other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.Continue Reading California Delivers to DoorDash $375,000 Civil Penalty: California AG Announces Second CCPA Settlement

Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today. Continue Reading California Appeals Court Holds CPRA’s Implementing Rules Are Immediately Enforceable