Data Privacy Laws

Subscribe to Data Privacy Laws via RSS

On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 4, now Public Act No. 26-64 (the “Act”),[1] significantly expanding the Connecticut Data Privacy Act (CTDPA).

The Act creates a California Delete Act-style, but Connecticut-specific, data broker registration and deletion-mechanism regime. It also restricts the sale, sharing, transfer, and provision of access to precise geolocation data;[2] imposes facial recognition transparency requirements; adds surveillance-pricing prohibitions and disclosure obligations; narrows the CTDPA’s “publicly available information” exclusion; adds rules for certain employment-related processing and profiling decisions; expands consumer deletion rights; and regulates direct-to-consumer (DTC) genetic testing companies.

At a high level, the Act adds compliance obligations for data brokers, CTDPA controllers and processors, retailers, third-party delivery services, and DTC genetic testing companies.[3]

These amendments follow shortly after the July 1, 2026 effective date for separate CTDPA amendments enacted in 2025 through SB 1295, which expanded coverage thresholds, added profiling impact assessment obligations, and imposed minors-related requirements. Companies should thus treat SB 4 as part of a broader 2026 Connecticut compliance cycle, rather than a standalone update.

The rapid expansion of biometric technologies in sports has created both significant opportunities and complex legal challenges. The proliferation of wearable devices and data collection tools has ushered in what amounts to a “gold rush” for athletes, teams, universities, and companies seeking to use or commercialize biometric data. Heart rate

Wire transfer fraud has long been a popular target for cyber criminals.   

A case of first impression decided by the California Court of Appeal, Fourth Appellate District demonstrates the high stakes for victims of this crime. Specifically, on May 27, 2025, the Court of Appeal released an opinion addressing the issue of who bears the loss when settlement funds are fraudulently diverted via a wire transfer scam.

Key Takeaways

  • In a recent decision by the Ninth Circuit in Briskin, the court ruled that e-commerce platform Shopify purposefully directed its conduct toward California because of its nationwide operations, rejecting the need for differential targeting of a forum state.
  • Notably, the court found a direct causal nexus between Shopify’s conduct and Briskin’s claims, deeming an exercise of specific jurisdiction over Shopify in California fair and reasonable.
  • Legal scholars are concerned that the decision could broadly expand the scope of specific personal jurisdiction and increase litigation risks for online platforms.
  • Companies should reassess their data practices and anticipate forum shopping by plaintiffs following Briskin.

UPDATE (April 17, 2025): The below reflects a development occurring after our publication of the original post.

On April 11, 2025, the National Security Division (the “NSD”) released several documents setting out initial guidance on how to comply with the Rule, which the NSD refers to as the Data Security

2024 marked another significant year for privacy law, with new state legislation and high-stakes litigation reshaping the landscape. Legal battles over tracking technologies, biometric data, and children’s privacy intensified, while federal agencies, including the Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”), ramped up their efforts through major enforcement actions and high-profile settlements, marking a new era of increased accountability.

  • Amazon faces allegations of unauthorized data collection in violation of federal and state privacy laws, including a first-of-its-kind claim under Washington’s My Health My Data Act (“MHMDA”).
  • The MHMDA restricts businesses from collecting, sharing, or selling any-health related information about a consumer without their consent of “valid authorization”, going

On May 16, 2024, the U.S. Securities and Exchange Commission announced the adoption of amendments to Regulation S-P that were proposed last year. The Final Amendments impose enhanced requirements on registered investment advisers, investment companies, broker dealers and transfer agents with respect to handling of consumer financial information.

Read the