Midyear roundup of privacy and cybersecurity regulation, enforcement, and litigation

Eversheds Sutherland (US) LLP

Particularly with a new US administration in place, the first half of 2025 has seen a substantial reconfiguration of regulatory and enforcement priorities that promises to have profound impacts on companies as the year progresses.


First, while the federal government de-prioritizes privacy regulation, US states are filling the gap, as evidenced by eight state regulators’ Bipartisan Consortium on privacy regulation and enforcement: “We’re proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms.”1

To that end, a number of states have recently expanded their existing law’s applicability as well as reduced exemptions, and all indications are that many states will be ramping up their enforcement efforts, with the growing prospects of multistate enforcement looming large.

Additionally, the federal government, particularly the Federal Trade Commission, and state legislators continue to prioritize children’s privacy. Most recently, Vermont, Utah, and Texas have passed robust amendments to their privacy laws with the aim of furthering children’s privacy and mitigating the risks associated with children’s internet use. 

These statutory changes are also happening against a backdrop of increased privacy-related litigation – particularly new plaintiffs’ theories brought under wiretapping statutes and the Video Privacy Protection Act. 

Finally, rising geopolitical instability has heightened the risk of state-sponsored cyber threats, which in turn intensifies regulatory activity on cybersecurity and resiliency, both in the US and abroad. 

Limited Removal of Entity-Level GLBA Exemptions: Connecticut and Montana

To expand the reach of their privacy laws, Connecticut and Montana have narrowed their respective Gramm-Leach-Bliley Act (GLBA) exemptions, although not so much as to bring highly regulated financial services companies in scope as the California Consumer Privacy Act (CCPA) has done. 

Connecticut’s and Montana’s recent amendments to their GLBA exemptions continue to exclude most banks, insurance companies, and other financial institutions from, respectively, the Connecticut Data Privacy Act (CTDPA) and the Montana Consumer Data Privacy Act (MCDPA) privacy laws, but non-depository financial institutions like online lenders, consumer loan companies, credit counseling agencies, and auto finance companies may need to reassess. Previously, the CTDPA and MCDPA provided a blanket, entity-level exemption for all financial institutions such that if any data processed by a financial institution was covered by the GLBA, the entire organization, and all of its data, was exempt from CTDPA requirements. 

But no longer. Recent amendments narrow this exemption to the data-level approach. For companies like online lenders, consumer loan companies, credit counseling agencies, and auto-finance companies, only the data specifically governed by the GLBA is exempt, while other data processed by the same institution may be subject to CTDPA or MCDPA obligations. 

It is worth noting that California is at odds with Connecticut, Montana, and most other states in its attempts to modernize its insurance privacy laws to add new consumer rights. This year it attempted to pass California Senate Bill 354 (SB 354), also known as the Insurance Consumer Privacy Protection Act of 2025, which would mandate that insurance licensees obtain explicit consumer consent before collecting, processing, or sharing personal information for any purposes beyond what is directly necessary for an insurance transaction, subject to minimal exceptions. Currently SB 354 is stalled in the State Assembly, where its future is uncertain.

Expanded Application to Vehicle Manufacturers 

Oregon and Connecticut both expand coverage to include vehicle manufacturers and data generated by connected vehicle services, perhaps because of the Federal Communications Commission’s 2024 announcement and proposed rulemaking aimed at addressing the privacy implications for abuse survivors using connected vehicles. Given the unique context of privacy concerns for abuse survivors, these amendments impose compliance requirements distinct from typical consumer rights requests. 

Connecticut’s CTDPA now applies to motor vehicle manufacturers or an affiliate that provides “connected vehicle services,” defined as “any capability provided by or on behalf of a motor vehicle manufacturer that enables a person to remotely obtain data from, or send commands to, a covered vehicle.” The new provisions allow a survivor of trafficking or a crime described in the Violence Against Women Act of 1994 to submit a connected vehicle service request to a motor vehicle manufacturer to terminate or otherwise modify a connected vehicle services account. It also instructs motor vehicle manufacturers to deny requests made by abusers (as defined by Connecticut law) to obtain any information generated by the connected vehicle service. These obligations are distinct from other consumer privacy law consumer requests and will require motor vehicle manufacturers to update privacy disclosures and reevaluate compliance policies.

The Oregon Consumer Privacy Act (OCPA) amendments focus on motor vehicle manufacturers and their affiliates, requiring them to comply with OCPA regulations when collecting or processing personal data from vehicle use, including data from vehicle components. Due to prior broad exemptions and the inclusion of affiliates, some businesses may need to quickly establish OCPA-compliant consumer privacy programs.

Increased Consumer Protection for Sensitive Data

This year’s amendments also reflect a growing concern for and regulation of consumers’ sensitive data, which effectively expands the situations in which businesses must obtain affirmative consumer consent. For example, Connecticut joined California and Colorado in including neural data—generally defined as information generated by measuring the activity of an individual’s nervous system—in the definition of sensitive data. 

Significantly, some US states’ definitions of “sensitive data” are now more comprehensive than the GDPR’s definition. Although businesses compliant with the GDPR are often largely compliant with US privacy laws, this may no longer be the case when it comes to sensitive data. Additionally, businesses should continue to monitor the definitions of “sensitive data” because sensitive data processing typically requires opt-in consent rather than an opt-out regime. 

Increased Regulations for Businesses Processing Minors’ Data

Across the US in the first half of 2025, lawmakers and regulators are increasingly prioritizing the protection of minors’ personal data, particularly in response to growing concerns about online safety, digital addiction, and the mental health impacts of certain platform designs and data practices. As privacy and safety converge around minors, states are also expanding the range of businesses and types of information subject to these regulations; but states, perhaps ironically, are imposing obligations that could prove very privacy invasive for the rest of the population. 

At the federal level, the Federal Trade Commission has sharpened its focus on children’s privacy. In 2025, it adopted the first updates to the Children’s Online Privacy Protection Act (COPPA) Rule since 2013. As outlined in our previous legal alert, the amendments impose new obligations on operators of websites or online services directed to children under 13, including detailed notice and consent requirements, stricter data retention and deletion rules, and heightened security obligations. 

Maryland, Montana, Connecticut, Oregon, and Virginia have simultaneously moved to address these risks, embedding new protections for minors directly into their general consumer privacy laws, requiring businesses to reevaluate their default practices around collecting and processing data, particularly for marketing purposes and social media. 

Distinct from current opt-out regimes for consumers, some states now require age verification prior to interacting with the consumer. Virginia, for example, now requires commercially reasonable age verification for social media platforms and a default daily usage limit of one hour for users under 16 unless a parent provides verifiable consent to extend that limit. Maryland, in addition to restricting the collection of precise geolocation for minors unless strictly necessary, has imposed a blanket prohibition on the processing of personal data for targeted advertising to anyone under 18 if the business “knew or should have known” they were a minor, driving businesses to deploy age verification tools to identify users under 18 and revert to other advertising methods for such users, such as contextual advertising. 

Utah and Texas also are imposing age verification requirements and parental consent requirements—this time on app stores—which could have the result of requiring app stores to collect far more sensitive personal information than they otherwise would need to. For example, how would they verify ages without collecting age-verifying information from everyone, not just children? And what about individuals, like children, the indigent, or the disabled, who don’t have driver’s licenses or passports? Will biometrics be used?

These practical realities open these state laws to formidable challenges, including on several constitutional theories. In the meantime, however, businesses must grapple with these new requirements.

Other state amendments in the first half of 2025 reflect growing concerns about whether minors’ use of social media and other websites is harmful and addictive. Connecticut, for example, now prohibits system designs that significantly increase the time minors spend on a platform or service absent certain safeguards, and Montana prohibits the practice without consent. Both states also require controllers to exercise reasonable care to avoid a heightened risk of harm to minors, notably including physical violence, harassment via an online service or product, or sexual abuse or exploitation. The CTDPA’s new requirement for social media safety centers, cyberbullying policies, and mental health resources directly on social media platforms most poignantly reflects concerns about the impact of the internet on minors. Given the intense regulatory focus on these issues, compliance with these new provisions is of the utmost importance, even if challenging from a technical perspective.

In addition to these comprehensive privacy laws, several states have introduced stand-alone legislation focused solely on online youth protection. Vermont, for example, passed the Vermont Age-Appropriate Design Code Act, which applies to online services likely to be accessed by minors. The law requires these companies to prioritize the best interests of minors by imposing a minimum duty of care, ensuring that online platforms do not cause foreseeable emotional distress, compulsive use, or discrimination. It also mandates that default privacy settings be configured to the highest level and requires age verification of minors. 

Wiretapping Litigation Continues

Plaintiffs have filed upwards of 800 wiretapping claims this year alone. Wiretapping laws were originally enacted to prohibit unconsented wiretapping that intercepts or records a communication via a pen register or trap and trace device. Today, plaintiffs allege that website analytics tools such as pixels, cookies, and session replay software are illegal pen registers or trap and trace devices. These claims are most frequently brought pursuant to the California Invasion of Privacy Act (CIPA), which provides for $5,000 in damages per violation. 

Recently, federal courts have struck down CIPA claims for lack of standing and denied class certification in some instances. For example, two putative class actions brought early this year in the Southern District of New York were dismissed for lack of standing.2 In both actions, the courts held that a statutory violation of CIPA alone was insufficient to confer Article III standing, and that plaintiffs’ IP addresses, without more, did not amount to personal information for purposes of an invasion of privacy. 

Plaintiffs, however, are more successful in state courts and, most recently, in mass arbitrations. Mass arbitrations require only that plaintiffs meet the much lower arbitrability standard. This not only presents a lower barrier to entry, but also incentivizes settlements. Most recently, a 2,408-consumer mass arbitration was brought against clothing retailer Janie & Jack.

Given the continued popularity of wiretapping claims, it is crucial that businesses understand how third parties may access and share consumers’ data. Additionally, businesses should ensure that their use of analytics tools conforms to privacy notice disclosures. Informed opt-in consent remains the best way to guard against wiretapping claims. To that end, it is essential that consent managers function as advertised and prevent analytics tools from functioning until after the user provides affirmative consent.
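One way to implement the opt-in gating described above, as an added illustration that is not part of the original article or any vendor's consent manager: third-party analytics and pixel loaders are registered with a gate that holds them until an explicit opt-in for their purpose is recorded, and an audit function checks the gate's own log for any tool that fired before a matching consent. The tool objects, purposes, and loaders are constructed for the example.

```javascript
// Added example (not from the original article): a minimal consent gate that
// defers analytics/pixel loaders until the user gives affirmative (opt-in) consent.
// A tool is {name, purpose, load}; load() would normally inject the vendor script,
// here it is a stand-in that records that the tool fired.

class ConsentGate {
  constructor() {
    this.pending = new Map();   // purpose -> tools waiting for consent
    this.consent = new Map();   // purpose -> true only after an explicit opt-in
    this.loaded = [];           // names of tools actually started
    this.log = [];              // audit trail of choices and loads, in order
  }

  // Register a third-party tool; it does not run until consent for its purpose exists.
  register(tool) {
    if (this.consent.get(tool.purpose) === true) {
      this._run(tool);
      return;
    }
    if (!this.pending.has(tool.purpose)) this.pending.set(tool.purpose, []);
    this.pending.get(tool.purpose).push(tool);
    this.log.push({ event: 'deferred', tool: tool.name, purpose: tool.purpose });
  }

  // Record an explicit user choice. Only `true` releases the queue; a dismissed
  // banner or any other value is treated as a denial (no default opt-in).
  recordChoice(purpose, granted) {
    const ok = granted === true;
    this.consent.set(purpose, ok);
    this.log.push({ event: 'choice', purpose, granted: ok });
    if (!ok) return;
    for (const tool of this.pending.get(purpose) || []) this._run(tool);
    this.pending.delete(purpose);
  }

  _run(tool) {
    tool.load();
    this.loaded.push(tool.name);
    this.log.push({ event: 'loaded', tool: tool.name, purpose: tool.purpose });
  }

  // Audit: names of tools whose load is not preceded by a granted choice for
  // the same purpose. An empty list means the gate behaved as advertised.
  violations() {
    const granted = new Set();
    const bad = [];
    for (const e of this.log) {
      if (e.event === 'choice' && e.granted) granted.add(e.purpose);
      if (e.event === 'loaded' && !granted.has(e.purpose)) bad.push(e.tool);
    }
    return bad;
  }
}

// Constructed page flow: two tools registered at page load, then the user
// opts in to analytics only and explicitly declines advertising.
function demo() {
  const gate = new ConsentGate();
  const fired = [];
  gate.register({ name: 'session-replay', purpose: 'analytics', load: () => fired.push('session-replay') });
  gate.register({ name: 'ad-pixel', purpose: 'advertising', load: () => fired.push('ad-pixel') });
  const firedBeforeConsent = fired.length;   // expected 0: nothing runs at page load
  gate.recordChoice('analytics', true);
  gate.recordChoice('advertising', false);
  return { firedBeforeConsent, fired: fired.slice(), violations: gate.violations() };
}
```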

VPPA Litigation

As lawmakers and regulators increasingly prioritize data privacy, the Video Privacy Protection Act (VPPA or the Act) has reemerged as a key legal tool. Enacted in 1988 to protect the confidentiality of video rental records, the VPPA is now being applied to modern digital contexts, where concerns over the collection and sharing of viewing data have intensified. In particular, the VPPA has become a focal point in litigation involving the unauthorized disclosure of video viewing data, often through technologies like Meta’s data-tracking Pixel, highlighting how legacy privacy laws are being reinterpreted to address modern digital surveillance practices. 

At the heart of recent litigation under the VPPA is a fundamental question: Who qualifies as a “consumer”? This definition is critical because only consumers are entitled to the Act’s protections against the unauthorized disclosure of video viewing information. As courts grapple with how this term applies in the digital age, the outcome can determine whether plaintiffs have standing to sue under the VPPA.

A recent decision by the Sixth Circuit narrowed the scope of the Act by holding that a “consumer” must subscribe specifically to audiovisual goods or services.3 Under this interpretation, a plaintiff who merely subscribed to an online sports newsletter, which included links to publicly available videos, did not qualify for protection. This contrasts sharply with broader interpretations by other courts. In Salazar v. NBA, for example, the Second Circuit found that a newsletter subscription was sufficient to establish consumer status under the VPPA.4 The Seventh Circuit has taken a similarly expansive view.5 These conflicting rulings have created a circuit split, prompting a petition for certiorari to the US Supreme Court in Salazar v. NBA (Docket No. 24-994), filed on March 18, 2025. The Court has not yet decided whether to hear the case.

As this legal uncertainty continues, especially amid rising scrutiny of tracking technologies and data-sharing practices, businesses must closely examine how they collect and share user data. This includes reviewing consent mechanisms and the privacy practices of any companies they acquire or merge with, to mitigate potential VPPA liability.

US and Global Regulatory Shifts 

In response to the rapidly evolving cyber threat landscape, the United States has taken significant steps at both the federal and state levels to modernize and strengthen its cybersecurity posture. In June 2025, President Donald Trump signed Executive Order 14306 to focus on securing third-party software supply chains, advancing post-quantum cryptography, managing vulnerabilities in artificial intelligence (AI) systems, and enhancing the security of Internet of Things (IoT) devices. It also introduces sanctions targeting foreign cyber actors while limiting their application to avoid domestic misuse. The order emphasizes technical rigor and transparency, including the development of machine-readable cybersecurity policies and formal trust designations for consumer IoT products.

Complementing this executive action, the National Institute of Standards and Technology (NIST) has updated two cornerstone frameworks: SP 800-53 and SP 800-218. These updates include new controls for identity and access management, cryptographic key protection, and secure software development practices. NIST is also tasked with publishing guidance on AI vulnerability management and secure patch deployment by late 2025. Meanwhile, the Office of the National Cyber Director released its 2024 Cybersecurity Posture Report, which calls for a shift from reactive to proactive defense strategies. The report underscores the need for a whole-of-nation approach, reallocating cybersecurity responsibilities from end users to the most capable public and private sector actors, and promoting long-term investments in resilience.

At the state level, the New York Department of Financial Services implemented significant amendments to its Cybersecurity Regulation (23 NYCRR Part 500) effective May 2, 2025. These amendments introduce tiered obligations based on entity classification—small businesses, Class A companies, and covered entities—with exemptions for captive insurers and firms not handling nonpublic information. The regulation now mandates annual risk assessments, enhanced governance, and third-party oversight, reflecting a broader trend toward resilience-focused compliance. 

Globally, regulatory momentum is accelerating. In the European Union, the NIS2 Directive entered into force on January 16, 2023, requiring EU member states to transpose it into national law by October 17, 2024. NIS2 builds on the original NIS Directive (2016/1148), which was the EU’s first horizontal cybersecurity law. NIS2 significantly expands the scope to include more sectors (e.g., public administration, space, and digital infrastructure), introduces stricter incident reporting timelines (within 24 hours), and strengthens third-party risk management and executive accountability.

Meanwhile, the Digital Operational Resilience Act (DORA), enforceable from January 17, 2025, introduces harmonized Information and Communication Technology risk management requirements for financial institutions and their technology providers. DORA mandates resilience testing, incident reporting, and oversight of critical third-party providers, with penalties for noncompliance.

In the Asia-Pacific region, Singapore passed the Cybersecurity (Amendment) Act 2024, which expands regulatory oversight beyond critical infrastructure to include digital service providers and foundational digital infrastructure. The law introduces new designations for entities of special cybersecurity interest and mandates stronger accountability for third-party-owned systems. Australia also amended its Security of Critical Infrastructure Act in December 2024 to clarify the inclusion of data storage systems, broaden government response powers, and integrate telecommunications security obligations. These changes aim to enhance national resilience and streamline cross-sector collaboration.

Together, these developments reflect a global shift toward proactive, risk-based cybersecurity governance. As cyber threats grow more sophisticated and geopolitically charged, regulatory frameworks are evolving to demand not only technical defenses but also strategic foresight, operational resilience, and cross-border coordination.

Conclusion

Privacy and cybersecurity regulation has seen significant transformation, with US states and global jurisdictions intensifying efforts to address evolving digital risks. States like Connecticut, Montana, and California have refined privacy laws to close gaps and strengthen protections, particularly for minors, while federal and international initiatives have advanced cybersecurity through updated frameworks, executive actions, and harmonized regulations like the EU’s NIS2 and DORA. The rise in privacy-related litigation, including wiretapping and VPPA claims, highlights the critical need for businesses to implement transparent data practices and robust consent mechanisms. Amid escalating geopolitical cyber threats, these regulatory developments reflect a global shift toward proactive, resilience-focused governance, requiring organizations to adapt swiftly to ensure compliance and maintain consumer trust in a complex digital landscape.

__________

1 https://cppa.ca.gov/announcements/2025/20250416.html

2 Zhizhi Xu v. Reuters News & Media Inc., No. 1:2024cv02466, 2025 WL 488501 (S.D.N.Y. Feb. 13, 2025); Gabrielli v. Insider, Inc., No. 1:2024cv01566, 2025 WL 522515 (S.D.N.Y. Feb. 18, 2025).

3 Salazar v. Paramount Global, 133 F.4th 642 (6th Cir. 2025).

4 Salazar v. National Basketball Association, 118 F.4th 533 (2d Cir. 2024).

5 Gardner v. MeTV Nat’l Ltd. P’ship, No. 24-1290 (7th Cir. 2025).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Eversheds Sutherland (US) LLP
