California Consumer Privacy Act (CCPA)

Subscribe to California Consumer Privacy Act (CCPA) via RSS

California regulators have announced a major privacy settlement with General Motors (GM) over allegations that the company unlawfully sold the location and driving data of hundreds of thousands of Californians to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The settlement, subject to court approval, requires GM to pay $12.75 million in civil penalties

The Driver’s Privacy Protection Act (DPPA) may not draw as much regular attention as statutes like the VPPA, CCPA, or TCPA, but it remains a source of privacy litigation risk where motor vehicle record information is involved. The DPPA is a federal law that limits how personal information from state motor vehicle records may be

California companies may have less time than they think to prepare for privacy audits. The California Privacy Protection Agency’s (CPPA) new Audits Division, created in February 2026, is expected to begin assessing companies’ compliance with the California Consumer Privacy Act (CCPA) this year, according to Executive Director Tom Kemp. This is a notable remark because—while

The California Consumer Privacy Act (CCPA) continues to stand apart as the only comprehensive state privacy law in the U.S. that applies to personal information relating to employees, job applicants, and independent contractors. Since that coverage expanded in January 2023, many employers have had to navigate the difficult task of applying a consumer privacy framework

The Office of California Attorney General Rob Bonta announced the largest settlement for violations of the California Consumer Privacy Act (CCPA) to date, imposing a $2.75 million civil penalty and injunctive relief focused on how Disney implements consumer opt-outs across its streaming ecosystem. Disney must pay the penalty within 30 days of the judgment’s effective

States are weighing in on whether grocery stores, hotel chains, and retailers should be using personal consumer information such as “browsing history” and “location data” to decide what price you see, when someone else might see something different. Pioneering this inquiry is California, approaching this individualized pricing as a potential privacy problem. At the end

A new California trial court decision offers website operators some long-awaited relief in the ongoing wave of website privacy suits under the California Invasion of Privacy Act (CIPA). In early December, the Los Angeles County Superior Court, rejected an increasingly common theory that routine website analytics and tracking tools function as illegal “pen registers” or “trap

The recent decision in Wiley v. Universal Music Group highlights how courts are scrutinizing website operators’ privacy controls and representations, particularly regarding cookie banners and opt-out tools. 2025 WL 3654085 (N.D. Cal. Dec. 17, 2025). In a recent decision, although Universal Music Group (UMG) dodged most of the putative class claims over its handling of

Overview of Commonwealth v. Kurtz

On December 16, 2025, the Pennsylvania Supreme Court held that individuals do not have a reasonable expectation of privacy in general, unprotected Google search records. Commonwealth v. Kurtz, No. 98 MAP 2023 (Pa. Dec. 16, 2025). In this criminal case, law enforcement obtained a so-called “reverse keyword search warrant” from