STATE & LOCAL LAWS & REGULATIONS
Vermont Governor Signs Vermont Kids Code Into Law: Vermont Governor Phil Scott signed SB 69, the Vermont Kids Code, into law. The Vermont Kids Code imposes privacy and safety requirements on businesses offering online services likely to be accessed by minors under the age of 18. Covered businesses must use age-assurance methods to verify users’ ages and configure default privacy settings to the highest level for minors. The law prohibits displaying minors’ accounts or content to adults without explicit consent, restricts adult interactions with minors on social media, and bans push notifications to minors, especially overnight. It also limits the collection, use, and retention of minors’ personal data to what is strictly necessary, mandates clear privacy disclosures, and requires a mechanism for prompt account deletion. The Vermont Kids Code will become effective on January 1, 2027. The Vermont Kids Code will likely face legal challenges, as similar laws passed in Maryland and California have been successfully challenged on First Amendment grounds.
New Jersey’s Attorney General Publishes Regulations for the New Jersey Data Privacy Act: The New Jersey Attorney General published proposed rules implementing the New Jersey Data Privacy Act (“NJDPA”). The proposed rules, among other things, provide content requirements for privacy notices and requirements for obtaining and documenting consent, including for processing sensitive data and the personal data of children between the ages of 13 and 17 for purposes of selling the data, targeted advertising, and/or profiling in furtherance of decisions that produce legal or similarly significant effects. The proposed rules also require controllers to provide user-friendly mechanisms for exercising data rights and prohibit the use of dark patterns. Additionally, the proposed rules include data security, data minimization, and recordkeeping requirements, and specify what must be included in data protection assessments for high-risk processing activities. The proposed rules further provide the framework for universal opt-out mechanisms and special rules around loyalty programs and profiling. The public comment period for the proposed rules will end on August 1, 2025.
Texas Passes AI Law: Texas Governor Greg Abbott signed HB 149, the Texas Responsible Artificial Intelligence Governance Act (“TRAIGA” or “the Act”). TRAIGA, effective on January 1, 2026, imposes certain restrictions regarding artificial intelligence (“AI”) system development and deployment. TRAIGA categorically prohibits AI systems intended for behavioral manipulation, unlawful discrimination, infringement of constitutional rights, and the creation or distribution of child pornography or unlawful deepfakes. The Texas Attorney General is responsible for enforcing TRAIGA and can impose substantial penalties for violations, with fines ranging from $10,000 to $200,000 per violation and up to $40,000 per day for ongoing violations. The Act provides a 60-day cure period for violators and offers affirmative defenses for self-identified and remediated violations, especially if compliant with frameworks like the National Institute of Standards and Technology’s (“NIST”) AI Risk Management Framework. TRAIGA also establishes a regulatory sandbox for AI innovation and an advisory council to guide state AI policy, though the council cannot issue binding regulations.
Connecticut Passes Amendment to the Connecticut Data Privacy Act: The Connecticut Legislature has passed amendments to the Connecticut Data Privacy Act (“CTDPA”). The amendments lower the applicability thresholds, making the CTDPA applicable to entities that control or process personal data of at least 35,000 Connecticut consumers, offer personal data for sale to the CTDPA, or control or process sensitive data unless solely for payment transactions. The definition of sensitive data now includes disability, nonbinary or transgender status, neural data, and certain financial and government ID numbers. The amendments also remove the entity-level exemption for GLBA-regulated entities, replacing it with specific exemptions for financial and insurance institutions, and add a political activities exemption. Consumer rights are broadened to include explicit access to inferences and profiling information, and the right to obtain a list of third parties to whom data was sold. Requirements regarding data minimization, privacy notice, processing minors’ personal data, and secondary processing have been strengthened, and profiling opt-out rights have been expanded.
California Senate Passes Amendments to California Invasion of Privacy Act (“CIPA”): The California Senate has passed SB 690, which would amend the California Invasion of Privacy Act (“CIPA”) to significantly limit lawsuits under CIPA against businesses using standard online technologies. Over the last several years, CIPA, originally enacted to address wiretapping and eavesdropping, has been repurposed by plaintiffs’ attorneys to target businesses for their use of tracking technologies such as cookies, pixels, chatbots, and session replay tools on their websites. SB 690 proposes to address this problem by introducing exemptions for activities conducted for “commercial business purposes” from several core CIPA provisions. Perhaps most significantly, SB 690 would bar private lawsuits for the processing of personal information for a commercial business purpose, effectively eliminating the private right of action for a wide range of CIPA claims related to online business activities. For additional information on SB 690, please see Blank Rome’s Client Alert on this bill here.
Utah Enacts Three AI Laws: Utah Governor Spencer J. Cox signed three AI bills into law. SB 226 amends Utah’s AI disclosure law, which requires businesses to inform users that they are interacting with AI. While the law previously applied broadly to entities doing business in Utah, SB 226 amends the law to only apply when users engage in “high-risk artificial intelligence interactions,” which involve the collection of sensitive personal information or give recommendations or advice that users may rely on for significant decisions. HB 452 requires similar disclosures to those required in SB 226, but for providers of mental health chatbots that use generative AI. HB 452 also sets forth data protection requirements and restrictions on advertisements. SB 271 amends Utah’s Abuse of Personal Identity Act, which prohibits using an individual’s identity to imply endorsement or approval of an advertisement without consent, to apply to the imitation of an individual’s identity through generative AI, and other technological means.
Colorado Attorney General Announces Colorado Privacy Act Rulemaking for Children’s Data: The Colorado Attorney General has announced rulemaking to implement the Colorado Privacy Act (“CPA”) with respect to the personal data of minors under the age of 18. The CPA was amended by S.B. 24-041 to add enhanced protections when processing the personal data of minors, including requiring consent to: (1) process minors’ personal data for the purpose of targeted advertising, sale, or profiling; (2) use any feature to significantly increase, sustain, or extend a minor’s use of the covered controller’s online service; or (3) collect minors’ precise geolocation, except in certain instances. The Colorado Attorney General is considering amendments to the CPA’s implementing rules to clarify and enact these amendments. As part of that process, the Colorado Attorney General is accepting public input on targeted pre-rulemaking questions.
Texas Passes Changes to Telemarketing Law: Texas Governor Greg Abbott signed SB 140 into law, which will dramatically expand telemarketing regulations in the state. SB 140 broadens the definition of “telephone call” and “telephone solicitation” to include text messages, image messages, virtually any other transmission intended to sell goods or services, and traditional voice calls. SB 140 subjects Short Message Service (“SMS”), Multimedia Messaging Service (“MMS”), or similar marketing campaigns to the same strict standards as voice calls. SB 140 also introduces a private right of action under the Texas Deceptive Trade Practices and Consumer Protection Act. Statutory damages range from $500 to $5,000 per violation. The new telemarketing requirements and expanded enforcement provisions will take effect on September 1, 2025. For more information on SB 140, please see Blank Rome’s Client Alert on the bill here.
FEDERAL LAWS & REGULATIONS
Senate Removes AI Law Moratorium from Consideration: The Senate voted 99-1 to remove from the federal budget bill the proposed moratorium on state and local government AI legislation. The moratorium, originally proposed as a complete 10-year ban on AI law enactment and enforcement, had been reduced to five years with exceptions for children’s online safety. The proposal also tied compliance with the ban to the ability to receive federal broadband funding. The moratorium had faced growing opposition from a bipartisan group of state regulators and legislators, with 40 state attorneys general writing in opposition of the proposal in May, and a group of 260 state lawmakers urging Congress to drop the AI preemption proposal in June.
Trump Issues Cybersecurity Executive Order Revoking Parts of Biden and Obama-era Executive Orders: The Trump administration issued an Executive Order that revokes “problematic elements” of Obama and Biden-era Executive Orders, including portions of a Biden administration executive order promoting federal digital identity initiatives by encouraging the use of digital ID documents. The Trump Order also revokes requirements that software vendors must attest to secure development guidelines created by the National Institute of Standards and Technology. The Trump Order now emphasizes collaboration by directing NIST to work with the software industry to develop practical guidance on secure software development and to update relevant frameworks. Additionally, the Trump Order directs department and agency-level actions on post-quantum cryptography to ensure protection against threats that may leverage next-generation compute architectures.
NIST Releases Zero Trust Architecture Guidance: NIST released newly finalized guidance entitled “Implementing a Zero Trust Architecture” (NIST Special Publication (SP) 1800-35) that provides 19 example implementations of zero trust architectures using commercial, off-the-shelf technologies. The guidance uses these examples to show organizations how to implement a zero trust architecture. The new guidance augments NIST’s 2020 publication Zero Trust Architecture (NIST SP 800-207), a high-level document that describes zero trust at the conceptual level. While the earlier publication discussed how to deploy zero trust architecture and offered models, the new publication is intended to provide users with more guidance in addressing their own needs.
FTC Issues FAQ on Safeguards Rule to Automobile Dealers: The Federal Trade Commission released an FAQ to help automobile dealers comply with the Gramm-Leach-Bliley Act and the FTC’s Safeguards Rule. The FAQ provides answers to both high-level questions about the general scope and requirements of the Safeguards Rule, as well as questions intended to address automobile dealer-specific situations, such as whether an automobile dealer may send vehicle Original Equipment Manufacturer (“OEM”) customer lists and retail delivery reports.
U.S. LITIGATION
Supreme Court Empowers District Courts to Challenge FCC TCPA Interpretations: The Supreme Court issued a decision in McLaughlin Chiropractic Associates, Inc. v. McKesson Corporation, which may fundamentally alter the landscape for businesses subject to the Telephone Consumer Protection Act (“TCPA”). In a 6–3 ruling, the Court held that district courts are not required to follow the Federal Communications Commission’s (“FCC”) interpretations of the TCPA in enforcement proceedings, unless Congress has expressly stated otherwise. This marks a significant departure from the longstanding practice in many jurisdictions, where district courts treated FCC orders as binding in TCPA litigation. See Blank Rome’s Client Alert here for an in-depth analysis of this decision.
Court Rules Use of Copyrighted Works to Train AI Is Fair Use: Judge William Alsup of the Northern District of California ruled that Anthropic’s use of books to train its large language model for the purpose of creating new text outputs is fair use of those works. Anthropic used millions of copyrighted books to train its Claude large language models. As part of that training, Anthropic compiled a collection of millions of books in a “central library.” The Anthropic library contained both purchased and pirated content. Judge Alsup concluded that use of the books at issue to train Anthropic’s AI was “exceedingly transformative” and a fair use under Section 107 of the U.S. Copyright Act. Specifically, the Court noted that authors cannot exclude others from using their works to learn, noting that, for centuries, people have read and re-read books. The Court also stated that the training was for the purpose of creating something different, not to supplant the work. The Court also held that the digitization of purchased books in the library was also fair use, but that the use of pirated copies was not. The case marks a significant win for AI developers.
Supreme Court Upholds Texas Law Requiring Age Verification for Websites with Sexually Explicit Content: In Free Speech Coalition et al. v. Ken Paxton, the U.S. Supreme Court upheld a Texas law requiring pornographic websites to conduct age checks on visitors. The Texas law requires entities that publish or distribute material on a website, more than one-third of which is “sexual material harmful to minors,” to verify that visitors are 18 years of age or older. The Court held that the law is subject to intermediate scrutiny under the First Amendment and determined that the law survived that level of scrutiny. Justice Thomas wrote for the majority that “Adults have no First Amendment right to avoid age verification, and the statute can readily be understood as an effort to restrict minors’ access,” and that “Any burden experienced by adults is therefore only incidental to the statute's regulation of activity that is not protected by the First Amendment.” The Texas law requires users of such covered websites to verify their age by either (1) providing digital identification (i.e., information stored on a digital network that serves as proof of the individual’s identity) or (2) complying with a commercial age verification system that verifies age using either government-issued identification or transactional data.
Florida Court Blocks Enforcement of Florida Law Restricting Children’s Access to Social Media: U.S. District Court Judge Mark E. Walker blocked enforcement of a Florida law that would ban children 13 and under and restrict 14- and 15-year-olds from social media. The challenge was brought by technology industry associations, NetChoice and the Computer and Communications Industry Association, on the basis that the law violated the First Amendment. The Court found that the groups were substantially likely to succeed on their First Amendment challenge. The court stated, “Each application of the law burdens substantially more protected speech than necessary because it imposes the same sweeping burden on the rights of youth under 16 despite the availability, in each case, of substantially less burdensome alternatives.” NetChoice has successfully challenged similar laws in Utah, Arkansas, California, Mississippi, Ohio, and Texas. The Florida Attorney General filed notice of its intention to appeal the ruling to the United States Court of Appeals for the Eleventh Circuit.
23andMe Founder’s Bid Beats Out Regeneron for Bankrupt Company’s Assets: TTAM Research Institute (“TTAM”), a nonprofit controlled by 23andMe founder Anne Wojcicki, won over Regeneron in the final round of bidding in the bankruptcy sale of 23andMe. TTAM’s bid of $305 million for substantially all of the assets of 23andMe, including the DNA testing and research services portions of the business, topped the $256 million in a previously announced agreement with Regeneron to acquire the company. TTAM’s deal must still be approved by the bankruptcy court. The privacy ombudsman in the bankruptcy case has recommended that users’ consent be obtained before the sale of 23andMe’s genetic data is approved. 23andMe and the bankruptcy case have garnered significant regulatory attention. Twenty-eight state attorneys general have filed a lawsuit on behalf of consumers objecting to the proposed sale of genetic information by 23andMe. The lawsuit aims to stop 23andMe from auctioning off the private genetic data of consumers without the consumers’ knowledge or consent.
Texas Court Invalidates HHS Abortion Privacy Rule: The U.S. District Court for the Northern District of Texas vacated a Biden-era U.S. Department of Health and Human Services (“HHS”) rule designed to protect the privacy of patients seeking abortion and gender affirming care. U.S. District Judge Matthew J. Kacsmaryk held that the rule exceeds the authority of the HHS under the Health Insurance Portability and Accountability Act (“HIPAA”). The rule specifically prohibited HIPAA regulated entities from disclosing PHI for purposes of conducting “a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided” and “The identification of any person for the purpose of conducting such investigation or imposing such liability.” HHS stated following Dobbs v. Jackson Women’s Health Organization in 2022 that HIPAA permits, but does not require, organizations to disclose PHI related to reproductive health for law enforcement and in response to a subpoena. Healthcare providers must also comply with healthcare laws in the states in which they operate.
U.S. ENFORCEMENT
California Attorney General Announces Largest CCPA Enforcement Penalty to Date: California Attorney General Rob Bonta announced his office entered into a settlement with Healthline Media (“Healthline”) to resolve allegations that Healthline violated the California Consumer Privacy Act (“CCPA”). As part of the settlement, Healthline will pay a civil penalty of $1.55 million. The Attorney General alleged that Healthline failed to opt consumers out of the sharing of their personal information for targeted advertising, violated the CCPA’s purpose limitation principle by sharing titles of articles available on the Healthline website that suggested a consumer may have been diagnosed with a medical condition to advertise to that consumer, and failed to maintain contracts with its advertising partners that contain privacy protections required by the CCPA. The enforcement action is the first to address the CCPA’s purpose limitation principle, signaling to companies that they should carefully review the business purposes for which data is being collected and used to determine whether those purposes have been properly disclosed and meet the reasonable expectations of consumers. Companies should also take note of the Attorney General’s emphasis on the oversight of third-party advertising partners. CCPA is the only state comprehensive privacy law that has specific requirements for contractual terms in contracts with all third parties, including those that are processing personal information on behalf of the company that disclosed the personal information.
Nebraska Attorney General Files Lawsuit Against Chinese E-Commerce Company Alleging Unlawful Data Practices: Nebraska Attorney General Mike Hilgers announced he had filed a lawsuit against Chinese e-commerce company Temu and its affiliates, alleging the companies engaged in unlawful data practices and other consumer protection violations. The Nebraska Attorney General stated that Temu unlawfully harvests data, including from children; utilizes multiple deceptive practices to encourage purchases; allows infringement and counterfeits to thrive; and engages in deceptive marketing to greenwash its image. Examples of alleged unlawful data practices cited in the announcement include employing malware that bypasses device security and grants the app unrestricted access to everything on users’ phones, allowing Temu to secretly collect user data, and sharing Nebraskans’ data with the Chinese Communist Party.
North Carolina Attorney General Issues Civil Investigative Demand to EdTech Provider: North Carolina Attorney General Jeff Jackson announced his office has issued a civil investigative demand (“CID”) to educational technology provider, PowerSchool, relating to a 2024 data breach experienced by the company. The data breach impacted more than 62 million people nationwide. The Attorney General stated in its announcement that, despite PowerSchool paying ransom to the hacker to delete the stolen information, North Carolina school districts were contacted by the hacker after the payment, who attempted to extort more money from the districts. The CID seeks information on the exact number of North Carolinians impacted by the 2024 data breach, details about cybersecurity measures in place at the time of the breach, what security flaws may have contributed to the breach, and information about PowerSchool’s response to the breach.
INTERNATIONAL LAWS & REGULATIONS
Statutory Tort for Privacy Harms Now Available in Australia: Changes to the Australian Privacy Act that provide for a right of action in tort for serious invasions of privacy commenced on June 10, 2025. As further detailed in an announcement by the Office of the Australian Information Commissioner, under the new statutory tort afforded by Schedule 2 of the Australian Privacy Act, an individual may have a cause of action against another person or organization who has invaded their privacy by (1) intruding upon the individual’s seclusion – for example, by physically intruding into their private space or (2) misusing information that relates to the plaintiff, in instances where the plaintiff would have had a reasonable expectation of privacy.
New Mandatory Ransomware Payment Disclosures in Australia in Effect: As of May 30, 2025, organizations qualifying as reporting business entities as defined under Part 3 of the Australian Cyber Security Act of 2024 are required to report ransomware and cyber extortion payments. Reporting business entities are organizations with an annual revenue of AUD $3 million (USD $1.957 million) or more within the last financial year of the organization. Reporting businesses have 72 hours to report the payment. Information required to be reported includes details of the cybersecurity incident to which the payment relates, the impact of the incident on the reporting business, the amount of ransom demanded and paid, and the nature and timing of any communications with the threat actor, among other information.
Japan Passes AI Law to Promote Research and Development: Japan’s National Diet has passed a bill aimed at fostering AI innovation while requiring compliance with existing laws to prevent potential harms relating to the use of AI. The new legislation establishes a framework for the government to support AI development and research. It also mandates that AI operators adhere to current laws and regulations to mitigate risks associated with AI technologies. This move is part of Japan's broader strategy to balance technological advancement with safety and ethical considerations. The bill also indicates that further guidance and detailed regulations will be developed to support the implementation of the law.
U.S. International Trade Administration Launches Two International Privacy Certifications: The U.S. International Trade Administration (“ITA”) announced the launch of two international privacy certifications: the Global Cross-Border Privacy Rules (“CBPR”) and the Global Privacy Recognition for Processors (“PRP”) Systems. The CBPR certification is designed for organizations that handle personal data across borders. It is designed to provide assurance that these organizations adhere to a set of privacy principles that protect personal data during international transfers. The PRP certification is targeted at data processors, which are entities that process personal data on behalf of other organizations. This PRP certification is intended to ensure that data processors comply with rigorous privacy standards and practices, providing assurance to their clients that their data is handled securely and responsibly. Organizations can obtain these certifications after completing assessments conducted by designated accountability agents.
Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin also contributed to this article.