Edward Holman

Subscribe to Edward Holman's Posts

On October 13, 2025, California concluded a busy legislative term by enacting a slew of key privacy and AI-related bills, aimed at enhancing consumer protection and regulating emerging AI technology applications. These measures address a range of critical issues, including consumer opt-out signals, data broker transparency requirements, age assurance, minors’ safety, companion chatbots, and AI development. We summarize some of the most significant of these privacy and AI bills that were signed into law by California Governor Gavin Newsom, below.Continue Reading California Enacts Nearly a Dozen Key Privacy and AI Bills into Law

On September 9, 2025, the attorneys general of California, Colorado, and Connecticut and the California Privacy Protection Agency (CPPA) announced a joint investigative sweep of potential failures by businesses to honor consumers’ rights to opt

Continue Reading State AGs Unveil Investigation Sweep Targeting Businesses Ignoring Consumer Opt-Out Signals

On August 11, 2025, the U.S. District Court for the Northern District of California denied a motion to dismiss a California Invasion of Privacy Act (CIPA) class action lawsuit filed against ConverseNow Technologies, Inc. ConverseNow

Continue Reading U.S. Federal Court Allows CIPA Class Action Against AI Customer Service Provider to Proceed

On July 24, 2025, the California Privacy Protection Agency (CPPA) Board voted to approve a long-awaited rulemaking package imposing substantial new compliance obligations on businesses subject to the California Consumer Privacy Act (CCPA). The package contains finalized rules on AI-related, automated decision-making technologies (ADMT), cybersecurity audits, and risk assessments, as well as updates to existing CCPA regulations. These regulations will impact a broad swath of businesses handling personal information of California residents.

The CPPA Board’s approval of the new regulations is the culmination of a year-long process that began when the agency first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024 (analyzed in prior Wilson Sonsini client alerts). In April and May 2025, the Board grappled with public concerns from hundreds of public comments on the draft regulations, analyses of which can be found in these recent client alerts.

In addition, the CPPA Board approved modifications to the proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) mandated by the Delete Act (discussed in a prior post). These modifications will be subject to a new 15-day public comment period once the agency publishes official notice of the changes.Continue Reading CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations

Key Changes to Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On May 1, 2025, the California Privacy Protection Agency (CPPA) Board met again to discuss updates to the latest draft California Consumer Privacy Act (CCPA) regulations related to automated decision-making technology (ADMT), cybersecurity audits, risk assessments, and an assortment of other updates to existing regulations. These latest updates come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. In April 2025, the Board continued to grapple with public concerns and received hundreds of public comments on the prior draft regulations, an analysis of which can be found in this recent client alert. At the CPPA meeting last week, CPPA staff proposed significant changes to the prior draft, on which the Board provided more feedback and agreed to open the regulations for public comment as soon as this week and closing June 2, 2025.Continue Reading CPPA Board Opens Draft Regulations for Public Comment

On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.Continue Reading CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their out-opt rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.Continue Reading Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer