Effective September 12, 2025, the EU Data Act introduced new rules on access to and sharing of data from certain products and services in business-to-consumer (B2C), business-to-business (B2B), and business-to-government (B2G) contexts. This alert highlights the key obligations. The EU Data Act applies to any business offering products or services in the EU, regardless of its location.Continue Reading EU Data Act Enters into Force

On September 9, 2025, the attorneys general of California, Colorado, and Connecticut and the California Privacy Protection Agency (CPPA) announced a joint investigative sweep of potential failures by businesses to honor consumers’ rights to opt

Continue Reading State AGs Unveil Investigation Sweep Targeting Businesses Ignoring Consumer Opt-Out Signals

On August 11, 2025, the U.S. District Court for the Northern District of California denied a motion to dismiss a California Invasion of Privacy Act (CIPA) class action lawsuit filed against ConverseNow Technologies, Inc. ConverseNow

Continue Reading U.S. Federal Court Allows CIPA Class Action Against AI Customer Service Provider to Proceed

On September 3, 2025, the EU General Court (the General Court) (the second-highest court in the European Union (EU)) upheld the validity of EU-U.S. Data Privacy Framework (DPF) in Philippe Latombe v European Commission (T-553/23).

Continue Reading EU Court Upholds the Validity of the EU-U.S. Data Privacy Framework

On July 24, 2025, the California Privacy Protection Agency (CPPA) Board voted to approve a long-awaited rulemaking package imposing substantial new compliance obligations on businesses subject to the California Consumer Privacy Act (CCPA). The package contains finalized rules on AI-related, automated decision-making technologies (ADMT), cybersecurity audits, and risk assessments, as well as updates to existing CCPA regulations. These regulations will impact a broad swath of businesses handling personal information of California residents.

The CPPA Board’s approval of the new regulations is the culmination of a year-long process that began when the agency first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024 (analyzed in prior Wilson Sonsini client alerts). In April and May 2025, the Board grappled with public concerns from hundreds of public comments on the draft regulations, analyses of which can be found in these recent client alerts.

In addition, the CPPA Board approved modifications to the proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) mandated by the Delete Act (discussed in a prior post). These modifications will be subject to a new 15-day public comment period once the agency publishes official notice of the changes.Continue Reading CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations

On July 23, 2025, the White House announced its long-awaited comprehensive AI Action Plan titled “Winning the AI Race: America’s AI Action Plan” (the Plan). The Plan is aimed at positioning the U.S. as the global leader in AI and is a follow up to President Donald Trump’s January 23, 2025, Executive Order on “Removing Barriers to American Leadership in Artificial Intelligence,” which revoked the Biden Administration’s prior AI Executive Order (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence). The AI Action Plan contains more than 90 policy actions related to three key pillars: 1) Accelerating AI Innovation, 2) Building American AI Infrastructure, and 3) Leading in International AI Diplomacy and Security. This alert touches on all three pillars with a focus on the first, which outlines the Trump Administration’s strategic vision and policy recommendations to drive innovation in the American AI sector.Continue Reading White House Releases America’s AI Action Plan