Hashed & Salted | A Privacy and Data Security Update
In 2025, California once again led the way in enacting major consumer privacy regulations
As another year winds down, a look back at 2025's privacy landscape shows that attempts at passing federal comprehensive and sector-specific privacy laws continue to stall, while states continue to forge ahead on their own legislation. At the same time, multinational businesses must comply with foreign data privacy regulations, some of which are imposing increasingly strict requirements.
This past year, numerous states enacted regulations focused on data minimization, algorithmic assessments, and children and youth privacy protections. These new initiatives are creating increasingly complex compliance obligations for businesses confronted with a growing patchwork of different requirements.
Unsurprisingly, California continues to lead the way, with the California Privacy Protection Agency (CPPA) beating the administrative buzzer and finalizing major regulations under the California Consumer Protection Act (CCPA) just before the rulemaking clock reset. Through new regulations and amendments to existing regulations, many of which go into effect starting Jan. 1 of next year, the CPPA sought to enhance consumer privacy rights around opt-out mechanisms, data accuracy and transparency and to address cybersecurity audits, risk assessments and artificial intelligence tools. California's new regulations are likely to shape other states' initiatives in 2026. Whether they inspire movement on federal proposals is anyone's guess.
In our first article, "California Privacy Regulations Requiring Cybersecurity Audits and Risk Assessments: What To Know and What To Do," Jessica Lee, Loeb's chief privacy and security partner and chair of the firm's Privacy, Security & Data Innovations practice, looks at two new sets of regulations the CPPA passed in July that impose stringent annual cybersecurity audit and risk assessment obligations on businesses as early as Jan. 1, 2026.
In our second article, "California's ADMT Regulations: Shaping the Future of Responsible AI," Allison Cohen, of counsel at Loeb, explains California's new regulations governing automated decision-making technology (ADMT), the regulations' rigorous compliance requirements and how businesses can use the coming year to prepare for the Jan. 1, 2027, effective date.
One area where California isn't leading the state law charge—but isn't far behind either—is app store age verification legislation. Starting in January, state laws imposing obligations on app stores and app developers to designate suitable age range categories for apps and implement technology to track age-related data on users begin to take effect. The first is Texas' App Store Accountability Act (effective Jan. 1), followed by Utah's App Store Accountability Act (effective May 7) and Louisiana's App Store Accountability Act (effective July 1). California enacted its own app store age verification law, AB 1043, the Digital Age Assurance Act, in September 2025; it takes effect Jan. 1, 2027.
In her article "App Store Age Verification Laws Trigger New Federal and State Children's Privacy Requirements," Loeb partner Nerissa Coyle McGinn explains the significant affirmative obligations the laws impose on app developers, the potential far-reaching legal impact they may have and guidance on compliance best practices.
We're also pleased to have an article by Christopher Victory, a second-year law student at George Mason University – Antonin Scalia School of Law. Christopher interned this summer with both Loeb & Loeb and the Future of Privacy Forum through the Federal Communications Bar Association's Pipeline Program. In his article, "An Overview of South Korea and Japan Privacy Enforcement (2020 – Present)," Christopher discusses the impact of global privacy laws on U.S. multinational businesses, spotlighting laws and enforcement trends in South Korea and Japan, the obligations and penalties businesses need to understand, and the impact they have on the way businesses process personal information.
In our team member spotlight, Litigation partner J.D. Taliaferro talks about his work as a young lawyer on consumer protection issues and litigation before the Federal Trade Commission that laid the foundation for his current focus on regulatory enforcement and class action litigation, why burgeoning litigation over the impact of social media and technology on minors has his attention—both as a lawyer and as a parent—and how a legal practice focused on high-tech hasn't diminished his skill with more low-tech equipment.
In This Issue:
- California Privacy Regulations Requiring Cybersecurity Audits and Risk Assessments: What To Know and What To Do
- California's ADMT Regulations: Shaping the Future of Responsible AI
- App Store Age Verification Laws Trigger New Federal and State Children's Privacy Requirements
- An Overview of South Korea and Japan Privacy Enforcement (2020 – Present)
- Team Member Spotlight: J.D. Taliaferro
- Events Spotlight
- In Case You Missed It
- Featured Loeb Quick Takes
California Privacy Regulations Requiring Cybersecurity Audits and Risk Assessments: What To Know and What To Do
Earlier this year, the CPPA finalized a package of new and amended regulations under the CCPA that impose new cybersecurity audit and risk assessment requirements on certain businesses. The regulations, which start taking effect on Jan. 1, 2026, outline what businesses need to know about conducting annual cybersecurity audits, from timing and scope to documentation and report content. They also set out risk assessment requirements, such as stakeholder involvement, timing and annual submissions.
Read more here.
California's ADMT Regulations: Shaping the Future of Responsible AI
ADMT can impact consumers' lives in a wide variety of areas, including hiring, lending, housing, health care and education. To protect consumers, new CPPA regulations require businesses to use automated tools fairly, transparently and responsibly. Businesses that use ADMT for "significant decisions" have until Jan. 1, 2027, to comply with the regulations and should use the coming year to get ready by identifying which systems qualify as ADMT, mapping data inputs and updating privacy policies.
Read more here.
App Store Age Verification Laws Trigger New Federal and State Children's Privacy Requirements
Starting next year, state app store age verification laws begin to take effect, beginning with Texas' App Store Accountability Act (Jan. 1), followed by Utah's App Store Accountability Act (May 7) and Louisiana's App Store Accountability Act (July 1). California's Digital Age Assurance Act, passed in September, will take effect on Jan. 1, 2027. While their names suggest they are focused on regulating app stores, these laws also impose significant affirmative requirements on app developers. They also have the potential to trigger far-reaching legal obligations and liabilities under federal and state children's privacy laws.
Read more here.
An Overview of South Korea and Japan Privacy Enforcement (2020 – Present)
Privacy laws in South Korea and Japan have been shaping the way multinational businesses process personal information for the past five years, with raised expectations and stricter oversight. Enforcement actions have resulted in multimillion-dollar fines against U.S. businesses for collecting data without proper consent, security failures and undisclosed overseas processing. Understanding South Korea's and Japan's respective regulations, including their scope, administration and penalties, is key in navigating complex compliance challenges in an evolving global privacy landscape.
Read more here.
Team Member Spotlight: J.D. Taliaferro
How did you develop your area of focus?
I developed my area of focus in an old-fashioned way. At my prior firm, two partners had been at the Federal Trade Commission, and they had a practice advising clients on consumer protection issues and defending litigation in the consumer protection area. I began working on their matters. In particular, I defended a company that had sold about $100 million in dietary supplements. We reached a favorable settlement with the FTC and that company is still a client today.
What is exciting you/grabbing your attention right now?
Obviously, the regulation of Big Tech and privacy considerations continue to be at the forefront of the FTC's actions. Both as a parent and as a lawyer, burgeoning litigation over the impact of social media and technology on minors is grabbing my attention. Finally, the politicization of consumer protection enforcement actions (both from the left and from the right) is creating regulatory uncertainty for clients. Navigating those actions requires both political understanding and legal skills.
What would people be surprised to learn about you?
I grew up in a large-scale cash grain farming and brokerage family business in southern Virginia. My cousin runs it today, and although I've been reduced to a passive landlord, I can still operate the machinery.
Events Spotlight
- Jessica Lee, Loeb's chief privacy and security partner and chair of the firm's Privacy, Security & Data Innovations practice, spoke on the panel "Retail Media Networks' Expanding Role in the AdTech Ecosystem" on Nov. 13 at the IAB State Privacy Law Summit in New York, sponsored by Loeb & Loeb LLP.
- Caroline Hudson, deputy chair of the firm's Privacy, Security & Data Innovations practice, moderated the IAB's Commerce Media Network Workshop on Nov. 12, hosted at Loeb & Loeb LLP in New York. The event offered participants a practical and strategic deep dive into the legal frameworks shaping the development and operation of commerce media networks, which employ first-party data to power targeted, measurable campaigns.
- Loeb & Loeb sponsored the 2025 ANA Masters of Advertising Law Conference in Chicago Nov. 3 – 5. Liz Allen, chair of the Emerging Technologies practice, and partner John Monterubio gave the mainstage presentation, "When the Ad Writes Itself: Legal Implications of Agentic AI in Advertising." Associate Sarah Rubenstein Polak and Emerging Technologies Specialist Gian Pastore presented the breakout session panel "The Genius Act Playbook: Unlocking Stablecoin Issuance for Non-Financial Brands."
- Jessica Lee participated in the panel "Beyond the Buzz: Practical Approaches to Governing AI in Adtech" at the second annual IAB Privacy Compliance Salon in San Diego on Oct. 29, sponsored by Loeb & Loeb LLP. She also spoke at the breakout session "Auditing the Algorithm: Data Governance and Risk Mitigation in AI-Powered Adtech," along with Privacy, Security & Data Innovations Deputy Chair Robyn Mohr.
In Case You Missed It
California Governor Signs Law Requiring In-Browser Opt-Out Preference Signal
Jessica Lee is featured in an article published by IAPP discussing new privacy-focused legislation—the California Opt Me Out Act—which requires social media companies to implement easier account cancellation mechanisms that automatically delete users' personal data. In the article, Jessica highlights the complexity of implementing opt-out mechanisms and properly informing consumers.
Episode 2 of Loeb's podcast series about the business of entertainment turns the dial straight to identity protection—because in 2025, it's getting harder to know whether the person you're seeing online is the real deal ... or a very convincing AI copy. Anne Kennedy Maguire, deputy chair of Loeb's Entertainment practice and chair of our Podcast practice, talks with Brandon Bauman, chief strategy officer of Loti AI, about helping artists, talent and other public figures control how they appear and are represented online.
Featured Loeb Quick Takes
AI in Robotics: Key Contract and Legal Risks
Recap—When the Ad Writes Itself: Navigating the Legal Frontier of Agentic AI in Advertising
The NAI Sunsets Its Legacy Opt-out Tools
FTC Issues Orders to Companies Providing AI Chatbots