Here are some recent privacy and cybersecurity related news stories that caught our attention over the past couple of weeks.

CPPA Board Adopts CCPA Regulations on ADMT, Risk Assessments, Cybersecurity Audits and Reopens Public Comment on DROP Requirements

On July 24, 2025, the California Privacy Protection Agency (CPPA) Board held a public meeting to finalize major amendments to the CCPA regulations, including rules on Automated Decision-Making Technology (ADMT), risk assessments, cybersecurity audits, and insurance companies. However, the Board opted to revisit the Delete Request and Opt-Out Platform (DROP) regulations, reopening those rules for further public input.

Key Highlights

1. Adoption of CCPA Regulations on ADMT, Risk Assessments, and Cybersecurity Audits
The CPPA unanimously approved regulations that expand the rules’ focus from the CCPA’s core scope of consumer privacy to also regulate cybersecurity and AI decision-making.

2. DROP Regulations Reopened for Public Comment

The CPPA declined to adopt the DROP regulations in their current form, instead reopening them for public input with several proposed changes.

Read the full article here.

The Minnesota Consumer Data Privacy Act

The Minnesota Consumer Data Privacy Act takes effect July 31, 2025. The Minnesota measure has a few unique requirements among state comprehensive privacy law. Here are a few that deserve a second look:

• Controllers shall maintain an inventory of personal data.
• A controller may not retain personal data that is no longer relevant and reasonably necessary to the purposes for which the data was collected.
• Controllers must document the policies and procedures adopted to comply with the law.
• Consumers may question the results of a controller’s profiling decisions.
• Controllers must maintain records of all appeals and responses for at least 24 months.

To read more about applicability click here.

D.C. Circuit Narrows Who Qualifies as a “Consumer” Under the VPPA

To bring a claim under the Video Privacy Protection Act (VPPA), a plaintiff must qualify as a “consumer,” which the statute defines as any renter, purchaser, or subscriber of goods or services from a video tape service provider. In Pileggi v. Washington Newspaper Publishing Company, LLC, the D.C. Circuit clarified that this definition requires a direct subscription to video content. Simply subscribing to another product or service, such as an email newsletter, does not suffice if the videos are offered separately on the company’s website. The plaintiff in Pileggi subscribed to the Washington Examiner’s newsletter, but her complaint alleged only that her viewing activity on the website’s videos was shared with a third party. It did not claim that the Washington Newspaper transmitted video content to a third party from the newsletter itself. Because her subscription was limited to the newsletter and not to videos available on the website, the court held that she had not established the necessary consumer relationship under the VPPA. Accordingly, the D.C. Circuit affirmed the lower court’s dismissal of the case.
 

The bottom line:
The ruling significantly narrows the pool of potential VPPA plaintiffs and defendants. The ruling is likely to reduce lawsuits using the VPPA as a mechanism for challenging the use of pixels and tracking technologies on websites. Companies that make videos available as a secondary feature of their websites now face less risk, provided users have not subscribed to video services themselves. Notably, plaintiffs continue to file hundreds of privacy complaints each week, so the decision may signal a shift away from VPPA claims but not a broader slowdown in pixel-related litigation.

What you need to do:
Businesses should evaluate how they host and distribute video content and use website tracking technology, along with how their consent practices are structured. Plaintiffs may attempt to test the limits of the ruling by arguing that integrated offerings (e.g., newsletters with embedded or linked videos) still create a qualifying consumer relationship. Companies facing VPPA lawsuits should also take note of Judge Randolph’s concurrence, which argued that the Washington Examiner did not qualify as a “video tape service provider” under the VPPA at all. He described the statute as outdated and “largely obsolete” in today’s digital environment, a signal that may make other courts challenge the VPPA’s relevance. 

Uncertain Boundaries: How Courts and Regulators View the Sharing of Health-Related Article Titles

Recent regulatory actions and court decisions highlight growing uncertainty over whether sharing article title data from webpages amounts to disclosure of sensitive health information under privacy laws.

Consider a consumer casually browsing the open internet, not logged into a hospital portal, and clicking on articles such as “Managing Life After a Diabetes Diagnosis” or “Understanding Early Symptoms of Depression.” If the URL or article title is then transmitted to an advertising platform through a cookie or pixel, does that constitute disclosure of sensitive health information?