State attorneys general (AGs) are among the most active and influential regulators in the U.S., using broad statutory authority, political visibility, and growing technical knowledge to shape policy and enforcement across sectors. In 2025, they asserted their authority to shape the legal and regulatory environment across the U.S. through aggressive and coordinated action. Despite changing
Key point: With a new governor taking office in New Jersey later this month, the fate of rules proposed last year to implement the New Jersey Data Privacy Act (NJDPA) will be decided by the incoming administration.
In this episode of our special 12 Days of Regulatory Insights podcast series, Ashley Taylor, co-leader of Troutman Pepper Locke’s State AG team, sits down with Privacy and Cyber chair Ron Raether to discuss how state attorneys general (AGs) are shaping the regulatory landscape for social media and the broader ad tech ecosystem.
In this episode of our special 12 Days of Regulatory Insights podcast series, Gene Fishel, a member of the firm’s RISE Practice Group and State AG team, is joined by Partner Dave Navetta of the Privacy + Cyber Practice Group, to discuss the biggest privacy and cyber enforcement themes of 2025 and preview what’s ahead for 2026.
Background
On November 6, California Attorney General (AG) Rob Bonta, Connecticut AG William Tong, and New York AG Letitia James announced a $5.1 million settlement with Illuminate Education, Inc. (Illuminate), an educational technology company that offers K-12 software solutions that enable schools and school districts to track student attendance and grades, and monitor academic progress, behavior, and mental health.
This article was originally published on October 8, 2025 on Law360 and is republished here with permission.
The U.S. Department of Defense released the final rule implementing the Cybersecurity Maturity Model Certification on Sept. 9.[1] Through the program, the DOD seeks to enhance protections for sensitive information.
Defense contractors’ efforts to ramp up their CMMC
Key point: The investigative sweep is part of a growing multistate approach to privacy enforcement actions.
On September 9, the California Privacy Protection Agency (CPPA) announced that it has initiated a joint regulatory sweep in collaboration with attorneys general (AG) from California, Colorado, and Connecticut. The sweep will target businesses’ compliance with legal requirements associated with recognition of opt-out preference signals (OOPS) and universal opt-out mechanisms (UOOMs) that consumers can use to exercise their right to opt out of online tracking technologies (i.e., targeted advertising, sales, or sharing).
Register Here
Thursday, September 25 • 1:00 – 3:10 p.m. ET
Sadia Mirza, co-leader of Troutman Pepper Locke’s Incidents + Investigations practice, Privacy + Cyber Partner Timothy St. George, and Regulatory Investigations, Strategy + Enforcement Counsel Gene Fishel, will participate in an upcoming CLE with myLawCLE to examine the nuances of navigating cybersecurity breaches.
On July 28, the New Jersey Division of Consumer Affairs issued a reminder to more than 3,000 auto dealerships regarding their obligations under the New Jersey data deletion law, N.J.S.A. § 56:12-18.1. This law, enacted and effective in January 2024, requires dealerships to offer data deletion services for consumer information stored in vehicles accepted for resale or lease. Dealerships are now on notice of their compliance obligations under the law.
On April 29, Michigan Attorney General (AG) Dana Nessel filed a lawsuit against Roku, Inc. (Roku), the smart TV and device provider and streaming service, alleging Roku violated the Children’s Online Privacy Protection Act (COPPA), federal and state privacy laws, the Michigan Consumer Protection Act, and other laws by collecting children’s personal data and selling it without proper parental consent. The lawsuit sought damages and equitable relief on behalf of Michigan consumers who subscribed to Roku’s streaming service. More information regarding this lawsuit can be found here.