Privacy Law

California's Long Arm: You're Likely Already Subject to These Laws

A common misconception persists that California privacy laws only apply to California-based companies. In reality, if you do business anywhere in the United States and meet certain thresholds such as processing personal information of California residents, you're subject to the California Privacy Rights Act (CPRA). Given California's population of nearly 40 million people, most U.S. companies inevitably interact with California consumers, bringing them within the CPPA's jurisdiction.​

The CPPA has made it clear that it intends to exercise this broad authority. In late 2025, the agency issued a record-breaking $1.35 million fine against Tractor Supply Company for multiple violations. Notably, this wasn't a data breach case, these were operational compliance failures that any business could face, including:​

• Failing to honor consumer opt-out requests within the required 15-day timeframe​
• Ignoring Global Privacy Control (GPC) signals from consumers' browsers​
• Maintaining inadequate service provider and contractor agreements that lacked required data protection provisions​
• Failing to conduct required annual reviews and updates of privacy policies​

What makes this enforcement action particularly concerning is that the CPPA investigated practices dating back to January 2020. Legacy compliance gaps or the complete absence of a privacy program can result in significant liability years later.​

New Cybersecurity Audit Requirements Take Effect January 1, 2026

California has finalized groundbreaking cybersecurity audit regulations under the CCPA that officially take effect on January 1, 2026. While businesses have staggered deadlines for submitting their first audit certifications based on revenue size, the compliance work begins immediately:​

• April 1, 2028: Businesses with annual revenues over $100 million (for 2026 revenue year)​
• April 1, 2029: Businesses with revenues between $50-100 million (for 2027 revenue year)​
• April 1, 2030: Businesses with revenues under $50 million (for 2028 revenue year)​

These regulations require comprehensive annual cybersecurity audits covering critical areas including:​

• Secure user authentication and access controls
• Encryption of personal information
• Personal information inventory and management
• Vulnerability scanning and penetration testing
• Audit-log management and network monitoring
• Vendor and third-party risk management
• Network defenses and segmentation

Businesses must prepare detailed audit reports documenting the review scope, policies assessed, evaluation criteria, identified compliance gaps, and remediation plans. All audit records must be retained for five years, and companies must submit written certifications of compliance to the CPPA annually, signed under penalty of perjury by appropriate executive leadership.​

Startups: Building Privacy Into Your Foundation

For startups, the temptation to defer privacy compliance until "later" can be strong. However, this approach carries significant risks. Investors increasingly conduct privacy due diligence as part of funding rounds and customers, particularly enterprise clients, expect robust data protection practices from day one.​

Building a solid privacy foundation early prevents costly retrofitting as you scale. Key priorities for startups include:

• Privacy-by-design architecture: Implementing data minimization, purpose limitation, and security controls at the product development stage
• Compliant vendor contracts: Ensuring all third-party service providers have appropriate Data Processing Agreements (DPAs) and security obligations
• Privacy policy accuracy: Drafting clear, comprehensive privacy notices that actually reflect your data practices
• Consent mechanisms: Implementing lawful consent collection that avoids "dark patterns"

Remember that the CPPA can investigate practices from years past. Starting with compliant systems is far more cost-effective than defending an enforcement action later.

AI Companies: Navigating Heightened Regulatory Scrutiny

Companies leveraging artificial intelligence face unique privacy challenges in 2026. Regulatory focus on AI technologies is intensifying, particularly around:​

• Automated decision-making disclosures: Requirements to inform consumers when AI systems make significant decisions affecting them
• Data minimization: Ensuring AI training datasets don't include unnecessary personal information
• Biometric and health data: Enhanced protections for sensitive information categories commonly processed by AI systems​
• Purpose limitation: Restricting AI model training and deployment to purposes disclosed to consumers

AI companies should also anticipate increased scrutiny of their vendor relationships. If you're using third-party AI services or providing AI tools to clients, ensuring proper contractual protections and liability allocations is critical.

The Mandatory Annual Privacy Review: More Than Just Policy Updates

The CPRA requires businesses to conduct annual reviews of their privacy policies. Tractor Supply's enforcement action highlighted the consequences of failing to meet this obligation—the company hadn't updated its privacy policy for years despite changes in its data practices.​ An effective annual privacy review should include:

• Policy-to-practice alignment: Verifying that your privacy notice accurately describes current data collection, use, and sharing practices
• Vendor assessment: Reviewing all service provider and contractor relationships to ensure compliant agreements and actual compliance
• Consumer rights infrastructure: Testing your processes for handling access, deletion, opt-out, and correction requests
• New regulatory developments: Incorporating changes in applicable laws and CPPA guidance 
• Dark patterns audit: Ensuring consent interfaces don't manipulate or pressure users​

Current CPPA Enforcement Priorities

Based on 2025 enforcement actions and regulatory guidance, the CPPA is prioritizing several areas:​

Global Privacy Control (GPC): Businesses must honor GPC signals sent from consumers' browsers and devices. Under CCPA 2026 requirements, GPC support has transitioned from optional best practice to mandatory obligation. Failure to process GPC signals as valid opt-out requests is a violation.​

Dark Patterns: The CPPA defines dark patterns as any method that "substantially subverts or impairs user autonomy, decision making, or choice, regardless of a business's intent". Both the CCPA and CPRA state that each violation is subject to a $2,500 fine, or $7,500 if intentional. Consent obtained through dark patterns is void.​

Service Provider and Contractor Agreements:  Many businesses overlook the requirement for compliant vendor contracts. Every service provider and contractor that processes personal information on your behalf must have an agreement containing specific CPRA-required provisions, including data protection obligations, limitations on data use, and audit rights.​

Opt-Out Request Processing: Businesses must process consumer opt-out requests within 15 days. The CPPA is actively investigating companies that fail to meet this deadline or that create barriers to exercising opt-out rights.​

Multi-State Coordination: The CPPA is increasingly collaborating with privacy regulators in Colorado and Connecticut on joint investigations. Expect privacy enforcement to become more coordinated across state lines in 2026.​

Practical Steps for 2026 Compliance

To position your business for success in 2026's enforcement environment:

• Conduct a privacy gap analysis: Identify where your current practices fall short of CPRA requirements
• Update vendor contracts: Ensure all service provider and contractor agreements include required CPRA provisions
• Implement GPC detection: Configure your website and services to recognize and honor Global Privacy Control signals
• Audit consent mechanisms: Remove any dark patterns from cookie banners and consent interfaces
• Document your annual review: Create a written record of your privacy policy review process and findings
• Prepare for cybersecurity audits: Begin implementing the technical and organizational measures required by the new audit regulations
• Train your team: Ensure employees understand privacy obligations, particularly those handling consumer requests

Why Professional Privacy Counsel Matters

Privacy compliance isn't a one-time checklist, it's an ongoing operational requirement that touches every aspect of your business. The Tractor Supply enforcement action demonstrates that seemingly minor operational gaps can result in seven-figure fines.​

Working with experienced privacy counsel helps you:

• Draft and maintain compliant privacy policies, cookie notices, and consent mechanisms
• Negotiate and review vendor Data Processing Agreements
• Implement efficient processes for handling consumer rights requests
• Stay current with rapidly evolving regulatory guidance and enforcement priorities
• Conduct meaningful annual reviews that actually improve your compliance posture
• Prepare for and respond to regulatory inquiries

Looking Ahead

Privacy enforcement will only intensify in 2026. With new cybersecurity audit requirements taking effect, continued CPPA enforcement actions, and multi-state regulatory coordination, proactive privacy management is no longer optional, it's a business necessity.

Whether you're a startup building your first privacy program, an AI company navigating new regulatory requirements, or an established business needing to strengthen your compliance posture, getting expert guidance early prevents costly problems later.

Ready to strengthen your privacy compliance for 2026? Book a free consultation to discuss your specific needs: https://www.lloydmousilli.com/calendar 

Disclaimer: Privacy laws and enforcement priorities can change rapidly. Readers are advised to consult current privacy guidance or legal counsel for the most up-to-date compliance strategies.

Step 1: Map Your Data

• List what personal data you collect (names, emails, payment info, IP addresses, etc.).
• Identify where it’s stored (databases, spreadsheets, SaaS tools, cloud).
• Track who has access (employees, contractors, vendors).
• Write down the purpose for each category of data—delete anything without a purpose.
• L&M Tip: Use a living data map you update as your business grows.

Step 2: Match Policy to Practice

• Draft a privacy policy that reflects your real practices, not a generic template.
• Avoid false promises: don’t say 'we never share data' if you use analytics or ads.
• Tailor for laws like California CPRA, Virginia VCDPA, or Colorado CPA.
• L&M Tip: Treat your privacy policy like a contract you must live up to.

Step 3: Lock Down Vendors

• Audit every vendor or SaaS provider that processes customer data.
• Sign Data Processing Agreements (DPAs) whenever possible.
• Clarify roles: know who is the 'controller' and who is the 'processor.'
• L&M Tip: Investors increasingly ask about vendor risk—have answers ready.

Step 4: Set Retention Rules

• Decide how long you keep data (e.g., delete inactive accounts after 24 months).
• Document and publish a retention schedule.
• Automate deletion with Software as a Service tools to reduce manual error.
• L&M Tip: Keeping unnecessary data only increases risk in a breach.

Step 5: Review and Update Regularly

• Update your policy at least every 12 months, or sooner if you add new tools or markets.
• Track version history to show compliance maturity.
• L&M Tip: Regulators expect continuous monitoring, not one-time drafting.

Step 6: Plan for Consumer Rights

• Prepare workflows for data access, correction, and deletion requests.
• Respond within 30–45 days as required by most laws.
• Log every request and response for audit defense.
• L&M Tip: A single mishandled request can trigger regulator scrutiny.

Step 7: Publish Transparently

• Put your policy in visible places: website footer, app signup, account settings.
• Use plain, human-readable language—avoid legalese.
• State your commitment to security (e.g., encryption, staff training).
• L&M Tip: Transparency builds trust and is a competitive advantage.

How Lloyd Mousilli Can Help

At Lloyd Mousilli, we help startups and business owners turn privacy compliance from a burden into a strength. Our team supports you with:

• Drafting privacy policies that reflect your practices and meet legal requirements.
• Negotiating and preparing Data Processing Agreements with vendors.
• Creating and documenting data retention policies that reduce liability.
• Designing compliance workflows that scale as your company grows.
• Preparing you for investor due diligence, audits, and customer trust reviews.

Whether you need a quick review of your policy or a full compliance program, Lloyd Mousilli is your partner for future-proof privacy solutions.

Don’t wait until regulators, investors, or customers spot weaknesses. Protect your business now with Lloyd Mousilli’s tailored privacy compliance support.

What Is Meta Pixel and Why Does Privacy Matter?

Meta Pixel is a small piece of code you add to your website to track things like page visits, purchases, or clicks. It helps you create better ads and understand your audience. But here’s the catch: it collects personal info like IP addresses and browsing habits, which privacy laws consider sensitive.

Laws like CCPA (in California) and GDPR (in Europe) require you to be upfront about what data you collect and give users control over it. If you don’t follow these rules, you could face big fines—think thousands per violation in California or millions under GDPR—and lose customer trust. Let’s make sure you’re covered with simple, practical steps.

Write a Clear Privacy Policy

Your privacy policy is like a promise to your customers about how you manage their data. When using Meta Pixel, make sure it explains:

• What Data You Collect: Mention things like IP addresses, pages visited, or purchase details tracked by MetaPixel.
• Why You Collect It: Be clear that it’s for ads, analytics, or improving customer experience.
• Who Gets the Data: Say that Meta (and sometimes its partners) receives this info and note if data is sent outside your country (like to the U.S.).
• Customer Rights: Let users know they can ask to see, delete, or opt out of their data being shared. For example, California customers can say “don’t sell my info,” and European customers can request their data be removed.
• How to Reach You: Include an email or contact form for privacy questions.

Use plain language. Instead of saying, “We process data for analytical purposes,” try, “We use Meta Pixel to see how you use our site so we can make better ads.”

Create a User-Friendly Cookie Policy

Meta Pixel uses cookies (small data files stored on a user’s device) to track activity, so you need a cookie policy that’s easy to understand. It should:

• List Cookie Types: Explain the difference between essential cookies (needed for your site to work),performance cookies (for analytics), and advertising cookies (like Meta Pixel for targeted ads).
• Mention Meta Pixel: Clearly state that Meta Pixel uses cookies to track actions like purchases to help with ads.
• Give Users Control: Use a cookie consent pop-up that lets users choose to accept or reject non-essential cookies. Make sure it’s easy to find and use.
• Link to Settings: Add a “manage cookies” link in your site’s footer so users can change their choice slater.

Check your site regularly to make sure your cookie policy matches the trackers you’re actually using.

Get Clear Consent from Users

Privacy laws, especially in Europe, require you to get clear permission before setting non-essential cookies like Meta Pixel. To do this right, make users choose their cookie preferences before they can interact with your website. Here’s how:

• Show a pop-up as soon as users arrive, asking them to accept, reject, or customize cookie settings. Don't let them use the site until they pick an option. This ensures no cookies (except essential ones) are set without their okay.
• Explain what they're agreeing to in simple terms, like, "We use cookies to show you better ads."
• Avoid sneaky tactics, like pre-checked boxes or hiding the "reject" button.
• For California users, add a "Do Not Sell My Personal Info" link to let them opt out of data sharing with Meta.

This approach builds trust and meets strict privacy rules by putting users in control from the start.

Practice Tips for Using Meta Pixel Safely

Here are six simple steps to stay compliant while using MetaPixel:

1. Require User Consent First: Set up your website so users must choose their cookie preferences (accept, reject, or customize) before any non-essential cookies, like Meta Pixel, are activated or they can fully use the site.
2. Check Your Risks: If you’re sending data across borders (like to Meta’s U.S. servers), do a quick risk assessment to spot any privacy concerns, as required by GDPR.
3. Collect Only What You Need: Setup Meta Pixel to track specific actions (like “Add to Cart”) instead of everything, reducing the data you collect.
4. Secure Data Transfers: If you’re global, follow rules like the EU-U.S. Data Privacy Framework to safely send data to Meta.
5. Update Policies Yearly: Review your privacy and cookie policies every year—or sooner if you change how you use Meta Pixel or if new laws pop up.
6. Train Your Team: Make sure your marketing and tech teams know the rules to avoid mistakes, like turning on Meta Pixel without a consent pop-up.

Why Compliance Matters

Following privacy laws when using Meta Pixel keeps your business safe and builds trust with customers. Here’s why it’s a big deal:

• Avoid Big Fines: Breaking GDPR can cost you up to €20 million or 4% of your yearly revenue. In 2022, France fined Meta €60 million for cookie issues. CCPA fines can hit $7,500 per violation.
• Reduce Lawsuit Risks: Lawsuits are on the rise under laws like California’s CIPA or the Video PrivacyProtection Act. For example, in 2025, Eisenhower Medical Center settled a class-action lawsuit for $875,000, accused of sharing patient health data, like appointment details, with Meta via Pixel without consent. Another ongoing case, In re Meta Pixel Healthcare Litigation (filed 2022, updated 2025), claims Meta collected sensitive health data from 664 hospitals, violating privacy laws. A clear cookie policy and upfront consent help protect you.
• Build Customer Trust: A2023 Pew Research study showed 81% of Americans think companies collect too much data. Being open about Meta Pixel and giving users control builds trust and keeps customers coming back.
• Stay Ahead of Regulators: Regulators are cracking down. California’s 2024 checks targeted Meta Pixel misuse, and EU authorities often audit cookie practices. Staying compliant keeps you safe.
• Prepare for New Rules: New privacy laws in places like Texas and Europe's updated ePrivacy rules mean stricter standards. Acting now saves you from costly changes later.

Wrap-Up: Make Compliance a Win for Your Business

Using Meta Pixel the right way doesn’t have to be complicated. By requiring users to choose cookie settings upfront, writing clear policies, and following smart practices, you can stay legal and show customers you care about their privacy. This builds trust, protects your business, and lets you keep using powerful tools like Meta Pixel without worry.

Not sure where to start? Talk to one of our privacy attorneys to make sure your policies are solid, and your business is ready for today’s privacy-first world.

The CCPA’s Annual Update Requirement

The California Consumer Privacy Act (CCPA), effective since January 1, 2020, has set a new standard for data privacy in the United States. Among its many provisions, one key requirement is the obligation to update privacy policies at least once every 12 months. This mandate is more than a mere formality—it’s a crucial step in ensuring transparency and responsible data management.

The rationale behind this annual update is simple yet significant. The ways in which personal data is collected, used, and shared are constantly changing due to technological advancements and shifts in consumer behavior. By requiring businesses to update their privacy policies annually, the CCPA ensures that consumers are kept informed about the latest practices and technologies that impact their personal information. This not only helps protect consumer rights but also fosters trust between businesses and their customers.

Key Elements to Include in Your Privacy Policy

When updating your privacy policy, it’s essential to reflect any changes in your business operations that could affect data privacy. Here are some critical elements to include to ensure compliance with the CCPA and other emerging privacy regulations:

• Categories of Personal Information Collected: Clearly outline the types of personal information your business collects. This may include identifiers such as names and addresses, commercial information, biometric data, and internet activity. If your business has begun collecting new types of data, ensure these are incorporated into your policy.
• Purpose of Data Collection: Explain the reasons behind your data collection practices and how the information will be used. This transparency is vital in building consumer trust. If new products or services have been introduced, ensure that these purposes are updated in your policy.
• Consumer Rights: Detail the rights consumers have under the CCPA, including the right to know, the right to delete, and the right to opt-out of the sale of their personal information. Any changes in how these rights are facilitated should be clearly communicated.
• Data Sharing Practices: Disclose whether personal information is shared with third parties and, if so, identify the categories of those third parties. Updates should reflect any new partnerships or changes in data-sharing practices.
• Contact Information: Provide clear instructions on how consumers can contact your business to exercise their rights or ask questions about your privacy practices. Ensure that any changes in contact details or procedures are reflected in the policy.
• Jurisdiction and Country Expansions: If your business has expanded into new jurisdictions or countries, or if your user base has become more international, your privacy policy must reflect compliance with all relevant regulations. This is particularly important as different regions have varying privacy laws.

By addressing these elements, your business can mitigate the risks associated with non-compliance and ensure that your privacy policy accurately reflects your current data practices. Taking a proactive approach not only helps in maintaining compliance but also strengthens consumer trust in your brand.

Staying Ahead of Emerging Privacy Laws

While the CCPA is a cornerstone of U.S. data privacy regulation, it is not the only law that businesses must consider. Other states, such as Virginia with its Consumer Data Protection Act (CDPA) and Colorado with its Privacy Act (CPA), have enacted their own privacy laws. Additionally, the European Union’s General Data Protection Regulation (GDPR) continues to influence global privacy standards.

Looking ahead, several new privacy laws are set to come into effect in 2024 and 2025, including the EU’s Digital Services Act (DSA), which imposes new obligations on online platforms and intermediaries. To ensure your privacy policy remains compliant with these evolving regulations, consider the following steps:

• Regular Legal Reviews: Conduct regular reviews of your privacy policy with the assistance of legal experts. This will help you stay informed about new laws and amendments to existing ones, such as the upcoming EU DSA and other state-specific regulations.
• Cross-Jurisdictional Compliance: If your business operates in multiple states or countries, ensure your privacy policy addresses the requirements of all relevant jurisdictions. This may involve creating separate sections for different regions or a comprehensive policy that covers all applicable laws.
• Technological Advancements: Stay informed about technological advancements that may impact data privacy, such as the increasing use of artificial intelligence and machine learning in data processing.

Conclusion

Updating your privacy policy annually is not just a legal obligation under the CCPA—it is a critical practice that demonstrates your commitment to protecting consumer privacy. With new privacy laws emerging, staying informed, and regularly reviewing your privacy practices is more important than ever. Failure to comply can result in severe penalties and damage to your reputation.

As privacy laws continue to develop, businesses must remain proactive in their approach to data protection. An up-to-date privacy policy is essential to safeguarding consumer rights and maintaining the integrity of your business operations. Don’t wait until it’s too late—ensure your privacy policy is compliant and reflects the latest legal requirements.

Contact us today to review your legal documents and stay ahead of the regulatory curve. Let us help you navigate the complexities of data privacy and protect your business from potential risks. Your commitment to privacy starts with a comprehensive and current privacy policy. Reach out now to secure your compliance and build trust with your consumers.

Scope and Applicability

The Texas Privacy Law aims to protect the privacy rights of individuals residing in Texas. It applies to businesses that collect, process, store, or disclose personal information of Texas residents, regardless of the business's physical location. This broad applicability underscores the commitment of the state to safeguarding personal data and ensures that both local and global organizations must comply with the law.

Consumer Rights and Control

One of the notable aspects of the Texas Privacy Law is the emphasis on consumer rights and control over personal information. The law grants Texas residents the right to know what personal information businesses collect and how it is used, as well as the right to access and delete their personal data. This increased transparency empowers individuals to make informed decisions about their privacy and exercise greater control over their personal information.

Consent and Opt-Out Mechanisms

The law introduces stricter consent requirements for businesses, mandating that they obtain affirmative consent from consumers before collecting or processing their personal data. It also strengthens opt-out mechanisms, enabling individuals to easily withdraw their consent for data processing at any time. These provisions reinforce the principle of consent as a cornerstone of privacy and give individuals more agency in determining how their personal information is managed.

Data Breach Notification

To ensure timely and effective responses to data breaches, the Texas Privacy Law establishes stringent requirements for data breach notification. Businesses are now required to promptly notify affected individuals in the event of a breach that poses a significant risk of harm, allowing them to act appropriately to protect themselves from potential harm resulting from the breach. The law also imposes reporting obligations on businesses, mandating them to inform the Texas Attorney General of certain breaches.

Compliance and Penalties

To enforce compliance, the Texas Privacy Law provides the state Attorney General with authority to investigate and enforce violations. Non-compliant businesses may face substantial penalties, including fines and injunctive relief. Compliance with the law necessitates the implementation of robust privacy practices, including privacy policies, data protection measures, and mechanisms for addressing consumer inquiries and requests.

Conclusion‍

The introduction of the new Texas Privacy Law marks a significant step forward in enhancing privacy rights and data protection for residents of the Lone Star State. By granting individuals greater control over their personal information and imposing obligations on businesses to ensure transparency and accountability, the law aligns Texas with the global privacy movement. Companies operating or having customers in Texas  must now prioritize privacy compliance to maintain consumer trust, avoid penalties, and demonstrate their commitment to protecting personal data.

While the implementation of the Texas Privacy Law may require businesses to adjust their data handling processes, it serves as a reminder that privacy is not just a legal obligation but a fundamental right that deserves respect and protection in the digital age. By embracing these privacy-enhancing measures, organizations can foster a culture of trust, establish a competitive advantage, and contribute to a more privacy-conscious society. If you need a review of your existing privacy compliance, please reach out to Lloyd & Mousilli to help.