Global privacy & cybersecurity law center | McDermott

Global Privacy & Cybersecurity Resource Center

Whether you are navigating the increasingly complex web of emerging privacy laws, responding to a data incident, unleashing the power of the data you collect, finding ways to safeguard the valuable information you hold, or otherwise in need of a data-based “gut check,” our Global Privacy & Cybersecurity Group provides the practical guidance to minimize risk and drive your business forward.

EU proposes sweeping reforms to the GDPR, cookie rules, Data Act, and breach reporting

On November 19, 2025, the European Commission published two proposed regulations as part of its Digital Package on Simplification – the Digital Omnibus and the Digital Omnibus on AI – containing some of the most significant changes to EU digital laws in recent years.

Mapping consumer privacy

The privacy landscape is rapidly changing as new state consumer privacy laws come into effect each year. This map tracks the states that have passed and enacted laws and provides a summary of each law.

Click on a gold state for an overview of its consumer privacy law or a blue state for an overview of its consumer health privacy law. To download a summary of all of the state consumer privacy laws, click below.

Frequently asked questions: State consumer privacy laws

General
  • The applicability thresholds vary from state to state. Most of the thresholds are driven by the number of state residents whose information a company processes in the prior 12-month period. However, some, like the California Consumer Privacy Act (CCPA), are triggered based on a company’s gross, annual revenue.

    To learn more about individual thresholds and other requirements, click on a state in the map above.

  • As of January 1, 2026, only the CCPA applies.

  • While many state privacy laws exempt nonprofit entities, not all of them do. In addition, to the extent that a nonprofit becomes a service provider to an entity regulated by a state privacy law, the nonprofit could be subject to certain requirements of state privacy law.

  • It depends on the cookie. Regulators in several states have taken the position that the use of advertising cookies – and at times analytics cookies – can constitute a “sale” of information or enable targeted marketing. In either case, companies must provide opt-out rights for these types of cookies.

    Related: Cookies and online tracking technologies

  • No. While state regulators have expressed a desire to have their state named in the privacy notice, generally speaking, companies can rely on a single privacy notice with applicability in multiple states. The exception is that if a company is subject to the Washington My Health My Data Act or Nevada’s Consumer Health Data Privacy Law, a separate consumer health privacy policy is required.

    Related: Washington legislature passes My Health My Data Act and Nevada and Connecticut pass consumer health data laws

  • No. The laws generally permit companies to rely on a single assessment so long as the assessment meets the requirements of the applicable state law.

  • GPC (global privacy control) is an HTTPS signal that browsers can broadcast to websites with an opt-out request. If you are subject to state privacy laws, many of those laws require business websites to recognize GPC signals.

  • Generally, yes. While the scope of authority for agent requests varies, state privacy laws generally allow agents to submit opt-out requests on behalf of a consumer. Many states do not explicitly allow agent requests for access, correction, or deletion requests.

  • No. While the GDPR and US state laws share the same underlying principles, state laws have introduced privacy rights and concepts that do not overlap with the GDPR and/or are more nuanced than it. It is therefore important to evaluate your existing compliance program against the requirements of US state laws.

    Related: EU proposes sweeping reforms to the GDPR, cookie rules, Data Act, and breach reporting

  • Most likely, yes. While some state laws may exempt financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA) or similar state rubrics such as the California Financial Information Privacy Act (CalFIPA), some state laws only exempt data subject to those laws and not the entity wholesale. As a result, if you are a financial institution, state privacy laws may apply to you.

    Related: Key takeaways | Navigating State Privacy Law Applicability for Healthcare and Financial Services Organizations

  • Timing depends on an organization’s annual gross revenue in 2026. Those with more than $100 million in annual gross revenue must perform cybersecurity audits in 2027. Those with $50 to $100 million must perform audits in 2028. Those with less than $50 million must begin their annual audits in 2029.

    Related: CPPA moves closer to finalizing amended CCPA regulations

  • ADMT (automated decisionmaking technology) refers to any technology that processes personal information and uses computation to replace human decisions or substantially replace human decision making. To “substantially” replace human decisionmaking means that the technology’s output is used to make a decision without human involvement.

    Related: Draft CCPA regulations stalled with applicability of ADMT rules

  • No. Only using ADMT to make a significant decision triggers ADMT rights. A “significant decision” is one that results in the provision or denial of financial or lending services, housing, education, enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.

  • No. While the CCPA is broad, other state laws have introduced privacy rights and concepts that do not overlap with the CCPA. It is therefore important to evaluate privacy obligations in each state.

    Related: Mapping consumer privacy

How to prepare for new privacy legislation

Discover legislative updates, compliance strategies, and risk management insights to help your organization stay ahead of the latest state privacy laws and regulations. Plus, find out how new state privacy laws regulating health data apply, what they require, and practical tips to implement and operationalize compliance.

Cookies and online tracking technologies

Companies face significant and increasing litigation and enforcement risks when leveraging cookies, pixels, and other website tracking technologies to support business needs. There are dozens of plaintiffs’ firms aggressively litigating hundreds of claims each month under wiretapping laws that allow $5,000 to $10,000 in statutory damages per website per person, leading to seven- to eight-figure settlements. Regulators are similarly imposing seven-figure fines and 20-year consent decrees over cookie practices that most companies implement.

Stay ahead of these challenges with the resources below – without sacrificing business objectives and while still maximizing the value of your data.

How can McDermott Will & Schulte help?

Our lawyers have deep technical experience with these issues and help companies stay ahead with practical, easy-to-implement materials that can be quickly tailored to reflect risk tolerances, data practices, and geographic needs. Our curated suite of cookie-related deliverables includes internal and external policies, consent management procedures, and guidance to accelerate compliance and reduce risk so that your company can focus on monetizing data and driving growth.

European Digital Package

Europe’s cybersecurity puzzle: NIS2 progress in 30 pieces

The European Union has introduced strict new cybersecurity laws, including the NIS2 Directive, with broad industry impact. Member states are rolling out national requirements – many with unique obligations and severe penalties for non-compliance. For companies operating in Europe, it is essential to conduct a scoping analysis and assess relevant local requirements.

Use our NIS2 monitoring tracker to stay informed on country-specific implementation timelines and obligations.

Germany’s NIS2 Law: One step away from taking effect

Unpacking the European Digital Package webinar series

The Unpacking the European Digital Package series delves into the most significant policy initiatives shaping the digital landscape in Europe: the respective EU and UK Digital Strategies. They encompass a comprehensive set of policies and legal instruments aimed at enhancing digital competitiveness, strengthening digital rights and fostering digital resilience across the European Union and the United Kingdom.

Final CMMC Rule

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. Effective December 16, 2024, the final CMMC rule applies to all DoD contractors or subcontractors that process, store, or transmit Federal Contract Information or Controlled Unclassified Information, and the service providers that support those contractor information systems.

Explore resources from our multidisciplinary team of lawyers to help federal contractors and service providers understand the new CMMC requirements and maintain eligibility for DoD contracts now and in the future.

PCI DSS 4.0

The Payment Card Industry Data Security Standard (PCI DSS) 4.0 went into effect on March 31, 2025, and it’s one of the most comprehensive data security updates in years for companies handling credit card transactions. Check out our resources to understand what has changed, where the biggest challenges lie, and how to stay compliant.