From AI governance to data breaches to influencing...


November 2025

Privacy Lawsuits Are Spiking…Is Your Website Next?

“Trap and trace” and website privacy lawsuits are on the rise nationwide. Plaintiffs’ lawyers are zeroing in on companies that use chat tools, analytics, or ad pixels without proper disclosures or consent. The common thread? Missing or outdated privacy notices.

Quick fixes to stay ahead:

  1. Post a clear, easy-to-find Privacy Notice. Tell visitors what you collect and why.
  2. Add a consent banner or cookie tool. Don’t track before getting permission.
  3. Audit your site scripts. Know what third-party tools are collecting data.
  4. Offer opt-outs. Include “Do Not Sell or Share” links if required.
  5. If you say you do it, do it. Make sure your practices match your promises.
  6. Review regularly. Laws—and lawsuits—are changing fast.

A few small updates today can save you from being the next headline tomorrow.

We help businesses stay compliant and out of court. Contact us if your site hasn’t had a privacy check-up lately.

Insights


Compliance and Social Media: What You Need to Know About Influencer Content

By: Doug Cherry


From Disclosure to Defense: A Strategic AI Governance Blueprint

By: Lloyd Wilson


Post Mortem Review of AT&T Breaches

By: Andrew DeWeese and Enisha Smith 


Legislative & Regulatory

Maryland Online Data Privacy Act (MODPA) Effective 10/1/2025:

The Maryland Online Data Privacy Act (MODPA) went into effect on October 1, 2025. Data protection assessment requirements apply to processing activities created or generated after this date. The requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.

 

Colorado Tightens Rules on Minors’ Online Data:

Effective October 1, 2025, Colorado Senate Bill (SB) 24-041 significantly amended the Colorado Privacy Act (CPA) to impose heightened obligations on entities processing personal data of minors—defined as individuals under 18 years of age.

 

Montana Consumer Data Privacy Act (MTCDPA) Amendments:

The amendments to the Montana Consumer Data Privacy Act (MTCDPA) took effect on October 1, 2025. They require any company that offers an online service, product, or feature to a consumer the controller actually knows, or willfully disregards, is a minor (defined as under 18) to use “reasonable care” to avoid a “heightened risk of harm to minors.” They also remove minimum thresholds so that the minor obligations apply to ALL companies; for all other data subjects, the threshold dropped from 50,000 to 25,000.

 

Management of Individuals’ Neural Data Act of 2025 (MIND Act):

We are watching this upcoming bill to address concerns that some have about the rapid advancement of neurotechnologies that can “read and write” to the human mind, which will apply to both implanted brain-computer interfaces (BCIs) and wearable neurotech, such as headbands, ear buds, helmets, and wristbands that detect activity from the central or peripheral nervous system.

Enforcement Actions

Toy maker took kids’ data, now must pay $500,000 fine:

On September 30, 2025, the U.S. DOJ announced a settlement with Apitor Technology Co. for collecting data on kids using the company’s robotic toys without parental consent, in violation of COPPA.

 

NY AG gets $14 million, NY DFS gets $19 million from Car Insurance Cos.:

On October 14, 2025, the NY AG’s office and the NY DFS commissioner announced parallel settlements with eight insurance companies for failing to implement security per NYDFS Cybersecurity regs to protect personal data, which was then stolen by hackers. 

 

Florida AG Sues Roku over sale of kids’ data:

On October 14, 2025, the Florida AG’s office initiated a civil enforcement action against Roku under the Florida Digital Bill of Rights and FDUTPA for collecting, selling, and re-identifying sensitive personal information about kids without getting parental consent.

 

NY Accountant fined for failing to notify breach victims:

On October 20, 2025, the NY AG’s office announced a settlement with Wojeski & Co accountants for failing to protect personal data and failing to comply with NY data breach notification laws; $60,000 fine and obligation to improve security.

 

$530,000 settlement for CCPA violations:

On October 30, 2025, the California AG’s office announced a settlement with streaming company Sling TV for failing to provide easy opt-out for sale of personal data and improper collection of kids’ data under CCPA.

 

Google settles with Texas for $1.375 Billion:

On October 31, 2025, the Texas AG’s office announced settlement of claims against Google for unlawful tracking and collection of personal data including geolocation, incognito searches, and biometric data in violation of Texas law.

Notable Data Breaches

Ex: Fairmont Federal Credit Union:

More than 187,000 affected by data breach with Fairmont Federal Credit Union.

 

Univ. of Pennsylvania:

1.2 million donor/student/alumni and internal confidential records allegedly taken via social engineering attack.

 

Ribbon Communications:

Long-term (eight-to-nine-month) breach of telecom company by nation-state attackers; extent of breach unknown.

 

Conduent Business Solutions:

10.5 million health care records stolen from major vendor to health care providers, insurers, and the U.S. government.

 

Qantas Airlines:

Five million records from previously announced breach (along with 35 million records from other breaches) released on the Dark Web by hacking group Scattered Lapsus$ Hunters.

 

Discord:

70,000 user IDs exposed in breach of Discord third-party vendor 5CA.

 

F5 Networks:

A nation-state actor had prolonged access to internal systems. Compromised data included source code for the BIG-IP platform, details about to-be-disclosed vulnerabilities, and customer configuration and implementation data.

 

Red Hat:

A Red Hat Consulting GitLab instance was compromised. The attackers copied some client data from the instance; affected clients include hundreds of businesses and government entities.

Learn more about Shumaker's Technology, Data Privacy,

Cybersecurity & AI Service Line

Contributors:

Jade Davis

Partner

Brian Focht

Senior Counsel

Doug Cherry

Partner


Nick Carr

Partner

Lloyd Wilson

Associate

Enisha Smith

Associate


Andrew DeWeese

Associate


Shumaker, 1000 Jackson St, Toledo OH 43604