For two years, the legal technology conversation has turned on a single premise, that artificial intelligence can read a contract. It can.

In due diligence, where the review of hundreds or thousands of agreements once set the cost and the calendar, a well-pointed model now does in an afternoon what a team of associates needed two weeks to finish. The most labor-intensive phase of diligence has become, for practical purposes, nearly free.

The temptation is to treat that as the whole victory. In my experience it is not. Compressing the middle of a process does not eliminate the work that surrounds it. It moves that work to the two ends, and those ends are where legal AI is least useful. Cross-border technology M&A makes the point as well as any practice I know.

A Process That Resembles a Software Build

It helps to look at diligence the way an engineer looks at building software. Software moves through three phases, architecture, engineering and deployment. Due diligence moves through three of its own, scoping, issue identification and remediation. In both, the middle phase was historically the constraint. Engineering consumed the calendar, and issue identification consumed the associates who read every contract and flagged every clause.

Coding assistants compressed the first of those phases. Legal AI is compressing the second. The consequence is the same in each case. When the middle of a process is no longer the bottleneck, the work that determines the outcome shifts to the front and the back. Engineers spend their judgment on architecture and deployment. Diligence lawyers should spend theirs on scoping, which decides what to examine, and on remediation, which decides what the findings mean. Those phases turn on judgment rather than volume, and judgment is the thing the model does not provide.

The Familiar Problem of Garbage In, Garbage Out

A fast engine will carry out a poor instruction faithfully. Point legal AI at a loosely scoped review and it returns 500 findings, of which perhaps 50 bear on the transaction. The fee a team thought it had saved comes back as the labor of sorting the pile, and a deal-defining issue can sit in that pile receiving the same brief attention as the boilerplate around it.

This is the part of the story that tends to go unmentioned. The model surfaces everything, which means a person still has to decide what everything means. A tool that makes identification cheap raises the value of the scoping that comes before it and the remediation that follows. It does not lower it.

Where the Judgment Lives, In Practice

The point is clearest in the diligence of a modern software company, which is global whether or not anyone planned it that way. Code is written wherever the engineers live. Intellectual property is created across jurisdictions. A target with modest revenue can carry employees, data, and tax exposure in a dozen countries without a single foreign office. The central scoping question becomes geographic. Which jurisdictions deserve real scrutiny, and which do not.

That question rests on a distinction a model will not draw reliably on its own, the difference between a few foreign employees and a genuine foreign operating footprint. A handful of remote engineers in three countries presents real but bounded risk, usually handled with focused local employment advice. Running a full review in each of those countries spends money to disprove a risk that was never material. A company that genuinely operates abroad is a different matter, and two questions reward careful attention. The first is whether the company owns its intellectual property at all. Many jurisdictions, unlike the United States, do not vest an employee’s work product in the employer by default, and if the chain of title fails under local law, the buyer may not own the asset it is paying for. The second is tax. The assumption that a structuring review has answered the tax question can obscure whether a dispersed workforce has created a taxable presence in a country where nothing was ever filed.

A model can flag an assignment clause. It will not tell you that the clause is unenforceable under Portuguese law, or that the missing clause for a contractor in Bangalore is the one that matters. Recognizing that is scoping and remediation, the work at the two ends, and it remains human.

The Discipline the Tools Require

The lesson reaches past M&A, and it is the one worth carrying into any workflow that AI now touches. An accelerated middle pays off only when the ends are handled with discipline. In diligence that means scoping tightly enough that the machine looks in the right places, and remediating carefully enough to separate the exposures that threaten a deal from the ones that only look alarming on a printout. It also means scoping for the parties who rely on the work after signing. The representations and warranties insurer decides what it needs to see before it will cover a risk, and it penalizes too little diligence and too much in equal measure. The lenders have their own requirements for guarantees, share pledges, and audited financial statements, and those requirements surface at financing rather than at signing unless counsel has anticipated them.

Legal AI can read every document in a data room faster than any team a firm could assemble. It cannot tell a buyer which jurisdiction holds a real operation and which holds a single laptop, and it cannot tell the buyer what the deal’s eventual insurers and lenders will require. That judgment is the work the technology has made more valuable rather than less. The firms that see this will use AI to clear the middle and put the time it frees back into judgment at the ends. The firms that treat a faster review as a finished one will reach the wrong answer sooner than before.

Reprinted with permission from the June 4, 2026 edition of the Legaltech news ©2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.

The American Hospital Association (AHA) and the recently the launch of the (Accelerator) at AHA’s Health Research & Educational Trust (HRET), a three-year national initiative designed to help hospitals and health systems operationalize and scale proven technologies across care environments. The initiative is supported by a $12 million commitment from West Health Institute and will focus on three priority areas: electronic health record (EHR) optimization, virtual care, and artificial intelligence (AI) utilization and integration.

The announcement addresses a practical challenge for hospitals and health systems: many organizations are testing or adopting technologies that can improve care delivery, quality, safety, and operational performance, but it can be difficult to move those tools from limited pilots to consistent use across the organization. The Accelerator is intended to help close that gap. Participating hospitals and health systems will have access to a digital hub, implementation support, peer-learning opportunities, and examples from hospitals and health systems serving as national models. In other words, the initiative is focused on helping hospitals make the technologies work in real care delivery settings.

Why This Matters

The AHA/West Health announcement is another sign that AI, virtual care, and EHR optimization are moving out of the “innovation project” category and into the day-to-day operations of health care delivery. That shift matters because once technology is embedded in clinical workflows, staffing models, patient communications, documentation practices, triage pathways, and care management programs, it becomes more than an IT initiative. Implementation can raise practical questions about clinical oversight, medical staff governance, professional responsibility, documentation, reimbursement, and compliance infrastructure.

For hospitals and health systems, the key question is no longer only whether a technology works. It is whether the organization can implement the technology safely, consistently, and in a way that aligns with existing health care regulatory requirements.

The Accelerator’s Three Priority Areas

The Accelerator focuses on three areas that are already priorities for many hospitals, but that can be difficult to implement consistently across an organization: EHR optimization, virtual care, and AI utilization and integration.

EHR Optimization

EHR optimization has become both an operational priority and a compliance issue. Hospitals are looking for ways to reduce administrative burden, improve clinical workflows, support earlier identification of patient risk, and make it easier for care teams to act on the right information at the right time. As EHR workflows become more closely integrated with AI-enabled tools, clinical decision support, documentation functions, virtual care platforms, and care management programs, hospitals should assess whether those workflows continue to support integral functions including accurate documentation, appropriate billing, medical record integrity, and clear clinical accountability. This is especially important when technology changes how information is presented to clinicians, how documentation is generated, or how patient needs are escalated. Even when a tool improves efficiency, the hospital still needs a clear process for determining who is responsible for reviewing the information, acting on it, and documenting the clinical decision-making process.

Virtual Care

The Accelerator’s focus on virtual care also reflects the continued evolution of telehealth from an access tool to a broader care delivery and staffing strategy. For hospitals and health systems, virtual care may include telehealth visits, virtual nursing, centralized care teams, specialist consults, remote monitoring, and hybrid care models. These models can help expand capacity, support staffing flexibility, and improve access, but they also need to be structured carefully. Scaling virtual care requires more than selecting a platform. Hospitals need workflows that are clinically appropriate, operationally sustainable, and compliant across the states and care settings in which patients and clinicians are located.

Artificial Intelligence Utilization and Integration

The Accelerator’s AI focus is notable because it is framed around utilization and integration, not just experimentation. In hospital settings, AI tools may support a range of functions, including clinical workflow support, documentation, risk identification, operational efficiency, and care team coordination. The regulatory analysis depends less on the fact that a tool uses AI and more on how the tool is used, what role it plays in the care delivery process, and who remains responsible for clinical judgment. An AI tool that supports an administrative workflow raises different regulatory issues than a tool that influences clinical decision-making, generates clinical documentation, prioritizes patient outreach, recommends next steps, or communicates information to patients or care teams. Hospitals should classify AI-enabled tools by use case and risk level, then align oversight, documentation, monitoring, and escalation processes accordingly.

From Pilots to Systemwide Practice

A similar implementation challenge applies beyond the Accelerator. For many hospitals, the difficult step is not identifying a promising technology-enabled use case but moving that use case from a limited pilot to a workflow that can operate consistently across the organization.

Many hospitals are already testing or using AI-enabled tools, virtual care models, remote monitoring programs, or EHR-enabled interventions in limited settings. Those pilots can be useful, but broader implementation is different. A pilot may be managed through a narrow protocol, limited users, and close operational oversight. Systemwide implementation requires a more formal framework, including policies, governance, training, escalation pathways, documentation standards, medical staff involvement, billing review, and ongoing monitoring.

A workflow that is appropriate for a small pilot may not be sufficient once the same technology is deployed across multiple service lines, facilities, or patient populations. As hospitals move from pilots to broader implementation, legal and compliance teams should be involved early enough to help design a scalable model, not just review issues after the technology is already in use.

Regulatory Questions Hospitals Should Ask Before Scaling

Hospitals and health systems evaluating AI, virtual care, and EHR-enabled tools should consider several threshold questions before moving from pilot programs to broader implementation. These questions should be addressed early in the implementation process, rather than after the workflow is already live.

1. Who is furnishing the service?

Hospitals should determine whether the technology changes which clinicians or care team members are involved in furnishing the service. For example, a virtual nursing model, centralized monitoring program, or AI-supported triage workflow may involve different personnel than the hospital’s traditional in-person workflow. That can raise questions about licensure, scope of practice, supervision, delegation, credentialing, privileging, and medical staff oversight.

2. Where are the patient and clinician located?

For virtual care models, patient and clinician location remain central regulatory questions. Hospitals should evaluate whether clinicians are appropriately licensed or otherwise authorized to furnish services to patients in the states where the patients are located. This is especially important for centralized or cross-state virtual care models. Hospitals should also consider state-specific virtual care requirements.

3. How is the workflow documented?

Hospitals should confirm that the medical record accurately reflects the care furnished, the individuals involved, the information reviewed, and the clinical decisions made. If technology generates summaries, prompts, alerts, draft notes, risk scores, or recommended actions, hospitals should determine whether and how those outputs are incorporated into the medical record and who is responsible for reviewing them.

4. How is the service billed?

Technology-enabled workflows can affect coding, billing, and reimbursement. Hospitals should evaluate whether the workflow supports the requirements for the service being billed, including any applicable requirements related to clinician involvement, supervision, time, documentation, patient consent, or location of service, and payor-specific coverage or billing rules.

5. Who reviews and acts on technology-generated information?

Hospitals should clearly define who is responsible for reviewing alerts, summaries, escalations, or recommendations generated through AI-enabled tools, EHR workflows, remote monitoring platforms, or virtual care programs. If a workflow generates information that requires clinical action, the hospital should have a clear process for review, escalation, documentation, and follow-up.

6. Does the workflow require medical staff or committee review?

Some technology-enabled workflows may require review through medical staff, clinical leadership, quality, compliance, IT, or other governance channels, particularly if the tool affects clinical decision-making, patient safety, documentation, or care delivery responsibilities. Hospitals should consider whether existing committees and policies are sufficient or whether additional review processes are needed for AI-enabled or virtual care workflows.

Looking Ahead

The AHA/West Health Accelerator reflects the continued push to move AI, virtual care, and EHR-enabled tools from limited pilots into broader operational use. For hospitals and health systems, broader implementation of these tools creates an opportunity to improve quality, safety, efficiency, and access. It also underscores the need for practical regulatory planning. As these tools become part of day-to-day care delivery, hospitals should be prepared to show not only that the technology works, but that it is being implemented consistently and with appropriate clinical and operational oversight. Hospitals should also build regulatory review into the implementation plan, with clear accountability for clinical review, documentation, billing, escalation, and ongoing monitoring.

Â鶹´«Ă˝ is here to help you address the short- and long-term impacts in the wake of regulatory changes. We have the resources to help you navigate these and other important legal considerations related to business operations and industry-specific issues. Please reach out to the authors, your Â鶹´«Ă˝ relationship partner, our Health Care & Life Sciences Sector, or to our Health Care Practice Group with any questions.

AI‑enabled transcription tools have quickly become a fixture in modern business meetings. Properly vetted and deployed, they offer efficiency and accessibility advantages. Yet, while many companies are still developing governance frameworks for authorized AI tools, an emerging risk has quietly surfaced: employees using unauthorized transcription tools without the company’s or participants’ consent.

This practice, often referred to as shadow AI, creates new layers of compliance, privacy, and legal exposure. For companies seeking to adopt AI responsibly, it is no longer enough to decide which tools to authorize; they must also manage the risk of employees using tools outside approved systems.

In a recent survey conducted by the National Cybersecurity Alliance, 43 percent of AI users admitted to sharing sensitive company information with AI tools without their employer’s knowledge.¹ These statistics underscore that shadow AI use is not theoretical, it is already happening, often outside company’s systems and platforms, and, therefore, not in view of legal and compliance teams.

Understanding the Risk Landscape

Once employees begin using transcription tools that the company has not vetted or authorized, problems can emerge quickly. Key risk areas include state law recording‑consent requirements, privilege and confidentiality obligations, governance controls, and record retention practices, all of which can lead to serious downstream consequences if not addressed through clear policy and oversight.

In “two‑party” or “all‑party” consent jurisdictions, every participant in a conversation must agree before the meeting is recorded or transcribed.² Employees who enable transcription functions without consent may unknowingly violate state law. Some states impose criminal penalties; others allow civil lawsuits. In jurisdictions imposing civil liability, and where company policy does not expressly forbid unauthorized transcription, employers may face vicarious liability if employees act within the scope of their duties. In jurisdictions that recognize corporate criminal liability, an employer may be exposed if, for example, an employee surreptitiously records and transcribes a meeting with an executive of another company.

Unauthorized tools can also jeopardize confidentiality and privilege. When a company contracts directly with a vendor, it can negotiate data‑security and retention terms, deletion rights, confidentiality protections and control over how information is processed. Consumer or free transcription tools do not typically offer these safeguards. Meeting content may be uploaded into large, unbounded language models that learn from user data or store information indefinitely, creating potential waiver of attorney-client privilege, loss of trade‑secret protection, and violation of data‑privacy obligations. Once data enters such systems, the company cannot control its dissemination, access, or downstream use.

From a governance perspective, unauthorized transcription denies the organization the ability to decide strategically when and how meetings are recorded. Recording decisions should be made at the organizational level, not by individual employees, because the decisions determine what becomes part of the corporate record. Without that oversight, the company has no real visibility into what employees are recording or how the resulting transcripts are being managed. When employees record meetings on their own, the company loses the opportunity to review transcripts for accuracy, ensure proper context, and reconcile them with official notes or minutes.

These risks increase in litigation and regulatory matters. Data stored outside official retention and discovery channels can lead to production gaps or spoliation concerns, and civil discovery sanctions or even potential obstruction of justice charges if the production is to a government entity and as not maintained.³ Most consumer platforms lack defined retention periods or deletion controls, making it difficult for companies to ensure that unauthorized records comply with established data‑management policies. Investigators or opposing counsel may also compel transcripts directly from employees, bypassing corporate legal oversight and creating conflicting accounts that can undermine privilege and raise credibility questions.

In short, shadow AI undermines a core principle of good governance — the company must maintain control over what is recorded, how it is stored, and how long it is retained. Reestablishing that control is essential to protecting privilege, confidentiality, and compliance.⁴

Taking Control of Shadow AI

Effective management of shadow AI begins with a threshold question: should employees be permitted to use transcription tools at all, and if so, under what circumstances? That decision should be made as part of the company’s broader AI governance framework, led by legal, compliance, and IT‑security functions.

If the company concludes that transcription tools can provide value when properly managed, legal counsel should bring AI usage into the open. Begin by identifying what tools employees already rely on and why. In many cases, employees turn to shadow AI for efficiency, not to evade policy, and that insight should help shape a practical response. Engage directly with business teams to understand where current tools or support fall short and adjust approved solutions to meet those needs.

Once the landscape is understood, select secure, enterprise‑grade transcription tools that satisfy confidentiality, privilege, and record‑keeping requirements and align with the company’s operational needs and regulatory environment. Authorized vendors should offer clear data‑ownership terms, defined retention and deletion rights, and secure environments that prevent company information from being used to train AI models.

Company policies should specify when recordings are permitted and who approves them. Recording decisions should rest with designated personnel, not individual employees; and employees must also understand that each recording is a corporate document subject to consent obligations and document‑hold requirements.

Employee engagement and training are essential. Counsel and compliance teams should make sure employees understand:

• The legal and reputational risks of unauthorized recording or transcription;
• State consent requirements and the potential penalties for non‑compliance;
• How privilege and confidentiality can be lost through unapproved tools; and
• When recording is permitted, who must authorize it, and how to manage resulting data.

Equally important is giving employees functional, approved tools that actually meet their needs. When authorized solutions are efficient and transparent, shadow AI use naturally declines.

If the company decides transcription should not be used, that position must be communicated and reinforced through training. Employees should understand the reasons: unauthorized recordings can violate the law, compromise confidentiality and waive privilege. Technical controls can support enforcement by spotting or blocking prohibited applications, but consistent communication and visible support from leadership are usually more effective at sustaining compliance.

Looking ahead, companies should assume that some shadow AI activity exists. Strong governance depends on visibility and accountability — identifying unauthorized tools, limiting their use, and ensuring data from approved channels is properly managed. Integrating AI oversight into existing compliance and information‑governance programs helps organizations stay in control as technology and business practices continue to evolve.

I. Introduction

This article is designed to provide an overview of the current state consumer privacy landscape in the United States, the key distinctions among these state laws, practical compliance approaches, and actionable takeaways for operationalizing privacy programs in a fragmented regulatory environment.

Companies operating across the United States today face one of the most complex privacy regulatory environments in the world. Unlike the European Union, which adopted a single, comprehensive framework in the General Data Protection Regulation (“GDPR”), the United States has no federal omnibus consumer privacy law governing the collection and use of personal information. States have filled the gap, creating a fast-growing, often contradictory patchwork of rules that challenges even the most sophisticated privacy programs. With over twenty comprehensive state consumer privacy laws now enacted and counting, understanding each state’s requirements – and choosing the right compliance strategy – is no longer optional. It is foundational to responsible data governance and, as cure periods sunset and regulators sharpen their enforcement tools, the margin for error is narrowing by the quarter.

The sections that follow trace the rise of the state-based privacy regime, examine California’s outsized role, survey the “baseline” states that have followed Virginia’s lead, identify the critical distinctions that separate these laws from one another, explore the emerging role of automated decision-making provisions, survey enforcement trends, and present two competing compliance models alongside practical guidance for harmonizing them into a cohesive program.

II. The Rise of the State-Based Privacy Regime

When the GDPR took effect on May 25, 2018, it redefined global expectations for data protection and gave individuals across the European Union a robust set of rights over their personal data. That same year, California enacted the California Consumer Privacy Act (“CCPA”), the first comprehensive consumer privacy law in the United States, which took effect on January 1, 2020. The CCPA was later amended and significantly expanded by the California Privacy Rights Act (“CPRA”), which California voters approved as a ballot initiative in November 2020 and which took full effect on January 1, 2023.¹

California’s law set the tone. Over the following years, more than twenty additional states enacted their own comprehensive consumer privacy statutes.² Each of these laws grants consumers some version of the core rights that have become standard in the modern privacy lexicon – access, deletion, correction, portability, and the ability to opt out of certain processing activities. But while these laws share surface-level similarities, they diverge in critical details. Each state establishes its own definitions, exemptions, applicability thresholds, response timelines, and obligations.

These differences are not academic. They determine whether a particular business must comply at all, how operationally burdensome compliance will be, what categories of data must be protected, and how a company must respond to consumer rights requests. For organizations operating in multiple states – which, in the age of e-commerce, means most organizations of any meaningful scale – this divergence translates into tangible operational complexity.

The absence of a federal privacy law is the primary driver of this fragmentation. Despite sustained interest on Capitol Hill, disagreements over federal preemption of state laws and whether to include a private right of action have repeatedly stalled legislative efforts.³ In the absence of federal legislation, states continue to fill the void, and the patchwork continues to expand.

III. California: The Most Impactful State

California remains the single most impactful jurisdiction in U.S. privacy law. It enforces some of the strictest requirements in the country, and its law contains several features that no other state has replicated.

• A Standalone Revenue Threshold. California is the only state whose consumer privacy law applies based on a standalone annual gross revenue threshold. Under the CPRA, a business is subject to the law if it has annual gross revenues exceeding $26,625,000 – a figure that the California Privacy Protection Agency (“CPPA”) has inflation-adjusted from the original $25 million threshold.⁴ Critically, this revenue test applies regardless of the volume of California residents’ personal information in the business process. The practical effect is that many business-to-business companies, professional services firms, and other non-consumer-facing organizations are pulled into scope solely by virtue of their revenue, even if they collect or otherwise process minimal consumer data.
• Employment and B2B Data Coverage. Most state privacy laws confine their protections to “consumers,” defined narrowly as natural persons acting in a personal or household capacity – meaning that individuals acting in a commercial or employment context are generally excluded from coverage. As a result, business-to-business contacts, employees, and job applicants typically fall outside the scope of these statutes, unless a specific exception applies. Conversely, California takes a broader approach, applying its law to personal information collected from or about employees, job applicants, independent contractors, and business representatives and contacts who reside in that State.⁵ This dramatically expands compliance obligations for human resources departments, recruiting functions, and sales and business development teams – particularly for national companies that meet California’s revenue threshold.
• The Sensitive Data Paradox. One of the more counterintuitive features of the CPRA is its treatment of sensitive personal information. The majority of the other state consumer privacy laws require businesses to obtain opt-in consent before processing sensitive data, such as biometric identifiers, precise geolocation, health- or medical-related details, or information about racial or ethnic origin, among other sensitive data elements.⁶ California, by contrast, does not require prior opt-in consent. Instead, the CPRA restricts businesses from using or disclosing “sensitive personal information” beyond those purposes specifically enumerated in the statute, and grants consumers the right to limit that use.⁷ In this particular respect, California is surprisingly less stringent than most of its counterparts. In nearly every other regard, however – enforcement mechanisms, applicability thresholds, the breadth of consumer rights, and the scope of covered data – California remains the most complex and operationally demanding state for privacy compliance.

For any organization evaluating or building a privacy program, understanding the full scope of California’s requirements is an essential first step.

IV. Baseline States: The Virginia Model and Its Variations

Outside of California, many states have modeled their comprehensive privacy laws on the Virginia Consumer Data Protection Act (“VCDPA”), which took effect on January 1, 2023.⁸  These “baseline” states, which include Indiana, Kentucky, Tennessee, Texas, Nebraska, and Rhode Island, among others, generally share a common architecture.

The baseline model typically provides consumers with:

• Rights to access, delete, correct, and port their personal data;
• Rights to opt out of (i) the sale of personal data, (ii) the processing of personal data for targeted advertising purposes, and (iii) in some states, certain forms of profiling; and
• Requirements that controllers conduct data protection assessments for high-risk processing activities.

This common architecture gives the appearance of uniformity. In practice, however, even these facially similar laws contain differences that create real compliance challenges. The distinctions are often found in the details — in how each state defines key terms, where it sets its applicability thresholds, what exemptions it grants, and how it structures enforcement. The sections that follow highlight the most consequential of these differences.

V. Key Distinctions Among State Privacy Laws

(a) The Definition of “Sale”

The definition of “sale” is among the most consequential variables in the state privacy landscape. California’s CPRA defines “sell” to mean the disclosure of personal information for “valuable consideration,” a formulation broad enough to capture exchanges in which no money changes hands.⁹ Under this definition, activities such as third-party analytics integrations, targeting cookies, pixel-based advertising tools, and cross-context behavioral advertising may all constitute a “sale,” triggering specific disclosure obligations and opt-out rights.

Other states, however – including Virginia and Indiana – define “sale” more narrowly, requiring that the exchange involve monetary consideration.¹⁰ This single definitional difference can dramatically alter a company’s compliance strategy with respect to cookies, tracking pixels, analytics tools, and advertising technology. A practice that constitutes a “sale” under California law requiring prominent opt-out mechanisms may fall entirely outside the scope of a narrower state’s sale provisions.

(b) Applicability Thresholds

States diverge sharply in when their privacy laws apply:

• California applies its law based on a standalone annual gross revenue threshold of $26,625,000, irrespective of consumer data volume.
• Texas and Nebraska impose no numerical consumer-count thresholds. If a business conducts operations in the state and does not qualify as a “small business” under applicable federal definitions, the law applies.¹¹
• Most other states use consumer-count thresholds, but these range widely – from as few as 35,000 residents to as many as 175,000.
• Connecticut is especially notable: effective July 1, 2026, its amended threshold will be low enough that many companies currently outside its scope will unexpectedly qualify.¹²

These threshold differences mean that a company’s applicability analysis cannot be performed once and applied universally. It must be conducted on a state-by-state basis.

(c) Exemptions

Differences in exemptions are among the most operationally significant – and most frequently overlooked – sources of complexity in multistate privacy compliance. This is particularly true for financial services companies, healthcare organizations, and utilities.

Key exemption variations include:

• Some states exempt entities that are subject to the Gramm-Leach-Bliley Act (“GLBA”)¹³ in their entirety; others exempt only the data that is subject to GLBA, leaving the entity itself within scope for non-GLBA-covered data.
• Some states exempt regulated utilities, while others do not.
• Some states exempt nonprofit organizations, while others subject them to the full weight of the law.

The result is that a company with identical operations across multiple states may be fully subject to one state’s law, partially exempt from another’s, and entirely excluded from a third’s.

(d) Consumer Rights and Response Timelines

Although the core consumer rights are broadly similar across states, the timelines for responding to consumer requests vary meaningfully. Most states require controllers to respond to consumer requests within 45 days, but several mandate a shorter 30-day window. California imposes a 10-business-day acknowledgment requirement for all requests, in addition to its substantive response deadline.¹⁴ Appeal timelines — the period within which a consumer may appeal a controller’s denial of a rights request – also differ from state to state.

For companies that receive high volumes of consumer rights requests, these timeline variations create genuine operational complexity and increase the risk of inadvertent noncompliance.

(e) Data Rights Variability

Even core privacy rights that appear in most state laws are not truly universal. For example:

• Iowa does not grant consumers the right to correct inaccurate personal data.
• Utah does not require controllers to offer an opt-out right with respect to profiling.
• Oregon and Minnesota require controllers to disclose the specific third parties – not merely categories of third parties – with whom they share consumer data.¹⁵

These variations may appear minor in isolation. In the aggregate, they meaningfully affect the design of consumer-facing communications, privacy notices, and intake workflows.

VI. Automated Decision-Making and Profiling

An area of growing importance – and one that directly intersects with the rise of artificial intelligence and machine-learning technologies – is the treatment of automated decision-making (“ADM”) and profiling under state consumer privacy laws. As this panel’s learning objectives emphasize, understanding these provisions is essential for any organization deploying algorithmic tools that affect consumers.

Several state privacy laws now grant consumers the right to opt out of profiling that produces legal or similarly significant effects.¹⁶ The specifics, however, vary. Some states define “profiling” broadly to encompass any automated processing used to evaluate, analyze, or predict aspects of an individual’s behavior, preferences, or characteristics. Others limit the opt-out right to profiling that results in decisions with concrete legal, financial, or similarly significant consequences.

Colorado’s regulations are among the most detailed in this area, establishing specific requirements for data protection assessments and consumer notification when profiling is used in connection with decisions that produce legal or similarly significant effects.¹⁷ Connecticut has also strengthened its ADM provisions. As states continue to refine their frameworks, businesses deploying AI-driven tools – including automated underwriting, content personalization, targeted advertising algorithms, and fraud detection models – should expect growing scrutiny of how those tools interact with consumer rights.

The practical takeaway is that companies cannot evaluate their AI and machine-learning deployments in isolation from their privacy compliance obligations. The same algorithmic tool that enhances operational efficiency may trigger profiling opt-out obligations, require a data protection impact assessment, or necessitate heightened consumer disclosures, depending on the state.

VII. Enforcement Regimes and Trends

Understanding state privacy laws also requires understanding how they are enforced, and here, too, the landscape is far from uniform.

• Enforcement Authority. Most state comprehensive privacy laws vest enforcement authority in the state attorney general. California is the notable exception: the CPRA created the CPPA, a dedicated regulatory body with independent rulemaking and enforcement authority – the first of its kind in the United States.¹⁸ The CPPA has been active, issuing regulations, conducting public proceedings, and initiating enforcement actions. In states without a dedicated agency, the attorney general’s office serves as both regulator and enforcer, with varying levels of resources and appetite for privacy-specific enforcement.
• Cure Periods. Many early-enacted state privacy laws included mandatory cure periods – typically 30 days – during which businesses could remedy alleged violations before facing enforcement action. Several states, however, have allowed their cure periods to sunset or have eliminated them altogether.¹⁹ Colorado, Connecticut, and Virginia initially included cure periods that have since expired or transitioned to discretionary consideration. The trend is toward stricter enforcement without a guaranteed opportunity to cure.
• Private Rights of Action. The vast majority of state consumer privacy laws do not grant consumers a private right of action; enforcement is limited to the attorney general or applicable regulatory body. California is the principal exception, providing a limited private right of action for data breaches resulting from a business’s failure to implement reasonable security measures.²⁰ Washington’s My Health My Data Act also provides a private right of action for violations involving consumer health data.²¹ The availability (or absence) of private enforcement rights significantly affects litigation exposure and, accordingly, should influence a company’s risk assessment.
• Enforcement Actions to Date. State regulators have already begun to exercise their enforcement authority. The CPPA and the California Attorney General have pursued actions against companies for alleged failures to honor opt-out requests, provide adequate privacy notices, and comply with data minimization requirements. Other states’ attorneys general have likewise signaled increasing willingness to investigate and act. Companies should treat the current enforcement environment as the floor, not the ceiling, of regulatory activity.

VIII. Compliance Approaches: “Race to the Top” vs. “State-Specific by Design”

With twenty state consumer privacy laws currently in effect, companies face a fundamental strategic question: how to structure a compliance program that addresses multiple overlapping but non-identical legal requirements. Two competing models have emerged.

(a) Approach One: “Race to the Top” (One-Size-Fits-All)

Under this approach, a company identifies the most stringent requirement from across all applicable state consumer privacy laws – whether it relates to consumer rights, response timelines, sensitive data handling, or opt-out obligations – and applies that requirement universally to all consumers, regardless of their state of residence.

In sum: The “Race to the Top” approach trades operational simplicity for the risk of over-compliance. This approach works best for organizations that prioritize uniformity and have the resources to meet the highest standard across the board. It simplifies training, reduces the risk that employees will apply the wrong rule, promotes consistency across systems, and offers a degree of future-proofing as new states enact laws. However, it carries real risks. Voluntarily extending California-level rights to consumers in states with less demanding laws may create enforcement exposure if the company fails to meet those self-imposed standards. And for certain obligations – such as universal opt-in consent for health data under Washington’s My Health My Data Act – blanket application may be impractical or commercially untenable.

(b) Approach Two: “State-Specific by Design” (Jurisdiction-Specific)

Under this approach, a company builds state-specific workflows – often supported by geolocation tools – to apply the precise legal requirements of each state to the consumers who reside there.

In sum: The jurisdiction-specific approach trades operational complexity for precision and flexibility. It is well-suited to organizations in regulated industries – financial services, healthcare, and data-intensive businesses – where over-compliance may carry genuine commercial costs or where state-specific exemptions offer meaningful relief. It avoids unnecessary obligations and allows businesses to tailor their programs to the regulatory environment that actually applies. On the other hand, this approach demands branching logic in technology systems, rigorous training and internal oversight, and ongoing monitoring of legal developments. Regulators may also view inconsistency across jurisdictions as a red flag if programs are not carefully documented and implemented.

(c) Finding the Middle Ground

In practice, most companies will adopt a hybrid approach that draws on the strengths of both models. A common framework might apply a uniform set of consumer rights across most states – honoring the broadest access, deletion, and opt-out rights regardless of jurisdiction – while introducing state-specific overlays only where the legal requirements diverge materially. A single privacy notice with jurisdiction-specific addendums, for example, can provide consistency without the chaos of fully splintered programs. This hybrid model allows companies to reduce over-compliance in states with narrower requirements while maintaining the operational simplicity needed to scale a privacy program across the country.

IX. Practical Key Takeaways for Companies

As this panel’s learning objectives emphasize, understanding the law is only part of the challenge. Operationalizing a compliance program across more than twenty jurisdictions requires practical planning. The following takeaways are designed to bridge the gap between legal analysis and day-to-day execution.

1. Conduct a Thorough Applicability Assessment. Do not assume that a single applicability analysis covers all states. Since thresholds, exemptions, and definitions vary, a company may be in scope in one state and exempt in another. This assessment should be revisited at least annually, as states continue to amend their laws and adjust their thresholds.
2. Map Your Data Flows. Understanding what personal data the organization collects, from whom, where it flows, and with whom it is shared is a prerequisite to compliance with any state privacy law. Data mapping also supports data protection assessments, which an increasing number of states require for high-risk processing activities.
3. Evaluate Your Compliance Model Deliberately. Whether a company chooses a race-to-the-top model, a jurisdiction-specific approach, or a hybrid, the decision should be made intentionally, not by default. The right model depends on the company’s operations, systems, risk tolerance, industry, data practices, and internal resources.
4. Pay Close Attention to Sensitive Data. Because states define “sensitive data” differently and impose divergent consent requirements – opt-in in most states, use-limitation in California – companies must understand exactly what data they process that falls into a “sensitive” category and how each applicable state regulates it.
5. Build Profiling and ADM Compliance into AI Governance. Companies deploying AI and machine-learning tools should evaluate those tools against each applicable state’s profiling and automated decision-making provisions. As regulators sharpen their focus on algorithmic accountability, the intersection of privacy law and AI governance will only become more consequential.
6. Monitor Enforcement Trends. The enforcement landscape is evolving rapidly. Companies should track regulatory guidance, enforcement actions, and litigation developments as leading indicators of regulatory expectations. Early investment in monitoring pays dividends in reduced enforcement risk.
7. Invest in Training. The complexity of multistate privacy compliance makes employee training essential. Whether a company adopts a uniform or jurisdiction-specific model, front-line personnel – from customer service representatives to marketing teams to HR professionals – need to understand their obligations and how to execute them correctly.
8. Revisit and Refresh. Privacy compliance is not a one-time project. With new laws taking effect, existing laws being amended, cure periods sunsetting, and enforcement accelerating, companies should treat their privacy programs as living frameworks that require continuous attention.

X. Conclusion

The U.S. state consumer privacy landscape has reached a level of complexity that demands sustained, deliberate attention from every organization that collects personal information. Understanding each state’s unique thresholds, definitions, exemptions, consumer rights, and enforcement mechanisms is foundational. But choosing the right compliance approach – and operationalizing it effectively – is equally important.

Whether an organization leans toward a one-size-fits-all strategy, a jurisdiction-specific approach, or a hybrid model, thoughtful planning and consistent execution are essential. The practical takeaways outlined above are intended to help attendees of this panel translate the legal landscape into concrete compliance action. As states continue to legislate and regulators continue to enforce, the companies that invest in understanding and operationalizing these frameworks will be best positioned to manage risk and build trust with the consumers they serve.

For further reference, practitioners may wish to consult Â鶹´«Ă˝â€™s U.S. State Comprehensive Consumer Data Privacy Law Comparison Chart, available at /ľ±˛Ô˛őľ±˛µłółŮ˛ő/‌płÜ˛ú±ôľ±ł¦˛ąłŮľ±´Ç˛Ô˛ő/2026/01/łÜ˛ő-˛őłŮ˛ąłŮ±đ-ł¦´Ç˛Ô˛őłÜłľ±đ°ů-»ĺ˛ąłŮ˛ą-±č°ůľ±±ą˛ął¦˛â-±ô˛ą·É˛ő/.

---

[1] Cal. Civ. Code § 1798.100, et seq. For ease of readability, the CCPA and CPRA are collectively referred to as the CPRA.

[2] As of the date of this article, comprehensive state consumer privacy laws have been enacted in, among other states, California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, and Rhode Island.

[3] See, e.g., American Data Privacy and Protection Act, H.R. 8152, 117th Cong. (2022) (advanced out of committee but did not receive a floor vote).

[4] Cal. Civ. Code § 1798.140(d)(1)(A); Cal. Code Regs. tit. 11, § 7001(d) (inflation-adjusted threshold).

[5] Cal. Civ. Code § 1798.140(c)(1)–(2).

[6] See, e.g., Va. Code Ann. § 59.1-578(A)(5); Colo. Rev. Stat. § 6-1-1308(7); Conn. Gen. Stat. § 42-520(a)(5).

[7] Cal. Civ. Code § 1798.121(a).

[8] Va. Code Ann. §§ 59.1-575 to 59.1-585. Other baseline states include, but are not limited to, Indiana (Ind. Code §§ 24-15-1-1 to 24-15-14-1), Kentucky (Ky. Rev. Stat. Ann. §§ 367.400–367.499), Tennessee (Tenn. Code Ann. §§ 47-18-3301 to 47-18-3313), Texas (Tex. Bus. & Com. Code §§ 541.001–541.205), Nebraska (Neb. Rev. Stat. §§ 87-1101 to 87-1116), and Rhode Island (R.I. Gen. Laws §§ 6-48.1-1 to 6-48.1-16).

[9] Cal. Civ. Code § 1798.140(ad)(1).

[10] See Va. Code Ann. § 59.1-575 (defining “sale of personal data” as an exchange of personal data “for monetary consideration” by a controller to a third party); Ind. Code § 24-15-2-17 (same).

[11] Tex. Bus. & Com. Code § 541.002(a); Neb. Rev. Stat. § 87-1103

[12] Conn. Gen. Stat. § 42-516(a) (as amended, effective July 1, 2026).

[13] 15 U.S.C. §§ 6801–6809

[14] Cal. Civ. Code § 1798.130(a)(1).

[15] See Iowa Code ch. 715D (omitting a right to correction); Utah Code Ann. §§ 13-61-101 to 13-61-404 (omitting a profiling opt-out right); Or. Rev. Stat. § 646A.578(1)(d) (requiring disclosure of specific third parties); Minn. Stat. § 325O.07, subd. 1 (similar).

[16] See, e.g., Colo. Rev. Stat. § 6-1-1306(1)(a)(IV); Conn. Gen. Stat. § 42-520(a)(6); Va. Code Ann. § 59.1-577(A)(5).

[17] 4 Colo. Code Regs. § 904-3, Rules 7-8.

[18] Cal. Civ. Code § 1798.199.10.

[19] See, e.g., Va. Code Ann. § 59.1-584(B) (30-day cure period); Colo. Rev. Stat. § 6-1-1311 (cure period sunset Jan. 1, 2025).

[20] Cal. Civ. Code § 1798.150(a)(1).

[21] Wash. Rev. Code §§ 19.373.005–19.373.900.

Key Takeaways:

• The Trump Administration has introduced a national AI regulatory framework, building off the executive order issued late last year.
• The National Policy Framework for Artificial Intelligence calls on Congress to create a uniform federal standard that would preempt the current patchwork of state laws.
• The framework also focuses on issues such as protecting children, infrastructure, intellectual property protections, and promoting innovation.

Recently, the Trump Administration released their (AI). This builds on the executive order issued last year and addresses what they call the “most pressing policy topics that AI presents.” This now sets the stage for Congress to act and create some kind of uniform federal standard that would preempt the patchwork of state laws throughout the US.

It is unclear whether there will be enough bipartisan support to move through the administration’s proposal as it currently stands, but as reports, Speaker Mike Johnson has already called on Congress to enact legislation and codify the administration’s agenda.

There are seven key objectives the administration is seeking to address:

1. Protection of Children and Empowerment of Parents – The framework calls on Congress to provide tools that would enable parents to manage their children’s digital environment, including privacy settings, screen time, content exposure, and account controls. It also calls on Congress to require AI platforms and services likely to be accessed by minors to implement features that would reduce the risks of sexual exploitation and self-harm to minors. The framework also calls on Congress to build on the Trump Administration’s signing of the Take It Down Act, affirm that existing child privacy protections apply to AI systems, and ensure states can continue to enforce their own laws protecting children.
2. Safeguard and Strengthen Communities – This portion addresses several priorities related to AI infrastructure and community protection. The framework directs Congress to ensure that residential ratepayers do not experience increased electricity costs from new AI data center construction, streamline federal permitting so AI developers can develop or procure on-site power generation, combat AI-enabled impersonation scams and fraud targeting vulnerable populations such as seniors, and provide AI resources to small businesses through grants, tax incentives, and technical assistance programs. It also calls for ensuring that national security agencies possess sufficient technical capacity to understand frontier AI model capabilities.
3. Intellectual Property Rights – IP rights are another consistent area of concern when it comes to AI, and this framework proposes an approach that would protect the works of creators while still allowing AI to innovate. Specifically, while the Administration believes that training AI models on copyrighted material does not violate copyright laws, it supports allowing the courts to resolve this issue. The framework also asks Congress to consider enabling licensing frameworks or collective rights systems for rights holders to negotiate compensation from AI providers, and to consider establishing a federal framework protecting individuals from the unauthorized distribution or commercial use of AI-generated digital replicas of their voice, likeness, or other identifiable attributes.
4. Prevent Censorship and Protect Free Speech – The framework addresses the need to protect free speech and to prevent AI systems from being used to silence or censor lawful political expression or dissent. It calls on Congress to prevent the government from coercing technology providers, including AI providers, to ban, compel, or alter content based on partisan or ideological agendas, and to provide an effective means for Americans to seek redress from the Federal Government for agency efforts to censor expression on AI platforms.
5. Enable Innovation and Ensure American AI Dominance – The Administration is focused on deploying world-class AI systems from the U.S., removing barriers to innovation and accelerating the deployment of AI applications across sectors. The framework calls on Congress to establish regulatory sandboxes, provide resources to make federal datasets accessible in AI-ready formats, and avoid creating any new federal rulemaking body to regulate AI, instead supporting sector-specific AI applications through existing regulatory bodies and industry-led standards.
6. Educating Americans and Developing an AI-Ready Workforce – This addresses the concerns surrounding AI and its impact on the workforce, asking for education programs, skills training, and apprenticeships that incorporate AI training, expanded federal efforts to study workforce realignment driven by AI, and new opportunities for workers in an AI-powered economy. The framework also calls for bolstering capabilities at land-grant institutions to provide technical assistance and develop AI youth development programs.
7. Establishing a Federal Policy Framework and Preempting Cumbersome State AI Laws – The framework calls on Congress to preempt state AI laws that impose undue burdens and establish a minimally burdensome national standard, while respecting key principles of federalism. States would retain their traditional police powers to enforce laws of general applicability, including laws to protect children, prevent fraud, and protect consumers, as well as zoning laws and requirements governing a state’s own use of AI. However, states would not be permitted to regulate AI development or unduly burden Americans’ use of AI for activity that would be lawful if performed without AI.

Importantly, the administration notes that this framework must be applied uniformly across the country for it to succeed. Their announcement states, “A patchwork of conflicting state laws would undermine American innovation and our ability to lead in the global AI race.” This was one of the main tenants of last year’s executive order.

There will of course be much debate in Congress as they attempt to come to an agreement on how they will regulate this technology on a national scale. We will be watching closely to see the final result and how closely it will be to this initial framework.

On March 12, 2026, the U.S. Patent and Trademark Office (“USPTO”) released new guidance[1] (the “Guidance”) that updates prior USPTO practice guidelines for the examination of design patent applications for computer-generated interfaces, commonly known as graphical user interfaces (“GUIs”) and icons. 

With the evolution of computer technology, such as the increased usage of artificial intelligence, the USPTO recognizes that the field of GUI designs is also evolving at a rapid pace.  Appreciating this evolution is spurring the USPTO and others[2] to enable designers to effectively and efficiently protect their computer interface designs. 

We expect the rise of GUI, icon, and other virtual interface designs to increase given this Guidance, and the number of rejections during examination to decrease given the more flexible standards announced in this Guidance. 

A couple of notes regarding the Guidance are provided below, starting with some key takeaways.

• Guidance Highlights Additional Design Patent Subject Matter: The Guidance highlights that projections, holograms, and virtual and augmented reality icons or interfaces are eligible for design patent protection so long as the designs are disclosed and claimed correctly.
• Guidance Eliminates the Requirement to Depict Display Screen/Panel: Applicants no longer need to depict a display screen in applications related to computer-generated images, which was formerly a requirement of MPEP 1504.01(a), as long as both the title and the claim properly identify the article of manufacture (e.g., a computer).

The USPTO warns that design patents cannot claim transient, disembodied, or three-dimensional computer-generated images alone; they must still claim the design of an article of manufacture.  

With this Guidance, there are now two ways to comply with this requirement: (i) show the display screen or portion thereof in broken lines (traditional method) or (ii) the title and the claim must properly identify the article of manufacture, even if there is no display panel depicted in the drawings. 

With respect to option (ii), Applicants can now omit showing the display screen in dashed lines so long as the title and claim identify the article of manufacture (e.g., for a computer, computer system, computer display panel, etc.).The guidance instructs applicants to use language with the word “for,” such as: “icon for display panel,” “projected interface for computer,” or “interface for computer system.”

Based on the foregoing, examples of acceptable and unacceptable drawings, titles, and claims relative to the Guidance are provided below. 

While we expect to see an increase in computer interface applications, it is important to note that this help is specific to the U.S. Caution should be employed when pursuing virtual interface designs abroad.

---

[1] See

[2] India has recently proposed several changes to their Designs Act, including proposing amendments to expressly provide for design patent protection for GUIs, icons, and other virtual designs (e.g., AR/VR interfaces).  See https://www.dpiit.gov.in/static/uploads/2026/01/791a71ebde47d93b67560f7394be2fec.pdf

Part III: Practical Compliance – What You Should Be Doing Now

California’s new Fair Investment Practices by Venture Capital Companies Law (FIPVCC) is shaking up the Venture Capital (VC) industry with its first compliance deadlines right around the corner. In Part I of our blog series, we discussed applicability and who is covered. In Part II, we covered comprehensive compliance requirements. In Part III of our blog series, we’re focusing on practical, near-term compliance. In other words, what should VC firms be doing now to get compliant and stay compliant.

Key Takeaways

• Covered entities should start, if they haven’t already, gathering their 2025 data to meet the first FIPVCC annual report submission deadline of April 1, 2026. Covered entities should use the DFPI template.
• Covered entities should begin building out compliance programs to gather, track, and report the relevant demographic data, keeping in mind that the VC Demographic Data Survey cannot be sent until after it has “executed an investment agreement with the business and made the first transfer of funds.”
• Covered entities will need to evaluate their other compliance frameworks in light of the FIPVCC including policies related to record retention as well as data privacy and information security as founder demographic data includes sensitive personal information.

Determine Applicability

See Part I in our blog series for more detail but, generally, you can determine if you (or each fund/vehicle and/or its manager) are a covered entity under the FIPVCC by answering the following questions:

1. Are you a “venture capital company”?[1]

If yes, move on to question 2. If no, you are not a “covered entity.”

2. Do you primarily engage in the business of investing in, or providing financing to, startup, early-stage, or emerging growth companies?

If yes, move on to question 3. If no, you are not a “covered entity.”

3. Do you meet any one of the following criteria – i.e., have a California nexus?

• You are headquartered in California;
• You have a significant presence or operational office in California;
• You make venture capital investments in businesses that are located in, or have significant operations in, California; or
• You solicit or receive investments from a person who is a resident of California.

If yes, you are a “covered entity.” If no, you are not a “covered entity.”

Kick off Your Compliance Program

Covered entities must provide an annual to the DFPI with an initial reporting deadline of April 1, 2026 whereby they must provide aggregated, anonymized data from collected from founding team members. While each covered entity should establish a compliance program tailored to the scope and complexity of its own activities and risk profile, the following are the immediate next steps every covered entity should be considering.

Step 1: Determine whether reporting under the FIPVCC will occur at the fund/vehicle level or at a controlling entity level, as appropriate.

Step 2: Identify which investments and portfolio companies are relevant for the April 1, 2026 reporting deadline.

• Once applicability is determined, a covered entity must send the surveys and report on all portfolio companies that receive funding, regardless of the portfolio company’s location or whether the particular investment in the portfolio company would necessarily meet the definition of “venture capital investment.”[2]
• Note, however, surveys may only be provided to a founding team member after the covered entity has executed an investment agreement with the business and made the first transfer of funds.

Step 3: Send the to the founding team members of the portfolio companies identified in Step 2.

Step 4: Build out initial data tracking and reporting processes.

• Ensure personnel, technology and compliance systems are assigned to track the sending and receipt of surveys from founding team members.
• Ensure personnel, technology and compliance systems are prepared to anonymize and aggregate data from the surveys in order to populate the annual .
• Have designated responsible for maintaining compliance and ultimately submitting a timely annual report to the DFPI.

Step 5: Build out longer term processes and controls.

• Covered entities should start tracking and maintaining data related to the amounts invested per portfolio company and each portfolio company’s principal place of business to streamline future reporting.
• Covered entities should incorporate the template into deal flows, keeping in mind the timing restriction noted in Step 2.
• Covered entities should consider what if any record retention and privacy and data governance policies need to be revisited in light of the additional requirements and information implicated under the FIPVCC.
• Covered entities should continue to monitor for related regulatory updates from the DFPI.

Register with the DFPI by March 1, 2026

Don’t forget to register as a covered entity on the DFPI’s VCC Reporting Program portal, soon to be accessible via its , by March 1, 2026.

Â鶹´«Ă˝ Can Help

We are tracking the FIPVCC and related DFPI updates. For any questions regarding the FIPVCC, please reach out to the authors or another member of the Â鶹´«Ă˝ team.

---

[1] As that term is defined under Cal. Code Regs. tit. 10, § 260.204.9(a)(4).

[2] “Venture capital investment,” which falls withing the definition of “venture capital company,” means an acquisition of securities in an operating company in which the investment adviser, the entity advised by the investment adviser, or an affiliated person of either has management rights and/or participates in the management of the operating company (e.g., through a board seat). Cal. Code Regs. tit. 10, § 260.204.9(a)(4)(A).