The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), in collaboration with the United Kingdom’s National Cyber Security Centre and other international partners,...more
11/4/2025
/ Critical Infrastructure Sectors ,
Cybersecurity ,
EU ,
Government Agencies ,
Industrial Sector ,
Information Technology ,
Infrastructure ,
International Harmonization ,
Network Security ,
New Guidance ,
Popular ,
Regulatory Requirements ,
Risk Management ,
Supply Chain ,
Third-Party Risk ,
UK ,
United States
The Court of Justice of the European Union (ECJ) has issued a landmark decision in European Data Protection Supervisor v Single Resolution Board (C-413/23 P), narrowing the circumstances in which pseudonymised data is...more
11/3/2025
/ Data Management ,
Data Privacy ,
Data Protection ,
Data Protection Authority ,
Data Transfers ,
Data-Sharing ,
EU ,
European Court of Justice (ECJ) ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Popular ,
Privacy Laws ,
Regulatory Requirements ,
Transparency
On 22 August 2025, the UK Court of Appeal issued its judgment in Farley v Paymaster. The case related to the Sussex Police, whose pension scheme members’ “annual benefit statements” were posted to out-of-date addresses. The...more
11/3/2025
/ Class Action ,
Collective Actions ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Damages ,
Data Breach ,
Data Protection ,
EU ,
EU Directive ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Privacy Laws ,
Private Right of Action ,
UK ,
UK GDPR
On September 23 2025, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA’s) regulations under the California Consumer Privacy Act (CCPA). The final regulations create three...more
10/3/2025
/ Automated Decision Systems (ADS) ,
California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Privacy ,
New Regulations ,
Popular ,
Risk Assessment ,
State Privacy Laws
This coordinated enforcement sweep builds on the “Consortium of Privacy Regulators” announcement earlier this year, which, as we have written, marked a shift toward joint, multistate privacy enforcement. The Consortium of...more
10/3/2025
/ California ,
California Privacy Protection Agency (CPPA) ,
California Privacy Rights Act (CPRA) ,
Colorado ,
Connecticut ,
Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Opt-Outs ,
Privacy Laws ,
State Attorneys General ,
State Privacy Laws
On September 29, 2025, California Governor Gavin Newsom signed into law Senate Bill 53 (SB 53), known as the Transparency in Frontier Artificial Intelligence Act (TFAIA). This landmark legislation establishes the nation’s...more
10/3/2025
/ Artificial Intelligence ,
California ,
Compliance ,
Cybersecurity ,
Disclosure Requirements ,
New Legislation ,
Popular ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management ,
State and Local Government ,
Whistleblowers
On September 10, 2025, the U.S. Department of Defense (DoD) published its final rule implementing the contractual requirements under the Cybersecurity Maturity Model Certification (CMMC) Program. The rule (CMMC DFARS Rule),...more
9/19/2025
/ Corporate Counsel ,
Cybersecurity ,
Cybersecurity Maturity Model Certification (CMMC) ,
Defense Contracts ,
Department of Defense (DOD) ,
False Claims Act (FCA) ,
Federal Acquisition Regulations (FAR) ,
Federal Contractors ,
Final Rules ,
Subcontractors ,
Supply Chain
Under the EU General Data Protection Regulation (GDPR), the European Commission can issue “adequacy” decisions allowing data to be transferred from the EU to a non-EEA country without additional security measures such as...more
9/10/2025
/ Adequacy Requirement ,
Appeals ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Data Privacy ,
Data Protection ,
EU ,
European Commission ,
European Court of Justice (ECJ) ,
General Court of the European Union (GCEU) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Privacy Laws
The FTC’s letters highlight the commission’s concern that tech companies may adopt content moderation or data security policies that, while designed to meet foreign legal requirements, could impermissibly infringe upon U.S....more
9/5/2025
/ Censorship ,
Consumer Privacy Rights ,
Data Security ,
Digital Services ,
Encryption ,
EU ,
Federal Trade Commission (FTC) ,
FTC Act ,
Online Platforms ,
Regulatory Requirements ,
Section 5 ,
UK ,
Unfair or Deceptive Trade Practices
- What is new: On 26 June 2025, the EU Agency for Cybersecurity (ENISA) published guidance documents setting out security measures that regulated organisations should have in place to comply with the EU’s critical...more
- What is new: DOJ announced a $9.8 million FCA settlement with Illumina Inc. to resolve claims arising out of alleged cybersecurity deficiencies in DNA sequencing systems Illumina sold to government agencies.
- Why it...more
8/8/2025
/ Compliance ,
Cybersecurity ,
Department of Justice (DOJ) ,
False Claims Act (FCA) ,
Food and Drug Administration (FDA) ,
Government Agencies ,
Life Sciences ,
Medical Devices ,
Medical Technology Companies ,
Popular ,
Whistleblowers
- What is new: The ICO is proposing to relax its enforcement of cookie consent requirements, meaning user consent would not be required for lower-risk advertising cookies.
- Why it matters: The proposals aim to address...more
8/6/2025
/ Advertising ,
Consent ,
Cookies ,
Corporate Counsel ,
Data Privacy ,
Data Protection ,
Information Commissioner's Office (ICO) ,
New Guidance ,
Privacy Laws ,
UK ,
Web Tracking
- What is new: The Trump administration’s AI Action Plan reflects a striking shift in approach, with the federal government driving development, expansion and regulation, focusing on deregulation, permitting, procurement and...more
7/30/2025
/ Artificial Intelligence ,
Deregulation ,
Export Controls ,
Federal Contractors ,
Government Agencies ,
Infrastructure ,
Innovation ,
National Security ,
Popular ,
Regulatory Reform ,
Technology ,
Trump Administration
- What is new: The EU’s Delegated Regulation on Subcontracting has come into force, completing the legal framework of the Digital Operational Resilience Act (DORA). Attention will now turn to enforcement.
- Why it matters:...more
As federal privacy enforcement shows signs of slowing, states are aggressively stepping in to fill the void.
On July 1, 2025, the California attorney general (AG) announced a $1.55 million settlement with Healthline Media,...more
7/22/2025
/ California ,
California Consumer Privacy Act (CCPA) ,
Connecticut ,
Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
Opt-Outs ,
Privacy Acts ,
Privacy Laws ,
Sensitive Personal Information ,
State Attorneys General ,
State Privacy Laws
In recent weeks, the EU and UK have both introduced changes to their respective versions of Europe’s landmark privacy legislation, the General Data Protection Regulation (GDPR). These reforms mark the first substantial...more
7/11/2025
/ Compliance ,
Cookies ,
Data Privacy ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
Member State ,
New Legislation ,
Personal Data ,
Regulatory Agenda ,
Regulatory Reform ,
Regulatory Requirements ,
UK
On 25 June 2025, the European Commission announced its proposal for a “Space Act” that would introduce a new regulatory framework for EU space activities. The proposed framework includes cyber-resilience obligations for EU...more
7/9/2025
/ Compliance ,
Cybersecurity ,
Data Privacy ,
Enforcement ,
EU ,
National Security ,
Outer Space ,
Privacy Laws ,
Proposed Legislation ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management
- On 26 March 2025, the European Health Data Space (EHDS) Regulation entered into force. The regulation establishes a comprehensive framework for health-data sharing and access in the EU, with the dual aim of supporting the...more
6/26/2025
/ Compliance ,
Data Privacy ,
Data Security ,
Data-Sharing ,
Electronic Protected Health Information (ePHI) ,
EU ,
Health Care Providers ,
Healthcare ,
Healthcare Reform ,
Intellectual Property Protection ,
Life Sciences ,
Noncompliance ,
Personal Data ,
Regulatory Agenda ,
Regulatory Requirements ,
Shareholders
Texas has become the second state, after Colorado, to enact omnibus legislation regulating artificial intelligence (AI) systems. On June 22, 2025, Texas Gov. Greg Abbott signed into law the Texas Responsible Artificial...more
6/24/2025
/ Artificial Intelligence ,
Biometric Information ,
Corporate Counsel ,
Data Privacy ,
Disclosure Requirements ,
Enforcement Actions ,
Government Agencies ,
Legislative Agendas ,
New Legislation ,
Regulatory Requirements ,
State and Local Government ,
State Attorneys General ,
Technology ,
Texas
Executive Summary -
The EU Data Act, whose requirements apply from 12 September 2025, establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive...more
6/24/2025
/ Cloud Computing ,
Competition ,
Contract Terms ,
DATA Act ,
Data Privacy ,
Data Protection ,
Data-Sharing ,
Enforcement ,
EU ,
General Data Protection Regulation (GDPR) ,
New Legislation ,
Regulatory Requirements ,
UK
After years of regulatory uncertainty, the Trump administration has signaled a new approach to digital assets, including by establishing a working group focused on digital assets and nominating crypto-friendly chairs to the...more
5/6/2025
/ Artificial Intelligence ,
Blockchain ,
CFTC ,
Cryptocurrency ,
Cybersecurity ,
Data Privacy ,
Digital Assets ,
Enforcement Actions ,
Enforcement Priorities ,
FinTech ,
NYDFS ,
Popular ,
Regulatory Agenda ,
Regulatory Requirements ,
Risk Management ,
Securities and Exchange Commission (SEC) ,
State Attorneys General ,
Technology
On April 23 and 24, 2025, regulators, industry leaders and data privacy leaders from across the globe convened in Washington, D.C. for the 2025 International Association of Privacy Professionals (IAPP) Global Privacy Summit....more
5/5/2025
/ Artificial Intelligence ,
California Consumer Privacy Act (CCPA) ,
Corporate Counsel ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
EU ,
General Data Protection Regulation (GDPR) ,
Machine Learning ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
State Privacy Laws ,
Technology ,
UK
In a major development for businesses subject to state data privacy laws, eight state privacy regulators have joined forces to form the “Consortium of Privacy Regulators,” a bipartisan coalition aimed at coordinating...more
5/5/2025
/ California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Enforcement ,
Enforcement Actions ,
Personal Information ,
Privacy Laws ,
Regulatory Requirements ,
State Attorneys General ,
State Privacy Laws
In two recent rulings, judges in the U.S. Northern District of California have allowed proposed class actions under the California Consumer Privacy Act (CCPA) to proceed without an allegation of a data breach, departing from...more
In its first major initiative, on March 21, 2025, the Federal Communications Commission’s (FCC’s) newly formed Council on National Security (Council) launched an investigation into the “ongoing U.S. operations” of businesses...more