The Digital Download provides a quarterly snapshot of emerging issues at the intersection of privacy, cybersecurity, and data strategy. It brings together Alston & Bird’s thought leadership, publications, events, and firm news into a single, easy‑to‑navigate resource.
Publications & Advisories
- January 28, 2026 – Kelly Hagedorn, Paul Greaves, and Hanna Hewitt published “Privacy, Cyber & Data Strategy Advisory | UK’s Data (Use and Access) Act 2025 – What Does It Change?”
- January 2026 - Kathleen Benway, Alex Brown, Maki DePalo, Jennifer Everett, Graham Gardner, and Hyun Jai Oh published “Flurry of Federal Trade Commission Activity Shows Enforcement Emphasis on Youth Protection” in Pratt’s Privacy & Cybersecurity Law Report.
- January 6, 2026 – Kim Peretti, Lance Taubin, and Carson Kuck published “Privacy, Cyber & Data Strategy Advisory | How AI Is Changing the Incident Response Landscape: What GCs Need to Know.”
- December 18, 2025 – Jennifer Everett, Dan Felz, Kate Hanniford, Jennifer Pike, and Santiago Villar published “Privacy, Cyber & Data Strategy Advisory | President Trump Signs Executive Order Aiming to Curb State AI Regulation.”
- December 17, 2025 – Our Privacy, Cyber & Data Strategy; Investment Funds; White Collar, Government & Internal Investigations; and Securities Litigation teams published “Investment Funds / Privacy, Cyber & Data Strategy Advisory | SEC Settles with Virtu over Customer MNPI Controls.”
- December 16, 2025 – Kelly Hagedorn, Wim Nauwelaerts, and Paul Greaves published “Privacy, Cyber & Data Strategy Advisory | The Data Act: 5 Things to Know About How the Data Act Mitigates Risks to Cybersecurity and Trade Secrets.”
- December 15 - Kelly Hagedorn, Wim Nauwelaerts, Paul Greaves, Alice Portnoy, and Hanna Hewitt published “The EU Data Act: 5 Things to Know About the Data Act and New Switching Requirements for Providers of Cloud Services” in The Global Regulatory Developments Journal.
- December 15 - Kelly Hagedorn, Wim Nauwelaerts, Paul Greaves, Alice Portnoy, and Hanna Hewitt published “The EU Data Act: 7 Things to Know About the Data Act and Connected Products” in The Global Regulatory Developments Journal.
- December 5, 2025 – Jennifer Everett and Dorian Simmons published “What Businesses Need to Know About California’s AI Safety Law” in Bloomberg Law.
Selected U.S. Privacy & Cyber Updates
California Attorney General Announces Investigative Sweep into “Surveillance Pricing”
On January 28, 2026, California Attorney General (AG) Rob Bonta announced an investigative sweep targeting “surveillance pricing” practices among businesses in the retail, grocery, and hotel sectors. The investigation focuses on companies that use consumers’ personal information to set individualized prices. According to the AG’s press release, surveillance pricing practices could violate the California Consumer Privacy Act (CCPA), particularly its “purpose limitation” requirement.
New York Regulates Large Artificial Intelligence Models
On December 19, 2025, just eight days after President Trump issued the Executive Order Ensuring a National Policy Framework for Artificial Intelligence to challenge burdensome state laws that regulate artificial intelligence, New York Governor Kathy Hochul signed the Responsible Artificial Intelligence Safety and Education Act (RAISE Act). The RAISE Act imposes transparency, compliance, safety, and reporting requirements on certain developers of large “frontier” AI models. The RAISE Act takes effect March 19, 2026.
DOJ Cybersecurity Enforcement Pace Shows No Signs of Slowing Down Going into 2026
As 2025 drew to a close, the U.S. Department of Justice (DOJ) announced significant developments in cases involving the allegedly deficient cybersecurity practices of two Department of Defense contractors. These two cases suggest that the federal government will continue to make DFARS 7012 compliance for companies that process controlled unclassified information an enforcement priority in 2026. They also suggest that the DOJ may be broadening its enforcement efforts.
Texas Court Blocks Smart TV Data Collection
A Texas state court has issued a temporary restraining order (TRO) blocking Hisense, a major Chinese smart TV manufacturer, from collecting data on the content viewers watch via automatic content recognition (ACR) technology. The TRO follows lawsuits that Texas Attorney General Ken Paxton filed on December 15, 2025 against Hisense and four other smart TV manufacturers alleging violations of the Texas Deceptive Trade Practices Act arising out of the collection and use of sensitive ACR data without adequate disclosure or consent.
NYDFS Releases New Prescriptive FAQs on MFA
The New York Department of Financial Services (NYDFS) has released a new set of frequently asked questions (FAQs 18–23) under 23 NYCRR Part 500, reinforcing its position that multifactor authentication (MFA) remains a critical component of a covered entity’s cybersecurity program. These FAQs provide highly prescriptive guidance, including clarifications on technical requirements for the “possession” factor and risks associated with push-based authentication methods.
California AG Announces $1.4 Million Settlement with Mobile App Provider for Alleged CCPA Violations
On November 21, 2025, California AG Rob Bonta announced a $1.4 million settlement with Jam City Inc., a mobile game app company, for alleged failures to enable in-app opt-outs from the sale and sharing of personal information across many of the company’s mobile apps as required by the CCPA.
Selected Global Privacy & Cyber Updates
European Commission Publishes Guidance for Companies Implementing the EU Cyber Resilience Act
On 3 December 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (CRA). The CRA is an EU-wide law which lays down cybersecurity requirements for ‘products with digital elements’, including Internet of Things (IoT) devices, hardware components, and certain software. It becomes fully applicable on 11 December 2027, with reporting obligations (for actively exploited vulnerabilities and significant incidents) kicking in earlier – from 11 September 2026.
Spanish DPA Highlights Privacy Risks in GenAI Content Creation
In early January 2026, the Spanish Data Protection Authority (Agencia Española de Protección de Datos, or AEPD) issued new guidance on the privacy and data protection risks associated with uploading images or photos – whether directly or indirectly identifying individuals – into generative AI tools. The guidance is particularly focused on situations when those images are hosted by third‑party online services or digital platforms.
How to Comply with the EU AI Act: Guidance from the Spanish AI Regulator
On 10 December, the Spanish supervisory authority for the EU AI Act published a set of 16 detailed guidelines and nonbinding checklists designed to help companies navigate their obligations under the AI Act, which entered into force in August 2024.
New EU Regulation Clarifies Cybersecurity Rules for IoT Devices and Other ‘Products with Digital Elements’
On 28 November 2025, the European Commission adopted a regulation implementing the Cyber Resilience Act – an EU-wide law which lays down cybersecurity requirements for companies that design and sell ‘products with digital elements’ (PDEs). PDEs can take many forms, including IoT devices, hardware components, and certain software.
[View source.]
