A new lawsuit filed by the Texas Attorney General against Roblox has brought privacy, safety, and data handling into the spotlight for online platforms, especially those used by kids and teens. The allegations followed concerns raised by advocacy groups in 2024 and suggest that Texas will continue to be active in the privacy space.
Continue Reading Texas Sets Sights on Roblox
The Dutch Data Protection Authority recently updated its cookie banner guidance. This comes after the agency, the Autoriteit Persoonsgegevens (or AP), promoted a goal earlier this year to monitor 500 websites a year to ensure their use of cookies complies with GDPR. The Dutch are not the only ones concerned about cookie banners. See, for example, activity from the UK that we wrote about last year. Of note, the Dutch authority stresses in its guide that even if a company uses third-party consent management platforms, the site operator is still responsible for compliance.
Continue Reading Is Your Website’s Cookie Banner Up to Date? New Guidance from Dutch DPA
A recent settlement with an education service provider and three states – California, Connecticut, and New York – serves as a reminder to deactivate the credentials of departed employees. The case arose following a data breach suffered by Illuminate Education, which provides assessment software to K-12 school systems. As part of its services, the company stores sensitive details like students’ special education and accommodation needs.
Continue Reading The Ghost of Employees Past: The Data Breach Risks from User-Credential Management
The European Data Protection Supervisor (EDPS) AI guidance for EU institutions has lessons for businesses. This includes when inputting personal information into these tools. The recommendations from the guidance fall into five categories, which businesses can take as potential principles. Namely:
Continue Reading Protecting Personal Data in the Age of AI: Lessons from the Latest EDPS Guidance
The Southern District of California recently reminded companies that it has concerns about steps to take to make online terms binding. The case arose from a putative class action over alleged false pricing practices brought against Maggy London International Ltd. an online clothing retailer.
Continue Reading Are Your Online Terms Enforceable?: Lessons from California
The Consortium of Privacy Regulators is growing. Meanwhile, CalPrivacy has announced a new program, a data broker “strike force.”
Continue Reading State Privacy Action Grows: Consortium Expands, California Launches Data Broker Strike Force
California has set what may be an emerging trend with AB 45, restricting collection and use of personal information collected near family planning facilities. The law was signed recently by h Governor Newsom and is set to go into effect January 1, 2027. It provides for penalties of $25,000 fine per violation.
Continue Reading Keep Out! California Draws the Privacy Fence Around Health Data
Illinois employers are reminded that a law addressing the use of AI in the workplace is set to take effect January 1, 2026.
Continue Reading Illinois AI Employment Law Goes Live Soon: Are Your Hiring Practices Compliant?
If you thought social media needed a warning label, many state regulators agree. California recently passed a new warning label law, which will take effect on January 1, 2027. That is, unless it is challenged. Meanwhile, Colorado is fighting to keep alive a similar law following a NetChoice challenge. Other states (like Arkansas, California, Florida, Utah, Maryland, Mississippi, Ohio, and Texas) have not been successful, seeing similar laws stopped on First Amendment grounds.
Continue Reading Warning! States Continue to Worry About Social Media and Teens
Italy became the first EU country to enact a comprehensive national AI law when its AI law (Law No. 132/2025) took effect last month. The law is intended to work with the existing EU AI Act, but with more details and specific obligations. In fact, it mirrors many of the themes that are being implemented in US AI laws (like those in Texas, Virginia (vetoed), and Colorado). This may be one of many similar laws we see coming out of Europe this year, and the potential for a fragmented AI regulatory patchwork in the EU.
Continue Reading When in Rome—Make Your AI Do As the Regulators Do
California is getting serious about age checks online, and businesses should pay attention. Thanks to the passage of AB 1043, starting January 1, 2027, software makers and app stores will need to know the user’s age (or at least their age bracket) and signal it to apps every time a download or launch happens. For businesses that may be unclear whether COPPA or CCPA’s provisions for teenagers apply to their app, this law is aimed at clarifying that ambiguity.
Continue Reading “How Old Are You, Anyway?” California’s New Law Makes Apps Ask… And Remember!
California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting this earlier this year). While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a
Continue Reading 2026 Data Breach Law Updates – California and Oklahoma
Companies are become increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.
Continue Reading California Continues to Expand Data Broker Requirements
Many courts have held that that information gathered by video-related pixels are not “personal” for purposes of the Video Privacy Protection Act. Nevertheless, plaintiff class action attorneys continue to file these VPPA actions in federal court.
Continue Reading Behind the Pixel: Not Always Personal Information Under VPPA
A thorny issue for companies has been how to handle data derived from personal information. Is it still personal information? Do privacy laws apply? The EU Court of Justice of grappled with this issue in a September decision. The case arose following a Spanish bank’s financial difficulties. Its regulatory agency, the European Single Resolution Board, stepped in to attempt to value some of the bank’s investments and otherwise determine next steps. As part of the process, the board hired a consulting firm to analyze feedback from the bank’s shareholders and creditors. The board collected the information, pseudonymized the data,
Continue Reading EU Weighs in on Pseudonymized Data
Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule –relating to the Cybersecurity Maturity Model Certification program or CMMC – will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)
Continue Reading Leveling Up: Will CMMC Contract Obligations Impact Your Organization?