Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Latest from Eye On Privacy

California is getting serious about age checks online, and businesses should pay attention. Thanks to the passage of AB 1043, starting January 1, 2027, software makers and app stores will need to know the user’s age (or at least their age bracket) and signal it to apps every time a download or launch happens. For businesses that may be unclear whether COPPA or CCPA’s provisions for teenagers apply to their app, this law is aimed at clarifying that ambiguity.
Continue Reading “How Old Are You, Anyway?” California’s New Law Makes Apps Ask… And Remember!

California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting timeline earlier this year.) While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a
Continue Reading 2026 Data Breach Law Updates – California and Oklahoma

Companies are becoming increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.
Continue Reading California Continues to Expand Data Broker Requirements

A thorny issue for companies has been how to handle data derived from personal information. Is it still personal information? Do privacy laws apply? The EU Court of Justice grappled with this issue in a September decision. The case arose following a Spanish bank’s financial difficulties. Its regulatory agency, the European Single Resolution Board, stepped in to attempt to value some of the bank’s investments and otherwise determine next steps. As part of the process, the board hired a consulting firm to analyze feedback from the bank’s shareholders and creditors. The board collected the information, pseudonymized the data,
Continue Reading EU Weighs in on Pseudonymized Data

Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule – relating to the Cybersecurity Maturity Model Certification program, or CMMC – will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)
Continue Reading Leveling Up: Will CMMC Contract Obligations Impact Your Organization?

We are in the final quarter of the year, which is typically the time for budgeting and planning on many issues, including – hopefully! – data incident preparedness. Is your organization able to take advantage of one of the growing number of states’ safe harbor provisions? In particular, Connecticut, Iowa, Ohio, Oklahoma (beginning January 1, 2026), Oregon, Texas (as of September 2025, for entities with fewer than 250 employees), and Utah provide certain affirmative defenses against claims resulting from data breaches. The safe harbor is available if the company has a “qualified” cybersecurity program. What that means varies by state.
Continue Reading Incident Response Defenses: Can You Take Advantage of a Cyber Program Safe Harbor?

For those keeping track of the growing list of US state “comprehensive” privacy laws, you know that the Maryland law (the Maryland Online Data Privacy Act or MODPA) went into effect on October 1st. This rounds out the US state privacy laws for 2025, bringing the total to 17 (or 16, if you discount Florida). Next up will be Indiana, Kentucky, and Rhode Island (all on January 1, 2026).
Continue Reading 2025 Brought Us Eight US “Comprehensive” Privacy Laws, What’s Next?

Companies can take many lessons from the FTC’s recent COPPA settlement with a robot app from the toy manufacturer Apitor Technologies. According to the FTC complaint, the app allegedly allowed a Chinese entity to collect and share children’s geolocation information without parental consent – violating COPPA. In particular, children could use the app to program their robots, but to do so, they needed to enable location permissions. Once enabled, a third-party SDK (JPush), developed by the Chinese-based entity Jiguang, would send the child’s location to that entity’s Chinese-based servers.
Continue Reading What Can We Learn from This Administration’s FTC COPPA Settlement

Now is the time that many are putting together their 2026 budgets and considering how much to allocate next year to address the constantly evolving privacy and data security landscape. In the last article in this series we looked at three change management tools that can help effectuate privacy compliance. Here are three more, and things to consider – and potentially budget for – in the new year.
Continue Reading More Privacy Compliance Considerations for the 2026 Budget Process

Today’s compliance landscape is more crowded—and more complex—than ever. As the pace of regulatory change accelerates, companies need to find effective paths forward. As I detailed in a Law360 article from earlier this year, change management tools can help. Here are three areas to consider as you begin to think about your compliance plans (and budget) for 2026.
Continue Reading Setting Your Privacy Compliance Strategy in Advance of the 2026 Budget Process

Can we take any insights from Connecticut’s first settlement under the state’s Data Privacy Act, reached with TicketNetwork, an online ticket marketplace? The AG concerns mirrored priorities outlined in Connecticut’s 2025 CTDPA Enforcement Report. This suggests that future cases may also draw from that report.
Continue Reading Privacy Compliance Insights from Connecticut’s First Privacy Law Settlement

Starting January 1, 2026, health care practitioners in Texas are required to store electronic health records in the United States under a new Act. It applies to all records, regardless of the date on which the record was first prepared. This requirement is found in a recently enacted law that also includes requirements for practitioners’ AI use.
Continue Reading New Texas Law Requires Storage of Electronic Health Records in U.S.

Texas recently enacted a pair of laws aimed at AI governance in the public sector and in healthcare. Starting September 1, 2025, there will be statutory authorization for health care practitioners (HCPs) in Texas to use AI for care-related purposes. This includes a practitioner’s ability to develop courses of treatment and to diagnose patients.
Continue Reading New Texas Law Permits Use of AI In Health Care

Connecticut has revised its privacy law for the third time since it was passed in 2022. With SB 1295, the state has mirrored others (like Colorado and Montana) in making ongoing changes to its law. Many of the changes incorporate, either in concept or wholesale, provisions that exist in other states. Connecticut makes these changes following its 2024 and 2025 AG reports, which included recommendations to lawmakers, some of which ended up in SB 1295.
Continue Reading Connecticut, the Provisions State, Adds New Provisions to its Privacy Law