Privacy & Cybersecurity Law Blog

The Federal Trade Commission has issued a new Policy Statement encouraging the adoption of robust age‑verification technologies by pledging not to bring enforcement actions under the COPPA Rule against operators of general‑ or mixed‑audience sites that collect, use or disclose personal information solely to determine users’ ages, so long as long as they follow strict safeguards.

On February 24, 2026, the UK ICO announced that it had fined Reddit, Inc. £14.47 million following an investigation into the company’s handling of children’s personal information.

On February 18, 2026, Virginia Attorney General Jay Jones announced that his office intends to fully enforce new provisions of the Virginia Consumer Data Protection Act restricting minors’ use of social media.

On February 5, 2026, Connecticut Attorney General William Tong and Senator James Maroney announced that the state’s lawmakers will soon consider new measures aimed at protecting children and teenagers from potential risks associated with artificial intelligence technologies

On February 6, 2026, the Federal Trade Commission announced its second report to Congress on its efforts to combat ransomware and other cyber attacks.

On February 11, 2026, California Attorney General Rob Bonta announced a record $2.75 million settlement with the Walt Disney Company to resolve allegations that the company did not sufficiently comply with consumer opt-out rights under the California Consumer Privacy Act.  

On February 3, 2026, the UK Information Commissioner’s Office publicly confirmed that it has launched formal investigations into X Internet Unlimited Company and X.AI LLC, focused on the Grok artificial intelligence system.

On February 5, 2026, the UK Information Commissioner’s Office announced a £247,590 fine against MediaLab.AI, Inc., the company behind the image-sharing platform Imgur, for failing to lawfully process children’s personal information. 

On February 5, 2026, the next phase of the UK Data (Use and Access) Act officially came into force, bringing most of its provisions, including the major reforms in Part 5, into effect.

On January 27, 2026, Data Privacy Day, the California Office of the Attorney General announced an investigative sweep into surveillance pricing, a type of algorithmic pricing that uses personal information to set individualized prices, and how such practices may violate the California Consumer Privacy Act.

The U.S. Supreme Court will soon decide who qualifies as a “consumer” under the federal Video Privacy Protection Act, a 1988 law originally enacted to protect the privacy of individuals’ video rental and purchase records.

On January 8, 2026, New York Attorney General Letitia James sent a letter to Instacart demanding more information about the grocery platform’s use of algorithmic pricing and price-setting experiments.

On January 15, 2026, the UK Information Commissioner’s Office published updated guidance on international transfers of personal data under the UK GDPR.

On January 8, 2026, the Kentucky Attorney General announced the first enforcement action against a company for alleged violations of the Kentucky Consumer Data Protection Act, just eight days after the law went into effect. The enforcement action is part of a larger legislative and regulatory focus on AI-powered chatbots used by minors.

The New York Office of the Attorney General recently reached a $500,000 settlement with a New York orthopedics practice for allegedly failing to protect patient and employee information in light of a 2023 data breach.

The Consumer and Governmental Affairs Bureau (“CBG”) has extended, to January 31, 2027, the effective date of the Federal Communications Commission’s (“FCC”) Telephone Consumer Protection Act (“TCPA”) “global revocation” rule.

On December 15, 2025, the Federal Trade Commission announced that it, along with 21 states and the District of Columbia, filed an amended complaint in the U.S. District for the Northern District of California alleging that Uber used unfair and deceptive billing and cancellation practices. 

On December 31, 2025, the Federal Trade Commission announced that a federal judge had approved a $10 million settlement of its complaint against Disney for alleged violation of the Children’s Online Privacy Protection Act (“COPPA”).

On December 16, 2025, the Federal Trade Commission announced an enforcement action against Illusory Systems Inc., a Utah-based company doing business as Nomad, following a major data breach in which hackers stole $186 million from consumers.

Indiana’s comprehensive consumer privacy law, the Indiana Consumer Data Protection Act, is set to take effect on January 1, 2026. In advance of the law’s effective date, the Indiana Attorney General’s Office has published a Consumer Bill of Rights that provides guidance to both consumers and businesses.

On December 1, 2025, the Federal Trade Commission announced a proposed settlement with Illuminate Education, Inc., an education technology provider, to resolve allegations that the company’s data security failures led to a data breach affecting the personal information of over 10 million students.

On October 30, 2025, California Attorney General Rob Bonta announced a settlement with television streaming companies Sling TV LLC and Dish Media Sales LLC to resolve allegations that the companies violated the California Consumer Privacy Act by failing to provide an easy way for consumers to opt out of the sale or sharing of their personal information, and failing to provide sufficient privacy protections for minors.

On November 6, 2025, Connecticut Attorney General William Tong, along with California Attorney General Rob Bonta and New York Attorney General Letitia James, announced a significant settlement stemming from the enforcement of Connecticut’s Student Data Privacy Law.

On November 21, 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, a mobile gaming app company, for violations of the California Consumer Privacy Act’s opt-out of sale/sharing requirements.

On November 20, 2025, the U.S. Securities and Exchange Commission issued a brief announcement that it filed a joint stipulation with defendants SolarWinds Corporation and its Chief Information Security Officer to dismiss, with prejudice, the SEC’s ongoing civil enforcement action against them.

On October 13, 2025, California Governor Newsom signed into law Assembly Bill 56,  which requires social media platforms to display health warnings to users under 18 years old about the risks of social media use.

On October 31, 2025, the UK ICO launched a public consultation on its draft Data Protection Enforcement Procedural Guidance which sets out the updated procedures for investigations and enforcement by the ICO.

On October 14, 2025, the European Data Protection Board announced that its fifth coordinated enforcement action will focus on compliance with the transparency and information requirements under the GDPR.

On October 15, 2025, the UK Information Commissioner’s Office announced a £14 million fine against Capita plc and Capita Pension Solutions Limited following a significant data breach.

On September 30, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with five affiliated health care providers collectively known as Cadia Healthcare Facilities for potential violations of the HIPAA Privacy and Breach Notification Rules.

On September 26, 2025, California Governor Newsom signed into law Assembly Bill 45, which amends existing California law to strengthen privacy protections for health and location data of individuals seeking health care services, including reproductive health care.

On September 29, 2025, the FTC announced it had initiated an enforcement action against the operator of anonymous messaging app Sendit and the company’s CEO, Hunter Rice, for alleged violations of the Children’s Online Privacy Protection Act and the Restore Online Shoppers’ Confidence Act. 

Tractor Supply Company, the largest rural lifestyle retailer in the country, recently agreed to pay $1.35 million fine to the California Privacy Protection Agency for CCPA violations.

The Federal Trade Commission recently published its Draft Strategic Plan for Fiscal Years 2026-2030, which identifies children’s online privacy and telemarketing abuse prevention as key enforcement priorities.

Google recently resolved two cases—one by verdict and one by settlement—involving allegations regarding the control that Google promised to give users over Google’s use of their data. 

On September 15, 2025, the Federal Trade Commission announced a $7.5M settlement with education technology provider, Chegg, settling allegations that Chegg violated the Restore Online Shoppers’ Confidence Act and the FTC Act by making it difficult for consumers to cancel subscription services and deceiving consumers by failing to honor cancellation requests.

On September 23, 2025, the California Privacy Protection Agency announced that the California Office of Administrative Law approved the new California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, automated decision-making technology, and insurance companies, with staggered deadlines for compliance.

The Ninth Circuit recently upheld key provisions of California’s Protecting Our Kids from Social Media Addiction Act, including a ban on personalized social media feeds for minors and a requirement to implement default privacy settings on minors’ social media accounts.

The U.S. Department of Health and Human Services recently delegated authority to the HHS Office for Civil Rights to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026.

The authority of the California Privacy Protection Agency to examine companies’ conduct prior to the enactment of regulations implementing the California Consumer Privacy Act in 2023 recently has been challenged.  Last month, the CPPA announced that it had filed a petition in Sacramento County Superior Court to enforce an investigative subpoena against retailer Tractor Supply Company regarding the company’s privacy practices prior to January 1, 2023. This action marks the first time the Agency has publicly disclosed an ongoing investigation.

A bill making its way through the California legislature (S.B. 361) would amend the California Delete Act to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency.

On August 14, 2025, the New York Department of Financial Services announced a settlement with dental insurance management services provider, Healthplex, following an investigation conducted in the wake of a 2021 data breach that revealed alleged violations of the NYDFS Cybersecurity Regulation.

On August 13, 2025, New York Attorney General Letitia James announced the filing of a lawsuit against Zelle for its failure to adopt adequate account security and verification measures, leading to the theft of $1 billion from Zelle users.

The California Privacy Protection Agency recently announced that it had ordered Washington-based data broker, Accurate Append, Inc., to pay a $55,400 fine and the CPPA’s attorneys’ fees and costs, in addition to injunctive relief, for failure to register as a data broker with the CPPA and pay an annual fee, as required by California’s Delete Act.

New York recently passed legislation regulating the use of algorithmic pricing using personal data and the operation of AI companions.

Connecticut enacted SB 1295 in June, which added another round of amendments to the Connecticut Data Privacy Act. While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026.

On July 25, 2025, the UK government published guidance outlining the key stages for bringing the provisions of the UK Data (Use and Access) Act into effect.

On June 27, 2025, the Amendment of the Anti-unfair Competition Law of PRC was published.  The AUCL will take effect on October 15, 2025.

On July 24, 2025, the California Privacy Protection Agency finalized CCPA regulations on automated decision-making technology, risk assessments and cybersecurity audits.

On July 23, 2025, the Trump Administration published an AI Action Plan and three Executive Orders on AI.

Texas recently enacted a law requiring electronic health records to be physically stored in the U.S., among other requirements.   

On June 20, 2025, the Texas governor signed into law S.B. 2121, which amends the Texas Data Broker Act’s definition of “data broker” and applicability thresholds.

On July 7, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a behavioral health care provider for failure to comply with the HIPAA Security Rule, resulting in a $225,000 fine and a two-year corrective action plan.

On July 8, 2025, Connecticut Attorney General William Tong announced a settlement with TicketNetwork for alleged violations of the Connecticut Data Privacy Act.

On July 7, 2025, the UK Information Commissioner’s Office launched two new consultations related to its approach to enforcement under PECR with respect to online advertising and to certain proposed updates to its guidance on cookies following passage of the Data (Use and Access) Act 2025.

On July 1, 2025, the California Office of the Attorney General announced that the AG had reached a proposed settlement with Healthline Media LLC, the publisher of a website that provides medical and health-related information, over alleged violations of the California Consumer Privacy Act.

SolarWinds has reached an agreement in principle with the US Securities and Exchange Commission in the agency’s ongoing securities fraud lawsuit against the company and its former chief information security officer in connection with a series of cyberattacks against the company.

The U.S. Department of Health and Human Services Office for Civil Rights recently announced two settlements over alleged violations of the HIPAA Security Rule, against a covered entity and a business associate, respectively, specifically with respect to unauthorized access to ePHI and failure to properly secure ePHI.

On April 11, 2025, the North Dakota governor signed H.B. 1127, which establishes new data security measures and breach notification obligations for financial corporations.

In May 2025, Nebraska enacted a series of laws aimed to protect children online including the Parental Rights in Social Media Act (LB383) and the Age-Appropriate Online Design Code Act (LB 504).

On May 19, 2025, President Trump signed into law the Take It Down Act, which bans the nonconsensual online publication of sexually explicit images and videos that are both authentic and computer-generated, and includes notice and takedown obligations for covered online platforms.

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules.

On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion agreement in principle to settle cases it filed against Google in 2022 alleging that Google unlawfully collected, stored and used certain personal data of Texans without consent, including location information, biometric identifiers and web browsing activity.

On April 29, 2025, the Michigan Attorney General filed a lawsuit against Roku alleging violations of the Children’s Online Privacy Protection Act.

On May 6, 2025, the Missouri Attorney General Andrew Bailey announced a rule filed under the Missouri Merchandising Practices Act on social media platform content moderation.

On May 6, 2025, the California Privacy Protection Agency announced that it had issued an order requiring clothing retailer Todd Snyder, Inc. to change its business practices and pay a $345,178 fine to resolve alleged violations of the California Consumer Privacy Act.

In April 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement settlement with Comprehensive Neurology, PC, a New York-based neurology practice, in connection with a ransomware incident that compromised the electronic protected health information of approximately 6,800 individuals.

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a health care network following a phishing attack that exposed patients’ electronic protected health information, which resulted in a $600,000 monetary settlement and two-year corrective action plan.

The California Privacy Protection Agency and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators, which includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

On April 29, 2025, the CNIL published its Annual Activity Report for 2024. The Report provides an overview of the CNIL’s activities in 2024, including enforcement activities and other new developments.

On April 22, 2025, the European Commission announced its first two non-compliance decisions under the Digital Markets Act. In these decisions, the European Commission fined Apple EUR 500 million and Meta EUR 200 million.

The Department of Health and Human Services’ Office for Civil Rights recently announced two HIPAA enforcement actions involving failures to safeguard electronic protected health information in violation of the HIPAA Security Rule.

On April 16, 2025, the U.S. District Court for the Southern District of Ohio Eastern Division issued a ruling permanently enjoining the Ohio Attorney General from enforcing the Parental Notification by Social Media Operators Act.

On April 17, 2025, the New Jersey Office of the Attorney General announced it had filed a lawsuit against messaging app Discord for alleged violations of the New Jersey Consumer Fraud Act in connection with its children’s privacy and safety practices.

Last year, the Federal Communications Commission issued a rule amending a portion of the Telephone Consumer Protection Act.

On March 27, 2025, the Information Commissioner's Office announced that it had issued a fine against Advanced Computer Software Group for £3.07 million for non-compliance with security rules identified through an investigation following a ransomware attack.

On March 27, 2025, the Federal Trade Commission announced that it had reached a $17 million settlement with Cleo AI, Inc., an online cash advance company, over alleged deceptive representations regarding the company’s services and subscription cancellation process.

On March 7, 2025, the New York Attorney General announced a $650,000 settlement with Saturn Technologies Inc., the developer of a student social networking app, for alleged privacy violations.

After six months of enforcement of Oregon’s Consumer Privacy Act, a new report from the Oregon Attorney General indicates strong consumer engagement with the law’s privacy rights, notable business compliance efforts and key areas where businesses are falling short.

On March 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights announced a $200,000 civil monetary penalty against Oregon Health & Science University for allegedly violating the HIPAA Privacy Rule’s right of access.

The Attorney General of Arkansas filed a lawsuit against General Motors and its subsidiary, OnStar, alleging deceptive trade practices related to the collection and sale of drivers’ data.

The Cyberspace Administration of China recently released requirements regarding data protection compliance audits, which will go into effect on May 1, 2025.

As part of the California Privacy Protection Agency’s investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry, as required under the Delete Act.

On February 20, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a $1.5 million fine against Warby Parker for alleged violations of the HIPAA Security Rule.

On February 7, 2025, the French Data Protection Authority (“CNIL”) released two recommendations aimed at guiding organizations in the responsible development and deployment of artificial intelligence (“AI”) systems in compliance with the EU General Data Protection Regulation (“GDPR”). The first recommendation is titled “AI: Informing Data Subjects” (the “Recommendation on Informing Individuals”) and the second recommendation is titled “AI: Complying and Facilitating Individuals’ Rights” (the “Recommendation on Individual Rights”). The recommendations build on the CNIL’s four-pillar AI action plan announced in 2023.

The Massachusetts Attorney General released internal TikTok documents last week as part of an unsealed complaint alleging that the company designed its platform to maximize children’s engagement while downplaying associated risks.

On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission.

On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information. 

On January 29, 2025, the California Privacy Protection Agency announced that it had reached a settlement with Connecticut-based data broker Key Marketing Advantage, LLC, resolving the fifth action against a business  for its alleged failure to register as a data broker, as required under California’s Delete Act.

On January 31, 2025, the UK government published the Code of Practice for the Cyber Security of AI and the Implementation Guide for the Code. 

On January 29, 2025, the United States Court of Appeals for the Ninth Circuit enjoined California from enforcing the Protecting Our Kids from Social Media Addiction Act in its entirety, pending a challenge to the law brought by NetChoice.

On January 14, 2025, the Federal Trade Commission announced that it had issued final orders against data brokers Gravy Analytics, Inc. and Mobilewalla, Inc. for the collection, use, and sale of consumers’ precise geolocation data.

On January 16, 2025, the FTC announced a proposed order against General Motors and OnStar that would resolve allegations that the companies collected, used and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent.

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products.

On February 2, 2025, the EU AI Act’s rules on AI literacy, along with the prohibition of certain types of AI system, became applicable in the EU.

On December 21, 2024, New York Governor Kathy Hochul signed a flurry of privacy and social media bills, including Senate Bill 895B, Senate Bill 5703B, Senate Bill 2376B and Senate Bill 1759B.

On January 21, 2025, the New York state legislature passed Senate Bill (S-929), which provides for the protection of health data. 

On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.

On January 14, 2025, the UK government opened a consultation seeking views on three proposals aimed at reducing the threat of ransomware attacks.

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.