Privacy & Cybersecurity Law Blog

Louisiana recently enacted the Louisiana Data Privacy Act, becoming the 22nd U.S. state to adopt a comprehensive consumer data privacy law.

On May 27, 2026, Connecticut enacted a comprehensive state artificial intelligence law establishing several regulatory frameworks that address companion chatbots, frontier model governance, and AI use in employment decisions, among other topics.

On April 29, 2026, China's Cyberspace Administration released an official Q&A document on personal data audits to help data handlers understand and comply with China’s personal data audit-related framework.

Effective June 5, 2026, Oregon Senate Bill 1587 prohibits any state government, local government or special government bodies from disclosing personally identifiable information to a data broker unless the data broker first provides a written attestation to the public body that the information will not be sold or otherwise transferred to any entity that will use the information to enforce federal immigration law.

On May 18. 2026, the U.S. Department of Health and Human Services announced a reorganization of its Office for Civil Rights, the agency responsible for enforcing health information privacy and security requirements and federal civil rights laws.

Technology companies should be prepared for possible enforcement actions by the Federal Trade Commission under the Take It Down Act, which took effect on May 19, 2026.     

On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 4 into law, which amends the Connecticut Data Privacy Act to create data broker registration and compliance requirements, ban the sale of geolocation data, and set limits on surveillance pricing and the processing of genetic data.

On May 21, 2026, the New York Department of Financial Services issued an industry letter warning regulated entities that emerging frontier AI models may significantly increase cyber risk by enabling threat actors to identify and exploit vulnerabilities with greater speed, scale, and sophistication.

On May 21, 2026, the FTC announced settlements with three marketing firms, requiring them to pay a total of $930,000 to settle allegations that they deceived customers by falsely claiming to offer an AI-powered service that could target localized ads based on conversations captured from consumers’ smart devices, and that consumers had opted into such targeting.

On May 25, 2026, a new Memorandum of Understanding between the UK AI Security Institute and the Australian AI Safety Institute was announced, aimed at strengthening bilateral cooperation on AI security and safety.