Privacy & Information Security Law Blog

Texas recently enacted a law requiring electronic health records to be physically stored in the U.S., among other requirements.   

On June 20, 2025, the Texas governor signed into law S.B. 2121, which amends the Texas Data Broker Act’s definition of “data broker” and applicability thresholds.

On July 7, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a behavioral health care provider for failure to comply with the HIPAA Security Rule, resulting in a $225,000 fine and a two-year corrective action plan.

The California Privacy Protection Agency Board will hold a board meeting on July 24, 2025, at 9:00 am PDT.

On July 10, 2025, the European Commission published the final version of the General-Purpose AI Code of Practice.  

On July 8, 2025, Connecticut Attorney General William Tong announced a settlement with TicketNetwork for alleged violations of the Connecticut Data Privacy Act.

On July 7, 2025, the UK Information Commissioner’s Office launched two new consultations related to its approach to enforcement under PECR with respect to online advertising and to certain proposed updates to its guidance on cookies following passage of the Data (Use and Access) Act 2025.

The New York legislature recently passed the Responsible AI Safety and Education Act, which regulates large developers of frontier AI models.  The bill awaits signature by the New York Governor.

On July 3, 2025, the European Data Protection Board issued the Helsinki Statement outlining new initiatives to make compliance with the GDPR easier and to strengthen consistency and boost cross-regulatory cooperation.

On July 1, 2025, the California Office of the Attorney General announced that the AG had reached a proposed settlement with Healthline Media LLC, the publisher of a website that provides medical and health-related information, over alleged violations of the California Consumer Privacy Act.