Privacy & Information Security Law Blog

On September 26, 2025, the European Commission initiated a public consultation on draft guidance and a draft reporting template for serious AI incidents under the EU AI Act.

Last month, the Cyberspace Administration of China issued the draft Measures for the Identification of Online Platform Service Providers with a Substantial Number of Minor Users and Significant Influence on Minors.

Google recently resolved two cases—one by verdict and one by settlement—involving allegations regarding the control that Google promised to give users over Google’s use of their data. 

On September 15, 2025, the Federal Trade Commission announced a $7.5M settlement with education technology provider, Chegg, settling allegations that Chegg violated the Restore Online Shoppers’ Confidence Act and the FTC Act by making it difficult for consumers to cancel subscription services and deceiving consumers by failing to honor cancellation requests.

On September 22, 2025, the U.S. Supreme Court granted on its emergency docket President Trump’s application for a stay of the lower federal court’s order for Rebecca Kelly Slaughter to be reinstated as FTC Commissioner after Trump fired her, and decided to revisit separation of powers issues, including whether to overrule its 1935 decision in Humphrey’s Executor v. United States.

On September 23, 2025, the California Privacy Protection Agency announced that the California Office of Administrative Law approved the new California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, automated decision-making technology, and insurance companies, with staggered deadlines for compliance.

The Ninth Circuit recently upheld key provisions of California’s Protecting Our Kids from Social Media Addiction Act, including a ban on personalized social media feeds for minors and a requirement to implement default privacy settings on minors’ social media accounts.

The U.S. Department of Health and Human Services recently delegated authority to the HHS Office for Civil Rights to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026.

On September 11, 2025, the Cyberspace Administration of China issued the Administrative Measures for Reporting National Cybersecurity Incidents.

Colorado Governor Jared Polis recently signed Senate Bill 25B-004 into law, which delays the enforcement date of the Colorado Artificial Intelligence Act from February 1, 2026, to June 30, 2026. The bill does not amend the substantive requirements of the Act.