Privacy & Information Security Law Blog

On October 13, 2025, California Governor Gavin Newsom signed into law the Digital Age Assurance Act, which introduces new requirements for age verification in software applications.

On Oct 14, 2025, the Cyberspace Administration of China and the State Administration for Market Regulation issued Measures for the Certification for Outbound Cross-Border Transfer of Personal Information, effective Jan 1, 2026.

On October 21, 2025, the UK Technology Secretary announced plans to introduce an AI Growth Lab, consisting of AI sandboxes to allow companies and innovators to test new AI products in real-world conditions.

On October 20, 2025, the European Data Protection Board adopted two opinions on the European Commission’s draft decisions to extend the validity of the UK’s adequacy status until December 2031.

On October 8, 2025, California Governor Gavin Newsom signed into law SB-361, which amends the California Delete Act to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency.

On October 14, 2025, the European Data Protection Board announced that its fifth coordinated enforcement action will focus on compliance with the transparency and information requirements under the GDPR.

On October 15, 2025, the UK Information Commissioner’s Office announced a £14 million fine against Capita plc and Capita Pension Solutions Limited following a significant data breach.

On October 14, 2025, the UK government announced a coordinated effort by senior ministers and security officials to urge top UK businesses to improve their cybersecurity defenses.

Ace American Insurance Company (“Ace”) recently filed a subrogation lawsuit against two technology and cybersecurity providers, following a cybersecurity incident suffered by an insured policyholder that had engaged the providers. This case highlights the growing risk of subrogation lawsuits following a cybersecurity incident.

On September 30, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with five affiliated health care providers collectively known as Cadia Healthcare Facilities for potential violations of the HIPAA Privacy and Breach Notification Rules.