Posts from January 2025.
Time 2 Minute Read

On January 28, 2025, the Italian Data Protection Authority announced that it had launched an investigation into the data processing practices of Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence.

Time 2 Minute Read

New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”

Time 3 Minute Read

On January 20, 2025, President Trump revoked a number of Biden-era Executive Orders, including Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.

Time 6 Minute Read

On January 21, 2025, the New York state legislature passed Senate Bill (S-929), which provides for the protection of health data. 

Time 3 Minute Read

On January 23, 2025, the UK Information Commissioner’s Office published its new online tracking strategy for 2025, which sets out how it intends to achieve its vision of a fair and transparent online world where people are given meaningful control over how they are tracked online.

Time 2 Minute Read

On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.

Time 2 Minute Read

On January 14, 2025, the UK government opened a consultation seeking views on three proposals aimed at reducing the threat of ransomware attacks.

Time 2 Minute Read

On January 16, 2025, the French Data Protection Authority unveiled its strategic plan for 2025-2028, highlighting its priorities for the coming years.

Time 2 Minute Read

On January 21, 2025, the Council of the EU adopted the European Health Data Space Regulation.

Time 2 Minute Read

Earlier this month, the U.S. Consumer Financial Protection Bureau invited public comment on strengthening privacy protections for, and a proposed interpretive rule extending financial consumer protections to, emerging payment mechanisms.

Time 3 Minute Read

Last week President Biden issued Executive Order 14144, titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” which aims to strengthen software supply chain security, impose more stringent cybersecurity requirements on federal contractors, combat cybercrime, and encourage the development of identity verification technologies.

Time 3 Minute Read

On January 3, 2025, the Cyberspace Administration of China issued the draft Measures for Personal Information Protection Certification for Cross-Border Transfers of Personal Information (“Draft Measures”) for public consultation. The Draft Measures will make available a certification which can be used as a mechanism for lawfully transferring personal information outside of China.

Time 2 Minute Read

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

Time 2 Minute Read

On January 13, 2025, California Attorney General Rob Bonta issued two legal advisories on the use of AI, including in the healthcare context. The first legal advisory (“AI Advisory”) advises consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws with respect to the use of AI, while the second (“Healthcare AI Advisory”) provides guidance specific to healthcare entities about their obligations under California law regarding the use of AI.

Time 3 Minute Read

On January 9, 2025, the Court of Justice of the European Union issued its judgment in the case Österreichische Datenschutzbehörde.

Time 1 Minute Read

On January 16, 2025, the non-profit organization None Of Your Business filed six complaints against organizations with five European data protection authorities for the unlawful transfer of personal data to China.

Time 2 Minute Read

On January 17, 2025, the Supreme Court of the United States unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which restricts companies from making foreign adversary controlled applications available (i.e., on an app store) and from providing hosting services with respect to such apps.

Time 3 Minute Read

On January 17, 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) becomes applicable in the EU.

Time 1 Minute Read

On January 7, 2025, the Biden White House announced that a new “Cyber Trust Mark” will begin appearing on products in the U.S. in 2025. The Cyber Trust Mark will denote products that are “cyber secure.”

Time 5 Minute Read

On January 16, 2025, the FTC announced the issuance of updates to the FTC’s Children’s Online Privacy Protection Rule (the “Rule”), which implements the federal Children's Online Privacy Protection Act of 1998 (“COPPA”).

Time 5 Minute Read

On January 8, 2025, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published finalized Security Requirements for Restricted Transactions as designated by the Department of Justice in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The Requirements and DOJ rule will go into effect on April 8, 2025.

Time 4 Minute Read

On January 8, 2025, the General Court of the Court of Justice of the European Union issued its judgment in the case of Bindl v Commission (Case T-354/22), ruling that the European Commission must pay damages to a German citizen whose personal data was transferred to the U.S. without adequate safeguards.

Time 2 Minute Read

During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into resolution agreements and corrective action plans with Elgon Information Systems, Virtual Private Network Solutions, LLC and USR Holdings, LLC for violations of the Health Insurance Portability and Accountability Act of 1996 Security Rule.

Time 2 Minute Read

The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.

Time 5 Minute Read

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

Time 2 Minute Read

The Equal Employment Opportunity Commission recently issued a fact sheet addressing the application of employment discrimination laws to the use of wearable technologies in U.S. workplaces.

Time 1 Minute Read

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers on the New Jersey Data Privacy Law.

Time 4 Minute Read

On December 27, 2024, the U.S. Department of Justice issued a comprehensive final rule implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Final Rule will go into effect on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations, which will become effective on October 5, 2025.

Time 2 Minute Read

On January 7, 2025, the U.S. Food and Drug Administration (“FDA”) issued draft guidance, titled “Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations” (the “Guidance”), that addresses management of cybersecurity risks affecting AI-enabled devices.

Time 1 Minute Read

On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025.

Time 4 Minute Read

On December 27, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking (“NPRM”) to update the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The NPRM is intended to strengthen cybersecurity protections for electronic protected health information (“ePHI”) in light of increasing cybersecurity threats to the health care sector.
