Privacy & Information Security Law Blog

On June 27, 2025, the Cyberspace Administration of China released the third version of the Guidance on the Application for Security Assessment of Cross-border Data Transfers.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy issued by the U.S. Department of Health and Human Services under the Biden Administration.

On June 19, 2025, the UK Data (Use and Access) Act 2025 received Royal Assent. The same day, the UK Information Commissioner’s Office published a comprehensive suite of resources on the Act.

On June 12, 2025, Vermont Governor Phil Scott signed into law the Vermont Age-Appropriate Design Code Act, which will take effect January 1, 2027.

On June 16, 2025, the UK Information Commissioner’s Office published its draft guidance on Internet of Things products and services.

On June 2, 2025, proposed rules were published under New Jersey’s Data Privacy Act. The Proposed Rules elaborate on what constitutes “personal data” and detail a number of compliance obligations, some of which parallel existing requirements under data privacy laws in California and Colorado.

On June 11, 2025, the UK Data (Use and Access) Bill successfully navigated its final parliamentary hurdle and will soon become law.

On May 30, 2025, the Texas legislature passed the Texas Responsible Artificial Intelligence Act, which regulates the development and deployment of AI systems.

On May 30, 2025, the Texas Legislature passed S.B. 1343, which amends the Texas Data Broker Act to impose new notice and registration obligations on data brokers.

The U.S. Department of Health and Human Services Office for Civil Rights recently announced two settlements over alleged violations of the HIPAA Security Rule, against a covered entity and a business associate, respectively, specifically with respect to unauthorized access to ePHI and failure to properly secure ePHI.

On June 4, 2025, the European Data Protection Board published the final version of Guidelines 02/2024 on Article 48 of the GDPR regarding data transfers to third country authorities. In addition, during its June plenary meeting, the EDPB presented two new Support Pool of Experts projects to provide training materials on AI and data protection.

On May 27, 2025, and June 3, 2025, Oregon Governor Tina Kotek signed into law H.B. 3875 and H.B. 2008, each of which amends the Oregon Consumer Privacy Act.

On May 27, 2025, Texas Governor Greg Abbott signed the Texas App Store Accountability Act into law, which will require app stores to verify the age of users and comply with certain requirements and restrictions with respect to minor users under the age of 18. The Act takes effect on January 1, 2026.

On April 11, 2025, the North Dakota governor signed H.B. 1127, which establishes new data security measures and breach notification obligations for financial corporations.