Privacy & Information Security Law Blog

On August 13, 2025, the National Computer Virus Emergency Response Center of China announced that it had identified 70 mobile applications as being in violation of China’s Personal Information Protection Law. The findings highlight potential areas of regulatory enforcement.

On August 14, 2025, the New York Department of Financial Services announced a settlement with dental insurance management services provider, Healthplex, following an investigation conducted in the wake of a 2021 data breach that revealed alleged violations of the NYDFS Cybersecurity Regulation.

On August 13, 2025, New York Attorney General Letitia James announced the filing of a lawsuit against Zelle for its failure to adopt adequate account security and verification measures, leading to the theft of $1 billion from Zelle users.

On August 21, 2025, the UK Information Commissioner’s Office initiated public consultations to refine certain guidance following amendments to UK data protection law passed under the Data (Use and Access) Act 2025.

On August 13, 2025, the UK ICO published guidance on how data protection principles apply to live facial recognition technology when used by law enforcement.

The California Privacy Protection Agency recently announced that it had ordered Washington-based data broker, Accurate Append, Inc., to pay a $55,400 fine and the CPPA’s attorneys’ fees and costs, in addition to injunctive relief, for failure to register as a data broker with the CPPA and pay an annual fee, as required by California’s Delete Act.

The Kentucky Attorney General recently filed a lawsuit against Temu, an online shopping platform, alleging that Temu violates the privacy of Kentucky residents.

On August 2, 2025, the AI Act’s rules on general-purpose AI models became applicable.

New York recently passed legislation regulating the use of algorithmic pricing using personal data and the operation of AI companions.

The Centre for Information Policy Leadership at Hunton recently filed responses to consultations from Colorado, Canada, and Australia, each of which addressed issues of children’s privacy and safety.

Connecticut enacted SB 1295 in June, which added another round of amendments to the Connecticut Data Privacy Act. While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026.

On July 30, 2025, the UK Information Commissioner’s Office launched a consultation seeking feedback on draft guidance concerning the use of profiling tools for online safety.

Salesforce recently modified its Slack API Terms of Service to prohibit the bulk exporting or copying of Slack data, or the use of Slack data in connection with LLMs, potentially posing significant changes to the way organizations may use Slack.  

On July 25, 2025, the UK government published guidance outlining the key stages for bringing the provisions of the UK Data (Use and Access) Act into effect.