Privacy & Information Security Law Blog

Google recently resolved two cases—one by verdict and one by settlement—involving allegations regarding the control that Google promised to give users over Google’s use of their data. 

On September 15, 2025, the Federal Trade Commission announced a $7.5M settlement with education technology provider, Chegg, settling allegations that Chegg violated the Restore Online Shoppers’ Confidence Act and the FTC Act by making it difficult for consumers to cancel subscription services and deceiving consumers by failing to honor cancellation requests.

On September 22, 2025, the U.S. Supreme Court granted on its emergency docket President Trump’s application for a stay of the lower federal court’s order for Rebecca Kelly Slaughter to be reinstated as FTC Commissioner after Trump fired her, and decided to revisit separation of powers issues, including whether to overrule its 1935 decision in Humphrey’s Executor v. United States.

On September 23, 2025, the California Privacy Protection Agency announced that the California Office of Administrative Law approved the new California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, automated decision-making technology, and insurance companies, with staggered deadlines for compliance.

The Ninth Circuit recently upheld key provisions of California’s Protecting Our Kids from Social Media Addiction Act, including a ban on personalized social media feeds for minors and a requirement to implement default privacy settings on minors’ social media accounts.

The U.S. Department of Health and Human Services recently delegated authority to the HHS Office for Civil Rights to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026.

On September 11, 2025, the Cyberspace Administration of China issued the Administrative Measures for Reporting National Cybersecurity Incidents.

Colorado Governor Jared Polis recently signed Senate Bill 25B-004 into law, which delays the enforcement date of the Colorado Artificial Intelligence Act from February 1, 2026, to June 30, 2026. The bill does not amend the substantive requirements of the Act.

On September 12, 2025, the majority of the provisions of the EU Data Act began to apply across EU Member States. The Data Act was formally adopted in November 2023 and entered into force on January 11, 2024.

The California Privacy Protection Agency Board will hold a board meeting on September 26, 2025, at 9:00 am PT. 

On September 5, 2025, the U.S. President Trump signed into law the Homebuyers Privacy Protection Act, H.R. 2808 which amends the Fair Credit Reporting Act to prohibit the furnishing of “trigger leads” except in limited circumstances.

On September 8, 2025, the U.S. Supreme Court issued an administrative stay temporarily preventing Rebecca Kelly Slaughter’s reinstatement to her former position as FTC Commissioner.

On September 10, 2025, the U.S. Department of Defense published its final rule amending the Defense Federal Acquisition Regulation Supplement to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification program.

The authority of the California Privacy Protection Agency to examine companies’ conduct prior to the enactment of regulations implementing the California Consumer Privacy Act in 2023 recently has been challenged.  Last month, the CPPA announced that it had filed a petition in Sacramento County Superior Court to enforce an investigative subpoena against retailer Tractor Supply Company regarding the company’s privacy practices prior to January 1, 2023. This action marks the first time the Agency has publicly disclosed an ongoing investigation.

Qantas Airways recently announced that the company’s CEO and top executives would forfeit approximately half a million USD in compensation following a cyber incident that compromised the personal information of 5.7 million customers.

On September 4, 2025, the Court of Justice of the European Union issued a significant decision in the case EDPS v SRB C-413/23 P regarding pseudonymized data, holding that whether pseudonymized data constitutes personal data is a fact-specific determination.

On September 2, 2025, two class actions were filed in federal district court alleging that defendants digital advertising platforms Xandr, Inc. and Index Exchange, Inc. violated the Electronic Communications Privacy Act by unlawfully intercepting wire communications for the purpose of violating the Department of Justice’s Bulk Data Transfer Rule.

The U.S. Federal Trade Commission plans to study the impact of AI-powered chatbots on children’s mental health. 

The FTC recently announced that it had sent letters to more than a dozen technology companies reminding them of their obligation to protect American consumer data despite pressure from foreign governments to weaken data privacy and security protections.

A bill making its way through the California legislature (S.B. 361) would amend the California Delete Act to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency.

On September 3, 2025, the EU’s General Court issued its judgment in the Latombe v. Commission case. The applicant, a member of the French National Assembly, sought the annulment of the adequacy decision adopted by the European Commission with respect to the EU-U.S. Data Privacy Framework.

The Colorado Department of Law recently issued a Notice of Proposed Rulemaking with proposed draft amendments to the Colorado Privacy Act rules.

A recent decision by the U.S. Couple of Appeals for the Sixth Circuit granting the IRS access to certain EU personal data has created potential legal compliance implications for multinational organizations subject to the EU GDPR.

On August 27, 2025, the Federal Trade Commission announced that fees for telemarketers to access phone numbers listed on the National Do Not Call Registry will increase effective October 1, 2025.

On August 28, 2025, the UK Information Commissioner’s Office initiated a public consultation on draft guidance on Distributed Ledger Technologies, focusing on blockchain.