Privacy & Information Security Law Blog

On December 16, 2025, the Federal Trade Commission announced an enforcement action against Illusory Systems Inc., a Utah-based company doing business as Nomad, following a major data breach in which hackers stole $186 million from consumers.

On December 19, 2025, the European Commission announced the renewal of the two UK adequacy decisions originally adopted in 2021, reaffirming that personal data may continue to move freely between the European Economic Area and the UK.

On December 11, 2025, New York Governor Kathy Hochul signed SB-8420A into law, which regulates the use of AI generated “synthetic performers” in advertising.

On December 11, 2025, President Trump signed an Executive Order entitled “Ensuring A National Policy Framework for Artificial Intelligence” ordering the creation of a task force dedicated to challenging state-level AI regulations that conflict with the federal AI policy set forth in the Order.

Indiana’s comprehensive consumer privacy law, the Indiana Consumer Data Protection Act, is set to take effect on January 1, 2026. In advance of the law’s effective date, the Indiana Attorney General’s Office has published a Consumer Bill of Rights that provides guidance to both consumers and businesses.

On December 3, 2025, the California Privacy Protection Agency announced that it fined ROR Partners LLC, a Nevada-based marketing firm, $56,600 for failing to register as a data broker under California’s Delete Act.

On December 1, 2025, the Federal Trade Commission announced a proposed settlement with Illuminate Education, Inc., an education technology provider, to resolve allegations that the company’s data security failures led to a data breach affecting the personal information of over 10 million students.

On October 30, 2025, California Attorney General Rob Bonta announced a settlement with television streaming companies Sling TV LLC and Dish Media Sales LLC to resolve allegations that the companies violated the California Consumer Privacy Act by failing to provide an easy way for consumers to opt out of the sale or sharing of their personal information, and failing to provide sufficient privacy protections for minors.

On November 6, 2025, Connecticut Attorney General William Tong, along with California Attorney General Rob Bonta and New York Attorney General Letitia James, announced a significant settlement stemming from the enforcement of Connecticut’s Student Data Privacy Law.

On December 1, 2025, the UK Information Commissioner’s Office announced a new initiative to scrutinize privacy protections in mobile games frequently played by children in the UK.