Privacy & Information Security Law Blog

A bill making its way through the California legislature (S.B. 361) would amend the California Delete Act to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency.

On August 14, 2025, the New York Department of Financial Services announced a settlement with dental insurance management services provider, Healthplex, following an investigation conducted in the wake of a 2021 data breach that revealed alleged violations of the NYDFS Cybersecurity Regulation.

On August 13, 2025, New York Attorney General Letitia James announced the filing of a lawsuit against Zelle for its failure to adopt adequate account security and verification measures, leading to the theft of $1 billion from Zelle users.

The California Privacy Protection Agency recently announced that it had ordered Washington-based data broker, Accurate Append, Inc., to pay a $55,400 fine and the CPPA’s attorneys’ fees and costs, in addition to injunctive relief, for failure to register as a data broker with the CPPA and pay an annual fee, as required by California’s Delete Act.

New York recently passed legislation regulating the use of algorithmic pricing using personal data and the operation of AI companions.

Connecticut enacted SB 1295 in June, which added another round of amendments to the Connecticut Data Privacy Act. While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026.

On July 25, 2025, the UK government published guidance outlining the key stages for bringing the provisions of the UK Data (Use and Access) Act into effect.

On June 27, 2025, the Amendment of the Anti-unfair Competition Law of PRC was published.  The AUCL will take effect on October 15, 2025.

On July 24, 2025, the California Privacy Protection Agency finalized CCPA regulations on automated decision-making technology, risk assessments and cybersecurity audits.

On July 23, 2025, the Trump Administration published an AI Action Plan and three Executive Orders on AI.

Texas recently enacted a law requiring electronic health records to be physically stored in the U.S., among other requirements.   

On June 20, 2025, the Texas governor signed into law S.B. 2121, which amends the Texas Data Broker Act’s definition of “data broker” and applicability thresholds.

On July 7, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a behavioral health care provider for failure to comply with the HIPAA Security Rule, resulting in a $225,000 fine and a two-year corrective action plan.

On July 8, 2025, Connecticut Attorney General William Tong announced a settlement with TicketNetwork for alleged violations of the Connecticut Data Privacy Act.

On July 7, 2025, the UK Information Commissioner’s Office launched two new consultations related to its approach to enforcement under PECR with respect to online advertising and to certain proposed updates to its guidance on cookies following passage of the Data (Use and Access) Act 2025.

On July 1, 2025, the California Office of the Attorney General announced that the AG had reached a proposed settlement with Healthline Media LLC, the publisher of a website that provides medical and health-related information, over alleged violations of the California Consumer Privacy Act.

SolarWinds has reached an agreement in principle with the US Securities and Exchange Commission in the agency’s ongoing securities fraud lawsuit against the company and its former chief information security officer in connection with a series of cyberattacks against the company.

The U.S. Department of Health and Human Services Office for Civil Rights recently announced two settlements over alleged violations of the HIPAA Security Rule, against a covered entity and a business associate, respectively, specifically with respect to unauthorized access to ePHI and failure to properly secure ePHI.

On April 11, 2025, the North Dakota governor signed H.B. 1127, which establishes new data security measures and breach notification obligations for financial corporations.

In May 2025, Nebraska enacted a series of laws aimed to protect children online including the Parental Rights in Social Media Act (LB383) and the Age-Appropriate Online Design Code Act (LB 504).

On May 19, 2025, President Trump signed into law the Take It Down Act, which bans the nonconsensual online publication of sexually explicit images and videos that are both authentic and computer-generated, and includes notice and takedown obligations for covered online platforms.

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules.

On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion agreement in principle to settle cases it filed against Google in 2022 alleging that Google unlawfully collected, stored and used certain personal data of Texans without consent, including location information, biometric identifiers and web browsing activity.

On April 29, 2025, the Michigan Attorney General filed a lawsuit against Roku alleging violations of the Children’s Online Privacy Protection Act.

On May 6, 2025, the Missouri Attorney General Andrew Bailey announced a rule filed under the Missouri Merchandising Practices Act on social media platform content moderation.

On May 6, 2025, the California Privacy Protection Agency announced that it had issued an order requiring clothing retailer Todd Snyder, Inc. to change its business practices and pay a $345,178 fine to resolve alleged violations of the California Consumer Privacy Act.

In April 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement settlement with Comprehensive Neurology, PC, a New York-based neurology practice, in connection with a ransomware incident that compromised the electronic protected health information of approximately 6,800 individuals.

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a health care network following a phishing attack that exposed patients’ electronic protected health information, which resulted in a $600,000 monetary settlement and two-year corrective action plan.

The California Privacy Protection Agency and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators, which includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

On April 29, 2025, the CNIL published its Annual Activity Report for 2024. The Report provides an overview of the CNIL’s activities in 2024, including enforcement activities and other new developments.

On April 22, 2025, the European Commission announced its first two non-compliance decisions under the Digital Markets Act. In these decisions, the European Commission fined Apple EUR 500 million and Meta EUR 200 million.

The Department of Health and Human Services’ Office for Civil Rights recently announced two HIPAA enforcement actions involving failures to safeguard electronic protected health information in violation of the HIPAA Security Rule.

On April 16, 2025, the U.S. District Court for the Southern District of Ohio Eastern Division issued a ruling permanently enjoining the Ohio Attorney General from enforcing the Parental Notification by Social Media Operators Act.

On April 17, 2025, the New Jersey Office of the Attorney General announced it had filed a lawsuit against messaging app Discord for alleged violations of the New Jersey Consumer Fraud Act in connection with its children’s privacy and safety practices.

Last year, the Federal Communications Commission issued a rule amending a portion of the Telephone Consumer Protection Act.

On March 27, 2025, the Information Commissioner's Office announced that it had issued a fine against Advanced Computer Software Group for £3.07 million for non-compliance with security rules identified through an investigation following a ransomware attack.

On March 27, 2025, the Federal Trade Commission announced that it had reached a $17 million settlement with Cleo AI, Inc., an online cash advance company, over alleged deceptive representations regarding the company’s services and subscription cancellation process.

On March 7, 2025, the New York Attorney General announced a $650,000 settlement with Saturn Technologies Inc., the developer of a student social networking app, for alleged privacy violations.

After six months of enforcement of Oregon’s Consumer Privacy Act, a new report from the Oregon Attorney General indicates strong consumer engagement with the law’s privacy rights, notable business compliance efforts and key areas where businesses are falling short.

On March 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights announced a $200,000 civil monetary penalty against Oregon Health & Science University for allegedly violating the HIPAA Privacy Rule’s right of access.

The Attorney General of Arkansas filed a lawsuit against General Motors and its subsidiary, OnStar, alleging deceptive trade practices related to the collection and sale of drivers’ data.

The Cyberspace Administration of China recently released requirements regarding data protection compliance audits, which will go into effect on May 1, 2025.

As part of the California Privacy Protection Agency’s investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry, as required under the Delete Act.

On February 20, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a $1.5 million fine against Warby Parker for alleged violations of the HIPAA Security Rule.

On February 7, 2025, the French Data Protection Authority (“CNIL”) released two recommendations aimed at guiding organizations in the responsible development and deployment of artificial intelligence (“AI”) systems in compliance with the EU General Data Protection Regulation (“GDPR”). The first recommendation is titled “AI: Informing Data Subjects” (the “Recommendation on Informing Individuals”) and the second recommendation is titled “AI: Complying and Facilitating Individuals’ Rights” (the “Recommendation on Individual Rights”). The recommendations build on the CNIL’s four-pillar AI action plan announced in 2023.

The Massachusetts Attorney General released internal TikTok documents last week as part of an unsealed complaint alleging that the company designed its platform to maximize children’s engagement while downplaying associated risks.

On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission.

On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information. 

On January 29, 2025, the California Privacy Protection Agency announced that it had reached a settlement with Connecticut-based data broker Key Marketing Advantage, LLC, resolving the fifth action against a business  for its alleged failure to register as a data broker, as required under California’s Delete Act.

On January 31, 2025, the UK government published the Code of Practice for the Cyber Security of AI and the Implementation Guide for the Code. 

On January 29, 2025, the United States Court of Appeals for the Ninth Circuit enjoined California from enforcing the Protecting Our Kids from Social Media Addiction Act in its entirety, pending a challenge to the law brought by NetChoice.

On January 14, 2025, the Federal Trade Commission announced that it had issued final orders against data brokers Gravy Analytics, Inc. and Mobilewalla, Inc. for the collection, use, and sale of consumers’ precise geolocation data.

On January 16, 2025, the FTC announced a proposed order against General Motors and OnStar that would resolve allegations that the companies collected, used and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent.

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products.

On February 2, 2025, the EU AI Act’s rules on AI literacy, along with the prohibition of certain types of AI system, became applicable in the EU.

On December 21, 2024, New York Governor Kathy Hochul signed a flurry of privacy and social media bills, including Senate Bill 895B, Senate Bill 5703B, Senate Bill 2376B and Senate Bill 1759B.

On January 21, 2025, the New York state legislature passed Senate Bill (S-929), which provides for the protection of health data. 

On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.

On January 14, 2025, the UK government opened a consultation seeking views on three proposals aimed at reducing the threat of ransomware attacks.

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

On January 13, 2025, California Attorney General Rob Bonta issued two legal advisories on the use of AI, including in the healthcare context. The first legal advisory (“AI Advisory”) advises consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws with respect to the use of AI, while the second (“Healthcare AI Advisory”) provides guidance specific to healthcare entities about their obligations under California law regarding the use of AI.

On January 9, 2025, the Court of Justice of the European Union issued its judgment in the case Österreichische Datenschutzbehörde.

On January 16, 2025, the non-profit organization None Of Your Business filed six complaints against organizations with five European data protection authorities for the unlawful transfer of personal data to China.

On January 17, 2025, the Supreme Court of the United States unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which restricts companies from making foreign adversary controlled applications available (i.e., on an app store) and from providing hosting services with respect to such apps.

On January 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights  announced a settlement with a Florida health system, Memorial Healthcare System, for a violation of the HIPAA Privacy Rule.

During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into resolution agreements and corrective action plans with Elgon Information Systems, Virtual Private Network Solutions, LLC and USR Holdings, LLC for violations of the Health Insurance Portability and Accountability Act of 1996 Security Rule.

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

Earlier this month, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.

On December 17, 2024, the Irish Data Protection Commission announced that it concluded two inquiries initiated following a personal data breach reported in 2018 affecting Meta Platforms Ireland Limited.

On December 3, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced it imposed a $1.19 million civil monetary penalty on Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (“Gulf Coast Pain Consultants”) for various HIPAA Security Rule violations, including a failure to terminate former workforce members’ access to systems containing electronic protected health information (“ePHI”).

On December 5, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a penalty of $548,265 against Children’s Hospital Colorado (“CHC”) in connection with a series of alleged data breaches that occurred in 2017 and 2020. In September 2017, CHC reported to OCR a phishing attack that compromised an employee’s email account. OCR’s investigation revealed that the breach occurred because multi-factor authentication was disabled on the employee’s email account. According to OCR, the second breach in April 2020 occurred in part because two workforce members provided unknown third parties with access to their email accounts by accepting a multi-factor authentication access request that neither individual had initiated. OCR also determined that CHC violated the HIPAA Privacy Rule’s requirement to train workforce members on the HIPAA Privacy Rule and the HIPAA Security Rule’s requirements regarding conducting risk analyses to determine the risks and vulnerabilities to ePHI in an organization’s systems.

The telehealth and prescription drug discount provider, GoodRx, recently agreed to pay $25 million to settle class action claims originating from the company’s unauthorized disclosure of consumers’ personal health information, according to recent filings with the U.S. District Court for the Northern District of California.

On November 25, 2024, the New York Attorney General and New York Department of Financial Services announced a $11.3 million settlement with insurance companies GEICO and Travelers over alleged legal violations related to cybersecurity incidents.

On November 6, 2024, a Texas state district court jury found that a large e-discovery vendor violated Title 7, Chapter 33 of the Texas Penal Code, which provides that accessing a computer without its owner’s permission is a Class B misdemeanor. This case highlights the importance for e-discovery vendors of considering data privacy and security requirements in the course of discovery proceedings.

On November 7, 2024, the Commission Implementing Regulation 2024/2690 laying down rules for the application of the NIS2 Directive as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to certain digital service providers entered into force.

On October 31, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced two settlements over medical providers’ failures to comply with the HIPAA Security Rule, one with Plastic Surgery Associates of South Dakota and one with Bryan County Ambulance Authority.  The settlements mark the sixth and seventh OCR enforcement actions related to ransomware attacks with the latter being the first enforcement action in OCR’s Risk Analysis Initiative.

The California Privacy Protection Agency recently announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act.

On October 22, 2024, the Securities and Exchange Commission charged four public companies with making materially misleading disclosures about cybersecurity risks and intrusions.

On October 24, 2024, the Irish Data Protection Commission announced that it had issued a fine of 310 million euros against LinkedIn Ireland Unlimited Company for breaches of the EU GDPR related to transparency, fairness and lawfulness in the context of the company’s processing of its users’ personal data for behavioral analysis and targeted advertising.

On October 4, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in case KNLTB (C‑621/22). In this judgment, the CJEU was called upon to clarify the concept of “legitimate interests” and, in particular, whether purely commercial interests can be considered as legitimate under the EU General Data Protection Regulation (“GDPR”).

On October 16, 2024, the Federal Trade Commission issued a final Click-to-Cancel Rule, also known as the Negative Option Rule, updating its existing regulatory scheme that requires sellers to make it as easy for consumers to cancel their subscriptions and memberships as it is to sign up in the first place. 

On September 30, 2024, the State Council of China published the Regulations on Administration of Network Data Security (the “Regulations”), which will take effect on January 1, 2025. The Regulations cover multiple dimensions of network data security, including personal information protection, security of important data, cross-border transfers, network platform service providers’ obligations, and regulatory supervision and administration. Certain of the key provisions are summarized below. In general, most of the provisions under the Regulations can be found in other existing laws and regulations of China.

On September 26, 2024, the U.S. Department of Health and Human Services Office for Civil Rights entered into a resolution agreement and corrective action plan with Cascade Eye and Skin Centers, P.C. following a ransomware attack that impacted approximately 291,000 files containing electronic PHI.

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general issued announcements that they had reached settlement agreements with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over a multi-year series of data breaches impacting hundreds of millions of individuals.

On October 3, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a monetary penalty of 240,000 dollars against Providence Medical Institute, an interstate network of medical providers, for violations of the HIPAA Security Rule in relation to a series of ransomware attacks against an orthopedics practice acquired by the entity.

On September 27, 2024, the Irish Data Protection Commission announced it had issued a fine of 91 million euros and a reprimand against Meta Ireland for inadvertently storing passwords of certain users in plaintext on its internal systems.

In August 2024, the Guangzhou Internet Court in China published its final decision in the case No. (2022) Yue 0192 Minchu 6486 regarding the cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”), which was originally issued on September 8, 2023. It is the first case explaining the reliance on necessity for performance of contract in cross-border data transfer activities.

On September 4, 2024, the California Privacy Protection Agency issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.

On September 10, 2024, the UK Information Commissioner’s Office announced that it signed a memorandum of understanding with the UK National Crime Agency related to cyber resilience.

On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.

On September 3, 2024, the Dutch Data Protection Authority announced a €30.5 million fine against Clearview AI for the processing of personal data related to its biometric data database.

On August 28, 2024, the FCC announced that it signed a Memorandum of Understanding on Cooperation in the Enforcement of Laws Protecting Personal Information in the Private Sector with the Office of the Privacy Commissioner of Canada.

On August 26, 2024, the Dutch Data Protection Authority as lead supervisory authority announced it has imposed a fine of 290 Million Euros on Uber related to a violation of international transfer requirements under the EU General Data Protection Regulation. 

As reported on the Hunton Retail Law resource blog, on August 2, 2024, Illinois amended its Biometric Information Privacy Act (“BIPA”), curbing the potential for massive damages and modernizing the law’s written consent provisions. On their face, the amendments are not retroactive.  It remains unclear, however, whether this change in Illinois law will nonetheless be applied retroactively by the courts.

For more information click here.

On August 14, 2024, the Committee on Foreign Investment in the United States disclosed that it had assessed a $60 million penalty against T-Mobile US, Inc. in connection with unauthorized data access incidents following T-Mobile’s 2020 merger with Sprint Corporation.

On August 7, 2024, the UK Information Commissioner’s Office announced its provisional decision to fine Advanced Computer Software Group Ltd £6.09 million following an initial finding that the company, which acted as a data processor, had failed to implement sufficient measures to protect personal information.

On July 18, 2024, in a highly anticipated ruling, U.S. District Judge Paul A. Engelmayer dismissed a substantial portion of the U.S. Securities and Exchange Commission’s case against SolarWinds Corporation and its Chief Information Security Officer, Timothy Brown.

On July 16, 2024, the California Privacy Protection Agency Board held a public meeting and discussed next steps regarding its upcoming Formal Rulemaking for Automated Decisionmaking Technology, Risk Assessments, Cybersecurity Audits, Insurance, and Updates to Existing Regulations.

On July 9, 2024, the Federal Trade Commission issued a proposed order that banned NGL Labs, LLC, and two of its co-founders from offering an anonymous messaging app called “NGL: ask me anything” to children under the age of 18.