Privacy & Information Security Law Blog

On June 27, 2025, the Cyberspace Administration of China released the third version of the Guidance on the Application for Security Assessment of Cross-border Data Transfers.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated the HIPAA Privacy Rule to Support Reproductive Health Care Privacy issued by the U.S. Department of Health and Human Services under the Biden Administration.

On June 19, 2025, the UK Data (Use and Access) Act 2025 received Royal Assent. The same day, the UK Information Commissioner’s Office published a comprehensive suite of resources on the Act.

On June 12, 2025, Vermont Governor Phil Scott signed into law the Vermont Age-Appropriate Design Code Act, which will take effect January 1, 2027.

On June 16, 2025, the UK Information Commissioner’s Office published its draft guidance on Internet of Things products and services.

On June 2, 2025, proposed rules were published under New Jersey’s Data Privacy Act. The Proposed Rules elaborate on what constitutes “personal data” and detail a number of compliance obligations, some of which parallel existing requirements under data privacy laws in California and Colorado.

On June 11, 2025, the UK Data (Use and Access) Bill successfully navigated its final parliamentary hurdle and will soon become law.

On May 30, 2025, the Texas legislature passed the Texas Responsible Artificial Intelligence Act, which regulates the development and deployment of AI systems.

On May 30, 2025, the Texas Legislature passed S.B. 1343, which amends the Texas Data Broker Act to impose new notice and registration obligations on data brokers.

The U.S. Department of Health and Human Services Office for Civil Rights recently announced two settlements over alleged violations of the HIPAA Security Rule, against a covered entity and a business associate, respectively, specifically with respect to unauthorized access to ePHI and failure to properly secure ePHI.