Privacy & Information Security Law Blog

On February 27, 2027, in Chabolla v. ClassPass Inc., the U.S. Court of Appeals for the Ninth Circuit, in a split 2-1 decision, held that website users were not bound by the terms of a “sign-in wrap” agreement.

The Attorney General of Arkansas filed a lawsuit against General Motors and its subsidiary, OnStar, alleging deceptive trade practices related to the collection and sale of drivers’ data.

On March 10, 2025, the Attorney General of New York filed a lawsuit against several insurance companies doing business as Allstate Insurance Company and National General for alleged violations of New York’s breach notification law, general business laws and consumer protection laws. 

On February 20, 2025, the U.S. District Court for the Northern District of Georgia granted a motion for class certification in a class action alleging that WebMD violated the federal Video Privacy Protection Act by disclosing certain user data to Facebook without the users’ consent. 

On March 5, 2025, the European Data Protection Board announced the launch of its latest Coordinated Enforcement Framework action addressing the right to erasure.

Last month, SEC Commissioner Hester Peirce, chair of the Crypto Task Force, laid out a broad agenda for the SEC’s approach to cryptocurrency over the next four years.

On February 21, 2025, President Trump issued a National Security Memorandum on America First Investment Policy outlining the administration’s foreign direct investment policy, including initiatives for a regulatory fast track process, additional scrutiny for Chinese investors, key changes to reviews by the Committee on Foreign Investment in the United States including CFIUS’s use of national security agreements.

On February 20, 2025, the Virginia legislature passed the High-Risk Artificial Intelligence Developer and Deployer Act.

On February 20, 2025, the UK Information Commissioner’s Office published its annual Tech Horizons Report, which explores four key technologies expected to play a significant role in society in upcoming years.

The California Privacy Protection Agency Board will hold Board meetings on March 6 at 2 PM PT and March 7 at 9 AM PT addressing the creation of a data broker deletion request mechanism, pursuant to the CA Delete Act.