Privacy & Information Security Law Blog

On March 5, 2025, the European Data Protection Board published Opinion 06/2025 on the extension of the European Commission Implementing Decisions under the GDPR and the Law Enforcement Directive on the adequate protection of personal data in the United Kingdom.

Since the beginning of 2025, the Cyberspace Administration Authority has continued to strengthen the protection of minors on the Internet.

On May 6, 2025, the California Privacy Protection Agency announced that it had issued an order requiring clothing retailer Todd Snyder, Inc. to change its business practices and pay a $345,178 fine to resolve alleged violations of the California Consumer Privacy Act.

In April 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement settlement with Comprehensive Neurology, PC, a New York-based neurology practice, in connection with a ransomware incident that compromised the electronic protected health information of approximately 6,800 individuals.

On May 2, 2025, Virginia Governor Glenn Youngkin signed into law a bill that amends the Virginia Consumer Data Protection Act to impose significant restrictions on minors’ use of social media.

The National Computer Virus Emergency Response Center of China recently discovered 13 mobile apps in breach of cross-border transfer requirements.

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a health care network following a phishing attack that exposed patients’ electronic protected health information, which resulted in a $600,000 monetary settlement and two-year corrective action plan.

The California Privacy Protection Agency and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators, which includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

On April 29, 2025, the UK Information Commissioner’s Office and the California Privacy Protection Agency signed a declaration of cooperation regarding international privacy and data protection coordination, formalizing their existing collaboration.

In April 2025, the Montana legislature passed a bill amending the Montana Consumer Data Privacy Act, to enhance protections for minors, add transparency requirements, clarify individual rights provisions, expand the law’s applicability, revise the law’s exemptions, and remove the law’s guaranteed right to cure alleged violations.