Privacy & Information Security Law Blog

On September 23, 2025, the California Privacy Protection Agency announced that the California Office of Administrative Law approved the new California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, automated decision-making technology, and insurance companies, with staggered deadlines for compliance.

The Ninth Circuit recently upheld key provisions of California’s Protecting Our Kids from Social Media Addiction Act, including a ban on personalized social media feeds for minors and a requirement to implement default privacy settings on minors’ social media accounts.

The U.S. Department of Health and Human Services recently delegated authority to the HHS Office for Civil Rights to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026.

On September 11, 2025, the Cyberspace Administration of China issued the Administrative Measures for Reporting National Cybersecurity Incidents.

Colorado Governor Jared Polis recently signed Senate Bill 25B-004 into law, which delays the enforcement date of the Colorado Artificial Intelligence Act from February 1, 2026, to June 30, 2026. The bill does not amend the substantive requirements of the Act.

On September 12, 2025, the majority of the provisions of the EU Data Act began to apply across EU Member States. The Data Act was formally adopted in November 2023 and entered into force on January 11, 2024.

The California Privacy Protection Agency Board will hold a board meeting on September 26, 2025, at 9:00 am PT. 

On September 5, 2025, the U.S. President Trump signed into law the Homebuyers Privacy Protection Act, H.R. 2808 which amends the Fair Credit Reporting Act to prohibit the furnishing of “trigger leads” except in limited circumstances.

On September 8, 2025, the U.S. Supreme Court issued an administrative stay temporarily preventing Rebecca Kelly Slaughter’s reinstatement to her former position as FTC Commissioner.

On September 10, 2025, the U.S. Department of Defense published its final rule amending the Defense Federal Acquisition Regulation Supplement to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification program.