Privacy & Information Security Law Blog

On August 28, 2025, the UK Information Commissioner’s Office initiated a public consultation on draft guidance on Distributed Ledger Technologies, focusing on blockchain.

On August 13, 2025, the National Computer Virus Emergency Response Center of China announced that it had identified 70 mobile applications as being in violation of China’s Personal Information Protection Law. The findings highlight potential areas of regulatory enforcement.

Connecticut enacted SB 1295 in June, which added another round of amendments to the Connecticut Data Privacy Act. While most of the changes will take effect on July 1, 2026, impact assessment requirements will apply to processing activities created or generated on or after August 1, 2026.

On July 30, 2025, the UK Information Commissioner’s Office launched a consultation seeking feedback on draft guidance concerning the use of profiling tools for online safety.

On July 24, 2025, the California Privacy Protection Agency finalized CCPA regulations on automated decision-making technology, risk assessments and cybersecurity audits.

On July 22, 2025, the European Commission announced the launch of the process to adopt new adequacy decisions for the UK following the European Commission’s assessment of the recently passed UK Data (Use and Access) Act 2025.

The California Privacy Protection Agency Board will hold a board meeting on July 24, 2025, at 9:00 am PDT.

The California Privacy Protection Agency recently released modified draft regulations in response to public feedback on its proposed updates to the California Consumer Privacy Act regulations.

On February 20, 2025, the Virginia legislature passed the High-Risk Artificial Intelligence Developer and Deployer Act.

On February 20, 2025, the UK Information Commissioner’s Office published its annual Tech Horizons Report, which explores four key technologies expected to play a significant role in society in upcoming years.

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

In December 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a discussion paper titled, “Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators.”

On November 8, 2024, the California Privacy Protection Agency Board hosted its public bimonthly meeting, during which it adopted new regulations applicable to data brokers and initiated the formal rulemaking process for proposed regulations for risk assessments, cybersecurity audits, automated decisionmaking technologies and AI, and insurance.

On October 31, 2024, the UK Information Commissioner’s Office published its response to the draft Data (Use and Access) Bill.

On July 16, 2024, the California Privacy Protection Agency Board held a public meeting and discussed next steps regarding its upcoming Formal Rulemaking for Automated Decisionmaking Technology, Risk Assessments, Cybersecurity Audits, Insurance, and Updates to Existing Regulations.