Privacy & Information Security Law Blog

On June 16, 2025, the UK Information Commissioner’s Office published its draft guidance on Internet of Things products and services.

On June 2, 2025, proposed rules were published under New Jersey’s Data Privacy Act. The Proposed Rules elaborate on what constitutes “personal data” and detail a number of compliance obligations, some of which parallel existing requirements under data privacy laws in California and Colorado.

On May 30, 2025, the Texas legislature passed the Texas Responsible Artificial Intelligence Act, which regulates the development and deployment of AI systems.

On May 30, 2025, the Texas Legislature passed S.B. 1343, which amends the Texas Data Broker Act to impose new notice and registration obligations on data brokers.

On May 27, 2025, and June 3, 2025, Oregon Governor Tina Kotek signed into law H.B. 3875 and H.B. 2008, each of which amends the Oregon Consumer Privacy Act.

On May 27, 2025, Texas Governor Greg Abbott signed the Texas App Store Accountability Act into law, which will require app stores to verify the age of users and comply with certain requirements and restrictions with respect to minor users under the age of 18. The Act takes effect on January 1, 2026.

On April 11, 2025, the North Dakota governor signed H.B. 1127, which establishes new data security measures and breach notification obligations for financial corporations.

On May 19, 2025, President Trump signed into law the Take It Down Act, which bans the nonconsensual online publication of sexually explicit images and videos that are both authentic and computer-generated, and includes notice and takedown obligations for covered online platforms.

On May 21, 2025, the U.S. District Court for the District of Columbia ruled that two Democrat members of the United States Privacy and Civil Liberties Oversight Board were unlawfully terminated by President Trump.

On May 9, 2025, the California Privacy Protection Agency opened a formal public comment period for modifications to the text of proposed California Consumer Privacy Act regulations addressing cybersecurity audits, risk assessments, automated decisionmaking technology, insurance companies, and updates to existing CCPA regulations. The comment period will remain open until June 2, 2025.

On May 7, 2025, the Colorado legislature passed a bill that would amend the Colorado Privacy Act’s provisions regarding the processing of precise geolocation data if signed into law by Colorado Governor Jared Polis.

On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion agreement in principle to settle cases it filed against Google in 2022 alleging that Google unlawfully collected, stored and used certain personal data of Texans without consent, including location information, biometric identifiers and web browsing activity.

On April 29, 2025, the Michigan Attorney General filed a lawsuit against Roku alleging violations of the Children’s Online Privacy Protection Act.

On May 9, 2025, the Texas House of Representatives passed Senate Bill 2420—the App Store Accountability Act—by a vote of 120 to 9. The bill, which previously cleared the state Senate in April by a vote of 30 to 1, now awaits concurrence from the Senate on House amendments before it can be sent to Governor Greg Abbott.

On May 6, 2025, the California Privacy Protection Agency announced that it had issued an order requiring clothing retailer Todd Snyder, Inc. to change its business practices and pay a $345,178 fine to resolve alleged violations of the California Consumer Privacy Act.

On May 2, 2025, Virginia Governor Glenn Youngkin signed into law a bill that amends the Virginia Consumer Data Protection Act to impose significant restrictions on minors’ use of social media.

The California Privacy Protection Agency and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators, which includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

FTC Commissioners recently indicated their enforcement priorities under the Trump Administration, including enforcement of existing federal privacy laws and fostering AI innovation.

On April 25, 2025, the California Privacy Protection Agency opened the formal public comment period on proposed regulations for the Delete Request and Opt-Out Platform.

Democratic State Senator Anna M. Caballero introduced Senate Bill 690 (S.B. 690), which aims to curb “abusive lawsuits” under the California Invasion of Privacy Act based on the use of cookies and other online technologies, on February 24, 2025, and the Bill is now scheduled to be heard by the Senate Public Safety Committee on April 29, 2025.

On April 17, 2025, the Connecticut Office of the Attorney General issued a report highlighting key enforcement initiatives, complaint trends and legislative recommendations aimed at strengthening Connecticut’s privacy law.

On April 17, 2025, the New Jersey Office of the Attorney General announced it had filed a lawsuit against messaging app Discord for alleged violations of the New Jersey Consumer Fraud Act in connection with its children’s privacy and safety practices.

Last year, the Federal Communications Commission issued a rule amending a portion of the Telephone Consumer Protection Act.

On March 27, 2025, the Federal Trade Commission announced that it had reached a $17 million settlement with Cleo AI, Inc., an online cash advance company, over alleged deceptive representations regarding the company’s services and subscription cancellation process.

On March 24, 2025, Virginia Governor Youngkin signed into law S.B. 754, Virginia Consumer Protection Act (“VCPA”).

On March 25, 2025, Virginia Governor Glenn Youngkin vetoed the High-Risk Artificial Intelligence Developer and Deployer Act, which had been passed by the Virginia legislature. The Act would have imposed accountability and transparency requirements with respect to the development and deployment of “high-risk” AI systems.

On March 15, 2025, Kentucky Governor Andy Beshear signed into law a bill amending the Kentucky Consumer Data Protection Act to exempt from the law’s application certain data subject to HIPAA.

On March 7, 2025, the California Privacy Protection Agency voted to authorize the agency to advance proposed data broker regulations concerning the Delete Request and Opt-Out Platform to formal rulemaking.

On March 11, 2025, the Virginia legislature passed a bill that would amend the Virginia Consumer Data Protection Act to impose significant restrictions on minor users’ use of social media.

On March 12, 2025, the California Privacy Protection Agency announced that it reached a settlement with American Honda Motor Co. in which Honda will pay a $632,500 fine to resolve claims that the company violated the CCPA.

After six months of enforcement of Oregon’s Consumer Privacy Act, a new report from the Oregon Attorney General indicates strong consumer engagement with the law’s privacy rights, notable business compliance efforts and key areas where businesses are falling short.

The Attorney General of Arkansas filed a lawsuit against General Motors and its subsidiary, OnStar, alleging deceptive trade practices related to the collection and sale of drivers’ data.

On March 10, 2025, the Attorney General of New York filed a lawsuit against several insurance companies doing business as Allstate Insurance Company and National General for alleged violations of New York’s breach notification law, general business laws and consumer protection laws. 

Last month, SEC Commissioner Hester Peirce, chair of the Crypto Task Force, laid out a broad agenda for the SEC’s approach to cryptocurrency over the next four years.

NetChoice has filed a lawsuit challenging Maryland’s Age-Appropriate Design Code Act on constitutional grounds, arguing that the law’s requirements, including requirements to perform data protection impact assessments, inhibit free speech.

As part of the California Privacy Protection Agency’s investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry, as required under the Delete Act.

Attorney General Ken Paxton announced an investigation into DeepSeek, a Chinese artificial intelligence company, regarding its privacy practices and compliance with Texas law.

On February 11, 2025, the data protection authorities of the UK, Ireland, France, South Korea and Australia issued a joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective artificial intelligence.

On February 4, 2025, the Minnesota Attorney General published the second volume of a report outlining the negative impact that AI and social media is having on minors in Minnesota.

The Massachusetts Attorney General released internal TikTok documents last week as part of an unsealed complaint alleging that the company designed its platform to maximize children’s engagement while downplaying associated risks.

On January 1, 2025, an amendment to the Virginia Consumer Data Protection Act (“VCDPA”) went into effect that provides additional protections for children. The amendment imposes additional requirements on the processing of personal data of a known child, which is defined as a consumer who is under 13 years of age. Our earlier blog entry provides additional details regarding these new requirements.

On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission.

On January 29, 2025, the California Privacy Protection Agency announced that it had reached a settlement with Connecticut-based data broker Key Marketing Advantage, LLC, resolving the fifth action against a business  for its alleged failure to register as a data broker, as required under California’s Delete Act.

On January 16, 2025, the FTC announced a proposed order against General Motors and OnStar that would resolve allegations that the companies collected, used and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent.

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products.

On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.

Earlier this month, the U.S. Consumer Financial Protection Bureau invited public comment on strengthening privacy protections for, and a proposed interpretive rule extending financial consumer protections to, emerging payment mechanisms.

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

On January 7, 2025, the Biden White House announced that a new “Cyber Trust Mark” will begin appearing on products in the U.S. in 2025. The Cyber Trust Mark will denote products that are “cyber secure.”

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers on the New Jersey Data Privacy Law.

On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025.

Earlier this month, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.

The Colorado Attorney General announced the adoption of the draft amendments on December 5, 2024, and the adopted rules were filed with the Secretary of State and the Office of Legislative Legal Services on December 17, 2024. The amendments underwent minor clarifying changes prior to the Department of Law hearing, and in response to comments and testimony received during the public comment period.

The telehealth and prescription drug discount provider, GoodRx, recently agreed to pay $25 million to settle class action claims originating from the company’s unauthorized disclosure of consumers’ personal health information, according to recent filings with the U.S. District Court for the Northern District of California.

As reported on the Hunton Employment & Labor Perspectives blog, on October 24, 2024, the Consumer Financial Protection Bureau (“CFPB”) issued a policy statement (known as a Circular) to explain the link between the Fair Credit Reporting Act (“FCRA”) and employers’ growing use of artificial intelligence (“AI”) to evaluate, rank and score applicants and employees. Employers should take note that the FCRA does not only apply to criminal history or credit reports. As the use of advanced data analysis and AI rise, employers should ensure that they are not running afoul of the FCRA’s requirements.

On October 24, 2024, the White House released a memorandum implementing Executive Order 14110 on national security and responsible AI.

The U.S. Government Accountability Office has launched an investigation into how retirement plan providers use data collected from 401k plan participants to engage in cross-selling of financial products.

On October 22, 2024, the Consumer Financial Protection Bureau finalized a rule concerning the portability of consumers’ personal financial data.

On October 16, 2024, the Federal Trade Commission issued a final Click-to-Cancel Rule, also known as the Negative Option Rule, updating its existing regulatory scheme that requires sellers to make it as easy for consumers to cancel their subscriptions and memberships as it is to sign up in the first place. 

On October 3, 2024, Texas Attorney General Ken Paxton announced a lawsuit against TikTok for operating its platform in violation of the Texas Secure Children Online through Parental Empowerment Act.

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general issued announcements that they had reached settlement agreements with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over a multi-year series of data breaches impacting hundreds of millions of individuals.

On September 30, 2024, the Federal Communications Commission announced that T-Mobile has entered into an agreement to settle multiple data protection and cybersecurity investigations stemming from data breaches in 2021, 2022 and 2023.

In August 2024, the Guangzhou Internet Court in China published its final decision in the case No. (2022) Yue 0192 Minchu 6486 regarding the cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”), which was originally issued on September 8, 2023. It is the first case explaining the reliance on necessity for performance of contract in cross-border data transfer activities.

On September 24, 2024, a federal district court held that New York City’s Customer Data Law violates the First Amendment.

On September 19, 2024, the Federal Trade Commission announced the publication of a staff report entitled, A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services. The Report documents the data collection and use practices of major social media and video streaming services and provides recommendations for better protecting users’ data and privacy, with a particular focus on children and teens.

On September 4, 2024, the California Privacy Protection Agency issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.

On August 29, 2024, the California State Assembly passed California bill AB-1949, following the bill’s passage in the California State Senate. If enacted, AB-1949 would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) to significantly expand privacy protections concerning the personal information of consumers under the age of 18.

On August 16, 2024, a Ninth Circuit panel partially upheld an injunction halting implementation of the California Age-Appropriate Design Code Act (the “Act”). In particular, the Ninth Circuit affirmed the district court’s ruling that NetChoice, a technology trade group, was likely to succeed in showing that the Act’s data protection impact assessment (“DPIA”) requirements violate the First Amendment. Under the DPIA requirements, covered businesses would have been required to identify material risks to children under the age of 18, document and mitigate those risks before such children access an online service, product or feature, and provide the DPIA to the California Attorney General upon written request.

On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.

On August 28, 2024, the FCC announced that it signed a Memorandum of Understanding on Cooperation in the Enforcement of Laws Protecting Personal Information in the Private Sector with the Office of the Privacy Commissioner of Canada.

On July 30, 2024, New York Attorney General Letitia James announced the Office of the AG’s publication of two privacy guides, one for businesses and one for consumers, both focused on the use of website tracking technologies.

On July 5, 2024, the California Privacy Protection Agency  issued a set of proposed regulations to implement the CA Delete Act, a law that imposes requirements on data brokers and grants consumers rights designed to facilitate control over their personal information. 

On July 30, 2024, Texas AG Ken Paxton announced that Meta agreed to pay $1.4 billion to settle a lawsuit over allegations that Meta processed facial geometry data of Texas residents in violation of Texas law, including the Texas Capture or Use of Biometric Identifier Act (“CUBI”).

On July 23, 2024, the Federal Trade Commission announced that it had launched a study of eight companies’ “surveillance pricing” practices. According to the FTC, “the orders are aimed at helping the FTC better understand the opaque market for products by third-party intermediaries that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service.”

Earlier this month, the Federal Trade Commission, International Consumer Protection and Enforcement Network and Global Privacy Enforcement Network announced the results of a comprehensive review regarding the use of “dark patterns.”

On July 9, 2024, the Federal Trade Commission issued a proposed order that banned NGL Labs, LLC, and two of its co-founders from offering an anonymous messaging app called “NGL: ask me anything” to children under the age of 18.

On June 26, 2024, the California Privacy Protection Agency (“CPPA” or the “Agency”) held a virtual preliminary stakeholder session regarding a data broker accessible deletion mechanism.

On June 29, 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act after Governor Daniel McKee transmitted the act back to the legislature without signature. The RIDTPPA will take effect on January 1, 2026.

The Texas Attorney General’s Office joined the recent swell of regulatory and judicial scrutiny into privacy issues related to connected cars, driving data and telematics, launching an investigation on the data practices of several car manufacturers. 

On May 24, 2024, Governor Tim Walz signed H.F. 4757 into law, enacting the Minnesota Consumer Data Privacy Act. The MNCDPA will take effect on July 31, 2025. 

On May 10, 2024, the Vermont legislature passed HB 121, which was delivered to Governor Phil Scott for signature. HB 121 will enact the Vermont Data Privacy Act, the Vermont Data Broker Security Breach Notice Act and the Vermont Age-Appropriate Design Code.

The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data.

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.

The Connecticut Attorney General’s Office (“OAG”) has released a Report on the status of Connecticut’s Data Privacy Act (“CTDPA”), which took effect on July 1, 2023. The Report covers complaints, inquiries, and early enforcement activities under the CTDPA.

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill, which was delivered to the Governor for signature.  If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws. 

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms.

On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

After potential warning signs spanning several years, on March 14, 2024, the Federal Trade Commission brought an enforcement action against two entities selling virus protection software to consumers via online and telemarketing sales. According to the FTC’s complaint, for several years the entities, Restoro Cyprus Limited and Reimage Cyprus Limited, received excessive chargebacks on purchases, numerous consumer complaints made directly to the entities, and various indirect consumer complaints made to vendors, telecoms service providers and others. 

On March 8, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) filed its response to the Federal Trade Commission’s notice of proposed rulemaking (“NPRM”), which addresses amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).

Bloomberg Law reported that the Federal Communications Commission adopted rules creating a voluntary cybersecurity labeling program for wireless consumer Internet of Things products, as well as a further notice of proposed rulemaking that seeks comments addressing additional disclosure requirements for program participants with respect to national security.

Last week, Utah Governor Spencer J. Cox signed three privacy-related bills into law. The bills are focused on, respectively, protection of motor vehicle consumer data, regulations on social media companies with respect to minors, and access to protected health information by third parties. The Utah legislature appears to be focused on data-related legislation this session, as Governor Cox signed two other bills related to AI into law last week as well.

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

On March 6, 2024, Governor Chris Sununu signed into law SB 255, making New Hampshire the 15th state with a comprehensive privacy law.

The Federal Trade Commission held its eighth annual privacy conference, PrivacyCon, on March 6, 2024. The goal of PrivacyCon is to assemble researchers, academics, industry representatives, consumer advocates and government regulators to consider and discuss cutting-edge research and trends related to consumer privacy and data security. This year’s conference consisted of remarks by FTC Commissioners Lina Khan, Alvaro Bedoya and Rebecca Kelly Slaughter, and a total of seven panels including “Economics”, “Privacy Enhancing Technologies,” “Artificial ...

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.

On February 21, 2024, the California Attorney General announced that it had reached a settlement resolving an enforcement action under the California Consumer Privacy Act (“CCPA”) and the California Online Privacy Protection Act (“CalOPPA”) brought against online food delivery company  DoorDash, Inc. (the “Company”). This is the AG’s second CCPA enforcement settlement, following the agency’s settlement with Sephora.

Recent developments in the Shanghai Pilot Free Trade Zone to facilitate cross-border data transfers are expected to provide greater flexibility in exporting data from China, which has been stymied by the Cyberspace Administration of China (“CAC”)’s strict cross-border data transfer regulations proposed in December 2023. In recent years, the legal framework and practical enforcement for cross-border data transfers in China have undergone significant developments, especially with respect to the CAC’s cross-border data transfer security reviews and standard contractual clauses. The lack of clarity around the CAC’s strict rules for security assessment reviews appears to have caused significant delays in the approval process for cross-border data transfers and concern among international companies who regularly transfer data outside of China. However, it appears that the Shanghai government is likely to permit international companies to transfer data offshore by leveraging its sprawling free trade zones. Shanghai, for example, has recently unveiled new measures aimed at accelerating cross-border data transfers.

On February 9, 2024, a California state court of appeal ruled in favor of the California Privacy Protection Agency (“CPPA”) and vacated the lower court order postponing enforcement of the CPPA’s final regulations under the California Consumer Privacy Act.