2025

On September 23, 2025, the California Privacy Protection Agency announced that the state’s Office of Administrative Law approved regulations that update existing California Consumer Privacy Act (“CCPA”) regulations and introduce new regulations covering cybersecurity audits, risk assessments, and automated decision-making technology.  The updates to the existing regulations—which take effect on January 1, 2026—expand business obligations

Before issuing a proposal for a Quantum Act, the European Commission has issued a call for evidence (“Call for Evidence”), asking for views from all stakeholders on the best approach to addressing structural problems that the Commission has identified in the areas of research, industrial capacity, and supply chain resilience. Industry stakeholders already grappling with

In a recent decision, the Northern District of Illinois dismissed a deceptive advertising class action filed against Mondeléz International, Inc. (“Mondeléz”).  Salguero v. Mondeléz Int’l, Inc., 2025 WL 3004534, at *6 (N.D. Ill. Oct. 27, 2025).  Mondeléz, a snack food company, manufactured and distributed energy snack bars (“Zbars”) while labeling the packaging as “climate neutral

On October 20, a California trial court granted summary judgment in favor of defendants in Mach v. Yardi Systems, Inc., rejecting class plaintiffs’ claims that defendants violated California’s antitrust law, the Cartwright Act, through their common use of rental pricing software.  The decision, which relied on “critical” evidence produced by defendant Yardi Systems in discovery,

Following an announcement in September that the White House intends to deploy the Foreign Agents Registration Act (“FARA”) to investigate persons with foreign ties that “foment political violence,” the FARA Unit of the Department of Justice (“DOJ”) quietly (and maybe inadvertently) published and then unpublished 17 new advisory opinions regarding FARA.

The publication and subsequent

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at

On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital,

Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.

The Commerce Department today published a Request for Information (RFI) inviting the public to submit comments on U.S. artificial intelligence exports.  The RFI asks stakeholders to weigh in on aspects of the Department’s new “American AI Exports Program,” an initiative intended to “promot[e] the export of full-stack American AI technology packages.”

The RFI follows from