2025

***Update (January 27, 2026): The EU and Brazil have now formally adopted mutual adequacy decisions, confirming that both jurisdictions ensure comparable levels of data protection and enabling the free and safe flow of personal data between the EU and Brazil without the need for additional transfer mechanisms.***

On September 5, 2025, the European Commission announced

This blog post discusses the Department of Defense’s (“DoD”) new cybersecurity rule that imposes certain cybersecurity requirements on relevant DoD contractors and subcontractors. The post will be of interest to all DoD contractors, subcontractors, and possibly affiliates of contractors that may be impacted by the new rule’s cybersecurity requirements.

On September 10, 2025, DoD published

On August 20, 2025, the Federal Trade Commission (“FTC”) sued Fitness International, LLC and Fitness & Sports Club LLC – the parent companies of LA Fitness and other gym chains – for violations of Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”) in connection with alleged practices that make it

On August 27, 2025, the imageboard website 4chan Community Support LLC (“4chan”) and discussion forum Lolcow, LLC (dba “Kiwi Farms”) (together, the “Plaintiffs”) filed a claim in the U.S. District Court of the District of Columbia (“Court”) asking the Court to declare, in effect, that the UK’s Online Safety Act 2023 (“OSA”) is unenforceable against

The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive

On September 2, 2025, the U.S. Commerce Department, Bureau of Industry and Security (“BIS”) published in the Federal Register a final rule titled Relaxing Export Controls for Syria (the “Syria Export Controls Rule”). The rule eases certain export controls applicable to Syria under the Export Administration Regulations (“EAR”) by adding a new license exception applicable

On August 29, the Oregon Department of Justice (DOJ) issued an enforcement report and press release covering its first year of enforcement of the Oregon Consumer Privacy Act (OCPA). The OCPA took effect on July 1, 2024, and the cure period sunsets on January 1, 2026. We previously summarized some of the requirements in the OCPA

In August, the Federal Trade Commission (“FTC”) announced a $14 million settlement with Match Group, Inc. and Match Group, LLC (collectively, “Match”), the parent companies of online dating platforms Match.com, OkCupid, PlentyOfFish, and other dating sites. In addition to monetary relief, the settlement includes significant injunctive provisions aimed at addressing alleged deceptive marketing and unfair

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), in partnership with the Federal Bureau of Investigation (“FBI”), National Security Agency, Environmental Protection Agency, and cybersecurity authorities in Australia, Canada, Germany, Netherlands, and New Zealand, published new cybersecurity guidance (the “Guidance”) related to operational technology (“OT”), i.e., systems and devices that interact with a