Inside Privacy

Updates on developments in data privacy and cybersecurity

On March 11, 2026, the Federal Trade Commission (“FTC” or “the Commission”) announced an Advance Notice of Proposed Rulemaking (“ANPRM”) regarding its Rule Concerning the Use of Prenotification Negative Option Plans, commonly known as the Negative Option Rule (“the Rule”). This ANPRM signals the beginning of a rulemaking process that will expand the scope of

On February 27, 2026, CalPrivacy and PlayOn settled a CCPA claim for $1.1 million. PlayOn is a digital ticketing platform used by schools and other organizations for ticketing, streaming, fundraising, concessions, merchandise sales, and website management. The settlement resolves allegations that PlayOn unlawfully “sold” and “shared” users’ personal information without providing sufficient opt-outs and notice,

On March 6, 2026, the Administration released “President Trump’s Cyber Strategy for America” alongside an Executive Order (entitled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens”) and accompanying Fact Sheet.  The framework set forth in the Strategy document is significantly shorter and higher-level than the prior National Cybersecurity Strategy issued in

In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog post.

Helpfully, AEPD’s guidance maps key

On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such

On January 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a new resource on Assembling a Multi-Disciplinary Insider Threat Management Team. The guidance is intended to assist critical infrastructure stakeholders, which include private sector entities across various sectors, with implementing an insider threat mitigation program that combines physical security, cybersecurity, personnel

On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) announced a series of public town hall meetings to solicit additional stakeholder input on the Notice of Proposed Rulemaking (“Proposed Rule”) implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which CISA published in April 2024.  

Background

CIRCIA established two

On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the “Report”). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here