Inside Privacy

Updates on developments in data privacy and cybersecurity

Subscribe via RSS
Visit Blog

Blog Authors

ABCDEFGHIJKLMNOPQRSTUVWXYZ
Rachel Bercovitz
Alexander Berengaut
Alix Bertrand
Divya Bhat
Elżbieta Bieńkowska
Diego Bonomo
Eric Bosset
John Bowers
David Brazil
Lindsay Brewer
Analese Bridges
Elizabeth Brim
John Buchanan
Kerry Burke
Lindsay Burke
Ryan Burnette

Latest from Inside Privacy

Over the past few months, there have been several notable developments in the cross-border data frameworks of the U.S., EU, UK, Brazil, and several Asia Pacific (“APAC”) countries. These developments reflect evolving regulatory approaches to international data flows, trade agreements, and national security priorities—each with certain nuances and particularities that multinational companies need to understand

On September 23, 2025, the California Privacy Protection Agency announced that the state’s Office of Administrative Law approved regulations that update existing California Consumer Privacy Act (“CCPA”) regulations and introduce new regulations covering cybersecurity audits, risk assessments, and automated decision-making technology.  The updates to the existing regulations—which take effect on January 1, 2026—expand business obligations

On October 14, 2025, the European Data Protection Board (“EDPB”) announced that its 2026 coordinated enforcement action (“CEA”) will focus on transparency and information obligations — the rules that require organizations to clearly explain how they collect, use, and share personal data — under Articles 12-14 of the General Data Protection Regulation (“GDPR”).

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at

Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.

By December 9, 2026, all EU Member States must update their product liability laws to align with the (new) Product Liability Directive (EU) 2024/2853 (“PLD”). The PLD imposes liability on manufacturers of products (and other relevant parties) for harm caused by defective products, regardless of fault. The PLD modernizes the current EU product liability framework

On September 17, 2025, the German Supervisory Authorities (Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, DSK) published new guidelines and recommendations addressing the complex requirements for transferring personal data, particularly health data (including health data contained in biomaterials), to countries outside of the European Economic Area for scientific research purposes under the GDPR.

Recently, California Governor Gavin Newsom signed into law several privacy and related proposals, including new laws governing browser opt-out preference signals, social media account deletion, data brokers, reproductive and health services, age signals for app stores, social media “black box warning” labels for minors, and companion chatbots. This blog summarizes the statutes’ key takeaways.

  • Opt-Out

On September 30, 2025, the California Privacy Protection Agency (“Agency”) announced a decision and $1.35 million fine to resolve allegations that Tractor Supply Co. (“Tractor Supply”) violated the California Consumer Privacy Act (“CCPA”). The settlement comes after the Agency filed a petition to enforce an investigative subpoena against Tractor Supply. In addition to imposing the

On September 17, 2025, the Federal Trade Commission (“FTC”) and seven states – Colorado, Florida, Illinois, Nebraska, Tennessee, Utah, and Virginia – sued Live Nation and Ticketmaster for violations of Section 5 of the FTC Act and the Better Online Ticket Sales Act (“BOTS Act”). Additionally, each state Attorney General alleges violation of various state