Following the approach taken by the Kentucky and Connecticut legislatures this spring, Oregon has amended its comprehensive privacy statute to implement changes to the law. Specifically, the amendment extends the statutory cure period to July 1, 2026, but this extension is limited to certain controllers. Beginning on January 1, 2026, the statute’s cure provision will
Inside Privacy
Updates on developments in data privacy and cybersecurity
U.S. Government Issues Cybersecurity Warning to Critical Infrastructure Operators and Others
On June 30, 2025, the Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA) warned U.S. critical infrastructure organizations and other companies that the threat of cyber attacks from Iran-affiliated cyber actors is heightened in the wake of the…
Connecticut Legislature Amends Its Privacy Statute
On June 24, 2025, the Connecticut governor signed SB 1295, which amends the state’s comprehensive privacy statute, the Connecticut Data Privacy Act (“CTDPA”). SB 1295 takes effect on July 1, 2026.…
The UK’s new Data Legislation – What does it mean for the Life Science sector?
This blog was prepared in collaboration with, and was originally published by, the UK BioIndustry Association, here. We are grateful to the UK BioIndustry Association for collaborating on this blog, and for the opportunity to post it here.
What are the UK’s plans to reform data protection law?
After an extended period of legislative…
New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict
On June 23, 2025, the New York State Department of Financial Services (“NY DFS”) issued guidance to NY DFS-regulated individuals and entities regarding the impact of “ongoing global conflicts” to the financial sector. The guidance follows a bulletin from the U.S. Department of Homeland Security about the “heightened threat environment” in the United States, which…
State Legislatures Advance Surveillance Pricing Regulations
This year, state lawmakers have introduced over a dozen bills to regulate “surveillance,” “personalized,” or “dynamic” pricing. Although many of these proposals have failed as 2025 state legislative sessions come to a close, lawmakers in New York, California, and a handful of other states are moving forward with a range of different approaches. These proposals…
New Jersey Division of Consumer Affairs Proposes Draft Regulations
On June 2, 2025, the New Jersey Division of Consumer Affairs published draft regulations to implement the New Jersey Data Protection Act, which went into effect on January 1, 2025. The draft regulations propose detailed requirements, including for privacy notices, consent, and consumer rights. Interested parties may submit written comments by August 1, 2025.
New State Privacy and Minor Social Media Laws to Become Effective in July
A number of previously enacted laws related to privacy and minors’ use of social media platforms will enter into force in July 2025. These laws include comprehensive privacy frameworks in Tennessee and Minnesota, as well as laws governing the use of social media platforms by minors in Georgia and Louisiana. An overview of some key…
Digital Fairness Act Series — Topic 3: Personalized Advertising and Pricing
Personalized advertising and pricing are increasingly common online practices, and prompt discussions about fairness and consumer rights in the EU. This post examines how these practices are regulated under EU consumer protection law, and what we anticipate from the forthcoming Digital Fairness Act (DFA). We also consider how data protection rules—such as the GDPR—interact with…
CNIL Publishes Recommendations on Legitimate Interest as a Legal Basis for AI Training
On June 19, 2025, the French Data Protection Authority (“CNIL”) published two recommendations for AI developers. The first recommendation covers reliance on the GDPR’s legitimate interest legal basis for developing an AI model. It provides examples of legitimate interests that can justify the use of personal data for AI development. The second recommendation discusses measures…