Privacy & Information Security Law Blog

As part of the California Privacy Protection Agency’s investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry, as required under the Delete Act.

On February 20, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a $1.5 million fine against Warby Parker for alleged violations of the HIPAA Security Rule.

Attorney General Ken Paxton announced an investigation into DeepSeek, a Chinese artificial intelligence company, regarding its privacy practices and compliance with Texas law.

On February 7, 2025, the U.S. District Court for the Western District of Texas granted a preliminary injunction further blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act.

It has been nearly two decades since Illinois introduced the first biometric information privacy law in the country in 2008, the Illinois Biometric Information Privacy Act (“BIPA”). Since then, litigation relating to biometric information privacy laws has mushroomed, and the insurance industry has responded with increasingly broad exclusions for claims stemming from the litigation.

Hunton publishes AI Act Guide for In-House Lawyers, providing a comprehensive yet practical roadmap for businesses to comply with the European Union’s AI Act. This blog entry provides a link to download a copy of the guide and a summary of the key areas covered.

The European Data Protection Board held its latest plenary meeting on February 12, 2025.

On February 11, 2025, the European Commission made available its 2025 work program, which sets out the key strategies, action plans and legislative initiatives to be pursued by the European Commission.

On February 11, 2025, the data protection authorities of the UK, Ireland, France, South Korea and Australia issued a joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective artificial intelligence.

On February 4, 2025, the Minnesota Attorney General published the second volume of a report outlining the negative impact that AI and social media is having on minors in Minnesota.

On February 10, 2025, the UK Information Commissioner’s Office released an updated response to the draft Data (Use and Access) Bill, providing comments on the amendments made by the House of Lords.

On February 7, 2025, the French Data Protection Authority (“CNIL”) released two recommendations aimed at guiding organizations in the responsible development and deployment of artificial intelligence (“AI”) systems in compliance with the EU General Data Protection Regulation (“GDPR”). The first recommendation is titled “AI: Informing Data Subjects” (the “Recommendation on Informing Individuals”) and the second recommendation is titled “AI: Complying and Facilitating Individuals’ Rights” (the “Recommendation on Individual Rights”). The recommendations build on the CNIL’s four-pillar AI action plan announced in 2023.

The Massachusetts Attorney General released internal TikTok documents last week as part of an unsealed complaint alleging that the company designed its platform to maximize children’s engagement while downplaying associated risks.

On January 1, 2025, an amendment to the Virginia Consumer Data Protection Act (“VCDPA”) went into effect that provides additional protections for children. The amendment imposes additional requirements on the processing of personal data of a known child, which is defined as a consumer who is under 13 years of age. Our earlier blog entry provides additional details regarding these new requirements.

On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission.

On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information. 

On January 29, 2025, the California Privacy Protection Agency announced that it had reached a settlement with Connecticut-based data broker Key Marketing Advantage, LLC, resolving the fifth action against a business  for its alleged failure to register as a data broker, as required under California’s Delete Act.

On January 31, 2025, the UK government published the Code of Practice for the Cyber Security of AI and the Implementation Guide for the Code. 

On January 29, 2025, the United States Court of Appeals for the Ninth Circuit enjoined California from enforcing the Protecting Our Kids from Social Media Addiction Act in its entirety, pending a challenge to the law brought by NetChoice.

On January 14, 2025, the Federal Trade Commission announced that it had issued final orders against data brokers Gravy Analytics, Inc. and Mobilewalla, Inc. for the collection, use, and sale of consumers’ precise geolocation data.

On January 16, 2025, the FTC announced a proposed order against General Motors and OnStar that would resolve allegations that the companies collected, used and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles without adequately notifying consumers and obtaining their affirmative consent.

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products.

On January 24, 2025, the UK Information Commissioner’s Office published a letter setting out proposals to boost business confidence, improve the investment climate, and foster sustainable economic growth in the UK.

On February 2, 2025, the EU AI Act’s rules on AI literacy, along with the prohibition of certain types of AI system, became applicable in the EU.

On December 21, 2024, New York Governor Kathy Hochul signed a flurry of privacy and social media bills, including Senate Bill 895B, Senate Bill 5703B, Senate Bill 2376B and Senate Bill 1759B.