Privacy & Information Security Law Blog

On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025.

On December 27, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking (“NPRM”) to update the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The NPRM is intended to strengthen cybersecurity protections for electronic protected health information (“ePHI”) in light of increasing cybersecurity threats to the health care sector.

On December 17, 2024, the European Data Protection Board adopted an opinion on the processing of personal data in the context of AI models. This blog entry provides a summary of the opinion. 

Earlier this month, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing.

In January 2025, comprehensive data privacy laws go into effect in Delaware, Iowa, Nebraska, New Hampshire and New Jersey.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.

On December 12, 2024, the French Data Protection Authority announced that it had issued notices to several organizations ordering them to modify the cookie banners on their websites to bring them into compliance.

On December 17, 2024, the Irish Data Protection Commission announced that it concluded two inquiries initiated following a personal data breach reported in 2018 affecting Meta Platforms Ireland Limited.

The Colorado Attorney General announced the adoption of the draft amendments on December 5, 2024, and the adopted rules were filed with the Secretary of State and the Office of Legislative Legal Services on December 17, 2024. The amendments underwent minor clarifying changes prior to the Department of Law hearing, and in response to comments and testimony received during the public comment period.

In December 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a discussion paper titled, “Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators.”