Privacy & Information Security Law Blog

After six months of enforcement of Oregon’s Consumer Privacy Act, a new report from the Oregon Attorney General indicates strong consumer engagement with the law’s privacy rights, notable business compliance efforts and key areas where businesses are falling short.

On March 6, 2025, the U.S. Department of Health and Human Services Office for Civil Rights announced a $200,000 civil monetary penalty against Oregon Health & Science University for allegedly violating the HIPAA Privacy Rule’s right of access.

On February 27, 2027, in Chabolla v. ClassPass Inc., the U.S. Court of Appeals for the Ninth Circuit, in a split 2-1 decision, held that website users were not bound by the terms of a “sign-in wrap” agreement.

The Attorney General of Arkansas filed a lawsuit against General Motors and its subsidiary, OnStar, alleging deceptive trade practices related to the collection and sale of drivers’ data.

On February 20, 2025, the U.S. District Court for the Northern District of Georgia granted a motion for class certification in a class action alleging that WebMD violated the federal Video Privacy Protection Act by disclosing certain user data to Facebook without the users’ consent. 

On March 5, 2025, the European Data Protection Board announced the launch of its latest Coordinated Enforcement Framework action addressing the right to erasure.

Last month, SEC Commissioner Hester Peirce, chair of the Crypto Task Force, laid out a broad agenda for the SEC’s approach to cryptocurrency over the next four years.

On February 21, 2025, President Trump issued a National Security Memorandum on America First Investment Policy outlining the administration’s foreign direct investment policy, including initiatives for a regulatory fast track process, additional scrutiny for Chinese investors, key changes to reviews by the Committee on Foreign Investment in the United States including CFIUS’s use of national security agreements.

On February 20, 2025, the Virginia legislature passed the High-Risk Artificial Intelligence Developer and Deployer Act.

On February 20, 2025, the UK Information Commissioner’s Office published its annual Tech Horizons Report, which explores four key technologies expected to play a significant role in society in upcoming years.