Privacy & Information Security Law Blog

California Attorney General Rob Bonta recently announced a new enforcement sweep targeting the location data industry’s compliance with the CCPA.

On March 13, 2025, the U.S. District Court for the Northern District of California granted a second motion for preliminary injunction in favor of the technology trade group NetChoice.

On March 7, 2025, the California Privacy Protection Agency voted to authorize the agency to advance proposed data broker regulations concerning the Delete Request and Opt-Out Platform to formal rulemaking.

Earlier this month, the Centre for Information Policy Leadership at Hunton submitted a response to India’s Ministry of Electronics and Information Technology regarding the Draft Digital Personal Data Protection Rules 2025.

On March 11, 2025, the Virginia legislature passed a bill that would amend the Virginia Consumer Data Protection Act to impose significant restrictions on minor users’ use of social media.

On March 12, 2025, the California Privacy Protection Agency announced that it reached a settlement with American Honda Motor Co. in which Honda will pay a $632,500 fine to resolve claims that the company violated the CCPA.

After six months of enforcement of Oregon’s Consumer Privacy Act, a new report from the Oregon Attorney General indicates strong consumer engagement with the law’s privacy rights, notable business compliance efforts and key areas where businesses are falling short.

The Attorney General of Arkansas filed a lawsuit against General Motors and its subsidiary, OnStar, alleging deceptive trade practices related to the collection and sale of drivers’ data.

On February 20, 2025, the U.S. District Court for the Northern District of Georgia granted a motion for class certification in a class action alleging that WebMD violated the federal Video Privacy Protection Act by disclosing certain user data to Facebook without the users’ consent. 

On February 21, 2025, President Trump issued a National Security Memorandum on America First Investment Policy outlining the administration’s foreign direct investment policy, including initiatives for a regulatory fast track process, additional scrutiny for Chinese investors, key changes to reviews by the Committee on Foreign Investment in the United States including CFIUS’s use of national security agreements.

On February 20, 2025, the UK Information Commissioner’s Office published its annual Tech Horizons Report, which explores four key technologies expected to play a significant role in society in upcoming years.

The Cyberspace Administration of China recently released requirements regarding data protection compliance audits, which will go into effect on May 1, 2025.

The People’s Bank of China recently released the Draft Administrative Measures for Reporting of Cybersecurity Incidents in the Operational Areas of PBOC for public comment.

NetChoice has filed a lawsuit challenging Maryland’s Age-Appropriate Design Code Act on constitutional grounds, arguing that the law’s requirements, including requirements to perform data protection impact assessments, inhibit free speech.

As part of the California Privacy Protection Agency’s investigative sweep of data broker registration compliance under California’s Delete Act, the CPPA recently announced an enforcement action against a Florida-based data broker and a settlement with a California-based data broker for failure to register as a data broker on the California Data Broker Registry, as required under the Delete Act.

Attorney General Ken Paxton announced an investigation into DeepSeek, a Chinese artificial intelligence company, regarding its privacy practices and compliance with Texas law.

On February 8, 2025, the Shanghai Cyberspace Administration and four other Shanghai government agencies released the Data Export Management List in the Free Trade Trial Zone and Lin Gang New Area, Administrative Measures on the Negative List, and the Implementation Guideline on the Negative List.

The European Data Protection Board held its latest plenary meeting on February 12, 2025.

On February 11, 2025, the data protection authorities of the UK, Ireland, France, South Korea and Australia issued a joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective artificial intelligence.

On February 7, 2025, the French Data Protection Authority (“CNIL”) released two recommendations aimed at guiding organizations in the responsible development and deployment of artificial intelligence (“AI”) systems in compliance with the EU General Data Protection Regulation (“GDPR”). The first recommendation is titled “AI: Informing Data Subjects” (the “Recommendation on Informing Individuals”) and the second recommendation is titled “AI: Complying and Facilitating Individuals’ Rights” (the “Recommendation on Individual Rights”). The recommendations build on the CNIL’s four-pillar AI action plan announced in 2023.

On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission.

On January 23, 2025, the New York Department of Financial Services (“NYDFS”) announced a $2 million civil fine against PayPal, Inc. (“PayPal”) for alleged cybersecurity failures that resulted in the unauthorized exposure of customers’ personal information. 

On January 29, 2025, the California Privacy Protection Agency announced that it had reached a settlement with Connecticut-based data broker Key Marketing Advantage, LLC, resolving the fifth action against a business  for its alleged failure to register as a data broker, as required under California’s Delete Act.

On January 14, 2025, the Federal Trade Commission announced that it had issued final orders against data brokers Gravy Analytics, Inc. and Mobilewalla, Inc. for the collection, use, and sale of consumers’ precise geolocation data.

New York Attorney General Letitia James announced a $450,000 settlement with three companies distributing eufy home security video cameras—Fantasia Trading LLC, Power Mobile Life LLC and Smart Innovation LLC—following an investigation into the security of their Internet-enabled video products.

On January 24, 2025, the UK Information Commissioner’s Office published a letter setting out proposals to boost business confidence, improve the investment climate, and foster sustainable economic growth in the UK.

On February 2, 2025, the EU AI Act’s rules on AI literacy, along with the prohibition of certain types of AI system, became applicable in the EU.

On December 21, 2024, New York Governor Kathy Hochul signed a flurry of privacy and social media bills, including Senate Bill 895B, Senate Bill 5703B, Senate Bill 2376B and Senate Bill 1759B.

On January 28, 2025, the Italian Data Protection Authority announced that it had launched an investigation into the data processing practices of Hangzhou DeepSeek Artificial Intelligence and Beijing DeepSeek Artificial Intelligence.

New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”

On January 20, 2025, President Trump revoked a number of Biden-era Executive Orders, including Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.

On January 21, 2025, the New York state legislature passed Senate Bill (S-929), which provides for the protection of health data. 

On January 23, 2025, the UK Information Commissioner’s Office published its new online tracking strategy for 2025 which sets out how it intends to achieve its vision of a fair and transparent online world where people are given meaningful control over how they are tracked online.

On January 15, 2025, the Federal Trade Commission announced a proposed order against web hosting company GoDaddy for unfair or deceptive acts or practices in violation of Section 5 of the FTC Act, and issued guidance for customers of web hosting services on security practices in light of the settlement.

On January 16, 2025, French Data Protection Authority unveiled its strategic plan for 2025-2028, highlighting its priorities for the coming years.

On January 21, 2025, the Council of the EU adopted the European Health Data Space Regulation.

On January 3, 2025, the Cyberspace Administration of China issued the draft Measures for Personal Information Protection Certification for Cross-Border Transfers of Personal Information (“Draft Measures”) for public consultation.  The Draft Measures will make available a certification which can be used as a mechanism for lawfully transferring personal information outside of China.

On January 13, 2025, California Attorney General Rob Bonta issued two legal advisories on the use of AI, including in the healthcare context. The first legal advisory (“AI Advisory”) advises consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws with respect to the use of AI, while the second (“Healthcare AI Advisory”) provides guidance specific to healthcare entities about their obligations under California law regarding the use of AI.

On January 16, 2025, the non-profit organization None Of Your Business filed six complaints against organizations with five European data protection authorities for the unlawful transfer of personal data to China.

On January 16, 2025, the FTC announced the issuance of updates to the FTC’s Children’s Online Privacy Protection Rule (the “Rule”), which implements the federal Children's Online Privacy Protection Act of 1998 (“COPPA”).

On January 8, 2025, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency published finalized Security Requirements for Restricted Transactions as designated by the Department of Justice in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The Requirements and DOJ rule will go into effect on April 8, 2025.

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

The Equal Employment Opportunity Commission recently issued a fact sheet addressing the application of employment discrimination laws to the use of wearable technologies in U.S. workplaces.

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers on the New Jersey Data Privacy Law.

On December 27, 2024, the U.S. Department of Justice issued a comprehensive final rule implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Final Rule will go into effect on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations, which will become effective on October 5, 2025.

On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.

The Colorado Attorney General announced the adoption of the draft amendments on December 5, 2024, and the adopted rules were filed with the Secretary of State and the Office of Legislative Legal Services on December 17, 2024. The amendments underwent minor clarifying changes prior to the Department of Law hearing, and in response to comments and testimony received during the public comment period.

In December 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a discussion paper titled, “Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators.”

On December 5, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a penalty of $548,265 against Children’s Hospital Colorado (“CHC”) in connection with a series of alleged data breaches that occurred in 2017 and 2020. In September 2017, CHC reported to OCR a phishing attack that compromised an employee’s email account. OCR’s investigation revealed that the breach occurred because multi-factor authentication was disabled on the employee’s email account. According to OCR, the second breach in April 2020 occurred in part because two workforce members provided unknown third parties with access to their email accounts by accepting a multi-factor authentication access request that neither individual had initiated. OCR also determined that CHC violated the HIPAA Privacy Rule’s requirement to train workforce members on the HIPAA Privacy Rule and the HIPAA Security Rule’s requirements regarding conducting risk analyses to determine the risks and vulnerabilities to ePHI in an organization’s systems.

On December 6, 2024, the U.S. Court of Appeals for the D.C. Circuit upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, which is set to take effect on January 19, 2025, and make the distribution of TikTok illegal in the U.S. if parent company ByteDance has not divested. The D.C. Circuit is now considering a request for emergency injunction pending Supreme Court review. 

In November 2024, the Department of Commerce’s Artificial Intelligence Safety Institute established a new taskforce to research and test AI models in areas critical to national security and public safety, while ODNI released guidance on the acquisition and use of foundation AI models, both part of the national security community’s response to the directives of the recent White House AI Memo and Executive Order 14110.

Patrick Gunning of King & Wood Mallesons reports that on November 29, 2024, the Australian Parliament passed more than 30 bills on the final sitting day for the calendar year. Among the flurry of legislative activity were the Privacy and Other Legislation Amendment Act 2024 and the Online Safety Amendment (Social Media Minimum Age) Act 2024, the latest developments in Australia’s ongoing efforts to update its privacy legislation and address concerns related to children’s privacy.

On November 27, 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth filed a response to the Department of Justice’s Notice of Proposed Rulemaking, which implements Executive Order 14117 of February 28, 2024.

On November 25, 2024, the New York Attorney General and New York Department of Financial Services announced a $11.3 million settlement with insurance companies GEICO and Travelers over alleged legal violations related to cybersecurity incidents.

On November 6, 2024, a Texas state district court jury found that a large e-discovery vendor violated Title 7, Chapter 33 of the Texas Penal Code, which provides that accessing a computer without its owner’s permission is a Class B misdemeanor. This case highlights the importance for e-discovery vendors of considering data privacy and security requirements in the course of discovery proceedings.

On November 7, 2024, the Commission Implementing Regulation 2024/2690 laying down rules for the application of the NIS2 Directive as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to certain digital service providers entered into force.

The Supreme Judicial Court of Massachusetts, the state’s highest appellate court, recently held that website operators’ use of third-party tracking software, including Meta Pixel and Google Analytics, is not prohibited under the state’s Wiretap Act.

The California Privacy Protection Agency recently announced that it is conducting an investigative sweep focused on enforcing requirements for data brokers to register with the CPPA by January 31, 2024, under California’s Delete Act.

On November 7, 2024, the UK Information Commissioner’s Office released a report exploring data privacy concerns in genomic technology.

On November 6, 2024, the UK Information Commissioner’s Office published a report following consensual audit engagements conducted between August 2023 and May 2024 with developers and providers of artificial intelligence powered sourcing, screening, and selection tools used in recruitment.

On November 4, 2024, the European Data Protection Board adopted its first report under the EU-U.S. Data Privacy Framework.

On October 24, 2024, the White House released a memorandum implementing Executive Order 14110 on national security and responsible AI.

On October 24, 2024, the Irish Data Protection Commission announced that it had issued a fine of 310 million euros against LinkedIn Ireland Unlimited Company for breaches of the EU GDPR related to transparency, fairness and lawfulness in the context of the company’s processing of its users’ personal data for behavioral analysis and targeted advertising.

The U.S. Government Accountability Office has launched an investigation into how retirement plan providers use data collected from 401k plan participants to engage in cross-selling of financial products.

On October 21, 2024, the U.S. Department of Justice National Security Division issued a Notice of Proposed Rulemaking implementing Executive Order 14117 that will restrict certain transactions with high-risk countries.

On October 15, 2024, the U.S. Court of Appeals for the Second Circuit vacated the dismissal of a proposed class action against the National Basketball Association under the Video Privacy Protection Act, holding that the named plaintiff successfully pled that he was a “consumer” protected by the Act by virtue of his subscription to the Defendant’s online newsletter.

On October 10, 2024, the Council of the European Union adopted the EU’s new regulation on horizontal cybersecurity requirements for products with digital elements.

October 17, 2024, is the final day for EU Member States to implement the necessary measures for transposing the NIS2 Directive into their national laws.

On October 4, 2024, the Court of Justice of the European Union issued its judgment in case C‑446/21 to assess whether the GDPR imposes limits to Meta Platforms Ireland’s use of personal data collected outside of the Facebook social network for advertising purposes.

On September 30, 2024, the State Council of China published the Regulations on Administration of Network Data Security (the “Regulations”), which will take effect on January 1, 2025. The Regulations cover multiple dimensions of network data security, including personal information protection, security of important data, cross-border transfers, network platform service providers’ obligations, and regulatory supervision and administration. Certain of the key provisions are summarized below. In general, most of the provisions under the Regulations can be found in other existing laws and regulations of China.

On October 3, 2024, Texas Attorney General Ken Paxton announced a lawsuit against TikTok for operating its platform in violation of the Texas Secure Children Online through Parental Empowerment Act.

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general issued announcements that they had reached settlement agreements with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over a multi-year series of data breaches impacting hundreds of millions of individuals.

On September 30, 2024, the Federal Communications Commission announced that T-Mobile has entered into an agreement to settle multiple data protection and cybersecurity investigations stemming from data breaches in 2021, 2022 and 2023.

On September 28, 2024, California Governor Gavin Newsom signed into law a pair of bills that amend the California Consumer Privacy Act of 2018 by defining neural data as sensitive personal information and specifying that personal information can exist in various formats.

In August 2024, the Guangzhou Internet Court in China published its final decision in the case No. (2022) Yue 0192 Minchu 6486 regarding the cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”), which was originally issued on September 8, 2023. It is the first case explaining the reliance on necessity for performance of contract in cross-border data transfer activities.

On September 24, 2024, a federal district court held that New York City’s Customer Data Law violates the First Amendment.

Last week, the House Energy and Commerce Committee advanced the Kids Online Safety Act (H.R. 7891) and the Children and Teen’s Online Privacy Protection Act (H.R. 7890).

On September 19, 2024, the Federal Trade Commission announced the publication of a staff report entitled, A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services. The Report documents the data collection and use practices of major social media and video streaming services and provides recommendations for better protecting users’ data and privacy, with a particular focus on children and teens.

On September 4, 2024, the California Privacy Protection Agency issued an Enforcement Advisory on Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice.

On August 29, 2024, the California State Assembly passed California bill AB-1949, following the bill’s passage in the California State Senate. If enacted, AB-1949 would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) to significantly expand privacy protections concerning the personal information of consumers under the age of 18.

On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.

On August 30, 2024, the Beijing Municipal Internet Information Office, Beijing Municipal Commerce Bureau and Beijing Municipal Government Services and Data Administration Bureau jointly issued the Data Export Management List (Negative List) of China (Beijing) Pilot Free Trade Zone (Version 2024) and the Administrative Measures for the Negative List.

On July 30, 2024, New York Attorney General Letitia James announced the Office of the AG’s publication of two privacy guides, one for businesses and one for consumers, both focused on the use of website tracking technologies.

On July 5, 2024, the California Privacy Protection Agency  issued a set of proposed regulations to implement the CA Delete Act, a law that imposes requirements on data brokers and grants consumers rights designed to facilitate control over their personal information. 

On July 9, 2024, the Federal Trade Commission issued a proposed order that banned NGL Labs, LLC, and two of its co-founders from offering an anonymous messaging app called “NGL: ask me anything” to children under the age of 18.

On June 29, 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act after Governor Daniel McKee transmitted the act back to the legislature without signature. The RIDTPPA will take effect on January 1, 2026.

On July 1, 2024, a new agreement between the EU and Japan facilitating data flows between the two jurisdictions entered into force.

On May 24, 2024, Governor Tim Walz signed H.F. 4757 into law, enacting the Minnesota Consumer Data Privacy Act. The MNCDPA will take effect on July 31, 2025. 

On May 10, 2024, the Vermont legislature passed HB 121, which was delivered to Governor Phil Scott for signature. HB 121 will enact the Vermont Data Privacy Act, the Vermont Data Broker Security Breach Notice Act and the Vermont Age-Appropriate Design Code.

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth recently released a report on Enabling Beneficial and Safe Uses of Biometric Technology Through Risk-Based Regulations (the “Report”).  The Report examines global laws and regulations that target biometric data and encourages adoption of a risk-based approach.  According to the Report, biometric technology applications are growing and can provide societal and economic benefits. However, there are recognized concerns over potential harms for individuals and their rights, and data protection and privacy laws are increasingly targeting the collection and use of biometric data.

On April 9, 2024, Representatives Tim Walberg (R-MI) and Kathy Castor (D-FL) introduced the Children and Teens’ Online Privacy Protection Act (“COPPA 2.0.”) The bill serves as a companion to the Senate bill by the same name.

On April 12, 2024, the UK Information Commissioner’s Office (“ICO”) launched the third installment in its consultation series examining how data protection law applies to the development and use of generative AI. This installment focuses on how the data protection principle of accuracy applies to the outputs of generative AI models, and the impact that accurate training data has on the output. The two previous installments discussed the lawful basis for web scraping to train generative AI models, and purpose limitation in the generative AI lifecycle. 

On April 2, 2024, the California Privacy Protection Agency (“CPPA”) Enforcement Division issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The purpose of this Enforcement Advisory is to address the CPPA Enforcement Division’s observation that some businesses are asking consumers “to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.” The Enforcement Advisory serves as a reminder to businesses to apply the data minimization principle to each purpose for which they collect, use, retain and share consumers’ personal information, including information that businesses collect when processing consumers’ CCPA requests.  The Enforcement Advisory provides further guidance on how businesses may comply with the principle, noting, however, that in general, Enforcement Advisories “do not implement, interpret or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice or reflect the views of the [CPPA]’s Board.” The Advisory notes several other caveats, reiterating the general point that  Enforcement Advisories do not have the force of law or safe harbor for CCPA compliance purposes.  However, the guidance provides illustrative hypotheticals and substantive insight into how the CPPA may approach enforcement in certain areas and “encourages” businesses to voluntarily comply with the law.

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms.

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521, (the Protecting Americans from Foreign Adversary Controlled Applications Act) resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

On March 1, 2024, the Virginia legislature passed S.B. 361 (the “Bill”), which amends the Virginia Consumer Data Protection Act to introduce new protections for children’s privacy. If signed by the Virginia Governor, the new children’s privacy protections will go into effect on January 1, 2025.

On March 8, 2024, the California Privacy Protection Agency (“CPPA”) Board discussed and voted 3-2 in favor of further edits to revised draft regulations regarding risk assessments and automated decisionmaking technology (“ADMT”), which were released in February 2024, but did not initiate the formal rulemaking process for these regulations, which is anticipated to begin in July 2024.

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.” 

As reported on the Hunton Employment & Labor Perspectives blog, on February 15, 2024, California lawmakers introduced the bill AB 2930. AB 2930 seeks to regulate use of artificial intelligence (“AI”) in various industries to combat “algorithmic discrimination.” The proposed bill defines “algorithmic discrimination” as a “condition in which an automated decision tool contributes to unjustified differential treatment or impacts disfavoring people” based on various protected characteristics including actual or perceived race, color, ethnicity, sex, national origin, disability and veteran status.