California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting this earlier this year). While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.Continue Reading 2026 Data Breach Law Updates – California and Oklahoma

Companies are become increasingly concerned about being viewed as “selling” personal data. In the midst of these worries, California’s governor signed SB 361, which will change the California Delete Act starting January 1, 2026. The law applies to those who sell personal information about consumers with whom they do not have a direct relationship. For covered entities, the amendment will add to compliance complexities.Continue Reading California Continues to Expand Data Broker Requirements

Many courts have held that that information gathered by video-related pixels are not “personal” for purposes of the Video Privacy Protection Act. Nevertheless, plaintiff class action attorneys continue to file these VPPA actions in federal court.Continue Reading Behind the Pixel: Not Always Personal Information Under VPPA

A thorny issue for companies has been how to handle data derived from personal information. Is it still personal information? Do privacy laws apply? The EU Court of Justice of grappled with this issue in a September decision. The case arose following a Spanish bank’s financial difficulties. Its regulatory agency, the European Single Resolution Board, stepped in to attempt to value some of the bank’s investments and otherwise determine next steps. As part of the process, the board hired a consulting firm to analyze feedback from the bank’s shareholders and creditors. The board collected the information, pseudonymized the data, and then sent the pseudonymized data set to the consulting firm.Continue Reading EU Weighs in on Pseudonymized Data

Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule –relating to the Cybersecurity Maturity Model Certification program or CMMC – will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)Continue Reading Leveling Up: Will CMMC Contract Obligations Impact Your Organization?

We are in the final quarter of the year, which is typically budgeting and planning for many issues, including -hopefully!- data incident preparedness. Is your organization able to take advantage of one of the growing number of states’ safe harbor provisions? In particular, Connecticut, Iowa, Ohio, Oklahoma (beginning January 1, 2026), Oregon, – as of September 2025 Texas (for entities with less than 250 employees) – and Utah provide certain affirmative defenses against claims resulting from data breaches. The safe harbor is available if the company has a “qualified” cybersecurity program. What that means varies by state. Continue Reading Incident Response Defenses: Can You Take Advantage of a Cyber Program Safe Harbor?

For those keeping track of the growing list of US state “comprehensive” privacy laws, you know that the Maryland law (the Maryland Online Data Privacy Act or MODPA) went into effect on October 1st. This rounds us out for US state privacy laws in 2025, bringing the total to 17 (or 16, if you discount Florida). Next up will be Indiana, Kentucky, and Rhode Island (all on January 1, 2026).Continue Reading 2025 Brought Us Eight US “Comprehensive” Privacy Laws, What’s Next?

Companies can take many lessons from the FTC’s recent COPPA settlement with a robot app from the toy manufacturer Apitor Technologies. According to the FTC complaint, the app allegedly allowed a Chinese entity to collect and share children’s geolocation information without parental consent – violating COPPA. In particular, children could use the app to program their robots, but to do so, they needed to enable location permissions. Once enabled, a third party SDK (JPush), developed by Chinese-based entity Jiguang, would send the child’s location to that entity’s Chinese-based servers.Continue Reading What Can We Learn from This Administration’s FTC COPPA Settlement

Now is the time that many are putting together their 2026 budgets and considering how much to allocate next year to address the constantly evolving privacy and data security landscape. In the last article in this series we looked at three change management tools that can help effectuate privacy compliance. Here are three more, and things to consider -and potentially budget for- in the new year.Continue Reading More Privacy Compliance Considerations for the 2026 Budget Process

Today’s compliance landscape is more crowded—and more complex—than ever. As the pace of regulatory change accelerates, companies need to find effective paths forward. As I detailed in a Law360 article from earlier this year, change management tools can help. Here are three areas to consider as you begin to think about your compliance plans (and budget) for 2026.Continue Reading Setting Your Privacy Compliance Strategy in Advance of the 2026 Budget Process