We are less than a month into the new Trump administration and are seeing an unprecedented wave of activity and major changes at federal agencies. These changes promise to bring significant disruption to the staff and negatively impact the typical activities of numerous agencies, including the nation’s consumer protection watchdog, the Federal Trade Commission (FTC). As discussed below, we expect the impact on the FTC to be significant given the rapid and aggressive moves by the new administration. And we expect state Attorneys General (AGs) to step in to fill the gap.Continue Reading Consumer Protection Update: With Disruption at the Federal Level, State Attorneys General Are Likely to Loom Large
The EU’s AI Act Starts to Apply as of February 2, 2025
On February 2, 2025, the European Union’s (EU) Artificial Intelligence Act (AI Act) will start to apply in phases. This alert summarizes the new obligations that will apply as of February 2, 2025. It also indicates when companies can expect the first enforcement actions, and what the enforcement regime will look like. For more information about the scope and requirements of the AI Act, please see our 10 Things You Should Know About the EU AI Act.Continue Reading The EU’s AI Act Starts to Apply as of February 2, 2025
New Federal Children’s Privacy Requirements Are Not Child’s Play: FTC Amends COPPA Rule, Imposing New Obligations on Child-Directed Services
Companies that may have child users, or whose competitors have child users, take note. On January 16, 2025, the Federal Trade Commission (FTC) announced the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). At a high level, the COPPA Rule requires websites or online services to provide notice and obtain verifiable parental consent before collecting information from children under the age of 13. The Rule’s amendments slightly expand the Rule’s scope, change the previous notice and consent provisions, and implement new data security requirements. Violations of the Rule would be subject to $53,088 in civil penalties per violation.Continue Reading New Federal Children’s Privacy Requirements Are Not Child’s Play: FTC Amends COPPA Rule, Imposing New Obligations on Child-Directed Services
Ransomware Attacks: UK Government Proposes Ransom Payment Ban and Mandatory Notification Requirements
On January 14, 2025, the UK government unveiled a proposed framework aimed at combating the rise of ransomware attacks by implementing a payment prevention and reporting regime. This would require companies to not only report all ransomware incidents, but also to declare whether they intend to pay a ransom. The government also announced that it proposes to ban public bodies and infrastructure providers from making ransom payments to cyber attackers. A public consultation is open until April 8, 2025.Continue Reading Ransomware Attacks: UK Government Proposes Ransom Payment Ban and Mandatory Notification Requirements
The UK’s Online Safety Regime Is Coming into Force: Steps to Take Now
In the last month, Ofcom, the regulator tasked with enforcing the UK’s Online Safety Act (OSA), has published guidance enacting requirements under the OSA to carry out illegal harms risk assessments and children’s access assessments. Providers of in-scope services must document an illegal harms risk assessment by March 16, 2025, and a children’s access assessment by April 16, 2025. This alert outlines the steps that in-scope services must take to prepare for these deadlines. For more information on the OSA and its phased implementation, refer to our previous blog post here. Continue Reading The UK’s Online Safety Regime Is Coming into Force: Steps to Take Now
New EU Cyber Resilience Requirements for Financial Sector Enter into Force
As of January 17, 2025, financial entities and their critical information and communication technology (ICT) service providers need to comply with the new cybersecurity requirements in the Digital Operational Resilience Act (DORA). DORA introduces significant operational and ICT security requirements for a wide range of financial market participants, including banks, insurers, trading platforms, as well as for their ICT service providers.Continue Reading New EU Cyber Resilience Requirements for Financial Sector Enter into Force
HHS-OCR Announces Proposed Modifications to the HIPAA Security Rule
Overview
The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) has announced proposed modifications to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the Proposed Rule). The Proposed Rule was published in the Federal Register for comment on January 6, 2025. It aims to strengthen the security and privacy of electronic protected health information (ePHI) in response to the evolving threat landscape and emerging technological challenges. If finalized as proposed, the Proposed Rule will have significant implications for healthcare organizations, their business associates, and other entities subject to HIPAA compliance requirements (the “regulated entities”). This alert represents the first in a multipart series outlining the most pertinent of the proposed rules and the potential implications for regulated entities.Continue Reading HHS-OCR Announces Proposed Modifications to the HIPAA Security Rule