On June 16, 2025, the Council of the EU (Council) and the European Parliament (EP) reached an agreement on a new regulation (the Draft Regulation) to enhance enforcement of the General Data Protection Regulation (GDPR). The Draft Regulation aims to improve cooperation between national data protection authorities (DPAs) to speed up their handling of cross-border GDPR complaints and related investigations.Continue Reading EU Reaches a Deal on Rules for Swifter Cross-Border GDPR Enforcement

On June 4, 2025, the U.S. Department of Health and Human Services (HHS) announced the appointment of Paula M. Stannard as the Director of the Office for Civil Rights (OCR). As Director, Stannard will lead the enforcement of the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as federal civil rights laws.Continue Reading HHS Announces New Director of Office for Civil Rights: What to Watch from the New Health Privacy Leader

On May 13, 2025, the European Commission (EC) published draft guidelines on the protection of minors online. The guidelines outline the proposed measures that the EC expects online platforms accessible to minors to take to protect minors’ privacy, safety, and security in line with requirements under the Digital Services Act (DSA).Continue Reading EU Commission Launches DSA Consultation on the Protection of Minors Online

On April 28, 2025, Congress passed the “TAKE IT DOWN Act.” In addition to criminalizing intentional publication of non-consensual intimate imagery, including computer-generated intimate imagery (collectively, NCII), the bill requires “covered platforms” to develop a process for removing NCII within 48 hours of a valid report. Covered platforms are those that primarily provide a public forum for user-generated content. The term does not include ISPs, email providers, online services that consist primarily of non-user-generated content, or services for which chat, comment, or interactive functionality is directly related to the provision of non-user-generated content. The bill now awaits President Trump’s signature and is expected to be signed in light of receiving bipartisan support and an endorsement from the First Lady.

A summary of the bill’s key provisions are highlighted below.Continue Reading The “TAKE IT DOWN Act” Goes Up to President Trump’s Desk for Signature

Key Changes to Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On May 1, 2025, the California Privacy Protection Agency (CPPA) Board met again to discuss updates to the latest draft California Consumer Privacy Act (CCPA) regulations related to automated decision-making technology (ADMT), cybersecurity audits, risk assessments, and an assortment of other updates to existing regulations. These latest updates come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. In April 2025, the Board continued to grapple with public concerns and received hundreds of public comments on the prior draft regulations, an analysis of which can be found in this recent client alert. At the CPPA meeting last week, CPPA staff proposed significant changes to the prior draft, on which the Board provided more feedback and agreed to open the regulations for public comment as soon as this week and closing June 2, 2025.Continue Reading CPPA Board Opens Draft Regulations for Public Comment

On April 22, 2025, the EU Commission’s AI Office published draft guidelines to clarify the obligations in the EU AI Act for providers of general-purpose AI models (guidelines). These obligations will be applicable to AI

Continue Reading EU AI Office Clarifies Key Obligations for AI Models Becoming Applicable in August

On April 21, 2025, the Federal Trade Commission (FTC) announced that it had filed a complaint against Uber Technologies, Inc. and Uber USA LLC (collectively, Uber), a rideshare and delivery company. Among other things, the FTC alleges in its complaint that Uber violated Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA) by charging consumers for its Uber One subscription service without their consent and making it difficult for users to cancel the service despite its “cancel anytime” promises.Continue Reading FTC Files Consumer Protection Complaint Against Uber for Deceptive Billing and Cancellation Practices