On November 19, 2025, the EU Commission (Commission) published a set of legislative proposals to introduce more flexibility into a number of EU digital regulations, including:
On November 6, 2025, the California, Connecticut, and New York Attorneys General (collectively, the “Attorneys General”) announced a settlement with Illuminate Education, Inc. to resolve allegations that the company violated state privacy laws following a student data breach. The settlement marks the first enforcement actions under the California K-12 Pupil Online Personal Information Protection Act (KOPIPA, formerly known as SOPIPA) and Connecticut’s Student Data Privacy Law, and also constitutes the second major enforcement action under New York Education Law § 2-d.Continue Reading EdTech Provider Agrees to $5.1 Million Settlement with Three State Attorneys General over Student Data Breach
On July 24, 2025, the California Privacy Protection Agency (CPPA) Board voted to approve a long-awaited rulemaking package imposing substantial new compliance obligations on businesses subject to the California Consumer Privacy Act (CCPA). The package contains finalized rules on AI-related, automated decision-making technologies (ADMT), cybersecurity audits, and risk assessments, as well as updates to existing CCPA regulations. These regulations will impact a broad swath of businesses handling personal information of California residents.
The CPPA Board’s approval of the new regulations is the culmination of a year-long process that began when the agency first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024 (analyzed in prior Wilson Sonsini client alerts). In April and May 2025, the Board grappled with public concerns from hundreds of public comments on the draft regulations, analyses of which can be found in these recent client alerts.
In addition, the CPPA Board approved modifications to the proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) mandated by the Delete Act (discussed in a prior post). These modifications will be subject to a new 15-day public comment period once the agency publishes official notice of the changes.Continue Reading CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations
Nebraska and Vermont are the latest U.S. states to join the growing landscape of children’s online safety laws that have swelled in state chambers in recent years. On May 30, 2025, Nebraska Governor Jim Pillen signed the Age-Appropriate Online Design Code Act (the Nebraska AADC). On June 12, 2025, Vermont Governor Phil Scott signed the Vermont Age-Appropriate Design Code Act (the Vermont AADC). In doing so, Nebraska and Vermont join California and Maryland, which in 2022 and 2024, respectively, enacted age-appropriate design code laws of their own. Notably, the ongoing legal challenges1 to the California and Maryland AADCs do not appear to have dissuaded state legislators from enacting AADC-style and other children’s online safety laws. The Nebraska AADC takes effect January 1, 2026 (though the state Attorney General (AG) must wait until July 1, 2026, to seek civil penalties). The Vermont AADC takes effect January 1, 2027.Continue Reading Nebraska and Vermont Pass Age-Appropriate Design Codes
On May 1, 2025, the California Privacy Protection Agency (CPPA) Board met again to discuss updates to the latest draft California Consumer Privacy Act (CCPA) regulations related to automated decision-making technology (ADMT), cybersecurity audits, risk assessments, and an assortment of other updates to existing regulations. These latest updates come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. In April 2025, the Board continued to grapple with public concerns and received hundreds of public comments on the prior draft regulations, an analysis of which can be found in this recent client alert. At the CPPA meeting last week, CPPA staff proposed significant changes to the prior draft, on which the Board provided more feedback and agreed to open the regulations for public comment as soon as this week and closing June 2, 2025.Continue Reading CPPA Board Opens Draft Regulations for Public Comment
On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.Continue Reading CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations
On March 27, 2025, the Information Commissioner’s Office (ICO) announced a fine of 3 million GBP (3.9 million USD) against a software provider (the company) for security deficiencies following a ransomware incident (e.g., lack of multi-factor authentication (MFA)). This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). This post provides an overview of the decision and outlines the key points companies should consider, including the security measures the ICO expects them to implement.Continue Reading UK Regulator Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack