FTC finalizes changes to COPPA Rule, expands online protections for children
On January 16, 2025, the Federal Trade Commission (FTC) announced that it had finalized changes to the Children’s Online Privacy Protection Act (COPPA) Rule to strengthen key protections for children’s online privacy and impose new requirements around the collection, use, and disclosure of children’s personal information. What led to this update? In 1998, Congress enacted […]
Hoyoverse, developer of Genshin Impact, to pay $20 million to settle FTC complaint
On January 17, the Federal Trade Commission (FTC) announced a proposed settlement with Cognosphere Pte. Ltd and its subsidiary Cognosphere, LLC, doing business as Hoyoverse, developer of gacha video games such as Genshin Impact and Zenless Zone Zero, over allegations that Hoyoverse’s loot boxes and children’s data collection practices violated various federal laws. What is […]
Texas sues Allstate, continuing Lone Star’s focus on vehicle data regulation
Update: On Jan. 29, 2025, it was reported that on Jan. 12, 2025, Texas sent Kia America, Inc., a notice of their alleged violations of the Texas Data Privacy and Security Act. Kia has 30 days to cure the alleged violations. Everything is bigger in Texas, including data privacy enforcement. On January 13, 2025, Texas […]
HHS releases proposed rule to modify HIPAA Security Rule requirements
On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), announced a proposed rule that would modify the security requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The proposed rule, if adopted, would modify the HIPAA Security Rule […]
2024 U.S. regulatory enforcement priorities for data & AI
In late 2023 and early 2024, federal and state regulators signaled their enforcement priorities regarding the use of data and AI. These enforcement priorities range from sweeping investigations into entire labor sectors to targeting specific uses of technology. FEDERAL FTC. The FTC continues bringing actions against companies over their improper use of AI, increasing the […]
California Delete Act allows consumers to easily delete data from all data brokers in California
On October 10, 2023, California Governor Gavin Newsom announced that he had signed into law Senate Bill 362, which is otherwise known as the Delete Act.[1] The full text of the Delete Act can be found here. The Delete Act is a landmark law seeking to provide consumers with a one-stop-shop mechanism for deleting the […]
An overview of biometrics laws in the U.S.
[Updated: September 27, 2023] In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and […]
CCPA + CPRA Timeline of Key Events
[Updated: August 30, 2023] As the first comprehensive state privacy law to provide broad consumer rights over personal information, the California Consumer Privacy Act of 2018 (“CCPA”) is a groundbreaking privacy law in the United States, and it paved the way for subsequent state comprehensive privacy laws. However, the road to progress is rarely smooth, […]
An overview of the twenty (and counting!) US state comprehensive privacy laws
[Updated: Dec. 19, 2025] Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws. While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because […]
Meta fined US $1.3 billion for data transfer violations
The decade-long case on Meta’s transfer of EU personal data to the United States ended on May 22, 2023, with a € 1.2 billion (US $1.3 billion) GDPR fine against Meta.[1] In addition, the Irish Data Protection Commission (DPC) exercised the following corrective powers against Meta: An order, pursuant to Article 58(2)(j) of the GDPR, […]