In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.
Italy’s Law No. 132/2025 on Artificial Intelligence
On September 23, 2025, Italy adopted Law no. 132/2025 on Artificial Intelligence (AI). The law will enter into force on 10 October 2025 and aims, inter alia, to complement the Regulation EU 2024/1689 (EU AI Act).
Software Bill of Materials Guidance for Government Contractors
In June 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued draft updated guidance for public comment on the Minimum Elements for a Software Bill of Materials (SBOM), which the National Telecommunications and Information Administration (NTIA) first published in 2021 for federal agencies in response to Executive Order 14028 on Improving the Nation’s Cybersecurity.
Privacy by Design, Profit by Strategy: Thoughts from Dayton’s Startup Week
Last month, I had the opportunity to speak to entrepreneurs at Launch Dayton’s Startup Week regarding the positive effects that strong privacy and data governance practices have on business.
As regulations increase and complexity rises, many businesses remain hesitant to view privacy and security obligations as anything other than impediments to innovation. In practice, embedding
Using Patient Photos in Marketing? OCR Settlement Highlights HIPAA Compliance Requirements
Businesses across many industries naturally want to showcase their satisfied customers. Whether it’s a university featuring successful graduates, a retailer highlighting happy shoppers, or a healthcare facility showcasing thriving patients, these real-world testimonials can be powerful marketing tools. However, when it comes to healthcare providers subject to HIPAA, using patient images and information for promotional
FDA Requests Public Comment on Real-World Evaluation of AI-Enabled Medical Devices
On September 30, 2025, the U.S. Food and Drug Administration (FDA) issued a Request for Public Comment seeking input on “practical approaches to measuring and evaluating the performance of AI-enabled medical devices in the real-world,” including strategies for detecting, assessing, and mitigating performance changes over time (the “Request”).
The Request acknowledges the opportunities for AI,
California Privacy Agency Rolls Out New Regulations and Approves $1.35 Million Penalty in Latest CCPA Enforcement Action
On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement with
California Enacts Major AI Safety Legislation for Frontier AI Developers
On September 29, 2025, California Governor Gavin Newsom signed into law Senate Bill 53, the Transparency in Frontier AI Act (TFAIA), the first-of-its-kind AI legislation in the U.S. that will require large AI developers to publicly disclose how they plan to mitigate potentially “catastrophic risks” posed by advanced frontier AI models. The law builds
Navigating California’s New and Emerging AI Employment Regulations
The California Civil Rights Council and the California Privacy Protection Agency have recently passed regulations that impose requirements on employers who use “automated-decision systems” or “automated decisionmaking technology,” respectively, in employment decisions or certain HR processes. On the legislative side, the California Legislature passed SB 7, which would impose additional obligations on employers who
Massachusetts and California Legislative Activity: Data Privacy and AI Legislation
Key point: Recent legislative efforts in Massachusetts, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and in California enacting a law to regulate AI development, occurred this week when the Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, and California enacted the nation’s second substantive