On June 4, 2025, the U.S. Department of Health and Human Services (HHS) announced the appointment of Paula M. Stannard as the Director of the Office for Civil Rights (OCR). As Director, Stannard will lead the enforcement of the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996
Using Facial Recognition? Regulators Expect Detailed Risk Assessments
Following the Federal Trade Commission’s decision in December 2023 to ban Rite Aid from using AI facial recognition, it has become crystal clear that U.S. regulators expect a risk assessment when a retailer uses facial recognition technology.A new, and detailed, report from the New Zealand privacy commission provides helpful considerations for such Data Protection
Employee Privacy Notice: Why Your Business Can’t Afford to Wing It
DAA Launches AI-Focused Review of Interest-Based Advertising Self-Regulatory Principles
On June 4, 2025, the Digital Advertising Alliance (“DAA”), the self-regulatory body that sets and enforces privacy standards for digital advertising, announced it is launching a process to determine if it is necessary to issue new guidance to address how the DAA’s Self-Regulatory Principles apply to the use of artificial intelligence systems and tools that
White House Issues New Cybersecurity Executive Order
On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration. Specifically, the
CISA Releases AI Data Security Guidance
On May 22, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”), which sits within the Department of Homeland Security (“DHS”) released guidance for AI system operators regarding managing data security risks. The associated press release explains that the guidance provides “best practices for system operators to mitigate cyber risks through the artificial intelligence lifecycle, including
Proposed State Privacy Law Update: June 9, 2025
Keypoint: Last week, the Connecticut legislature passed an amendment to the state’s consumer data privacy law and bills advanced in Oregon, California, Texas, Nevada, Louisiana, and New York.
Below is the twenty second weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject
What is Agentic AI? A Primer for Legal and Privacy Teams
As companies begin to move beyond large language model (LLM)-powered assistants into fully autonomous agents—AI systems that can plan, take actions, and adapt without human-in-the-loop—legal and privacy teams must be aware of the use cases and the risks that come with them.
What is Agentic AI?Agentic AI refers to AI systems—often built using LLMs but
Is California cooling to privacy law run amok?
California is a bellwether for privacy laws, which is why we’ve been watching carefully as recent events suggest that business-friendly interests may be gaining a foothold in what has historically been one of the most restrictive states in the country. Since the landmark California Consumer Privacy Act (“CCPA”) went into effect in 2020, interest groups,
FTC’s COPPA Rule changes include AI training consent requirement
The Federal Trade Commission has published a Final Rule relating to changes in the Children’s Online Privacy Protection Act (“COPPA”) regulations, which will go into effect on Monday, June 23, 2025. The final Rule generally provides 365 days from the final Rule’s publication date (April 22, 2025) to come into full compliance. The Final Rule