On March 21, the Ontario’s Bill 149, Working for Workers Four Act, 2024 (“Bill 149”) received Royal Assent.
AI and Job Postings: Navigating Ontario’s Upcoming Requirements
UK: Data (Use and Access) Bill passes through Parliament
On 11 June 2025, the UK’s Data (Use and Access) Act 2025 (“DUA Act”) was passed and received Royal Assent on 19th June 2025.
The government first announced plans for the new DUA Act in the King’s speech back in July 2024. The DUA Act introduces reforms to data protection and e-privacy laws and also
Proposed State Privacy Law Update: June 16, 2025
Keypoint: Last week, the Vermont Governor signed the Vermont Age-Appropriate Design Code Act into law.
Below is the twenty third weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.
Table of Contents
1.
Operationalizing Privacy Across Teams, Tools, and Tech
HHS Announces New Director of Office for Civil Rights: What to Watch from the New Health Privacy Leader
On June 4, 2025, the U.S. Department of Health and Human Services (HHS) announced the appointment of Paula M. Stannard as the Director of the Office for Civil Rights (OCR). As Director, Stannard will lead the enforcement of the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996
Using Facial Recognition? Regulators Expect Detailed Risk Assessments
Following the Federal Trade Commission’s decision in December 2023 to ban Rite Aid from using AI facial recognition, it has become crystal clear that U.S. regulators expect a risk assessment when a retailer uses facial recognition technology.A new, and detailed, report from the New Zealand privacy commission provides helpful considerations for such Data Protection
Employee Privacy Notice: Why Your Business Can’t Afford to Wing It
DAA Launches AI-Focused Review of Interest-Based Advertising Self-Regulatory Principles
On June 4, 2025, the Digital Advertising Alliance (“DAA”), the self-regulatory body that sets and enforces privacy standards for digital advertising, announced it is launching a process to determine if it is necessary to issue new guidance to address how the DAA’s Self-Regulatory Principles apply to the use of artificial intelligence systems and tools that
White House Issues New Cybersecurity Executive Order
On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration. Specifically, the
CISA Releases AI Data Security Guidance
On May 22, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”), which sits within the Department of Homeland Security (“DHS”) released guidance for AI system operators regarding managing data security risks. The associated press release explains that the guidance provides “best practices for system operators to mitigate cyber risks through the artificial intelligence lifecycle, including