The EU Data Act, which entered into full effect on 12 September 2025, is one of the cornerstones of the EU’s digital strategy, yet it places considerable compliance challenges for companies falling within its scope.  Francesco Liberatore, Gorka Navea and Bartolomé Martín provide an overview of the act, its key practical compliance challenges and outline how its key provisions interact with other EU instruments, such as the GDPR, the Trade Secrets Directive, the DME and other complementary frameworks.

Access the alert here: EU Data Act in Full Effect | Publications | Insights & Events | Squire Patton Boggs.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Germany Implements NIS2: Registration portal will open on January 6, 2026

2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

2025 Mass Arbitration Year in Review

Extra Large PII-zza: Courts Allows California Privacy Class Action to Proceed for Use of AI Phone Call Assistant

California Federal Court Urges California Legislature to Clean Up “Total Mess” of State Wiretap Act, Dismisses Claim for Website Tracking

Federal Court Dismisses “Trap and Trace” Lawsuit for Plaintiff’s Lack of Injury

Federal Court Holds That Button-Click Data From Public Website Can Disclose Patient Status in Violation of the ECPA

Second Circuit Undercuts Plaintiffs’ Threats of Mass Arbitration Fees, Often Used In Asserting Privacy Claims

Attention Privacy World Readers!  Do you need CLE? We have some options for you!

Stay Ahead on Consumer Privacy News

Not a subscriber yet? Subscribe here to be among the first to receive timely updates on the fast-moving world of data privacy, security, and innovation—delivered straight to your inbox.

Looking for deeper insights and expert analysis? You can also subscribe here to our privacy attorneys’ marketing communications for thought leadership and rich content when you need a more comprehensive perspective.

With the official enactment of the NIS-2 Implementation Act, Germany has taken a major step toward modernizing its cybersecurity framework. Starting from 6 December 2025, stricter requirements will apply to both federal administration and thousands of private companies. This law revises the BSI Act (BSIG) and introduces comprehensive obligations for IT security and risk management. The NIS2 Directive  is the EU’s updated cybersecurity framework. It requires organizations to implement risk management measures, ensure incident reporting within an initial 24-hour timeline, strengthens supply chain security while introducing management accountability, including personal liability for non-compliance.

Continue Reading Germany Implements NIS2: Registration portal will open on January 6, 2026

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

Mass arbitrations—where a plaintiffs’ firm brings dozens, hundreds, or thousands of identical claims against a business—is a mechanism increasingly relied upon by the plaintiffs’ bar in the past few years.  This is because mass arbitrations enable a plaintiffs’ firm to create settlement pressure by leveraging unavoidable arbitration fees borne by a business regardless of the merits of the claims filed.  Further powered by litigation funding, plaintiffs’ firms have used the mass arbitration device to bring vexatious claims and escape review of the merits or any downside risk.

Continue Reading 2025 Mass Arbitration Year in Review

A Domino’s customer may proceed in her putative class action for violations of the California Invasion of Privacy Act (CIPA) against ConverseNow for its provision of an AI virtual assistant that processes restaurant telephone orders. In Taylor v. ConverseNow Technologies, Inc., Case No. 25-cv-00990-SI, 2025 WL 2308483 (N.D. Cal. Aug. 11, 2025), the Court held that a communication software provider that could potentially improve its software with collection of communications was plausibly violating CIPA even though it had an agreement with the business receiving the communications. This ruling serves a cautionary note to both software companies and – because of potential aiding and abetting liability – companies that use those technologies.

Continue Reading Extra Large PII-zza: Courts Allows California Privacy Class Action to Proceed for Use of AI Phone Call Assistant

This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.

Continue Reading California Federal Court Urges California Legislature to Clean Up “Total Mess” of State Wiretap Act, Dismisses Claim for Website Tracking

Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA)’s prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In a recent ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.

Continue Reading Federal Court Dismisses “Trap and Trace” Lawsuit for Plaintiff’s Lack of Injury

In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025).  However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On the balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.

Continue Reading Federal Court Holds That Button-Click Data From Public Website Can Disclose Patient Status in Violation of the ECPA

Earlier this fall, the United States Court of Appeals for the Second Circuit undermined a strategy often used by the plaintiff’s bar in privacy claims: the threat of mass arbitration fees.  In a decision reversing the district court, the Second Circuit held that the petitioners cannot use the Federal Arbitration Act (FAA) to compel arbitration on the basis that a business failed to pay arbitration fees.  This decision adds to a growing body of precedent that courts cannot compel a business to pay arbitration fees, which as discussed previously here on Privacy World, can total in the thousands or millions of dollars in the event of mass arbitration.

Continue Reading Second Circuit Undercuts Plaintiffs’ Threats of Mass Arbitration Fees, Often Used In Asserting Privacy Claims