Data Privacy

On December 23, 2025, a federal judge enjoined enforcement of Texas’ App Store Accountability Act (SB 2420) by Texas Attorney General, Ken Paxton. The law, which was slated to go into effect on January 1, 2026, would have imposed onerous age assurance and parental consent obligations on app stores and app developers, which our expert

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

On November 13, 2025, the Government of India formally brought into effect the much-awaited Digital Personal Data Protection Rules, 2025 (Rules). The Rules enforce the Digital Personal Data Protection Act, 2023 (DPDP Act) and provide practical guidance on how to comply with certain provisions of the DPDP Act. Together, they implement binding legislation that regulates the management of digital personal data[1] in and from India.Continue Reading India Passes the Digital Personal Data Protection Rules, Ushering in a New Digital Age in India 

On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement with

September 17, 2025, at 1:00 pm ET   

Join Julia Jacobson, Partner (New York), and Kyle Dull, Senior Associate (New York), for “Survey of U.S. Data Privacy Laws,” a Strafford Live CLE Webinar.

For more information: https://www.sp-04.com/r/products/tllspdzsna 

(We have a limited number of complimentary passes. Please contact julia.jacobson@squirepb.com by September

Inside AI Policy reports that a survey of U.S. office workers indicates that across industries approximately half of survey respondents said that they do or would use AI contrary to company policy to make their job easier, including 42% of security sector workers.  The study published on August 20, 2025 by CalypsoAI, found that while 87% of respondents indicated that their employers had AI governance policies 52% are not prepared to follow restrictions, and 28% admitted to submitting sensitive or proprietary  data or documents so AI could complete a task; 29% used AI to generate something sent without, or with minimal, review; and 25% used AI without knowing if the use case was permissible.  The results for highly regulated industries are not better, and in some cases worse.  For instance, 60% of employees in financial services and banking indicated that they use AI tools regardless of company policy and 36% “don’t feel guilty about it.”Continue Reading Rogue AI Usage and High-risk Data Processing Runs Rampant

On October 6, 2025, the “Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries or Concern or Covered Persons” Rule released by the U.S. Department of Justice (DOJ) (DOJ Rule) will be fully in force. Is your organization ready?

During the first half of 2025, numerous clients reached out to find out if they are in scope for the DOJ Rule. Therefore, we developed, refined and applied a step-by-step process for assessing whether and when the DOJ Rule applies. As we applied this process, we learned that many clients operating only in the U.S. were surprised to learn that the DOJ Rule applies to their operations. U.S. clients operating internationally were less surprised, and many had started compliance efforts and/or were planning steps to modify their business operations to minimize or eliminate prohibited transactions.  Clearly, businesses operating in both “countries of concern” and in the U.S. face the biggest compliance uplift and have been the most active.Continue Reading Countdown to October 6th: Fewer than 60 days until the DOJ’s Bulk Sensitive Data and Government Related Data Rule is fully in force

The Privacy Act 1988 (Cth) (Act) is one of the longest-standing pieces of national data protection legislation in the world, but – despite its name – it has been more concerned with regulating use of individuals’ personal data than granting them an actionable, stand-alone right to privacy.

However, as of June 2025, this has changed.