Can a data controller reject a data subject’s first data access request on the basis that it is “excessive”? Until recently, many organisations were cautious and adopted an agnostic view about the intentions behind first access requests. However, the EU Court of Justice (“CJEU”) has clarified in a recent decision that although excessive
On April 16, 2026, Governor Kay Ivey signed into law the Alabama Personal Data Protection Act (“APDPA”) after a unanimous vote in favor from both chambers of the Alabama legislature. The APDPA is the 22nd state consumer privacy law overall (counting Florida) and the second one enacted in 2026, following enactment of Oklahoma’s privacy law in March (summarized here).
We highlight key features of the APDPA below. (We also offer a subscription service that offers details and comparisons (by topic) of state consumer privacy laws (“CPLs”).)
Continue Reading The “Heart of Dixie” Embraces Consumer Privacy
The Maryland Online Data Privacy Act (MODPA) is, as of April 1 of this year, now enforceable (subject to a potential cure opportunity until April 1, 2027). MODPA is amongst the strictest state consumer privacy laws (CPLs), and outright bans the sale of sensitive personal data, including precise geolocation data, as well as targeted advertising
The countdown is on—the IAPP Global Privacy Summit is only six days away, and we’re looking forward to seeing so many of you in Washington, DC, for another energizing and insightful week in the privacy community. If you’ll be in town, we’d love to connect.
Continue Reading We Hope to See You at the IAPP Global Privacy Summit!
Privacy compliance has entered a new phase—one defined not only by high-profile enforcement actions but by the growing expectation that organizations implement and maintain mature information governance programs capable of validating true, system-level technical compliance rather than merely projecting the appearance of it. A spate of recent California enforcement actions makes clear that companies must be prepared to validate how privacy control’s function, including across systems, platforms, and data flows, making thoughtful, system-oriented self-assessment an increasingly important tool for aligning policy commitments with operational reality—before regulators do it for them. SPB helps client’s self-access, identify gaps and remediate issues under the cloak of privilege.
Continue Reading CalPrivacy Update: Shifting to Structural Compliance and Auditing
On December 23, 2025, a federal judge enjoined enforcement of Texas’ App Store Accountability Act (SB 2420) by Texas Attorney General, Ken Paxton. The law, which was slated to go into effect on January 1, 2026, would have imposed onerous age assurance and parental consent obligations on app stores and app developers, which our expert panelists analyzed in depth in a webinar last month (and which we detailed in a FAQ).
Continue Reading Federal Judge Enjoins Enforcement of Texas App Store Age Verification Law
The EU Data Act, which entered into full effect on 12 September 2025, is one of the cornerstones of the EU’s digital strategy, yet it places considerable compliance challenges for companies falling within its scope. Francesco Liberatore, Gorka Navea and Bartolomé Martín provide an overview of the act, its key practical compliance challenges and
The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.
Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026
On November 13, 2025, the Government of India formally brought into effect the much-awaited Digital Personal Data Protection Rules, 2025 (Rules). The Rules enforce the Digital Personal Data Protection Act, 2023 (DPDP Act) and provide practical guidance on how to comply with certain provisions of the DPDP Act. Together, they implement binding legislation that regulates the management of digital personal data[1] in and from India.
Continue Reading India Passes the Digital Personal Data Protection Rules, Ushering in a New Digital Age in India
On January 1, 2026, the first of four state app store age verification laws – which are relevant regardless of your target audience – will come into effect. Join us for a webinar discussion on Thursday, November 20 at 1PM ET/10AM PT with Hailun Ying (Head of PrivSec Legal, Roblox), Amy Lawrence (Head of Legal