Data Privacy

On September 25, the California Privacy Protection Agency (CPPA) Board advanced OAL-approved updates to the California Consumer Privacy Act (CCPA), the process of which we covered in detail here and here, that include long-awaited regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT). The CPPA Board also approved a $1.35 Million settlement

September 17, 2025, at 1:00 pm ET   

Join Julia Jacobson, Partner (New York), and Kyle Dull, Senior Associate (New York), for “Survey of U.S. Data Privacy Laws,” a Strafford Live CLE Webinar.

For more information: https://www.sp-04.com/r/products/tllspdzsna 

(We have a limited number of complimentary passes. Please contact julia.jacobson@squirepb.com by September

Inside AI Policy reports that a survey of U.S. office workers indicates that, across industries, approximately half of survey respondents said that they do or would use AI contrary to company policy to make their job easier, including 42% of security sector workers. The study, published on August 20, 2025 by CalypsoAI, found that while 87% of respondents indicated that their employers had AI governance policies, 52% are not prepared to follow restrictions, and 28% admitted to submitting sensitive or proprietary data or documents so AI could complete a task; 29% used AI to generate something sent without, or with minimal, review; and 25% used AI without knowing if the use case was permissible. The results for highly regulated industries are not better, and in some cases worse. For instance, 60% of employees in financial services and banking indicated that they use AI tools regardless of company policy and 36% “don’t feel guilty about it.”
Continue Reading Rogue AI Usage and High-risk Data Processing Runs Rampant

On October 6, 2025, the “Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons” Rule released by the U.S. Department of Justice (DOJ) (DOJ Rule) will be fully in force. Is your organization ready?

During the first half of 2025, numerous clients reached out to find out if they are in scope for the DOJ Rule. Therefore, we developed, refined and applied a step-by-step process for assessing whether and when the DOJ Rule applies. As we applied this process, we learned that many clients operating only in the U.S. were surprised to learn that the DOJ Rule applies to their operations. U.S. clients operating internationally were less surprised, and many had started compliance efforts and/or were planning steps to modify their business operations to minimize or eliminate prohibited transactions. Clearly, businesses operating in both “countries of concern” and in the U.S. face the biggest compliance uplift and have been the most active.
Continue Reading Countdown to October 6th: Fewer than 60 days until the DOJ’s Bulk Sensitive Data and Government Related Data Rule is fully in force

The Privacy Act 1988 (Cth) (Act) is one of the longest-standing pieces of national data protection legislation in the world, but – despite its name – it has been more concerned with regulating use of individuals’ personal data than granting them an actionable, stand-alone right to privacy.

However, as of June 2025, this has changed.

Announcing the July 31, 2025, effectiveness of Minnesota’s strict consumer privacy law (CPL), the Act’s author said in a press release that he will be personally making requests to a “long list of ‘data brokers’ … [to] provide a timely ‘test case’ that we can use to measure compliance….” Until January 31, 2026, businesses will have 30 days to cure violations.
Continue Reading Minnesota’s Comprehensive Privacy Law Takes Effect – and Enforcement Efforts Begin Immediately

On July 23, 2025, the Trump Administration released Winning the Race: America’s AI Action Plan, signaling a decisive departure from the AI governance strategy set forth by the Biden Administration’s Executive Order 14110 (November 2023). While the previous framework focused on risk mitigation, civil rights, and regulatory oversight—particularly of advanced AI systems—the new plan

In late June, Governor Abbott signed into law SB 2121 and SB 1343, two bills that amend the existing Texas Data Broker Act. The amendments broaden the definition of “data broker” and alter the applicability thresholds (SB 2121), and provide enhanced notice and registration statement requirements regarding how consumers can exercise their privacy rights (SB 1343). As we discuss below, companies that previously assessed and decided that Texas’ data broker law may not apply to them should likely review and re-evaluate this decision in view of these amendments, which become effective September 1, 2025.
Continue Reading Texas Legislature Amends Data Broker Law to Broaden Definition, Arguably Narrow Applicability Thresholds

As companies begin to move beyond large language model (LLM)-powered assistants into fully autonomous agents—AI systems that can plan, take actions, and adapt without human-in-the-loop—legal and privacy teams must be aware of the use cases and the risks that come with them.

What is Agentic AI?
Agentic AI refers to AI systems—often built using LLMs but not limited to them—that can take independent, goal-directed actions across digital environments. These systems can plan tasks, make decisions, adapt based on results, and interact with software tools or systems with little or no human intervention.

Agentic AI often blends LLMs with other components like memory, retrieval, application programming interfaces (APIs), and reasoning modules to operate semi-autonomously. It goes beyond chat interfaces and can initiate real actions—inside business applications, internal databases, or even external platforms.

For example:

  • An agent that processes inbound email, classifies the request, files a ticket, and schedules a response—all autonomously.
  • A healthcare agent that transcribes provider dictations, updates the electronic health record, and drafts follow-up communications.
  • A research agent that searches internal knowledge bases, summarizes results, and proposes next steps in a regulatory analysis.

These systems aren’t just helping users write emails or summarize docs. In some cases, they’re initiating workflows, modifying records, making decisions, and interacting directly with enterprise systems, third-party APIs, and internal data environments. Here are a handful of issues that legal and privacy teams should be tracking now.
Continue Reading What is Agentic AI? A Primer for Legal and Privacy Teams