Category Archives: Data Privacy

Reset or rollback: Unpacking the EU’s Digital Omnibus Package

by Gareth Kristensen, Prudence Buckland, Jan-Frederik Keustermans, and Hakki Can Yildiz

Left to right: Gareth Kristensen, Prudence Buckland, Jan-Frederik Keustermans, and Hakki Can Yildiz (photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

Background

On 19 November 2025, the European Commission presented its much-anticipated Digital “Omnibus” package[1] intended to ease the administrative and compliance burden facing European businesses. Executive Vice-President of the Commission Henna Virkkunen stated that “[f]rom factories to start-ups, the digital package is the EU’s answer to calls to reduce burdens on our businesses.”[2] 

AI’s Biggest Enterprise Challenge in 2026: Contractual Use Limitations on Data

by Charu A. Chandrasekhar, Avi Gesser, and Adam Shankman

Left to right: Charu A. Chandrasekhar, Avi Gesser, and Adam Shankman (photos courtesy of Debevoise & Plimpton LLP)

We recognize it’s a little early to make the call for the biggest AI challenge for 2026, but we’re pretty confident that NDAs and other contractual use limitations are about to become a significant problem for enterprise AI adoption.

White House’s AI Action Plan: Winning the Race in a Patchwork Regulatory Era

by Joshua Ashley Klayman, Ieuan Jolly, Jeffrey Cohen, and Caitlin Potratz Metcalf

Left to right: Joshua Ashley Klayman, Ieuan Jolly, Jeffrey Cohen, and Caitlin Potratz Metcalf (photos courtesy of Linklaters)

On July 23, 2025, the White House published Winning the AI Race: America’s AI Action Plan (the AI Action Plan), a comprehensive effort aimed at solidifying United States leadership in artificial intelligence. The AI Action Plan acknowledges the U.S.’s uniquely complex—and, at times, conflicting—regulatory landscape, including the patchwork of state-level laws that impact innovation, compliance, and policy predictability. The Action Plan calls for national leadership and seeks a unified, pro-innovation regulatory approach, with an understanding that states will continue to develop their own laws. Businesses should prepare for both the opportunities and the compliance challenges that will arise as the Action Plan is implemented.

CPPA Adopts Long Awaited Rulemaking Package

by Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen

Left to right: Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen (photos courtesy of Debevoise & Plimpton LLP)

The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other adjustments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025 respectively. Ultimately, after its initial 45-day comment period and additional revisions, the Board decided to finalize the text of the rulemaking package (the “Regulations”).

Maturing Compliance with the Bulk Sensitive Data Rule before the July 8, 2025 Safe Harbor Expires

by Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu

Top left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu (photos courtesy of Debevoise & Plimpton LLP)

All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202) and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the Department of Justice now refers to as the Data Security Program (the “DSP”), creates a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security. On April 11, 2025, shortly after the first effective date of the DSP, the National Security Division (“NSD”) of DOJ issued a suite of three policy and guidance documents to facilitate compliance with the DSP, including a 90-day civil enforcement safe harbor for good-faith compliance. As previously discussed, the DSP seeks to address the bipartisan concern that sensitive datasets could be exploited by foreign adversaries for espionage, cyberattacks, malign influence, and coercion, which would undermine the United States’ national security interests.

CPPA Fines Honda $632,500 for CCPA Violations

by Jenna N. Rode

Photo courtesy of the author

On March 12, 2025, the California Privacy Protection Agency (“CPPA”) announced that it reached a settlement with American Honda Motor Co. (“Honda”) in which Honda will pay a $632,500 fine to resolve claims that the company violated the CCPA. The enforcement action comes as part of the CPPA’s ongoing investigation into connected vehicle manufacturers, which began in 2023.

Explaining Credit Scores – The ECJ Rules on Automated Credit Assessments

by Katja Langenbucher and Kevin Bauer

Left to right: Katja Langenbucher and Kevin Bauer (photos courtesy of authors)

A little over a year ago, the SCHUFA tightened the requirements for credit scoring under the EU GDPR. On February 27, the Court handed down further instructions on providing scored consumers with “meaningful information about the logic involved” as required by Art. 15(1)(h) of the GDPR.

Children’s Online Privacy: Recent Actions by the States and the FTC

by Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel

Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel (Photos courtesy of Mayer Brown)

As the digital world becomes an integral part of children’s lives, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This article explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act.

As social media companies and digital services providers increasingly cater to younger audiences, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This Legal Update explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act (“COPPA”).

FTC’s Consent Order Against Marriott: Expectations for Reasonable Security

by Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom, Mengyi Xu, Achutha Raman, and Michelle Shen

Top left to right: Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom.
Bottom left to right: Mengyi Xu, Achuta Raman and Michelle Shen. (Photos courtesy of the authors.)

Introduction

On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and affecting more than 344 million customers worldwide. With obligations extending 20 years, the Consent Order requires Marriott to, among other remedial steps, implement a comprehensive information security program (“ISP”) with prescribed security measures, the effectiveness of which will be subject to a third-party independent biennial assessment. Key elements of the required ISP include multi-factor authentication (“MFA”), encryption, asset inventory, written documentation, and vulnerability and patch management. The final Consent Order is materially identical to the proposal announced on October 9, 2024.

New York Data Breach Notification Law Updated

by Jenna Rode and Emilie Galper

Jenna Rode and Emilie Galper (Photos courtesy of Hunton Andrews Kurth LLP)

New York Governor Kathy Hochul recently signed into law several bills (S2659B and S2376B) modifying the state’s data breach notification law. The amendments revise the timing requirements for notice to affected individuals, expand the list of regulators to be notified, and add new data elements to New York’s definition of “private information.”
