Privacy & Information Security Law Blog

On September 4, 2025, the Court of Justice of the European Union issued a significant decision in the case EDPS v SRB C-413/23 P regarding pseudonymized data, holding that whether pseudonymized data constitutes personal data is a fact-specific determination.

On September 2, 2025, two class actions were filed in federal district court alleging that defendants digital advertising platforms Xandr, Inc. and Index Exchange, Inc. violated the Electronic Communications Privacy Act by unlawfully intercepting wire communications for the purpose of violating the Department of Justice’s Bulk Data Transfer Rule.

The U.S. Federal Trade Commission plans to study the impact of AI-powered chatbots on children’s mental health. 

The FTC recently announced that it had sent letters to more than a dozen technology companies reminding them of their obligation to protect American consumer data despite pressure from foreign governments to weaken data privacy and security protections.

A bill making its way through the California legislature (S.B. 361) would amend the California Delete Act to require data brokers to provide significantly more information in their registration applications with the California Privacy Protection Agency.

On September 3, 2025, the EU’s General Court issued its judgment in the Latombe v. Commission case. The applicant, a member of the French National Assembly, sought the annulment of the adequacy decision adopted by the European Commission with respect to the EU-U.S. Data Privacy Framework.

The Colorado Department of Law recently issued a Notice of Proposed Rulemaking with proposed draft amendments to the Colorado Privacy Act rules.

A recent decision by the U.S. Couple of Appeals for the Sixth Circuit granting the IRS access to certain EU personal data has created potential legal compliance implications for multinational organizations subject to the EU GDPR.

On August 27, 2025, the Federal Trade Commission announced that fees for telemarketers to access phone numbers listed on the National Do Not Call Registry will increase effective October 1, 2025.

On August 28, 2025, the UK Information Commissioner’s Office initiated a public consultation on draft guidance on Distributed Ledger Technologies, focusing on blockchain.