Privacy & Information Security Law Blog

On May 21, 2025, the European Commission published a proposal for a new regulation simplifying certain regulatory requirements for small mid-caps, which will be companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in balance sheet.

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules.

On May 8, 2025, the European Data Protection Board and the European Data Protection Supervisor adopted a joint letter addressed to the European Commission regarding the upcoming proposal to simplify record-keeping obligations under the EU General Data Protection Regulation.

As the UK Data (Use and Access) Bill reaches its final stages, the House of Commons and the House of Lords are still debating several key issues. This blog provides a summary of the outstanding issues.

On May 9, 2025, the California Privacy Protection Agency opened a formal public comment period for modifications to the text of proposed California Consumer Privacy Act regulations addressing cybersecurity audits, risk assessments, automated decisionmaking technology, insurance companies, and updates to existing CCPA regulations. The comment period will remain open until June 2, 2025.

On May 7, 2025, the Colorado legislature passed a bill that would amend the Colorado Privacy Act’s provisions regarding the processing of precise geolocation data if signed into law by Colorado Governor Jared Polis.

On April 29, 2025, the Michigan Attorney General filed a lawsuit against Roku alleging violations of the Children’s Online Privacy Protection Act.

The Centre for Information Policy Leadership at Hunton is pleased to launch “CIPL In Focus”—a knowledge-sharing roundtable for in-depth discussions with senior-level professionals.

On March 5, 2025, the European Data Protection Board published Opinion 06/2025 on the extension of the European Commission Implementing Decisions under the GDPR and the Law Enforcement Directive on the adequate protection of personal data in the United Kingdom.

Since the beginning of 2025, the Cyberspace Administration Authority has continued to strengthen the protection of minors on the Internet.

On May 6, 2025, the California Privacy Protection Agency announced that it had issued an order requiring clothing retailer Todd Snyder, Inc. to change its business practices and pay a $345,178 fine to resolve alleged violations of the California Consumer Privacy Act.

In April 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement settlement with Comprehensive Neurology, PC, a New York-based neurology practice, in connection with a ransomware incident that compromised the electronic protected health information of approximately 6,800 individuals.

On May 2, 2025, Virginia Governor Glenn Youngkin signed into law a bill that amends the Virginia Consumer Data Protection Act to impose significant restrictions on minors’ use of social media.

The National Computer Virus Emergency Response Center of China recently discovered 13 mobile apps in breach of cross-border transfer requirements.

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a health care network following a phishing attack that exposed patients’ electronic protected health information, which resulted in a $600,000 monetary settlement and two-year corrective action plan.

The California Privacy Protection Agency and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators, which includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

On April 29, 2025, the UK Information Commissioner’s Office and the California Privacy Protection Agency signed a declaration of cooperation regarding international privacy and data protection coordination, formalizing their existing collaboration.

In April 2025, the Montana legislature passed a bill amending the Montana Consumer Data Privacy Act, to enhance protections for minors, add transparency requirements, clarify individual rights provisions, expand the law’s applicability, revise the law’s exemptions, and remove the law’s guaranteed right to cure alleged violations.

FTC Commissioners recently indicated their enforcement priorities under the Trump Administration, including enforcement of existing federal privacy laws and fostering AI innovation.