Privacy & Information Security Law Blog

The Equal Employment Opportunity Commission recently issued a fact sheet addressing the application of employment discrimination laws to the use of wearable technologies in U.S. workplaces.

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers on the New Jersey Data Privacy Law.

On December 27, 2024, the U.S. Department of Justice issued a comprehensive final rule implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Final Rule will go into effect on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations, which will become effective on October 5, 2025.

On January 7, 2025, the U.S. Food and Drug Administration (“FDA”) issued draft guidance, titled “Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations” (the “Guidance”), that addresses management of cybersecurity risks affecting AI-enabled devices.

On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025.

On December 27, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking (“NPRM”) to update the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The NPRM is intended to strengthen cybersecurity protections for electronic protected health information (“ePHI”) in light of increasing cybersecurity threats to the health care sector.

On December 17, 2024, the European Data Protection Board adopted an opinion on the processing of personal data in the context of AI models. This blog entry provides a summary of the opinion. 

Earlier this month, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing.

In January 2025, comprehensive data privacy laws go into effect in Delaware, Iowa, Nebraska, New Hampshire and New Jersey.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.