Privacy & Information Security Law Blog

On April 23, 2025, the Department of Health and Human Services’ Office for Civil Rights announced a HIPAA enforcement action against a health care network following a phishing attack that exposed patients’ electronic protected health information, which resulted in a $600,000 monetary settlement and two-year corrective action plan.

The California Privacy Protection Agency and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators, which includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon.

On April 29, 2025, the UK Information Commissioner’s Office and the California Privacy Protection Agency signed a declaration of cooperation regarding international privacy and data protection coordination, formalizing their existing collaboration.

In April 2025, the Montana legislature passed a bill amending the Montana Consumer Data Privacy Act, to enhance protections for minors, add transparency requirements, clarify individual rights provisions, expand the law’s applicability, revise the law’s exemptions, and remove the law’s guaranteed right to cure alleged violations.

FTC Commissioners recently indicated their enforcement priorities under the Trump Administration, including enforcement of existing federal privacy laws and fostering AI innovation.

On April 29, 2025, the CNIL published its Annual Activity Report for 2024. The Report provides an overview of the CNIL’s activities in 2024, including enforcement activities and other new developments.

In April 2025, the National Institute of Standards and Technology announced the release of a draft update to its voluntary Privacy Framework, “NIST Privacy Framework 1.1 Initial Public Draft.”

On April 25, 2025, the California Privacy Protection Agency opened the formal public comment period on proposed regulations for the Delete Request and Opt-Out Platform.

Democratic State Senator Anna M. Caballero introduced Senate Bill 690 (S.B. 690), which aims to curb “abusive lawsuits” under the California Invasion of Privacy Act based on the use of cookies and other online technologies, on February 24, 2025, and the Bill is now scheduled to be heard by the Senate Public Safety Committee on April 29, 2025.

On April 22, 2025, the Federal Trade Commission published in the Federal Register final amendments to the Children’s Online Privacy Protection Act Rule, which will go into effect 60 days from publication, on or about June 21, 2025, with a compliance deadline of April 22, 2026.