Privacy & Information Security Law Blog

On September 11, 2025, the Cyberspace Administration of China issued the Administrative Measures for Reporting National Cybersecurity Incidents.

Colorado Governor Jared Polis recently signed Senate Bill 25B-004 into law, which delays the enforcement date of the Colorado Artificial Intelligence Act from February 1, 2026, to June 30, 2026. The bill does not amend the substantive requirements of the Act.

On September 12, 2025, the majority of the provisions of the EU Data Act began to apply across EU Member States. The Data Act was formally adopted in November 2023 and entered into force on January 11, 2024.

The California Privacy Protection Agency Board will hold a board meeting on September 26, 2025, at 9:00 am PT. 

On September 5, 2025, the U.S. President Trump signed into law the Homebuyers Privacy Protection Act, H.R. 2808 which amends the Fair Credit Reporting Act to prohibit the furnishing of “trigger leads” except in limited circumstances.

On September 8, 2025, the U.S. Supreme Court issued an administrative stay temporarily preventing Rebecca Kelly Slaughter’s reinstatement to her former position as FTC Commissioner.

On September 10, 2025, the U.S. Department of Defense published its final rule amending the Defense Federal Acquisition Regulation Supplement to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification program.

The authority of the California Privacy Protection Agency to examine companies’ conduct prior to the enactment of regulations implementing the California Consumer Privacy Act in 2023 recently has been challenged.  Last month, the CPPA announced that it had filed a petition in Sacramento County Superior Court to enforce an investigative subpoena against retailer Tractor Supply Company regarding the company’s privacy practices prior to January 1, 2023. This action marks the first time the Agency has publicly disclosed an ongoing investigation.

Qantas Airways recently announced that the company’s CEO and top executives would forfeit approximately half a million USD in compensation following a cyber incident that compromised the personal information of 5.7 million customers.

On September 4, 2025, the Court of Justice of the European Union issued a significant decision in the case EDPS v SRB C-413/23 P regarding pseudonymized data, holding that whether pseudonymized data constitutes personal data is a fact-specific determination.