Privacy & Information Security Law Blog

In May 2025, Nebraska enacted a series of laws aimed to protect children online including the Parental Rights in Social Media Act (LB383) and the Age-Appropriate Online Design Code Act (LB 504).

On May 19, 2025, President Trump signed into law the Take It Down Act, which bans the nonconsensual online publication of sexually explicit images and videos that are both authentic and computer-generated, and includes notice and takedown obligations for covered online platforms.

On May 7, 2025, the European Commission published a Q&A addressing AI literacy obligations under the EU AI Act. The Q&A provides further detail on Article 4 of the EU AI Act, clarifying the measures that entities in scope are required to employ to ensure AI literacy.

On May 21, 2025, the U.S. District Court for the District of Columbia ruled that two Democrat members of the United States Privacy and Civil Liberties Oversight Board were unlawfully terminated by President Trump.

The U.S. Department of Defense is moving towards implementing the Cybersecurity Maturity Model Certification program. When finally launched, the CMMC program will require many companies in the DOD supply chain with Controlled Unclassified Information to obtain a third-party certification confirming that they are compliant with applicable cybersecurity controls.

On May 21, 2025, the European Commission published a proposal for a new regulation simplifying certain regulatory requirements for small mid-caps, which will be companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in balance sheet.

On May 15, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with Vision Upright MRI, a small California-based radiology provider, over alleged violations of the HIPAA Security and Breach Notification Rules.

On May 8, 2025, the European Data Protection Board and the European Data Protection Supervisor adopted a joint letter addressed to the European Commission regarding the upcoming proposal to simplify record-keeping obligations under the EU General Data Protection Regulation.

As the UK Data (Use and Access) Bill reaches its final stages, the House of Commons and the House of Lords are still debating several key issues. This blog provides a summary of the outstanding issues.

On May 9, 2025, the California Privacy Protection Agency opened a formal public comment period for modifications to the text of proposed California Consumer Privacy Act regulations addressing cybersecurity audits, risk assessments, automated decisionmaking technology, insurance companies, and updates to existing CCPA regulations. The comment period will remain open until June 2, 2025.