On February 27, 2026, CalPrivacy and PlayOn settled a CCPA claim for $1.1 million. PlayOn is a digital ticketing platform used by schools and other organizations for ticketing, streaming, fundraising, concessions, merchandise sales, and website management. The settlement resolves allegations that PlayOn unlawfully “sold” and “shared” users’ personal information without providing sufficient opt-outs and notice, in violation of the CCPA. This marks the agency’s first enforcement action involving students’ data privacy.Continue Reading CalPrivacy Fines PlayOn Sports for Insufficient Opt-Out Process

On March 11, 2026, the Federal Trade Commission (“FTC” or “the Commission”) announced an Advanced Notice of Proposed Rulemaking (“ANPRM”) regarding its Rule Concerning the Use of Prenotification Negative Option Plans, commonly known as the Negative Option Rule (“the Rule”).  This ANPRM signals the beginning of a rulemaking process that

Continue Reading FTC Negative Option Rule ANPRM

On March 6, 2026, the Administration released “President Trump’s Cyber Strategy for America” alongside an Executive Order (entitled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens”) and accompanying Fact Sheet.  The framework set forth in the Strategy document is significantly shorter and higher-level than the prior

Continue Reading White House Releases New National Cyber Strategy and Executive Order

In February 2026, the Spanish data protection authority (Agencia Española de Protección de Datos, “AEPD”) published guidance on data protection issues related to the use of AI agents. The guidance follows an earlier, similar analysis by the UK Information Commissioner’s Office, which we discussed in a prior blog

Continue Reading Spanish Supervisory Authority Issues Detailed Guidance on Agentic AI and GDPR Compliance

On February 13, 2026, France’s highest administrative court (“Conseil d’État”) delivered an important decision clarifying the boundary between pseudonymization and anonymization under the GDPR. The ruling confirms that data which remain re‑identifiable in practice—even with some effort—must be treated as personal data under the GDPR by service providers, unless the risk of re‑identification by such providers can genuinely be regarded as insignificant.Continue Reading France’s Highest Administrative Court Upholds CNIL’s Standard On Anonymization

On February 10, 2026, federal district court Judge Jed S. Rakoff ruled from the bench in the Southern District of New York that the attorney-client privilege and the work product doctrine did not protect legal strategy materials that a criminal defendant generated using a generative AI tool, when he used

Continue Reading AI and Legal Privilege: Key Takeaways from US v. Heppner

On January 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a new resource on Assembling a Multi-Disciplinary Insider Threat Management Team.  The guidance is intended to assist critical infrastructure stakeholders, which includes private sector entities across various sectors, with implementing an insider threat mitigation program that combines physical security, cybersecurity, personnel awareness, and community partnerships.  Although framed for critical infrastructure, CISA’s guidance is relevant to a broader range of organizations, including those outside of critical infrastructure sectors—a point echoed in Covington’s 2025 insider threat webinar series, discussed further below.Continue Reading CISA Releases New Guidance on Assembling Multi-Disciplinary Insider Threat Management Teams

On February 19, 2026, the UK Court of Appeal handed down its decision in DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140. The Court ruled that a controller’s data security duty applies to all personal data for which it acts as controller – irrespective of whether the information would constitute personal data in the hands of a third party (in this case, an attacker). Note that the case is concerned with events before the GDPR came into force, so the legal context is provided by UK Data Protection Act 1998 (“DPA 1998”), although the Court did take into account more recent jurisprudence, including CJEU case law.

The case adds useful colour to ongoing debates surrounding the definition of “personal data.” The Court of Appeal confirmed that a controller’s duty to implement appropriate measures to protect personal data applies to data that is “personal” from the perspective of the controller —even if a third-party attacker could not identify individuals from the exfiltrated dataset. This dovetails with the SRB v EDPS’s clarification that whether data is “personal” can depend on the context, while a controller’s obligations (such as transparency) must be assessed from the controller’s perspective at the relevant time (which, for the transparency principle, is at the time of collection of the data). (For more information on SRB v EDPS, see our prior post here.)Continue Reading UK Court of Appeal Rules on the Concept of Personal Data in the Context of Data Security

Earlier this month, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) announced a series of public town hall meetings to solicit additional stakeholder input on the Notice of Proposed Rulemaking (“Proposed Rule”) implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which CISA published in April 2024.

Continue Reading CISA Announces Town Halls to Gather Input on CIRCIA Proposed Rule

On February 18, 2026, the European Data Protection Board (“EDPB”) published its Report on Stakeholder Event on Anonymisation and Pseudonymisation of 12 December 2025 (the Report). The Report summarises feedback from a remote stakeholder event convened to inform the EDPB’s ongoing work on Guidelines 01/2025 on Pseudonymisation (version for public consultation available here) and forthcoming guidance on anonymisation. The event gathered input from 115 participants spanning industry, NGOs, academia, law firms, and public sector bodies.

The objective of the Report is to capture stakeholder insights on how the General Data Protection Regulation (“GDPR”) applies to anonymisation and pseudonymisation, particularly following the Court of Justice of the European Union’s (“CJEU”) judgment in EDPS v SRB (C‑413/23 P). (See our previous blog post here.)Continue Reading EDPB Publishes Report on Stakeholder Event on Anonymisation and Pseudonymisation