On May 27, 2026, the Connecticut governor signed SB 4, an omnibus privacy law, which among other things, amends the Connecticut Data Privacy Act (“CTDPA”), establishes a data broker registry and accessible deletion mechanism, imposes restrictions on the use of price setting devices and surveillance pricing, and creates requirements for direct-to-consumer genetic testing companies.
Continue Reading Connecticut Enacts Omnibus Privacy Law
CISA Releases Guidance on the Careful Adoption of Agentic AI Services
Earlier this month, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency and other international partners, released guidance for organizations on adopting agentic artificial intelligence systems (i.e., systems composed of one or more agents that fundamentally rely on an AI model, such as an LLM
Continue Reading CISA Releases Guidance on the Careful Adoption of Agentic AI ServicesCISA Announces Revised Schedule of Town Halls for CIRCIA Rulemaking
On May 26, 2026, the Cybersecurity & Infrastructure Security Agency (“CISA”), announced a revised schedule of virtual town halls as part of its rulemaking implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). These town halls were initially scheduled for March and April 2026 but were delayed by the lapse in funding for the Department of Homeland Security that ended on April 30, 2026, and are now scheduled to begin on June 15, 2026. The “specific topics of interest” CISA highlighted in its original announcement remain unchanged.
Continue Reading CISA Announces Revised Schedule of Town Halls for CIRCIA RulemakingSeventh Circuit Holds that BIPA Amendment Applies Retroactively
On April 1, 2026, the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024. This decision limits the potential statutory damages plaintiffs may obtain for pending BIPA cases.
Continue Reading Seventh Circuit Holds that BIPA Amendment Applies RetroactivelyAI and Legal Privilege: Key Takeaways from US v. Heppner
On February 10, 2026, federal district court Judge Jed S. Rakoff ruled from the bench in the Southern District of New York that the attorney-client privilege and the work product doctrine did not protect legal strategy materials that a criminal defendant generated using a generative AI tool, when he used
Continue Reading AI and Legal Privilege: Key Takeaways from US v. HeppnerNew Jersey Enacts Amendment to its Comprehensive Privacy Law
On his last day in office, January 20, 2026, former New Jersey Governor Phil Murphy signed an amendment to the New Jersey Data Privacy Act, A5017. The bill amends the state’s comprehensive privacy law to add new data- and entity-level exemptions and to expand the definition of de-identified data. The amendment took effect immediately.
Continue Reading New Jersey Enacts Amendment to its Comprehensive Privacy LawNIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment
On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”). According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI
Continue Reading NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public CommentEnd-of-Year 2025 State and Federal Developments in Minors’ Privacy
Since our mid-year recap on minors’ privacy legislation, several significant developments have emerged in the latter half of 2025. We recap the notable developments below.
Continue Reading End-of-Year 2025 State and Federal Developments in Minors’ PrivacyCalifornia Finalizes Updates to Existing CCPA Regulations
On September 23, 2025, the California Privacy Protection Agency announced that the state’s Office of Administrative Law approved regulations that update existing California Consumer Privacy Act (“CCPA”) regulations and introduce new regulations covering cybersecurity audits, risk assessments, and automated decision-making technology. The updates to the existing regulations—which take effect on January 1, 2026—expand business obligations under the CCPA and give consumers more control over their personal information. This blog post highlights key updates to the existing regulations.
Continue Reading California Finalizes Updates to Existing CCPA RegulationsCalifornia Enacts New Privacy Laws
Recently, California Governor Gavin Newsom signed into law several privacy and related proposals, including new laws governing browser opt-out preference signals, social media account deletion, data brokers, reproductive and health services, age signals for app stores, social media “black box warning” labels for minors, and companion chatbots. This blog summarizes
Continue Reading California Enacts New Privacy Laws