On November 18, the California Privacy Protection Agency (CPPA) announced the creation of a Data Broker Enforcement Strike Force within its Enforcement Division to investigate alleged violations of the California Consumer Privacy Act and the Delete Act’s data broker registration requirements. The Agency stated that the new unit will expand its review of the data broker industry and support implementation of the Delete Request and Opt-Out Platform, which will allow consumers to submit a single deletion request to all registered data brokers beginning in January 2026.

On October 29, the U.S. District Court for the Eastern District of Kentucky granted a preliminary injunction prohibiting the Consumer Financial Protection Bureau from enforcing its Personal Financial Data Rights Rule, also known as the open banking rule, until the Bureau completes its reconsideration of the rule. The court determined that the plaintiffs, a national bank and two banking associations, demonstrated a likelihood of success on several claims, including that the rule exceeds the Bureau’s authority under the Dodd-Frank Act and is arbitrary and capricious under the Administrative Procedure Act.

On October 3, California Governor Gavin Newsom signed Senate Bill 446, which strengthens California’s existing data-breach disclosure requirements. The law requires businesses and individuals that conduct business in the state to notify affected consumers of a data breach within 30 calendar days of discovering or being notified of the incident. It also shortens the timeline for reporting large-scale breaches to the California Attorney General.

On September 23, 2025, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law approved final regulations under the California Consumer Privacy Act (CCPA). The regulations cover cybersecurity audits, risk assessments, automated decision making technology (ADMT), insurance companies, and updates to existing CCPA obligations.

On August 19, Massachusetts Attorney General Andrea Joy Campbell announced a $795,000 settlement with a property management company for alleged violations of the Massachusetts Consumer Protection Act, and the Massachusetts Data Security Law and Data Security Regulations. The AG alleged that the company failed to maintain reasonable data security practices and delayed required notifications to both regulators and consumers following multiple cybersecurity breaches.

On July 24, the California Privacy Protection Agency (CPPA) approved a major rule package covering automated decision-making technology (ADMT), mandatory cybersecurity audits, and privacy risk assessments under the California Consumer Privacy Act (CCPA). The package narrows the definition of ADMT to tools that replace human decision making for significant decisions in areas like lending, housing, employment, education, and health care.

On August 21, the Consumer Financial Protection Bureau published an advance notice of proposed rulemaking (ANPR) in the Federal Register to reconsider its Personal Financial Data Rights Rule under Section 1033 of the Dodd-Frank Act. The Bureau stated that it is reopening the rule in light of policy changes under new leadership and a court-ordered stay in ongoing litigation challenging the 2024 final rule.

On April 9, the Federal Reserve Bank of Kansas City published a research briefing examining how video game platforms are reshaping the digital payments landscape. As in-game purchases and platform-based transactions grow in volume and complexity, these developments are raising new regulatory concerns for both federal and state banking regulators.

On December 3, the CFPB announced a proposed rule to enhance oversight of data brokers that handle consumers’ sensitive personal and financial information. The proposed rule would amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to require data brokers to comply with credit bureau-style regulations under FCRA if they sell income data or certain other financial information on consumers, regardless of its end use.

On October 22, the CFPB announced the finalization of its Personal Financial Data Rights Rule under Section 1033 of the Dodd-Frank Act. The rule aims to bring the U.S. closer to an “open banking” framework by making it easier for consumers to switch between financial institutions.