
The BR Privacy & Security Download: December 2025

Welcome to this month’s issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.


RECENT HIGHLIGHT

California’s New Privacy Law Specialization Is a Pragmatic Move

Blank Rome LLP partner Sharon R. Klein and associate Victor J. Sandoval authored this Bloomberg Law article examining California’s new privacy law specialization and its approach to addressing the complexity of modern privacy risks.


STATE & LOCAL LAWS & REGULATION

CPPA Publishes Resource for Businesses on New CCPA Regulations: The California Privacy Protection Agency (“CPPA”) published a new resource document titled “7 Things to Know Before 2026 CCPA Updates Take Effect” to provide information on topics businesses should know and prepare for as new California Consumer Privacy Act (“CCPA”) regulations take effect on January 1, 2026. The resource reminds businesses of new requirements, such as (1) conducting risk assessments for certain types of new data processing; (2) providing consumers with a means to confirm the status of opt-out requests; (3) allowing access to personal information collected as far back as January 21, 2022; (4) providing consumers with the name of the source from which they received inaccurate information, or informing the source themselves that the data must be corrected; (5) maintaining accurate data; (6) accepting and making available consumer statements contesting the accuracy of health information; and (7) treating the personal information of consumers under 16 years of age as sensitive personal information. It is possible that the CPPA may choose any or all of the new requirements listed in the resource as enforcement priorities in 2026 and beyond.

New York Attorney General Issues Alert Regarding Algorithmic Pricing: New York Attorney General Letitia James issued a consumer alert regarding algorithmic pricing, urging New Yorkers to file a complaint with the office reporting cases of improper disclosure. On November 10, 2025, New York’s Algorithmic Pricing Disclosure Act (the “Act”) took effect, requiring most companies using pricing that adjusts based on an individual’s data, including location, income, or shopping habits, to clearly display to consumers a disclosure that prices are set using their personal data. The Act requires entities using personalized algorithmic pricing to include with such offers or advertisements a clear and conspicuous disclosure that states, “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.” The Act includes a few exceptions, including prices offered to consumers with existing subscription-based contracts where such price is less than the price for the products or services in the contract. If a covered entity is found to have violated the Act, the court may impose a civil penalty of up to $1,000.00 for each violation.

CPPA Launches Data Broker Enforcement Strike Force: The CPPA has established a Data Broker Enforcement Strike Force within its Enforcement Division to investigate violations by data brokers of the Delete Act and the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its implementing regulations (“CCPA”). The Data Broker Enforcement Strike Force builds upon the CPPA’s 2024 investigative sweep into data broker compliance with the Delete Act’s registration requirement and is intended to provide additional resources to combat potential violations and empower the CPPA to pursue additional investigations.

North Carolina and Utah Attorneys General Launch Nationwide AI Task Force: The North Carolina and Utah Attorneys General have announced the formation of a bipartisan AI Task Force. The task force, facilitated in partnership with the Attorney General Alliance, will further partner with artificial intelligence (“AI”) developers, like OpenAI and Microsoft, to identify emerging issues related to AI and develop safeguards that AI developers should follow to protect the public. Specifically, the AI task force will focus on: (1) working with law enforcement, experts, and stakeholders to identify emerging AI issues so attorneys general are equipped to protect the public; (2) developing basic safeguards that AI developers should follow to protect the public and reduce the risk of harm, especially to children; and (3) creating a standing forum to track developments in AI and coordinate timely responses as new challenges emerge.

California Approves Delete Act Regulations: The California Office of Administrative Law has approved the regulations to implement the Delete Act. The Delete Act expands upon California’s data broker registration law, requiring data brokers to register annually with the CPPA, disclose certain information about their data processing practices, and submit independent compliance audits every three years to evaluate their compliance with consumer deletion requests. The Delete Act also requires the CPPA to establish a Delete Request and Opt-out Platform (“DROP”), which allows consumers to submit a deletion request to all data brokers through a single mechanism. The new regulations, which take effect on January 1, 2026, establish the DROP via a state-hosted website, require data brokers to access the DROP at least every 45 days to retrieve and process deletion requests, and require them to update the DROP on the status of each deletion request within 45 days.


FEDERAL LAWS & REGULATION

FCC Rescinds Cybersecurity Ruling and Notice of Proposed Rulemaking: The Federal Communications Commission (“FCC”) issued an Order on Reconsideration (the “Order”) rescinding its January 2025 Declaratory Ruling and withdrawing the accompanying Notice of Proposed Rulemaking (“NPRM”) addressing sector-wide cybersecurity obligations. Under the January 2025 ruling, the FCC interpreted Section 105 of the Communications Assistance for Law Enforcement Act (“CALEA”) as requiring telecommunications carriers to secure their networks from all unlawful access or interception by implementing certain cybersecurity practices for their systems and services. Additionally, the NPRM proposed cybersecurity rules that would apply to a broad range of telecommunications providers and require those entities to create, update, and implement cybersecurity and supply chain risk management plans and to protect the confidentiality, integrity, and availability of their systems and services. The FCC determined the ruling was unlawful because it adopted an erroneously broad reading of CALEA and purported to assert the FCC’s ability to enforce this interpretation without adopting rules. The Order also declared the ruling’s approach ineffective because it used a vague, one-size-fits-all method, offering limited guidance on risk prioritization and not considering best practices established by technical and industry security standards. One Commissioner dissented, arguing that voluntary collaboration is insufficient and that enforceable baseline obligations remain necessary to address national security threats. The Order indicates that going forward the FCC will focus on targeted measures and public‑private collaboration to address threats.

SEC to Review Broker-Dealer Compliance with Safeguards and Incident Response Requirements: The U.S. Securities and Exchange Commission (“SEC”) released its 2026 Examination Priorities (the “Priorities”) to provide transparency on the regulatory issues the SEC will focus on in the new fiscal year. According to the guidance, among other issues, the SEC will focus on reviewing registrants’ cybersecurity controls, including policies and procedures covering governance, data loss prevention, access controls, account management, and incident response and recovery (including ransomware). The SEC will also focus on training and controls to address other risks, such as AI-enabled and polymorphic malware. The Priorities address Regulation S‑ID, emphasizing that the SEC will assess whether firms have a written Identity Theft Prevention Program that reasonably identifies and detects red flags, especially around account takeovers and fraudulent transfers, and whether firms train staff on identity theft prevention. Additionally, the SEC will examine compliance with Regulation S‑P, which comes into effect for some reporting firms at the end of this year and governs the privacy of consumers’ financial information and the safeguarding of customer information. The SEC will engage firms on their required incident response programs that detect, respond to, and recover from unauthorized access to or use of customer information, provide timely notifications to affected individuals whose sensitive information was accessed or used, and maintain safeguards consistent with the amended rule.


U.S. LITIGATION

4th Circuit Rules Publication on Dark Web Meets Harm Threshold: The U.S. Court of Appeals for the 4th Circuit held in Holmes v. Elephant Insurance Company that plaintiffs whose driver’s license numbers were posted on the dark web suffered a concrete, particularized, and actual injury-in-fact. The case stemmed from a data breach at Elephant Insurance Company in 2022, which compromised the driver’s license numbers of nearly three million people. Plaintiffs brought a putative class action alleging various injuries, including the risk of identity theft, time spent monitoring their credit, emotional distress, and, for two plaintiffs, the discovery that their driver’s license numbers were posted on the dark web. The Court applied the Supreme Court’s framework from TransUnion LLC v. Ramirez, which requires that intangible harms must bear a “close relationship” to harms traditionally recognized at common law. The Court found that the harm from having one’s driver’s license number posted on the dark web is analogous to the harm addressed by the tort of public disclosure of private information, which protects against the widespread dissemination of sensitive personal information. The Court clarified that the information need not be embarrassing or salacious; it is sufficient that the plaintiff has a justifiable reason to keep it private and that it is made accessible to many (as is the case with the dark web). Plaintiffs whose information was not publicized (Bias and Shaw) did not suffer a concrete injury because the harm addressed by the public disclosure tort is the loss of control over private information to the public, not merely to a few hackers.

Colorado Social Media Warning Law Blocked: A federal court temporarily blocked the state of Colorado from enforcing H.B. 24-1136, a statute requiring large social media services to display recurring on‑screen notices to minors about the potential health effects of using their platforms. The Court agreed with the plaintiff NetChoice and held that the statute constitutes compelled speech, as it forces companies to carry the state’s message on the contested topic of social media’s effect on health. Therefore, the statute would have to “further a compelling governmental interest” and be “narrowly tailored to that end.” In issuing the injunction, the Court explained that while protecting young people is a compelling governmental interest, the state can pursue it through less burdensome measures, such as issuing its own disclosures or incentivizing companies to voluntarily provide disclosures. Thus, the Court held the statute is unlikely to survive strict scrutiny and violates the First Amendment’s guarantee of freedom of expression. Following the injunction, the statute, which was set to go into effect on January 1, 2026, is on hold while the case moves forward, and businesses are not currently required to implement the statutory notices.


U.S. ENFORCEMENT

Texas Attorney General Opens Investigation into Chinese-Affiliated Wi-Fi Security Camera Company: Texas Attorney General Ken Paxton announced he opened an investigation into Lorex Technology Inc. (“Lorex”) regarding whether it has sold Wi-Fi security cameras potentially tied to systems associated with the Chinese Communist Party. The investigation will examine whether Lorex has deceptively marketed products alleged to pose national security and privacy risks as secure and suitable for residential use. The office’s announcement cited concerns that Dahua, a publicly traded Chinese company that has been designated by the U.S. Department of War as a “Chinese military company,” acquired Lorex in 2012. Lorex was subsequently sold in 2022 to Taiwan-based Skywatch. However, the Attorney General’s office stated that Dahua continues to supply key components for Lorex cameras. According to Paxton’s office, U.S. agencies, including the Department of Commerce and the FCC, have also imposed restrictions on Dahua’s products due to national security risks. Additionally, in June 2021, the Maryland-based Security Industry Association expelled Dahua for ethics violations related to concerns about its complicity in surveillance and human rights violations. Despite the federal restrictions, the office noted that Lorex cameras remain available for purchase by Texas consumers through major retailers like Amazon and Costco. Lorex has indicated it intends to contest the allegations made by the Texas Attorney General.

California Attorney General Settles with Streaming Service for CCPA Violations: The California Attorney General settled with Sling TV LLC and Dish Media Sales LLC (“Sling TV”) over alleged CCPA violations relating to the right to opt out of the sale or sharing of personal information. The California Attorney General alleged that Sling TV failed to provide consumers with an easy-to-use opt-out method by (1) combining cookie preferences with the opt-out right, even though turning off cookies was insufficient to fully opt out; (2) requiring consumers to look for a webform and complete confirmation steps to submit their request, and requiring even logged-in customers to complete such steps; (3) not providing opt-out methods within its apps on various living-room devices; and (4) not offering kids profiles that required opt-in consent for targeted advertising to children. Under the settlement, Sling TV is required to pay the California Attorney General $530,000 in civil penalties and implement changes to ensure the opt-out right is easy to exercise.

California, Connecticut, and New York Attorneys General Settle with Education Software Company for Failing to Protect Student Data: The California, Connecticut, and New York Attorneys General have settled with Illuminate Education, Inc. (“Illuminate”), an education software company, over a data breach impacting the personal information of millions of students across 49 school districts. The impacted data included student name, race, whether the student received special education services or reasonable accommodations, and coded medical conditions. In December 2021, a hacker used the credentials of a former employee to create new credentials and access Illuminate’s network. Under the settlement, Illuminate is required to pay the Attorneys General a total of $5.1 million and must (1) implement appropriate access control and account management (e.g., terminating the credentials of former employees), real-time monitoring and alerts for suspicious access and activity, and safeguards to protect backup databases; (2) inform the appropriate regulators of data breaches involving student data; and (3) remind school districts to perform a review of the student data stored by Illuminate on their behalf.

Texas Attorney General Sues Provider of Online Gaming Sites Alleging Failure to Protect Children from Predators: Texas Attorney General Ken Paxton announced his office has filed a lawsuit against Roblox Corporation, an operator of one of the largest online gaming sites for children. The Texas Attorney General alleges that Roblox enables environments where minors can encounter inappropriate content and individuals with harmful intent and failed to implement adequate safeguards despite knowing the risks. The suit cites violations of Texas consumer protection laws and alleges Roblox misrepresented its safety measures.

DOJ Secures Guilty Plea in North Korean IT Worker Scheme: A Ukrainian national has pleaded guilty in federal court to participating in a sophisticated scheme involving a “laptop farm” in Washington, D.C. The operation was designed to generate income for North Korean IT workers who were covertly employed by overseas companies. According to the Department of Justice (“DOJ”), the defendant helped set up and maintain numerous laptops that created false digital identities, enabling North Korean operatives to secure remote work contracts under assumed names. This activity violated U.S. sanctions and facilitated the flow of funds to North Korea, which the government argues could support illicit programs.

SEC Dismisses Civil Enforcement Action Against SolarWinds: The U.S. Securities and Exchange Commission (“SEC”) filed a joint stipulation with Defendants SolarWinds Corporation and its Chief Information Security Officer, Timothy G. Brown, to dismiss, with prejudice, the Commission’s ongoing civil enforcement action. As stated in the joint stipulation, the Commission’s decision to seek dismissal is “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”


INTERNATIONAL LAWS & REGULATION

European Commission Releases Digital Omnibus Regulation Proposal: The European Commission released its Digital Omnibus Regulation Proposal (“Proposal”), which includes a proposed set of amendments to EU digital legislation, including the EU General Data Protection Regulation (“GDPR”) and the EU AI Act. The amendments are intended to reduce the regulatory burden on businesses, public administrations, and individuals and to stimulate competitiveness. Proposed amendments to the GDPR include clarifying the definition of personal data as it relates to information for which an entity does not have means reasonably likely to identify the individual to whom the information relates, aligning a controller’s obligation to notify a supervisory authority of breaches with its obligation to notify data subjects, and extending the notification deadline to 96 hours, among other changes. Additionally, the European Commission is proposing to delay the entry into application of requirements for high-risk processing. Currently, requirements for high-risk processing are slated to go into effect in August 2026. Noting that the standards for implementation are behind schedule, the Proposal would give organizations six months from the European Commission’s confirmation that the required standards and support tools are available, to be no later than December 2027. The proposed reforms for the EU AI Act were submitted separately in an effort to accelerate adoption of those changes.

Australian Information Commissioner Updates Privacy Principles: The Office of the Australian Information Commissioner has revised the guidelines for the Australian Privacy Principles to align with the changes introduced by the Privacy and Other Legislation Amendment Act 2024. These updated guidelines address requirements for openness and transparency, cross-border sharing of personal information, and measures to protect personal data. The guidance outlines what constitutes reasonable steps to safeguard personal information, introduces new exceptions for cross-border data transfers, and establishes that, beginning in December 2026, privacy policies must include details about automated decision-making.

New Zealand Privacy Commissioner Issues Rule on Notice for Indirect Collection of Personal Information: The New Zealand Privacy Commissioner issued a new rule, IPP3A, on notification requirements for indirect collection of personal information (“IPP3A”). The rule will be effective May 1, 2026. IPP3A extends the existing notice obligation under Information Privacy Principle 3 of the New Zealand Privacy Act 2020 to situations where personal information is collected indirectly, that is, from a source other than the individual concerned (e.g., third parties, public records, and other organizations). IPP3A requires organizations to inform individuals when their personal information is collected indirectly, unless an exception applies, and requires that notification occur as soon as reasonably practicable after the indirect collection. The Privacy Commissioner emphasizes a “practicable and pragmatic” approach, balancing compliance with operational realities while maintaining transparency and trust. IPP3A resources provided by the Privacy Commissioner include a flowchart and examples to help organizations determine when notification is required and how to implement it effectively.

India Publishes AI Governance Guidelines: The government of India released AI Governance Guidelines designed to harness the transformative potential of AI for inclusive development and global competitiveness, while addressing the risks AI may pose to individuals and society. Part one of the AI Governance Guidelines sets out seven guiding principles adapted for application across sectors, including trust; human-centric design and oversight; innovation over restraint; fairness and equity; accountability; explainability; and safety, resilience, and sustainability. Part two sets forth key recommendations for AI governance. Part three sets forth an action plan that identifies key priorities in the short-, medium-, and long-term. Finally, part four is intended to provide practical guidance for businesses and regulators. Major economies such as the United States, China, the European Union, and India have all set out their visions for the future of AI regulation.

EDPB Adopts Opinion on Draft Adequacy Decision for Brazil: The European Data Protection Board (“EDPB”) announced its opinion on the European Commission’s draft adequacy decision for Brazil, which would allow personal data transfers from the EU to Brazil without additional safeguards under Article 45 of the GDPR. The opinion evaluates whether Brazil’s data protection framework provides a level of protection essentially equivalent to that in the EU. The EDPB provided a positive assessment of Brazil’s General Data Protection Law (“LGPD”) for its strong alignment with EU data protection principles and case law from the Court of Justice of the EU. The EDPB asked the European Commission to provide additional clarity on how Brazil governs data protection impact assessments and Brazilian limitations on transparency obligations, particularly where commercial and industrial secrecy may restrict disclosure. If adopted, the adequacy decision will simplify compliance for EU-based companies transferring data to Brazil, removing the need for Standard Contractual Clauses or other transfer mechanisms.

Global Privacy Enforcement Network Announces Children’s Privacy Enforcement Sweep: The Global Privacy Enforcement Network (“GPEN”) announced that GPEN members examined websites and mobile applications commonly used by children as part of the 2025 GPEN privacy sweep that took place November 3 to 7, 2025. GPEN is a group of more than thirty data protection and privacy authorities from around the world, including the U.S. Federal Trade Commission, FCC, CPPA, and the California State Attorney General. The initiative aims to increase awareness of privacy rights and responsibilities, encourage compliance with privacy legislation, identify concerns that may be addressed through targeted education or enforcement, and enhance cooperation between global data protection and privacy authorities. The results of the sweep will be compiled and published in a report in the coming months.


RECENT PUBLICATIONS & MEDIA COVERAGE

Blank Rome partner Sharon R. Klein was featured in this Decrypt article discussing a potential executive order that would override AI regulations in California as well as other states.

Blank Rome partner Philip N. Yannella was featured in this Cybersecurity Law Report article discussing a new California Privacy Protection Agency rule which requires many companies to complete an annual cybersecurity audit.

Blank Rome partner Harrison Brown and associate Alycia S. Tulloch authored this alert discussing a recent surge of email marketing lawsuits and how businesses should assess their email campaign operations to avoid litigation.


© 2025 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.