On 5 December 2025, the Act Transposing the NIS 2 Directive and Regulating Key Aspects of Information Security Management in the Federal Administration (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (“NIS2UmsG”) (see here, in German only) became binding in Germany. According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (“BSI”) (see here, in German only), roughly 29,500 companies will have to comply with the increased cybersecurity requirements adopted by the NIS2UmsG.Continue Reading Germany Transposes NIS 2 Directive – Increased Cybersecurity Requirements for Businesses

On December 22, the Federal Trade Commission (“FTC”) issued an order setting aside its 2024 final consent order against Rytr, LLC (“Rytr”) on the grounds that the facts alleged in the Rytr complaint did not violate Section 5.  The Commission further found that the Rytr order did not provide any

Continue Reading FTC Sets Aside Rytr Final Order Pursuant to White House AI Action Plan

On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.

The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.Continue Reading German Government Proposes GDPR Reform to Shift Responsibility to Manufacturers

The Federal Trade Commission (FTC) sent letters to 10 companies—whose identities were not publicly disclosed—on December 22, 2025, warning them about potential violations of the Consumer Reviews Rule. The Rule, which took effect in October 2024, targets deceptive online review and testimonial practices. These warning letters mark the FTC’s first

Continue Reading FTC Issues Warning Letters for Violations of Consumer Reviews Rule

The Federal Trade Commission (FTC) recently announced that it agreed to proposed consent orders with two companies that experienced recent cybersecurity incidents, Illuminate Education (“Illuminate”) and Illusory Systems, which does business as Nomad (“Illusory”), to resolve allegations that both companies’ information security practices had violated Section 5 of the FTC

Continue Reading FTC Announces 10-Year Information Security Consent Orders with Illuminate Education and Illusory Systems

On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”).  According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI

Continue Reading NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment

On November 21, 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (“Jam City”), a mobile app gaming company, for alleged violations of the California Consumer Privacy Act (“CCPA”) and Unfair Competition Law (“UCL”). The Jam City settlement marks Attorney General Bonta’s sixth settlement obtained under the CCPA and reflects a continued focus on how businesses present opt-out rights mechanisms to California consumers, including minors.Continue Reading California AG Announces $1.4 Million Settlement with Mobile App Gaming Developer Over CCPA Violations

On December 11, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released its Cybersecurity Performance Goals 2.0 (“CPG 2.0”), an update to its core set of recommended cybersecurity practices for critical infrastructure owners and operators, which we previously wrote about here.  Established by the 2021 National Security Memorandum

Continue Reading CISA Releases Cybersecurity Performance Goals 2.0 for Critical Infrastructure

On December 19, 2025, New York Governor Kathy Hochul vetoed the New York Health Information Privacy Act (“NYHIPA”).  While NYHIPA bore similarities to Washington’s My Health My Data Act (“MHMD”) and Nevada’s Health Privacy Law (“SB 370”), it had several provisions that would have raised novel compliance and legal questions.Continue Reading New York Governor Vetoes Restrictive Health Privacy Law

On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm