Data Privacy & Governance Hub

Key Takeaways The Supreme Court heard oral arguments on the constitutionality of geofence warrants, which require companies to turn over information from devices tracked in the vicinity of a crime during the period of interest. Geofence warrants currently operate without established constitutional standards or limitations on scope and duration. Hundreds

Key Takeaways The Cookeville Regional Medical Center experienced a ransomware attack that exposed the personal, financial, and medical information of more than 337,000 patients. The breach notification to affected individuals came nine months after the initial detection. Ransomware incidents targeting medical centers have become a popular extortion method, exposing […]

Key Takeaways House Republicans introduced the SECURE Act, which is the first comprehensive federal data privacy framework. This Act would preempt state laws and establish uniform national standards. The Act largely follows the models used by states but also includes heightened protections for minors and new national security requirements. Enforcement

Key Takeaways The Oklahoma Data Privacy Act grants residents new rights to access, correct, delete, and opt out of the sale of their personal data. Broad exemptions for nonprofits, financial institutions, and state agencies may limit the law’s effectiveness and leave gaps in consumer protection. Oklahoma law adds to a

Key Takeaways A lawsuit filed against Novartis alleges that the company used invisible tracking tools on its websites to collect and pass patients’ sensitive health information to third parties without their knowledge or consent. This case highlights a regulatory gap in the application of existing privacy law to digital data

Key Takeaways Unauthorized third parties accessed Booking.com customer data, including names, contact details, and reservation information, though financial information was reportedly not compromised. This stolen travel data enables criminals to impersonate hotels with specific reservation details, making extortion attempts far more convincing and effective. The company did not disclose how

Key Takeaways The Alabama Personal Data Protection Act (APDPA) grants residents the right to access, correct, delete, and obtain copies of their personal data. Unlike many other state frameworks, the APDPA does not require data protection impact assessments or universal opt-out preference signals and includes broader exemptions than other state

Key Takeaways California’s DROP program allows residents to submit a single request to delete their data from registered data brokers. The platform is state-run and free to use. More than 500 registered brokers are notified when a deletion request is submitted. The law applies only to brokers registered in California.

Key Takeaways Maine’s LD 1822 is one of the most comprehensive state-level data privacy bills in the country, introducing data minimization requirements, protections for sensitive data, and a ban on unnecessary biometric collection. The bill shifts the burden of data protection from consumers to companies and requires them to justify

Key Takeaways Discord is defaulting all accounts to a “teen appropriate” mode, requiring adult users to verify their age through an AI-driven inference model or through a video selfie or government ID upload. This new policy raises concerns about transparency about how much behavioral monitoring is required to train and

Key Takeaways Starlink updated its Global Privacy Policy in January, allowing the use of customers’ personal information to train artificial intelligence and machine learning models. The updated policy extends the use of data to the company’s affiliates, service providers, and third-party collaborators, who may also use it to train AI

Key Takeaways Connecticut’s Data Privacy Act stands as a pioneer among the country’s most robust data privacy measures, with recent amendments significantly strengthening protections for minors. Over 60 violation notices and warning letters were issued to companies, with over 1,800 breach notifications cited in the 2025 Annual Enforcement Report, reflecting