Data Privacy

IAPP Publishes EU Digital Laws Report 2025

By Hansenard Piou

On September 30th, the IAPP (formerly the International Association of Privacy Professionals) released its EU Digital Laws Report 2025, a comprehensive analysis explaining and synthesizing the requirements of core EU digital laws. The report aims to provide a resource to help the broadest possible class of organizations, platforms, and developers comply with the Data Governance Act, the Data Act, the Digital Markets Act, the Digital Services Act, the EU AI Act, and the NIS2 Directive.

The 75-page report, prepared collaboratively by professionals from EU law firms, academia, and a banking institution, is divided into 8 chapters:

Chapter 1: Scope and Requirements provides an overview of each law, outlining its purpose, key requirements, and the types of organizations and activities that fall within its scope.

Chapter 2: Transparency examines the role of “transparency” within each law, including documentation, public disclosure, and reporting requirements.

Chapter 3: Accountability describes the accountability measures that ensure that organizations remain compliant, including contractual terms, codes of conduct, and legal obligations.

Chapter 4: Risk Assessments details the requirements under the DSA and the AI Act to conduct risk assessments and what these assessments must contain.

Chapter 5: Individual Rights outlines individuals’ rights with respect to activities covered by the laws, including available protections and remedies.

Chapter 6: Data Governance describes how the laws may impact data governance practices, including data storage, data security, consent, user reporting, and complaint remediation.

Chapter 7: Stakeholders and EU-Level Collaboration describes the laws’ relationships with government groups and institutions at the member state and EU level.

Chapter 8: The Interplay with GDPR analyzes each law’s relationship with the General Data Protection Regulation (GDPR), comparing and contrasting overlapping provisions and subject matter.

In light of the expanding responsibilities for professionals in fields such as AI governance, cybersecurity, and data protection, this report provides a foundational guidance for a strategy to build a robust compliance program in line with these laws.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.  

Does the DOJ Rule Apply?

Does the DOJ Rule Apply?

This is the first in a series of blog posts about the DOJ Rule regarding Access To U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the “DOJ Rule”).  It provides a high-level overview of the kinds of cross-border data transfers that are regulated by the DOJ Rule. Future blog posts will more closely examine the DOJ Rule, its requirements, potential impacts, and strategies to address compliance.

Read More

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

By Sam Castic

The California Privacy Protection Agency (CPPA) has adopted final regulations on privacy risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT), as well as amendments to existing CCPA regulations.  Final publication of the regulations is pending review by the Office of Administrative Law, and depending on when that occurs, the regulations will likely take effect 10/1/2025 or 1/1/2026.  Some key concepts from these regulations, and actions to consider, are below.

Read More

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.

Read More

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

by Cameron Cantrell and Felicity Slater 

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Read More

State Privacy Regulators Announce Formation of Collaboratory Consortium

State Privacy Regulators Announce Formation of Collaboratory Consortium

by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.

Read More

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

By Sam Castic

On Friday April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”).  It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025. 

Read More

GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies

GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies

By Leslie Veloz and Jennifer Ruehr

The Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) recently published its Checklist on Guidelines for the Use of Generative AI by Employees (“Checklist”). The goal of the Checklist is to help organizations draft internal policies and procedures governing employee use of generative AI (“GenAI”) tools, especially where GenAI is used to process personal data.

Read More

Virginia Governor Signs Reproductive Health Data Restrictions into Law

Virginia Governor Signs Reproductive Health Data Restrictions into Law

by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 

Read More

Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors. 

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

Read More

Final COPPA Rule Amendments: Definitional Changes

Final COPPA Rule Amendments: Definitional Changes

By Susan Hintze, Emily Litka, and Amy Lanchester 

This is Part 2 in a series of blog posts about the 2025 COPPA Final Rule. It provides a comprehensive review of the revised definitional changes to the Rule.  Subsequent posts in the coming days will delve more deeply into the direct and online notice, parental consent, and data governance requirements. Our unofficial redlined copy of the Final Rule can be found here.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

The FTC Issues Final COPPA Rule Amendment

The FTC Issues Final COPPA Rule Amendment

By Susan Hintze and Emily Litka

This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors.Our unofficial redlined copy of the Final Rule can be found here.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

10 areas for US-based privacy programs to focus in 2025

10 areas for US-based privacy programs to focus in 2025

By Sam Castic

The post below was originally published by the IAPP at https://iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025.

This past year was another jammed one for privacy teams and it was not easy to stay on top of all the privacy litigation, enforcement trends, and new laws and regulations in the U.S.

Read More