Consumer Protection Dispatch

Posted June 9, 2026

Unpacking the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Hearing on AI Security

On June 4, 2026, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on “The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience.” The hearing focused on how advanced AI systems are changing both sides of the cybersecurity equation: giving defenders new tools to identify, prioritize and remediate vulnerabilities, while also giving adversaries the ability to scale vulnerability discovery, exploitation, reconnaissance and malware development.

In “House Homeland Security Hearing Highlights Growing Cybersecurity and Critical Infrastructure Risks of AI,” colleagues Shruti Bhutani Arora, Brian Finch and Nathan Banks identify the key takeaways from the hearing, potential policy and rulemaking signals, and the main issue areas for clients developing, deploying or relying on AI-enabled cybersecurity, coding or infrastructure tools.

Posted May 27, 2026

California AG Announces Largest CCPA Penalty to Date in First Data Minimization Case

by Shruti Bhutani Arora, Christine Mastromonaco and Nathan D. Banks

Shruti Bhutani Arora

Christine Mastromonaco

Nathan D. Banks

On May 8, 2026, California Attorney General Rob Bonta, joined by district attorneys from San Francisco, Los Angeles, Napa and Sonoma counties, announced a proposed $12.75 million settlement with a connected vehicle services provider over alleged CCPA violations involving the collection, retention, use and disclosure of vehicle data. The California Privacy Protection Agency’s Enforcement Division assisted in the investigation, which followed a broader CPPA sweep of connected vehicle privacy practices.

Posted March 17, 2026

Email-Tracking Technology: Emerging Compliance Expectations in the U.S., EU and Beyond

by Scott Morton, Shruti Bhutani Arora, Steven Farmer, Christine Mastromonaco and Samson Verebes

Scott Morton

Shruti Bhutani Arora

Steven Farmer

Christine Mastromonaco

Samson Verebes

GettyImages-610849650-e1773765918128-300x245 The use of email-tracking technology is drawing heightened regulatory scrutiny and has become a growing target of litigation. For many organizations, these technologies, which could be in the form of a “pixel,” “beacon” or URL tracking parameters embedded in links, sit quietly in the background of marketing and operational messages. Yet from a legal and compliance perspective, they raise the same kinds of questions as online tracking tools such as cookies. This article explains what is happening and why it matters, and offers some pragmatic options for organizations to consider when relying on email engagement data.

Posted March 2, 2026

FTC Issues COPPA Policy Statement to Encourage Age Verification Technologies

by Shruti Bhutani Arora and Scott Morton

Shruti Bhutani Arora

Scott Morton

The Federal Trade Commission (FTC) has issued a significant policy statement announcing that it will not bring enforcement actions under the Children’s Online Privacy Protection Rule (COPPA Rule) against certain website and online service operators that collect, use, and disclose personal information solely for the purpose of determining a user’s age via age verification technologies.

Posted November 21, 2025

A New Era of Data Deletion: Inside California’s DROP System

by Christine Mastromonaco, Consumer Protection Team and Shruti Bhutani Arora

Christine Mastromonaco

Consumer Protection Team

Shruti Bhutani Arora

On January 1, 2026, the California Privacy Protection Agency (CalPrivacy, as it is now known) will launch the Data Rights Opt-out Platform (DROP System), an online tool enabling California residents to send a single request to over 500 data brokers requiring them to delete their personal information.

Posted April 24, 2025

The Data Security Program Compliance Guide Is Released by the DOJ

by Consumer Protection Team

Consumer Protection Team

On January 8, 2025, the U.S. Department of Justice (DOJ) issued its final rule (28 C.F.R. Part 202) implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” The guide outlines the requirements of a newly implemented Data Security Program (DSP) designed to prevent China, Russia and other foreign adversaries designated by the DOJ from accessing American’s sensitive personal data and U.S. government-related data.

In “DOJ Releases Its Data Security Program Compliance Guide,” colleagues Tony Phillips, Shruti Bhutani Arora, Sahar J. Hafeez, Christine Mastromonaco, Leighton Watson and Sheetal Misra discuss the key components of the DSP and offer thoughts about compliance.

Posted February 26, 2025

Apple’s $500B U.S. Manufacturing Push and New AI Server Facility in Houston: What It Means for Data Centers

by Robert A. James, Brittany D. Sandler and Samuel C. Markel

Robert A. James

Brittany D. Sandler

Samuel C. Markel

As we covered previously, President Trump has made clear that the U.S. is focused on increasing investments into building, scaling and speeding the development of AI infrastructure and data centers in the U.S., and Big Tech is responding in kind.

Posted February 18, 2025

UK Online Safety Act: New Obligations for Digital Service Providers Targeting the UK

by Mark Booth, Steven Farmer and Scott Morton

Mark Booth

Steven Farmer

Scott Morton

The UK’s Online Safety Act 2023 (OSA) is a comprehensive piece of legislation designed to regulate social media companies and search services and to increase protections for individuals online. It draws comparisons to the EU’s Digital Services Act, with both laws include provisions relating to safety and transparency—seeking to balance the need to protect people online with fundamental rights such as the right to freedom of expression and privacy. Importantly, it applies not just to digital service providers in the UK but to any service with links to the UK.

Posted February 12, 2025

California’s Significant AI laws Go into Effect

by Consumer Protection Team

Consumer Protection Team

January 1, 2025, marked the start of a series of significant AI laws going into effect in California. California’s 18 new AI laws represent a significant step toward regulating this space, establishing requirements regarding deepfake technology, AI transparency, data privacy and use of AI in the health care arena. These laws reinforce the state’s desire to be a pioneer in this space.

In California’s AI Laws Are Here—Is Your Business Ready?, Christine Mastromonaco, Shruti Bhutani Arora, Andrew Caplan, Erin Choo, Mia Rendar, Leighton Watson, Anne M. Voigts, Shani Rivaux, Johnna Purcell and Dayo Feyisayo Ajanaku provide a detailed look at the enacted legislation, addresses compliance timelines and serves as a guide for businesses as they navigate compliance with California’s evolving AI landscape.

Posted February 3, 2025

EU AI Act: First Set of Requirements Go into Effect February 2, 2025

by Steven Farmer, Scott Morton and Mark Booth

Steven Farmer

Scott Morton

Mark Booth

The first binding obligations of the European Union’s landmark AI legislation, the EU AI Act (the Act), came into effect on February 2, 2025. Essentially, from this date, AI practices which present an unacceptable level of risk are prohibited and organizations are required to ensure an appropriate level of AI literacy among staff. For a comprehensive overview of the Act, see our earlier client alert here.