Insights on Privacy, Data Protection & Data Security

On July 1, the Virginia Consumer Protection Act (VCPA), as amended by Senate Bill (SB) 754, will provide additional privacy protections for reproductive and sexual health information. The legislation expands the VCPA to expressly prohibit the unauthorized collection and use of this category of information. Businesses that violate the law may be sued by affected Virginia consumers.

There is nothing more inherently unique and personal to an individual than his or her DNA. Unlike many other types of personal information, a person’s DNA is immutable. It can be the key to unlocking extremely sensitive information, such as predisposition to certain health conditions. Unfortunately, as with all other types of personal information, it can be acquired without authorization — breached.

Welcome to the May 2025 issue of “As the (Customs and Trade) World Turns,” our monthly newsletter where we compile essential updates from the customs and trade world over the past month. We bring you the most recent and significant insights in an accessible format, concluding with our main takeaways — aka “And the Fox Says…” — on what you need to know.

Join Reed Freeman and Michelle Bowling as they present at the Privacy + Security Forum, Spring Academy on May 8, 2025.

On January 8, the US Department of Justice (DOJ) issued a final rule under Executive Order 14117, which established the Rule Preventing Access to US Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (the Rule).

With 2025 underway, the AFS Consumer Products team highlights some of the most pressing legal issues facing the consumer products industry this year.

With 2025 underway, the AFS Health Care team highlights some of the most pressing legal issues facing the health care industry this year.

In 2025, the retail and fashion industries are bracing for a transformative year, heavily influenced by the policies of the new Trump Administration. These policies promise rapid and significant changes, particularly in areas such as trade, tariffs, and immigration, which will profoundly affect global supply chains and labor dynamics.

On January 22, Nebraska state Senator Mike Jacobson (R), at the request of Governor Jim Pillen (R), introduced the Agriculture Data Privacy Act (LB525). This is a first-of-its kind privacy bill that would specifically regulate agricultural-sector data.

In the final days of the Biden Administration, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The NPRM proposes sweeping changes that impact how health care providers, health plans, and health care clearinghouses (covered entities) and their business associates (collectively, regulated entities) implement, document, and maintain safeguards for electronic protected health information (ePHI). OCR is accepting public comments on the NPRM through March 7.

As artificial intelligence (AI) continues to develop at a rapid pace, even the most sophisticated general counsel (GC) and in-house legal teams will be hard pressed to keep up with the evolving legal landscape.

The Federal Trade Commission (FTC) will hold an informal hearing at 1:00pm EST on January 17, regarding the proposed amendment to its existing impersonation rule.

2025 is set to be another important year for US state privacy laws, with five new laws effective in January and three more coming into effect through October. New laws in Delaware, Iowa, Nebraska, and New Hampshire will go into effect on January 1, 2025, while New Jersey’s law will follow on January 15, 2025. Below, we detail these laws effective in January. Make sure to check back here in 2025 for more information on the laws effective in July and October.

Partner Matthew F. Prewitt and Associate Michelle R. Bowling will present at the National Business Institute’s (NBI) Data Privacy and Cybersecurity 2024-2025: Hot Topics and Trends course on December 17.

When one hears the term “neural data,” a brain implant comes to mind, alongside concerns about these neurotechnologies being able to read our innermost thoughts.

On September 29, California Governor Gavin Newsom vetoed SB 1047, one of the most ambitious efforts yet to establish a comprehensive artificial intelligence (AI) regulatory framework in the United States.

On June 20, a federal district court in Texas ruled that the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) exceeded its authority under the Health Insurance Portability and Accountability Act (HIPAA).

ArentFox Schiff is pleased to announce that 135 attorneys have been recognized by The Best Lawyers in America 2025, with two attorneys highlighted as “Lawyers of the Year” and 70 attorneys listed as “Ones to Watch.”

Presently, there is no overarching federal law or regulatory scheme specific to the unique challenges of AI. This places AI regulation on track to follow the same path as privacy/data collection—with the states, the courts, the industry itself, and other jurisdictions trying to fill the void.

In the absence of a federal privacy bill, nearly 20 states have passed comprehensive privacy laws. On July 1, three of these states — Florida, Oregon, and Texas — have new laws going into effect, with Montana’s effective in October.

Recently, the US Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA) issued a notice of proposed rulemaking (NPRM) which, if adopted, would require “covered entities” of critical infrastructure to report “substantial cyber incidents” to CISA within 72 hours, and to report ransomware payments within 24 hours.

Who will notify the potentially millions of individuals whose information might have been jeopardized by the massive cyberattack on Change Healthcare? Since the affiliate of UnitedHealth Group (UHG) first reported the cyberattack in February.

Have you recently visited a plaintiff lawyer’s website? If so, then you may be entitled to compensation under the most contrived California Invasion of Privacy Act (CIPA) theory yet.

The US Senate’s Bipartisan AI Policy Roadmap is a highly anticipated document expected to shape the future of artificial intelligence (AI) in the United States over the next decade.

As the federal government grapples with the complexities of comprehensive artificial intelligence (AI) regulation and competing agendas, several US states are taking matters into their own hands by computing their own solutions to the challenges posed by the rapid advancement of AI.