Privacy & Cyber Regulatory Enforcement

CalPrivacy Goes to the Board with Digital Advertising-Focused Enforcement

March 9, 2026 By Cynthia Cole, Dorian Simmons and Anna von Spakovsky

On February 27, 2026, the California Privacy Protection Agency (“CalPrivacy”) issued an order (the “Order”) requiring a sports-focused media and technology company (the “Company”) to pay a $1.10 million administrative fine for violations of the California Consumer Privacy Act (“CCPA”). The action continues California regulators’ scrutiny of how companies deploy cookies, software development kits and […]

The FTC’s COPPA Policy Statement to Incentivize Age Verification Through a More Flexible Enforcement Approach

March 5, 2026 By Cynthia Cole, Maki DePalo, Jennifer Everett and Lili Song

On February 25, 2026, the Federal Trade Commission (“FTC”) issued an enforcement policy statement announcing that the Commission will not bring enforcement actions under the Children’s Online Privacy Protection Act (“COPPA”) Rule against operators of general audience sites and services and mixed audience sites and services that collect, use, or disclose personal information for the […]

NYDFS Revises Prescriptive FAQs on Multifactor Authentication

March 5, 2026 By Kim Peretti, Kate Hanniford, Lance Taubin, Ashley Miller and Carson Kuck

Two months after the New York Department of Financial Services (“NYDFS”) updated its Frequently Asked Questions (“FAQs”), which we wrote about here, NYDFS has released updated FAQs on multifactor authentication (“MFA”) that further clarify 23 NYCRR § 500.12. As we previously reported, the FAQs from December 2025 provided prescriptive guidance, including clarifications on technical requirements […]

CISA Revives CIRCIA Rulemaking

March 2, 2026 By Kim Peretti, Lance Taubin and Scott Hilsen

Almost two years after seeking stakeholder input about a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will hold virtual town hall meetings for certain industry sectors in March and April 2026 to solicit additional input on the Notice […]

FTC Sends Letters Reminding Data Brokers of their Obligations under PADFAA

February 25, 2026 By Jennifer Everett, Daniel Felz, Alex Brown and Santi Villar

On February 9, 2026, the Federal Trade Commission (“FTC”) sent letters to thirteen data brokers reminding them of their obligations to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”). We previously wrote an article and Peter Swire published a white paper at the Cross-Border Data Forum (“CBDF”) describing PADFAA in […]