At the SEC's insistence, tech media and telecom (TMT) companies are increasingly warning investors and the public about cyberattack risks, as well as steps they're taking when incidents are discovered. The SEC began requiring that companies report on cybersecurity practices and incidents in 2023. And TMT companies’ cybersecurity disclosures in their 2024 10-K annual reports varied widely in depth and detail: TDS' totaled a little more than 300 words; Lumen's was more than 1,400.

Data protection authorities (DPAs) may not limit the number of complaints a person files during a certain period under the EU General Data Protection Regulation (GDPR) unless they find that person is abusing the process, the European Court of Justice held Thursday (Case C-416/23). DPAs seeking to rid themselves of complaints is an EU-wide issue, though this case arose in Austria, said Austrian privacy campaigner Max Schrems.

The second U.S. state privacy law could be updated this year. Virginia’s legislative session opened Wednesday with a bill by Del. Michelle Maldonado (D) that would add protections for teens, include support for universal opt-out mechanisms and revise other parts of the 2021 Virginia Consumer Data Protection Act. Maldonado's measure would also add an AI section called the "Artificial Intelligence Training Data Transparency Act,” which includes a private right of action.

New York State Assemblymember Alex Bores (D) plans to file legislation that regulates frontier AI models later this month, with concepts similar to a bill vetoed in California last year.

New York state legislators opened their 2025 session Wednesday, introducing comprehensive and healthcare-focused privacy bills, among other measures related to consumer data. Assemblymember Nily Rozic (D) offered the 2025 version of the New York Privacy Act. However, some of it is "not aligned with other comprehensive privacy laws,” which could make compliance a challenge for businesses, warned Hinshaw & Culbertson privacy attorney Cathy Mulrow-Peattie in an email Wednesday.

A reintroduced Connecticut AI bill aims to build on the state’s 2022 comprehensive privacy law, state Sen. James Maroney (D), the privacy law’s author, said in an interview. Maroney’s second attempt at establishing AI requirements will be a priority bill for majority Democrats in the Connecticut Senate next year, Maroney, Senate President Pro Tempore Martin Looney and Majority Leader Bob Duff said in a joint announcement last month.

In what one privacy expert called a "dam-bursting moment," the European Court of Justice's General Court Wednesday ordered the European Commission (EC) to pay $412 (400 euros) to a German visitor to one of its websites because the site unlawfully transferred his personal data to the U.S. (Case T-354/22/ Bindl v. Commission). The EC said it would "carefully study" the judgment and its implications.

A comprehensive New York bill to regulate AI surfaced ahead of the state’s legislative session that opens Wednesday. The Assembly referred A-768 by Assemblymember Alex Bores (D) to the Consumer Affairs and Protection Committee.

Businesses must make incremental changes to comply with five state privacy laws effective this month, privacy experts said in interviews. Comprehensive laws took effect Jan. 1 in Delaware, Iowa, Nebraska and New Hampshire. A New Jersey law becomes effective Jan. 15, with that state’s attorney general office’s consumer affairs division soon expected to open a rulemaking.

Congress and the Trump administration should consider X platform owner Elon Musk’s unconventional ideas, including possibly shuttering the Consumer Financial Protection Bureau, Senate Republicans told us in December.