Software company PowerSchool’s failure to protect the personal information of nearly 900,000 Texas schoolchildren and educators is a violation of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act, alleged Attorney General Ken Paxton (R) in a lawsuit Wednesday.

The U.S. Court of Appeals for the D.C. Circuit rejected T-Mobile’s challenge of an $80 million data breach forfeiture in a unanimous opinion Friday.

A three-judge panel of the 6th U.S. Circuit Court of Appeals upheld the FCC’s data breach notification rules in an opinion Wednesday. The rules were approved 3-2 in 2023 by the previous FCC, with then-Commissioners Brendan Carr and Nathan Simington dissenting. The Ohio Telecom Association, the Texas Association of Business, CTIA, NCTA and USTelecom filed petitions for review against the rules, arguing that they were outside the FCC’s authority and violated the Congressional Review Act because Congress vetoed similar requirements included with other privacy rules in 2017. But the court said the Congressional Review Act doesn’t prevent agencies from issuing new rules that are similar to parts of rules nullified by CRA resolutions. If Congress had wanted the CRA to do that, “it could have said so,” said the opinion from Judge Jane Stranch. “That is not the language it chose.” The 2017 rules and the 2024 FCC data breach order also aren’t “substantively identical,” the opinion said.

The California Privacy Protection Agency (CPPA fined Washington-based Accurate Append $55,400 for failing to register as a data broker and pay the annual fee required by the state’s Delete Act. The company failed to register by the Jan. 31, 2024 deadline for its 2023 activities, and only registered after the Enforcement Division contacted Accurate Append, the CPPA alleged.

The California Privacy Protection Agency approved rules on automated decision-making technology and other subjects at a partially virtual meeting Thursday. CPPA Board members voted 5-0 to clear the rulemaking package, which also covers risk assessments, cybersecurity audits, insurance and updates to California Consumer Privacy Act (CCPA) regulations.

Connecticut Attorney General William Tong (D) announced an $85,000 settlement with online marketplace TicketNetwork on Tuesday, the result of an investigation into potential violations of the Connecticut Data Privacy Act (CTDPA). The AG said over two dozen cure notices were sent to the company in four separate sweeps addressing privacy notice deficiencies, and that TicketNetwork repeatedly said they have fixed the issues when that was not true.

Nebraska Attorney General Mike Hilgers (R) sued General Motors and its subsidiary OnStar on Tuesday for the alleged unlawful collection, processing and sale of sensitive driving data from state residents without their knowledge or consent. In a press conference Tuesday morning, Hilgers announced the suit, claiming violations of the Nebraska Consumer Protection Act and Uniform Deceptive Trade Practices Act.

Healthline must pay California $1.55 million under the largest proposed settlement yet under the California Consumer Privacy Act, Attorney General Rob Bonta (D) said Tuesday. The settlement, which is pending final court approval, also includes a novel injunctive term prohibiting the company “from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition,” the AG's office said.

In a 6-3 decision, the U.S. Supreme Court on Friday upheld a Texas law requiring age verification for access to porn sites. The ruling sided with Attorney General Ken Paxton (R) in support of the state's HB-1181, which the Free Speech Coalition, an adult industry trade association, challenged in a 2023 lawsuit, saying it violated the First Amendment (see 2409170012).

Texas Attorney General Ken Paxton (R) announced a nearly $1.4 billion settlement with Google in a case about the company's unlawful tracking and collecting of user's personal information, including geolocation and biometric data. Paxton filed the lawsuit against Google in October 2022, alleging violations of the Texas Capture or Use of Biometric Identifier Act (see 2210200075).