Key Takeaways

• The SEC’s agreement with defendants to dismiss, with prejudice, its case against SolarWinds Corporation (SolarWinds) and its chief information security officer (CISO) signals a retreat from aggressive, novel enforcement theories in cybersecurity disclosure cases.
• Although technical cybersecurity violations without investor harm

The wave of online safety regulation is continuing to surge, with Brazil’s recent enactment of Law No. 15,211/2025—the Digital Statute for Children and Adolescents (Digital ECA)—as the latest addition. 

On September 23, 2025, the California Privacy Protection Agency confirmed that their cyber audit regulations will at long last go into effect on January 1, 2026. 

You can be forgiven for losing track since these were first proposed in September 2023, but now is the time to start considering how they will apply to your company and budgeting for that impact. 

State Updates, Security Mandates, and the Federal Regulatory Horizon

150 consumer complaints per week. A consortium of privacy regulators. “Hundreds of open investigations.” 

The U.S. Department of Justice (DOJ) “Data Security Program” (DSP), also known as the “Sensitive Data Rule” or “Bulk Data Rule,” has prompted numerous questions about its scope and application. 

The Maryland Online Data Privacy Act (MODPA) is just around the corner, and businesses should consider preparing to address novel compliance obligations that also rank among the most stringent to date. 

California’s legislature has once again taken center stage in the national privacy conversation, passing a flurry of privacy bills during a marathon session that stretched into the night of September 12. 

With 2025 more than half over and many state legislatures adjourned for the year, we look back at significant legislative developments concerning state comprehensive consumer privacy laws. 

The Connecticut Governor signed SB 1295 into law on June 25, 2025, again amending the Connecticut Data Privacy Act (CTDPA). 

The comprehensive consumer privacy laws of Minnesota and Tennessee have recently taken effect, with the Minnesota Consumer Data Privacy Act (MCDPA) operative as of July 31, 2025, and the Tennessee Information

On June 27, 2025, the United States Supreme Court weighed in on the ongoing debate about age verification requirements for websites, holding that it is constitutional for a state to require websites that have a significant portion of adult content to implement commercial age verification systems. 

On June 2, 2025, the New Jersey Office of Consumer Protection announced proposed rules for New Jersey’s comprehensive consumer privacy law, the New Jersey D

In May 2025, Montana enacted Senate Bill 163 (SB 163), amending that state’s Genetic Information Privacy Act (MGIPA) to include protections for neurotechnology data—namely, data collected from the activity of the central or peripheral nervous system.