Johanna Skrzypczyk – Debevoise Data Blog

Announcement

Debevoise Data Blog: Top 5 Privacy Posts of 2025

By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Robert Maddox, Julie M. Riewe, Kristin Snyder, Rick Sofield, Sheena Paul, Johanna Skrzypczyk, HJ Brehmer, Martha Hirst, Suchita Mandavilli Brundage, Melyssa Eigen, Ned Terrace, Michelle Shen, Diane Bernabei and Mengyi Xu December 11, 2025

As we approach the end of the year, here are the top 5 privacy posts on the Debevoise Data Blog in 2025. Takeaways for Large Firms from the SEC’s Reg…

Artificial Intelligence

Debevoise Data Blog: Top 14 AI Posts of 2025

By: Charu A. Chandrasekhar, Andrew J. Ceresney, Courtney M. Dankworth, Avi Gesser, Robert B. Kaplan, Gordon Moodie, Jim Pastore, Julie M. Riewe, Jeff Robins, Kristin Snyder, Matt Kelly, Johanna Skrzypczyk, Karen Levy, Diane Bernabei, Michael Bloom, HJ Brehmer, Suchita Mandavilli Brundage, Melyssa Eigen, Joshua A. Goland, Martha Hirst, Gabriel Kohan, Carl Lasker, Jeremy Liss, Andreas Constantine Pavlou, Joshua Plastrik, Achutha Raman, Adam Shankman, Stephanie Thomas, Nathaniel Waldman, Annabella M. Waszkiewicz, Stan Gershengoren, William Sadd, Nicholas T. Ziebell, Patty (Virtual AI Specialist) and Sergio (Virtual AI Specialist) December 8, 2025

Why Agentic AI Often Fails and the Enduring Value of Human Judgment (11/4/2025) We’ve been doing a lot of work recently on agentic AI workflows. In this post, we share…

SEC

Takeaways for Large Firms from the SEC’s Reg S-P Webinar

By: Charu A. Chandrasekhar, Julie M. Riewe, Kristin Snyder, Sheena Paul, Johanna Skrzypczyk and Suchita Mandavilli Brundage September 28, 2025

On Thursday, September 25, 2025 the SEC held a webinar for large firms on Regulation S-P—the first of three compliance outreach events regarding its 2024 adoption of amendments to the…

Artificial Intelligence

Colorado Approves Extension of AI Regulation to Health and Auto Insurers

By: Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Benjamin Leb and Ned Terrace September 9, 2025

On August 20, 2025, Colorado’s Division of Insurance (the “Division”) adopted final amendments to its regulation on the Governance and Risk Management Framework Requirements for certain insurers that use external…

CCPA

CPPA Adopts Long Awaited Rulemaking Package

By: Avi Gesser, Johanna Skrzypczyk, HJ Brehmer and Melyssa Eigen July 25, 2025

The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other…

Artificial Intelligence

AI Discrimination Risk in Lending: Lessons from the Massachusetts AG’s Recent $2.5 Million Settlement

By: Avi Gesser, Johanna Skrzypczyk, Stephanie Thomas, Melyssa Eigen and Achutha Raman July 20, 2025

Using AI to make important decisions about individuals carries a risk of bias, especially for underwriting, credit, employment, and educational admission decisions. In this Debevoise Data Blog post, we discuss…

Artificial Intelligence

CIPA Litigation: Trends Regarding Tracking Technology and AI

By: Avi Gesser, Jim Pastore, Matt Kelly, Johanna Skrzypczyk, Gabriel Kohan, Joshua Plastrik and Annabella M. Waszkiewicz June 4, 2025

Many businesses use customer-tracking technology and other tools—such as pixels, session replay, software development kits (“SDKs”), and chatbots—to improve website user experiences, understand customer behavior, train their technology, and gauge…

Cybersecurity

Maturing Compliance with the Bulk Sensitive Data Rule (Data Security Program) before the July 8, 2025 Safe Harbor Expires

By: Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna Skrzypczyk and Mengyi Xu May 28, 2025

All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202), and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the…

CCPA

CPPA Proposed Rulemaking Package Part 3 – Privacy Requirements

By: Avi Gesser, Johanna Skrzypczyk, Mengyi Xu, Melyssa Eigen and Katie Heath May 5, 2025

In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the California Privacy Protection Agency (the “CPPA”)’s proposed rulemaking package (the “Draft Regulations”). In Part 2,…

CCPA

Privacy Enforcement: Shift Toward Cookie Consent?

By: Avi Gesser, Johanna Skrzypczyk, Melyssa Eigen, Ned Terrace and Michelle Shen April 24, 2025

On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s (the “Company”…