Privacy – Debevoise Data Blog

Announcement

Debevoise Data Blog: Top 5 Privacy Posts of 2025

By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Robert Maddox, Julie M. Riewe, Kristin Snyder, Rick Sofield, Sheena Paul, Johanna Skrzypczyk, HJ Brehmer, Martha Hirst, Suchita Mandavilli Brundage, Melyssa Eigen, Ned Terrace, Michelle Shen, Diane Bernabei and Mengyi Xu December 11, 2025

As we approach the end of the year, here are the top 5 privacy posts on the Debevoise Data Blog in 2025. Takeaways for Large Firms from the SEC’s Reg…

Artificial Intelligence

CIPA Litigation: Trends Regarding Tracking Technology and AI

By: Avi Gesser, Jim Pastore, Matt Kelly, Johanna Skrzypczyk, Gabriel Kohan, Joshua Plastrik and Annabella M. Waszkiewicz June 4, 2025

Many businesses use customer-tracking technology and other tools—such as pixels, session replay, software development kits (“SDKs”), and chatbots—to improve website user experiences, understand customer behavior, train their technology, and gauge…

CCPA

CPPA Proposed Rulemaking Package Part 3 – Privacy Requirements

By: Avi Gesser, Johanna Skrzypczyk, Mengyi Xu, Melyssa Eigen and Katie Heath May 5, 2025

In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the California Privacy Protection Agency (the “CPPA”)’s proposed rulemaking package (the “Draft Regulations”). In Part 2,…

CCPA

Privacy Enforcement: Shift Toward Cookie Consent?

By: Avi Gesser, Johanna Skrzypczyk, Melyssa Eigen, Ned Terrace and Michelle Shen April 24, 2025

On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s (the “Company”…

DORA

European Data Protection Roundup – January 2025

By: Robert Maddox, Martha Hirst, Ned Terrace, Olivia Halderthay and Christina Newall February 28, 2025

Our top five European data protection developments from January are: UK ransomware reporting proposals. The UK Government released a consultation on ransomware related legislative proposals, including possible reporting obligations and…

Enforcement

FTC’s Consent Order Against Marriott: Expectations for Reasonable Security

By: Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom, Mengyi Xu, Achutha Raman and Michelle Shen January 30, 2025

Introduction On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC…

Automated Decision Making

European Data Protection Roundup – June 2024

By: Robert Maddox, Friedrich Popp, Fanny Gauthier, Sophie Michalski, Léa Lascoux, Deniz Tanyolac and Samuel Thomson July 30, 2024

Our top five European data protection developments from June are: Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft…

Cybersecurity

The SEC Adopts Significant Cybersecurity Amendments to Reg S-P

By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Sheena Paul, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Anna Moody, Johanna Skrzypczyk, Suchita Mandavilli Brundage and Ned Terrace May 17, 2024

On May 16, 2024, the SEC adopted amendments to Regulation S-P (“Reg S-P”) one year after its proposed amendments (the “Proposed Amendments”). The finalized amendments (“Amended Reg S-P”) largely track…

CJEU

European Data Protection Roundup – January 2024

By: Robert Maddox, Friedrich Popp, Fanny Gauthier, Martha Hirst, Jeevika Bali, Samuel Thomson and Alexia Turpin February 28, 2024

Key takeaways from January include: Transparency about data processing and retention: In a reminder of the importance of transparency under the GDPR, and the need for companies to make their…

Automated Decision Making

European Data Protection Roundup – December 2023

By: Robert Maddox, Friedrich Popp, Sergej Bräuer, Fanny Gauthier, Aisling Cowell, Martha Hirst, Oliver Binns, Ryan Fincham, Samuel Thomson and Alexia Turpin January 25, 2024

Key takeaways from December include: Concept of non-material damage under GDPR: In an expansive reading of the right to compensation under GDPR, a data subject’s fear that their personal data…