

Children’s Data Privacy: PRC and U.S. State Law Updates for Colleges and Universities
Following a December 29, 2025 notice published by the Cyberspace Administration of China, institutions that handle personal information of children in China must report on their handling activities by January 31 each year (starting January 31, 2026); several recently effective U.S. state comprehensive data privacy laws impact whether/how institutions may engage in targeted advertising to minors; the same U.S. state laws also impact whether/how institutions may “sell” minors’

Emma Bahner, XL Law & Consulting
1 day ago · 6 min read


China Penalizes Dior for PIPL Violation
China’s Ministry of Public Security (“MPS”) penalized Dior Shanghai for breaching personal information protection obligations, following an investigation into a data breach incident. MPS identified the following violations during the investigation: failure to implement a cross-border transfer mechanism; failure to fully inform data subjects about how their personal information would be handled by an overseas recipient; failure to obtain separate consent for cross-border trans

Rose Li, XL Law & Consulting
Dec 15, 2025 · 4 min read


EU AI Act Approach to General-Purpose AI Models Takes Shape: Takeaways for IHEs
On August 2, 2025, provisions of the EU AI Act addressing large “general-purpose AI” (GPAI) models took effect. The provisions include transparency and copyright compliance obligations for all GPAI models and heightened safety and security obligations for GPAI models with “systemic risk.” For institutions of higher education adopting and using AI tools powered by large GPAI models, these provisions will likely produce useful information for conducting due diligence and framin

Alan Grose, XL Law Consulting
Dec 9, 2025 · 8 min read


The DOJ Sensitive Data Rule: A Race to Compliance Maturity
On October 6, 2025, the final provisions of the DOJ Sensitive Data Rule took effect, completing the framework for the DOJ’s Data Security Program. Institutions engaging in relevant data-sharing activities should move quickly to ensure compliance. On October 6, 2025, the last provisions of 28 C.F.R. Part 202, “Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (“DOJ Rule”) took effect, completing the regulatory

Alan Grose, XL Law Consulting
Dec 2, 2025 · 6 min read


China Issues New Requirements for Handling of Sensitive Personal Information
On April 25, 2025, TC260 issued the recommended standard Data Security Technology – Security Requirements for Handling of Sensitive...

Rose Li, XL Law & Consulting
Aug 6, 2025 · 5 min read


China Releases Guidelines on Reporting the Appointment of Data Protection Officers
On July 18, 2025, the CAC issued guidance on reporting the appointment of personal information protection officers. Handlers that reached...

Rose Li, XL Law & Consulting
Jul 31, 2025 · 4 min read

