"No federal privacy law? Introducing 20 states — and counting."

— IAPP contributors Omer Tene & Jacqueline Klosek

Happy 2025! And welcome back to Snippets 👋 As always, we're bringing you the latest at the intersection of privacy and tech—plus today, we've got a baby glow-up for the New Year. Here's what's happening:

  • Privacy experts explore the legal outlook for state privacy laws, health and children's data protection, data brokers, and AI.
  • Proposed amendments to the HIPAA Security Rule, meant to strengthen the law's security provisions, were released for comment.
  • The FCC's data breach reporting rule may now be on the chopping block after a loss on net neutrality.
  • And more!
P.S. Along with our updated look, Snippets is moving to a bi-weekly cadence in 2025—now hitting your inbox every other Thursday morning. See you again on January 23!

2025 OUTLOOK

States set to fill the federal privacy void in 2025

With privacy and AI regulation stalled at the federal level—a trend experts predict will continue under the Republican trifecta—states are working to pass their own increasingly robust laws.
  • State privacy laws: By the end of 2025, 16 states will have comprehensive privacy laws in effect—with even more set to pass throughout the year.
  • Data broker crackdown: States like California, Texas, and Oregon will likely pursue stricter data broker regulations, while regulatory agencies like the FTC are set to ramp up enforcement against sensitive data misuse.
  • AI regulation: With President-elect Trump promising to repeal Biden's AI executive orders, states like Colorado, California, and Texas are already advancing their own regulations with provisions on AI decision-making, transparency, and safety.
  • Litigation surge: Despite some favorable rulings for businesses, class-action lawsuits and arbitration are still on the rise—with plaintiffs using a range of laws to bring legal challenges.

TRANSCEND NEWS

💡 Lessons for approaching a privacy transformation migration

This time of year, it’s not just calendars that have flipped. Many companies are also entering a season of fresh starts, new ideas, and reimagining their path forward.

Finding solutions that are easy to use and better address the deeply technical challenges of modern privacy regulation is top of mind for many—but moving away from legacy solutions can feel daunting.

That’s why Ron De Jesus, Transcend’s Field Chief Privacy Officer, is sharing his top three lessons for rethinking migration and embracing a smarter way forward.

HIPAA

Amended HIPAA Security Rule released for public comment

The Department of Health and Human Services' Office for Civil Rights (OCR) has released proposed amendments to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
  • The proposed rule removes the distinction between "required" and "addressable" implementation specifications, so every specification becomes mandatory. That makes encryption of electronic protected health information (ePHI) at rest and in transit a requirement, with limited exceptions.
  • It also prescribes specific, mandatory risk analysis steps: maintaining an inventory of technology assets and a network map, identifying reasonably anticipated threats and vulnerabilities, and assessing the likelihood and impact of each risk.
  • It would add strict timing requirements as well, including a 72-hour deadline to restore the relevant electronic information systems and data after a loss, and 24-hour notification to other regulated entities when a workforce member's access to ePHI is changed or terminated.

CHALLENGE

The FCC's data breach reporting rule under threat after net neutrality loss

The Sixth Circuit's decision striking down the Federal Communications Commission's (FCC) net neutrality rules, and the precedent it relied on, may now threaten the agency's data breach reporting rule.
  • The net neutrality ruling leaned on the Supreme Court's decision in Loper Bright Enterprises v. Raimondo, which overturned Chevron deference, the longstanding doctrine under which courts deferred to an agency's reasonable interpretation of an ambiguous statute.
  • The FCC's breach reporting rule is now under the same scrutiny, drawing criticism from former FCC Commissioner Robert M. McDowell, who argues that the agency exceeded its statutory authority in adopting and enforcing the rule.
  • A new case challenging the breach reporting rule, citing the same Supreme Court precedent and led by the same trade group, has now been brought before the Sixth Circuit.

IN OTHER NEWS
  • Google to face class action around mobile phone privacy.
  • Apple to settle Siri lawsuit for $95 million.
  • Cybertruck explosion case has raised privacy concerns.
  • Carnegie Mellon launches new part-time Master’s in Privacy.
  • Colorado releases updated rules ahead of privacy act amendment.

RESEARCH

How has the GDPR impacted AI innovation?

New research is exploring whether AI development could shift to less data-intensive methods, with authors of a recent paper suggesting developers in the EU may be more motivated to make this change due to rising data processing costs.
  • The paper’s authors classified AI models into a few categories: data-intensive deep-learning models, data-saving models that use prior or repurposed knowledge, and synthetic models that generate their own training sets.
  • While patents for data-intensive models outpaced those for data-saving models in the 2010s, there was a clear shift in 2018 after GDPR went into force: transfer learning patents increased by 185%, while synthetic model patents increased by 86%.
  • The authors argue that while the GDPR has influenced a shift towards data-saving models in the EU, it also dampened innovation by placing larger compliance burdens on small businesses.

FINE

EU Commission fined for violating its own privacy laws

For the first time, the EU General Court has ordered the European Commission (EC) to pay damages for breaching EU data protection law. EU institutions are bound not by the General Data Protection Regulation (GDPR) itself but by its counterpart for EU bodies, Regulation (EU) 2018/1725, which carries the same restrictions on international transfers.
  • The court awarded €400 in non-material damages to a German citizen whose data was transferred to the U.S. after he used the "Sign in with Facebook" option to register for a conference run by the EC.
  • The court found that, by offering the Facebook login link, the EC caused personal data including the citizen's IP address to be transferred to Meta in the U.S. without adequate safeguards; a parallel claim over data sent to Amazon's U.S. infrastructure was dismissed.
  • The amount is small, but the ruling shows the EU's own institutions being held to the same transfer rules the GDPR imposes on private organizations, where penalties can reach 4% of annual worldwide turnover.

TRANSCEND NEWS

Transcend launches the search for our CISO in residence!

Privacy and security are two distinct disciplines that are increasingly converging to address shared challenges. In fact, IDC reports that 68% of organizations’ privacy policies and initiatives are driven by the CISO.

At Transcend, we see this convergence as an opportunity to offer more to our community. That’s why we’re introducing the privacy industry’s first-ever “CISO in Residence” program—a groundbreaking initiative designed to embed security expertise into the heart of privacy leadership.

Snippets is delivered to your inbox every other Thursday morning by Transcend. We're the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack. Learn more.

You received this email because you subscribed to Snippets. Did someone forward this email to you? Head over to Transcend to get your very own free subscription! Curated in San Francisco by Transcend.