Healthcare providers and their business associates frequently face difficult questions about when they may share protected health information with the family members and friends of the patients they serve. These questions often require consideration of a number of different laws and rules, such as HIPAA, federal alcohol and drug abuse confidentiality regulations, state mental health laws, ethical obligations and so on. In what is sure to be welcome guidance, the U.S. Department of Health and Human Services (HHS) has released new FAQs explaining how the HIPAA Privacy Rule operates to protect individuals’ privacy rights with respect to their mental health information and in what circumstances the Privacy Rule permits health care providers to communicate with patients’ family members and others.

The guidance reminds covered entities and business associates of, among other things, the heightened protections for psychotherapy notes, a parent’s right to access the protected health information of a minor child, the application of state laws that provide more stringent protections than HIPAA, and the intersection of HIPAA and FERPA in a school setting. However, many of the FAQs also address specific issues and scenarios that will be helpful to providers and their business associates. For example, the FAQs address topics such as:

  • Communicating with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicating with the parent of a patient who is a minor;
  • Assessing the patient’s capacity to agree or object to the sharing of their information; and
  • Determining whether to tell family members, friends, or others that a patient has stopped taking prescribed medications or other therapies.

There are, to be sure, clear limits on a provider’s ability to share mental health information in the circumstances described in this guidance; however, considerable discretion is also extended to providers. For instance, when it is suspected that a patient does not have the capacity to agree or object to the sharing of personal health information, providers, in addition to determining whether the patient has in fact lost capacity, have significant concerns about whether and under what circumstances they may share the patient’s mental health information while the patient is in that state. According to the FAQs, a patient has lost capacity when he or she is unconscious, and loss of capacity may also include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. In those cases and others where capacity is lost, the provider is allowed to discuss the patient’s condition or treatment with a family member if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of his or her information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.

Providers and business associates that provide mental health services or otherwise handle mental health records should review this guidance and the other applicable federal and state laws that affect their handling of this information, and make any appropriate changes in their policies and procedures. Discussing this guidance with workforce members is a good opportunity to provide another reminder about the need for privacy and security of protected health information.

Takeaways

Educational Institutions use Software as a Service platforms to facilitate operations, but doing so carries significant risk that needs to be carefully managed. Strong vendor oversight, tight contracts, and incident response planning are critical to protecting personal data down the chain.

An EdTech vendor whose platform is used by thousands of educational institutions recently experienced a significant cybersecurity incident impacting millions of students.  The incident left customers of the platform legally and reputationally exposed—and answering difficult questions in their local communities.  This incident is not unique and highlights the importance of vendor management to effective data protection programs.

  1. The Education Technology Sector Is a High-Value Target

Lesson: Educational institutions possess a wide range of data and have become frequent targets for attack.

Educational institutions maintain large volumes of personal data related to their students and their families, as well as their teachers and other employees. These troves of data—which may be subject to federal laws like The Family Educational Rights and Privacy Act (FERPA), as well as state reasonable safeguard and breach notification laws—have made educational institutions attractive marks for cyber attackers.  So too has their reputation for underinvesting in their data security programs.  

  2. Third-Party Contractor ≠ Reduced Liability

Lesson: Educational institutions remain legally and reputationally exposed even when their vendor stores data on their behalf.

While engaging a vendor can, in some ways, simplify the process of protecting data—because the vendor handles the logistics and incurs the costs of maintaining administrative, physical, and technical safeguards to secure that data—this is not a “set it and forget it” situation. Even if the vendor stores all of the data at issue, the educational institution will be the party statutorily obligated to notify and report in the event of a breach and will likely be a defendant or subject of ensuing litigation or regulatory investigation. In other words, educational institutions can outsource the function of handling their data but cannot outsource the consequences if it’s handled improperly.

  3. The Scope of Data Covered by Data Protection Laws Is Broad

Lesson: Even breaches of less “sensitive” data create meaningful risk.

Reports indicate that the data accessed in the recent breach included names, email addresses, student IDs, and messages.  Although these data elements are less “sensitive” than SSNs, financial account information, or medical information, their breach may still trigger notification and reporting obligations under state data protection laws, like New York Education Law § 2-d.  Thus, educational institutions cannot safely assume that the disclosure of “lower risk” data eliminates legal or operational exposure.  Instead, they must conduct a thorough analysis of the incident and carefully assess resulting obligations.

  4. Operational Resilience Is Necessary to Avoid Operational Disruption

Lesson: Operational disruption is a key privacy risk multiplier.

The breach occurred around final examinations for many educational institutions, disrupting students and educators alike. It also forced operational staff to rapidly navigate technological, availability, and continuity challenges. Operational resilience measures, like data backups and well-crafted and well-rehearsed incident response plans, are essential to minimizing the harm caused by these incidents.

  5. Strong Risk Management Requires Continuous Vendor Monitoring

Lesson: Constant diligence is required.

Vetting vendors prior to engaging them is critical to an effective vendor management program. So too is carefully reviewing vendor agreements to ensure they include key data protection provisions. But vendor management doesn’t end at the time of engagement. Instead, it’s an ongoing process that should include, among other things, exercise of audit rights, monitoring of vendor subcontractors, and periodic revisiting of vendor agreements. Use of vendors is unavoidable, as are vendor breaches. Where educational institutions do have control, and can mitigate risk, is in the diligent oversight of those vendors.

***

For additional information about managing the vendors that manage your data, please contact Jackson Lewis’ Privacy, AI & Cybersecurity team.

The governor of Alabama recently signed House Bill 351, which establishes a consumer data privacy law for the state. The law takes effect May 1, 2027.

To whom does the law apply?

The law applies to controllers that conduct business in Alabama or produce products or services targeted to Alabama residents, if they either:

(1) control or process the personal data of more than 25,000 consumers, excluding data processed solely to complete a payment transaction, or

(2) derive more than 25 percent of gross revenue from the sale of personal data. 

The Act does not apply to various entities, including political subdivisions and certain public bodies, institutions of higher education, certain securities associations, certain financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, certain small businesses with fewer than 500 employees that do not sell personal data, certain nonprofits with fewer than 100 employees that do not sell personal data, certain regulated entities under specified Alabama statutes, certain political organizations and data sellers serving them, and certain electric providers. 

Who is protected by the law?

The law protects “consumers,” defined as individuals who are residents of Alabama. It excludes individuals acting in a commercial or employment context.

The law also specifically allows a parent or legal guardian to exercise rights on behalf of a known child, and a guardian or conservator to exercise rights on behalf of a consumer. 

What data is protected by the law?

The law protects “personal data,” defined as information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data and publicly available information. 

The law defines “sensitive data” to include: data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.

What are the rights of consumers?

Under the law, consumers may require a controller to do the following:

  • Confirm whether the controller, processor, or third party acting on the controller’s behalf is processing the consumer’s personal data and access that data;
  • Correct inaccuracies;
  • Delete personal data;
  • Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
  • Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions. 

A controller must respond to a consumer request within 45 days, subject to a possible 45-day extension when reasonably necessary, and must explain if it declines to act.

Controllers must allow opt-out requests through a clear and conspicuous link on the controller’s website to a webpage that enables the consumer directly to opt out of targeted advertising or the sale of personal data, or to provide up-to-date contact information for submitting the opt-out request. 

What obligations do controllers have?

Controllers must:

  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. 

Controllers may not process personal data for purposes that are not reasonably necessary to or compatible with disclosed purposes, process sensitive data without consent (or, for known children, outside COPPA-compliant processing), process data in violation of discrimination laws, or process personal data for targeted advertising or sell personal data without consent where the controller has actual knowledge that the consumer is at least 13 and younger than 16. 

Controllers may not deny goods or services, charge different prices or rates, or provide a different level of quality because a consumer opted out, although the law allows certain loyalty and reward programs. 

Controllers must establish and describe in the privacy notice one or more secure and reliable means for consumers to submit requests to exercise their rights and may not require consumers to create a new account to do so, though they may require the use of an existing account. 

Controllers also have obligations regarding deidentified and pseudonymous data, including taking measures to ensure deidentified data cannot reasonably be associated with an individual, refraining from reidentifying deidentified data, contractually obligating recipients of deidentified data to comply with the statutory requirements, and exercising reasonable oversight over disclosures of pseudonymous or deidentified data.

How is the law enforced?

The Alabama Attorney General may enforce violations of the Act. 

Before initiating an action, the Attorney General must issue a notice of violation to the controller. If the controller fails to correct the violation within 45 days after receipt of the notice, the Attorney General may bring an action for an injunction.

If the court finds a violation and failure to cure, it may assess a civil penalty of up to $15,000 per violation. If the controller cures within the 45-day period and provides an express written statement that the violations have been corrected and will not recur, no action may be initiated. 

If you have questions about Alabama’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Service providers often receive or access a customer’s personal information when performing contracted services. In the employment context, service providers may include payroll processors, Human Resource Information System (HRIS) or Applicant Tracking System (ATS) platforms, outsourced IT support, data storage, AI tool providers, or security services.

Under the EU and UK General Data Protection Regulations (GDPR), an employer (data controller) is required to execute a written data processing agreement (DPA) with a service provider (data processor) who will receive or access employee personal data. The DPA is intended to protect the rights of employees and ensure that service providers process their personal data in a compliant manner.

A GDPR DPA must contain a meaningful description of the processing activities (i.e., the subject matter and duration, nature and purpose, categories of personal data, and data subjects) and specific non-negotiable provisions. These mandated provisions include, for example:

  • processing solely on the data controller’s documented instructions,
  • data breach notification obligations,
  • restrictions on sub-processor engagement,
  • processor reasonable safeguards,
  • authorization for onward transfers of data,
  • assistance with data processing impact assessments and data subject access requests,
  • deletion or return of data, and
  • audit rights.

In addition, if an employer transfers employee personal data from the EU or UK to a service provider in a third country that lacks an “adequacy decision” (e.g., the U.S.) or permits the service provider to access employee personal data in the EU or UK from a third country, the parties must use an appropriate “transfer mechanism”. This may require appending the EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreement (IDTA) to the DPA and completing a documented Transfer Impact Assessment.

While a GDPR DPA requires specific provisions, the employer may incorporate additional terms tailored to its interests. Common additions include indemnification provisions and limitations on liability for data-specific risks such as the processor’s material breach of the DPA, violation of applicable data protection law, or a personal data breach. The parties may negotiate the implementation terms for certain mandated provisions, such as the window for breach notification; the scope, frequency, and cost allocation of an audit; the manner for approving sub-processors; or whether personal data will be returned or deleted upon completion of the services. Although the DPA terms must require a processor to implement appropriate security measures to safeguard personal data, the GDPR is not prescriptive about specific measures. As a result, the employer should specify the required technical safeguards, as appropriate to the sensitivity of the employee’s personal data and the processing activity.

Even though certain provisions are required, every DPA should also be tailored to the specific processing activity, the nature and sensitivity of the personal data, and the employer’s risk exposure. Without this tailoring, a GDPR DPA may be non-compliant or create unnecessary risk for the employer and its personal data. To help manage this risk and prevent delays in the contracting process, employers can prepare and maintain a DPA template that reflects their interests and specific requirements and can be tailored to the processing activity.

If you have questions about drafting, reviewing, or negotiating a DPA – under the GDPR or another data protection framework – please feel free to contact the Jackson Lewis Privacy, AI & Cybersecurity team.

When assisting businesses with the commercial aspects of the California Consumer Privacy Act, we advise them that this same law, with “consumer” in its name, also applies to data related to job applicants, employees, contractors, and other California residents. Some are surprised, but we then get to work addressing the nuanced issues that arise because certain CCPA provisions do not neatly fit the employment relationship.

Fortunately, last month, the California Privacy Protection Agency (CPPA) issued an invitation for preliminary comments on potential updates to CCPA regulations addressing notices and disclosures and the handling of employee data. So, if you have questions or concerns about the CCPA’s application to employment information, you can submit that feedback by May 20.

The CPPA is considering whether to amend existing regulations or adopt new rules governing privacy notices (e.g., privacy policies, notices at collection, and rights notices) and their application to workforce data.  In short, the CPPA is seeking stakeholder input on both consumer-facing disclosures and employment lifecycle data practices, including hiring, active employment, and offboarding. Notably, the agency is offering this opportunity not only to businesses, but also to employees, applicants, and other consumers.

Key Areas for Consideration

Employee Notice Timing and Delivery: The CPPA asks when and how employees receive notices (e.g., at hiring, during employment, or at offboarding), highlighting uncertainty around optimal timing and format for workforce-specific disclosures.

Application of CCPA Rights in the Employment Context: The CPPA also is seeking input on a pain point for employers, namely managing the exercise of consumer rights under the CCPA. This includes questions about applicants’ and employees’ experiences exercising access, deletion, or correction rights, suggesting a need for clearer rules on scope, verification, and operational workflows for HR data. An example of one question:

Have you exercised your CCPA rights as a job applicant or employee?

a. Describe your experience exercising your rights.

b. Describe any challenges you experienced when exercising your rights.

c. Do you have any suggestions on how to improve the experience?

In some cases, employers face challenges with the nature, scope, and purpose of such consumer rights requests from applicants and employees (including former employees as well as independent contractors).

Oversight of Service Providers and Contractors: The CPPA is probing how businesses monitor vendors’ compliance (e.g., audits, testing), indicating potential future guidance on accountability frameworks and due diligence expectations in the employment data ecosystem.

As noted, the CPPA is accepting preliminary comments through May 20, 2026, and feedback at this stage may shape future proposed regulations. Contact us if you would like to discuss how these developments may impact your organization or are interested in submitting comments to help shape the regulatory process to address your business needs.

Every so often a law that was passed years ago quietly becomes a present-day compliance reality. Section 24220 of the 2021 Infrastructure Investment and Jobs Act is one of those laws. Tucked into an eleven-hundred-page infrastructure bill with little public debate, the “kill switch law,” as it has come to be known by some, awaits implementing regulations. The law has triggered debates in Congress seeking to defund it, as well as a great deal of hand-wringing over privacy and data governance questions that businesses, fleet operators, and their legal counsel are trying to answer before the technology becomes standard equipment in new vehicles.

What the Law Actually Requires

Section 24220 directs the National Highway Traffic Safety Administration (NHTSA) to require that all new passenger vehicles be equipped with what the statute calls “advanced drunk and impaired driving prevention technology.” In practical terms, the law contemplates two types of systems:

  • A passive performance-monitoring system that continuously observes a driver’s behavior and restricts or prevents vehicle operation if the system determines the driver may be impaired; or
  • A blood-alcohol detection system that prevents or limits operation when BAC meets or exceeds the legal limit of 0.08%.

Manufacturers can deploy either type, or a combination. The technology could involve cameras monitoring eye movement, sensors analyzing steering and braking patterns, or touch-based biometric readers built into the steering wheel or ignition surface. It also could leverage AI. NHTSA is still finalizing the technical standards — a detail that matters, because the specific data collection methods will drive (no pun intended) privacy and security compliance. Notably, many of these features and capabilities – often embedded in devices referred to as “dashcams” – have already become popular in fleet vehicles.

The January 2026 Vote — and What It Means That It Failed

Earlier this year, Representative Thomas Massie introduced an amendment to a budget bill that would have defunded Section 24220 entirely, blocking NHTSA from spending any funds on implementation or enforcement. The amendment failed 229–201, with 57 Republicans joining 211 Democrats in opposition. Repeal legislation (the No Kill Switches in Cars Act, H.R. 1137) remains stalled. Barring an unexpected reversal, the mandate goes forward.

Why Privacy Lawyers Are Paying Attention

Despite concerns about “Big Brother” and references to Orwell’s novel, 1984, the statute does not give the government a remote kill switch. No federal agency can log into your vehicle and disable it. The technology would operate through onboard software, and the decision to restrict operation is made by the vehicle’s own algorithms — not by a government operator.

That distinction is real and legally significant. But it does not exhaust the privacy concerns, not by a long shot. A decision to restrict operation of the vehicle is still being made by something other than the driver.

Whether the system uses cameras, eye-tracking, biometrics, or driving pattern analysis, it is continuously collecting sensitive behavioral and physiological data about the driver. It is generated, stored — somewhere — and potentially transmitted. To whom? Under what retention schedule? With what security controls? The statute is silent. NHTSA’s rules are not yet final. The answers will depend heavily on what manufacturers build and what their privacy policies and terms of service say.

Additionally, new vehicles are networked, able to connect to manufacturer cloud infrastructure, and many connect to insurers, fleet management platforms, and dealership service systems. An open question raised during the funding debate is whether insurance companies or law enforcement could access impairment event data without the driver’s knowledge or a warrant. The Fourth Amendment analysis in that context is genuinely unsettled.

Beyond privacy concerns, some have raised the potential for fleet-wide attacks:

Unlike traditional vehicle theft or individual hacks, networked kill switch systems create the potential for mass-casualty cyberattacks. Research from Georgia Tech has modeled scenarios where:

  • Simultaneously activating kill switches on millions of vehicles could shut down entire transportation networks
  • Supply chain disruptions from disabled commercial vehicles could affect food, fuel, and medical supply delivery
  • A Consumer Watchdog report estimated a fleet-wide hack could cause approximately 3,000 deaths from a single coordinated breach.

The “kill switch jail” problem.

The statute contains no provision defining how a driver challenges or overrides a lockout once the system flags impairment. There is no appeal mechanism, no defined waiting period, no human review. A false positive — a sober driver whose steering pattern triggers the algorithm — could leave that person stranded with no clear recourse, raising significant liability, worker safety, and consumer protection concerns.

The fleet and employer liability problem.

Businesses that operate vehicle fleets — delivery companies, field services organizations, transportation providers — will have vehicles generating continuous data streams about their drivers, raising employment privacy considerations: What does the employer know? When do they know it? What state monitoring disclosure obligations apply? Will the technology trigger policy and consent obligations, such as in states with strong biometric privacy laws? Are risk assessments required?

What Businesses Can Be Doing Now

As the NHTSA continues its work on implementing regulations, a few action items worth considering:

  • If your organization currently leverages similar technology in vehicles used in the business, take a look at Dashcams: There’s More Risk To Manage Than You’d Expect.
  • Fleet operators should assess what data their vehicle management agreements and manufacturer privacy policies say about impairment event data — specifically who receives it, how long it is retained, and under what circumstances it is disclosed to third parties including law enforcement. Existing driver monitoring policies may need to be reviewed and updated.
  • HR and employment counsel should evaluate whether the passive monitoring and biometric data components of compliant vehicles trigger state-level employee monitoring notification laws (several states require advance notice before monitoring employees’ electronic activity) or biometric data statutes like Illinois BIPA. The analysis will vary by jurisdiction, but the risk of inaction is higher in states with private rights of action.
  • Privacy program managers should flag newly acquired vehicles as a data asset in enterprise data inventories. Vehicle-generated data — particularly behavioral and biometric data about identified individuals — may fall within the scope of state consumer privacy laws depending on how it is collected, processed, and shared.
  • Risk and compliance teams should watch NHTSA’s rulemaking closely. The final technical standards will determine which specific data elements are collected and by what methods.

The Broader Trend

Section 24220 is not an isolated development. It reflects a broader pattern of embedded sensors and passive monitoring becoming standard infrastructure in physical environments — vehicles, workplaces, commercial buildings — generating continuous data streams about individuals going about their ordinary daily activities. The challenge, which legislatures, regulators, and businesses are only beginning to confront, is how to govern systems that never stop collecting.

On March 20, 2026, Oklahoma’s Governor signed Senate Bill (SB) 546, which establishes a consumer data privacy law for the state. Oklahoma’s law takes effect January 1, 2027.

To whom does the law apply?

The law applies to controllers (or processors) operating in the state and handling data for:

  • at least 100,000 consumers; or
  • at least 25,000 consumers, while earning over half of their revenue from selling personal data.

There are certain exemptions for state agencies and their service providers, financial institutions covered by the Gramm-Leach-Bliley Act, entities covered by HIPAA/HITECH, non-profit organizations, and institutions of higher education.

Who is protected by the law?

A consumer protected under the legislation is defined as an individual who is a resident of Oklahoma, acting only in an individual or household capacity. A consumer does not include a person acting in a commercial or employment context.

What data is protected by the law?

The law protects “personal data,” which means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.

“Sensitive data” is given additional protection and includes the following:

  • Personal data revealing racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal data
  • To correct inaccurate personal data
  • To delete personal data maintained by the controller
  • For data available in a digital format, to obtain a copy of their personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance
  • To opt out of the processing of personal data for targeted advertising, sale, or certain profiling

Controllers must respond within 45 days to consumers’ requests under the law, with one additional 45-day extension when reasonably necessary. If declining to act, the controller must explain why and provide appeal instructions.

What obligations do controllers have?

Similar to other state comprehensive privacy laws that have been enacted over the last several years, controllers in Oklahoma must, among other things:

  • Comply with data minimization principles, including limiting the collection of personal data to what is adequate, relevant, and reasonably necessary;
  • Perform data protection assessments relating to certain data processing activities, including processing sensitive data;
  • Provide a reasonably accessible and clear privacy notice to consumers;
  • Include certain provisions in agreements with processors concerning personal data;
  • Maintain reasonable administrative, technical, and physical security practices;
  • Avoid processing for incompatible purposes without consent;
  • Avoid unlawful discrimination and discriminating against consumers for exercising their rights; and
  • Obtain consent before processing sensitive data and comply with COPPA for known children.

How is the law enforced?

The Attorney General has exclusive authority to enforce the law. Violators may incur a fine of up to $7,500 per violation. The law makes clear that it shall not be construed as providing a basis for a private right of action for a violation of its provisions.

If you have questions about Oklahoma’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

U.S. organizations have long focused on federal requirements governing international data transfers. But a growing wave of state enforcement—particularly in Florida and Texas—signals that regulators are increasingly scrutinizing how companies move sensitive data outside the United States, especially when foreign adversaries may be involved. Recent developments suggest organizations should reassess their data flows, vendor relationships, and ownership structures to understand where sensitive information may ultimately land.

Federal Rule Raises the Stakes on Cross-Border Data Transfers

The Department of Justice (DOJ) took a significant step in 2024 when it began implementing regulations restricting certain outbound transfers of sensitive U.S. personal data to entities linked to “countries of concern,” including China, Iran, and North Korea. The rule targets transfers of large volumes of sensitive data—such as precise location data, biometric identifiers, genomic data, and other categories—where access by foreign adversaries could pose national security risks.

As discussed in our earlier analysis of the rule, the framework focuses on transactions involving “covered data” and “covered persons,” and in some cases prohibits transfers outright or requires companies to implement security controls, diligence processes, and recordkeeping obligations. Organizations subject to the rule must examine their vendor relationships, data brokerage arrangements, and service provider agreements to determine whether the transfers fall within the regulation’s scope.

Yet while the DOJ rule represents a significant federal development, enforcement activity suggests that federal regulators are only part of the story.

States Filling the Enforcement Gap

States are increasingly stepping into what some see as a federal enforcement gap. According to recent reports, states have launched more than a dozen investigations or lawsuits related to U.S. consumer data transfers to China or other foreign actors. These actions have targeted companies across multiple sectors—not just traditional data brokers, but also firms handling consumer electronics, genetic data, and online marketplaces.

State regulators often lack explicit authority over national security concerns. As a result, they are using other tools, including consumer protection laws, unfair or deceptive practices statutes, and state privacy statutes, to investigate companies whose data practices may expose Americans’ information to foreign entities.

Texas has been among the most aggressive jurisdictions, filing actions against several companies, illustrating how states may combine allegations related to privacy practices with broader consumer protection claims. Florida, meanwhile, is emerging as another focal point for state enforcement.

Florida Launches Dedicated Unit Targeting Foreign Data Risks

In February 2026, Florida Attorney General James Uthmeier announced the creation of a new enforcement team dedicated to investigating foreign access to Americans’ data. The initiative—called the Consumer Harm from International and Nefarious Actors (CHINA) unit—will pursue both civil and criminal investigations involving foreign corporations’ data practices.

The new unit plans to focus heavily on companies that collect sensitive personal information, including biometric and demographic data. Health care organizations, in particular, may face heightened scrutiny given the sensitivity of the information they handle.

According to the attorney general’s office, the unit will ramp up subpoenas, investigations, and lawsuits under Florida consumer protection laws. The effort is designed not only to address potential risks within Florida but also to serve as a model for other states considering similar initiatives.

Florida’s Investigation Into Lorex Signals Broader Scrutiny

Florida has already begun investigating companies suspected of exposing consumer data to foreign surveillance risks. One notable example is Lorex Corp., a surveillance camera manufacturer that has faced investigations and litigation in several states over alleged connections to Chinese ownership.

As part of Florida’s inquiry, authorities reportedly compelled the company to produce extensive information about its corporate structure, contracts, and software architecture. The investigation highlights a growing focus on how foreign ownership structures or technological dependencies could create pathways for sensitive data to leave the United States.

For organizations, the Lorex matter underscores a key compliance issue: regulators are looking beyond privacy notices and security practices to evaluate who ultimately has access to data—including corporate affiliates, overseas vendors, and parent companies.

Florida’s Offshore Data Law Adds Another Layer

Florida has also enacted legislation restricting certain transfers of health data outside the United States, sometimes referred to as the state’s “Offshore Data” restrictions. The law prohibits the storage of personal health information by healthcare providers using certified electronic health record technology (CEHRT) outside the United States, its territories, or Canada.

When combined with the DOJ rule and the state’s new enforcement unit, these laws create a regulatory environment in which organizations operating in Florida—or handling data about Florida residents—may face multiple overlapping compliance obligations.

Practical Takeaways for Organizations

These developments highlight a critical shift in how regulators view cross-border data transfers. Organizations should consider taking several steps:

  • Map data flows. Companies should understand where sensitive data is stored, processed, and transmitted—including by vendors and subcontractors.
  • Assess vendor and ownership risks. Regulators are paying closer attention to foreign ownership interests, corporate affiliations, and data access rights.
  • Review contracts and technical controls. Agreements with service providers should address cross-border data transfers and incorporate appropriate safeguards.
  • Monitor state developments. State enforcement efforts are expanding rapidly and may reach companies that previously focused primarily on federal requirements.

The combined pressure from federal regulators and an increasingly active group of state attorneys general suggests that scrutiny of foreign data transfers is likely to intensify. As states continue to explore creative ways to regulate cross-border data flows, organizations may find that compliance requires not only understanding where their data goes—but also who ultimately controls it.

Some years ago, I listened to Richard Susskind speak about the “Future of Professions” and, in his view, how systems like AI might replace them. Indeed, the disruption he predicted has largely materialized in recent years, as many assess what impact AI will have on certain professional services and knowledge-based occupations, such as attorneys, accountants, and healthcare professionals. The jury is still out, but while most believe professions will not be eliminated entirely, there most certainly will be some impact, driving the need for adaptation to market realities.

Artificial intelligence chatbots are increasingly being deployed across industries — from healthcare portals to legal tech platforms to financial services. As these tools take on more substantive roles, lawmakers are beginning to push back. New York Senate Bill S7263, introduced last year by Sen. Gonzalez, would impose meaningful liability on businesses that allow chatbots to stray into licensed professional territory.

What the Bill Would Do

S7263 would add a new section to New York’s General Business Law targeting “proprietors” — defined as any person, business, organization, institution, or government entity that owns, operates, or deploys a chatbot to interact with users. Notably, third-party developers who merely license their chatbot technology to a proprietor are explicitly excluded from this definition, though that distinction carries its own implications (more on that below).

The bill draws a hard line around two categories of regulated conduct:

Licensed professions. The bill lists a broad set of professional fields governed under New York’s Education Law — including medicine, dentistry, optometry, psychology, chiropractic, pharmacy, nursing, physical therapy, and others. A chatbot that provides substantive responses, information, or advice that would constitute unlicensed practice of any of these professions could expose its deployer to civil liability.

Legal practice. Chatbots would also be prohibited from providing responses that would amount to practicing law without admission to the New York bar — a significant concern given the explosive growth of AI-powered legal research and document tools.

The Disclosure Requirement

Beyond limiting what chatbots can say, S7263 would impose an affirmative disclosure obligation on all proprietors: users must receive clear, conspicuous, and explicit notice that they are interacting with an AI chatbot. The notice must appear in the same language the chatbot is using and in a font no smaller than the largest text elsewhere on the page. In other words, burying a disclosure in fine print or a terms-of-service page won’t cut it.

Liability and Enforcement

The bill would create a private right of action, allowing individuals to sue directly for actual damages. If a court finds the violation was willful, the proprietor faces actual damages plus attorneys’ fees and court costs — a provision that significantly raises the stakes for deliberate non-compliance.

Critically, the bill explicitly states that a disclaimer alone is not a defense. Simply telling users they are talking to a bot does not shield a proprietor from liability if that bot is providing advice that crosses into licensed professional practice.

What Steps Would Deployers Need to Consider?

If S7263 becomes law, organizations deploying customer-facing AI tools in New York should take several steps:

  • Audit chatbot scope. Review what questions your chatbot answers and whether any responses could be characterized as medical, legal, dental, psychological, or other licensed-professional advice. Restrict or redirect sensitive queries accordingly.
  • Implement robust disclosures. Design chatbot interfaces with prominent, plain-language notices that satisfy the font and language requirements in the bill.
  • Review vendor contracts. Even though third-party developers are excluded from the definition of “proprietor,” deployers should ensure their vendor agreements clearly address responsibility for chatbot behavior and include indemnification provisions.
  • Establish escalation paths. Build in clear handoffs to licensed professionals when users raise topics that fall within the bill’s restricted categories.

What Developers Should Consider

While S7263 would not directly impose liability on technology vendors and developers who license their systems to others, the bill creates downstream pressure that developers cannot ignore. Deployers will increasingly demand contractual assurances — and may seek to shift liability — when chatbot behavior triggers a claim. Developers should consider building configurable guardrails into their products that allow deployers to restrict professional-domain responses, and they should be transparent about the limitations of their systems in licensing documentation and product design.

The Bottom Line

If enacted, the law would establish that deploying AI in contexts involving regulated professional advice carries real legal risk — regardless of disclaimers. However, this and other measures like it signal an effort by professions to push back on technology that is changing the landscape for access to such services. Where this will end up remains unclear.

As Data Privacy Day 2026 approaches, organizations face an inflection point in privacy, artificial intelligence, and cybersecurity compliance. The pace of technological adoption, in particular AI tools, continues to outstrip legal, governance, and risk frameworks. At the same time, regulators, plaintiffs, and businesses are increasingly focused on how data is collected, used, monitored, and safeguarded.

Below are our Top 10 Privacy, AI, and Cybersecurity Issues for 2026.

1. AI Governance Becomes Operational and Enforceable

AI governance in 2026 will be judged less by aspirational principles and more by documented processes, controls, and accountability. Organizations using AI for recruiting, managing performance, improving efficiency and security, and creating content, among a myriad of other use cases, will be expected to demonstrate how AI systems are developed, deployed, and governed, considering a global patchwork of existing and emerging laws and regulations affecting AI and related technologies.

Action items for 2026:

  • Maintain an enterprise AI inventory, including shadow or embedded AI features.
  • Classify AI systems by risk and use case (HR, monitoring, security, consumer-facing).
  • Establish cross-functional AI governance (legal, privacy/infosec, HR, marketing, finance, operations).
  • Implement documentation and review processes for high-risk AI systems.

2. AI-Driven Workplace Monitoring Under Scrutiny

AI-enabled monitoring tools (dashcams, performance management solutions, wearables, etc.) are increasingly used to track productivity, behavior, communications, and engagement. These tools raise heightened concerns around employee privacy, fairness, transparency, and proportionality, especially when AI generates insights or scores that influence employment decisions.

Regulators and plaintiffs are paying closer attention to whether monitoring is over-collection by design, and whether AI outputs are explainable and defensible.

Action items for 2026:

  • Audit existing monitoring and productivity tools for AI functionality.
  • Assess whether monitoring practices align with data minimization principles.
  • Update employee notices and policies to clearly explain AI-driven monitoring.
  • Ensure human review and appeal mechanisms for AI-influenced decisions.

3. Biometrics Expand and So Does Legal Exposure

Biometric data collection continues to expand beyond fingerprints and facial recognition to include voiceprints, behavioral identifiers, and AI-derived biometric inferences. Litigation under Illinois’ Biometric Information Privacy Act (BIPA) remains active, but risk is spreading through broader definitions of sensitive data in state privacy laws.

Action items for 2026:

  • Identify all biometric and biometric-adjacent data collected directly or indirectly.
  • Review vendor tools to ensure compliance.
  • Update biometric notices, consent processes, and retention schedules.
  • Align biometric compliance efforts with broader privacy programs.

4. CIPA Litigation and Website Tracking Technologies Continue to Evolve

California Invasion of Privacy Act (CIPA) litigation related to session replay tools, chat features, analytics platforms, and tracking pixels remains a major risk area, even as legal theories evolve. AI-enhanced tracking tools that capture richer interactions only heighten exposure. Organizations often underestimate the privacy implications of seemingly routine website and chatbot technologies.

Action items for 2026:

  • Conduct a comprehensive audit of website and app tracking technologies.
  • Reassess consent banners, disclosures, and opt-out mechanisms.
  • Evaluate AI-enabled chatbots and analytics for interception risks.
  • Monitor litigation trends and adjust risk tolerance accordingly.

5. State Comprehensive Privacy Laws Enter an Implementation and Enforcement Phase

Organizations are no longer preparing for state privacy laws, but they are living under them. The California Consumer Privacy Act (CCPA), along with other state laws, imposes increasing operational obligations.

California’s risk assessment requirements, cybersecurity audit mandates, and automated decision-making technology (ADMT) regulations represent a significant shift toward proactive compliance.

Action items for 2026:

  • Comply with annual review and update requirements.
  • Conduct CCPA-mandated risk assessments for high-risk processing.
  • Prepare for cybersecurity audit obligations and documentation expectations.
  • Inventory and assess ADMT used in employment, monitoring, and consumer contexts.

6. Data Minimization Becomes One of the Most Challenging Compliance Obligations

Data minimization has moved from an abstract compliance principle to a central operational challenge. Modern AI systems, monitoring tools, and security platforms are frequently architected to collect and retain expansive datasets by default, even when narrower data sets would suffice. This design approach increasingly conflicts with legal obligations that require organizations to limit data collection to what is necessary, proportionate, and purpose-specific, not only in terms of retention, but at the point of collection itself. As regulatory scrutiny intensifies, organizations must be prepared to explain why specific categories of data were collected, how those decisions align with defined business purposes, and whether less intrusive alternatives were reasonably available.

Action items for 2026:

  • Reassess data collection across AI, HR, and security systems.
  • Implement retention limits and transfer restrictions tied to business necessity and legal risk.
  • Challenge “collect now, justify later” deployments that rely on large-scale or continuous data exports.
  • Integrate data minimization and Bulk Data Transfer rule analysis into AI governance and system design reviews.

7. Importance of the DOJ Bulk Transfer Rule

In 2026, bulk sensitive data transfers are no longer a background compliance issue but a regulated risk category in their own right. Under the Department of Justice’s Bulk Data Transfer Rule, which took effect in 2025, organizations must closely assess whether large-scale transfers or access to U.S. sensitive personal or government-related data involve countries of concern or covered persons. The rule reaches a wide range of transactions, including vendor, employment, and service arrangements, and imposes affirmative obligations around due diligence, access controls, and ongoing monitoring.

Action items for 2026:

  • Update data mapping activities to include sensitive data collection and data storage.
  • Catalog where bulk data transfers occur, including transfers between internal systems, vendors, and cross-border environments.
  • Develop a compliance program that includes due diligence steps, vendor agreement language, and internal access controls.
  • Evaluate the purpose of each bulk transfer.

8. UK and EU Data Protection Laws Reforms

Recent and proposed amendments to UK and EU data protection laws are designed to clarify or simplify compliance obligations for organizations, regardless of sector. Changes will impact both commercial and workplace data handling practices.

UK: Data Use and Access Act (DUAA)

The UK has enacted the Data Use and Access Act, which amends key provisions of the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). These reforms relate to subject access requests and complaints, automated processing, the lawful basis to process, cookies, direct marketing, and cross-border transfers, among others. Implementation is occurring in stages, with changes relating to subject access requests, complaints, and automated decision-making taking effect over the next few months.

EU: Digital Omnibus Regulation

The European Commission has proposed a Digital Omnibus Regulation, which introduces amendments to the EU General Data Protection Regulation. Proposed changes include redefining “personal data”, simplifying the personal data breach notification process, clarifying the data subject access process, and managing cookies.

Action items for 2026:

  • Review forthcoming guidance from the UK Information Commissioner’s Office.
    • Implement a data subject complaint process.
    • Review existing lawful bases and purposes for processing.
    • Prepare any necessary updates for employee training.
  • Monitor the progress of the proposed Digital Omnibus Regulation.
    • Review data inventories in the event the definition of personal data is revised.
    • Update data subject access response processes.
    • Review the use and nature of any cookies deployed on the organization’s website.

9. Vendor and Third-Party AI Risk Management Intensifies

Most organizations buy rather than build AI technologies. They buy from vendors such as recruiting platforms, notetaking tools, monitoring applications, cybersecurity providers, and analytics services, whose systems depend on large-scale data ingestion. From procurement to MSA negotiation to record retention obligations, novel and challenging issues arise as organizations seek to minimize third-party and fourth-party service provider risk. Importantly, vendor contracts have not kept pace with the nature of AI models or with how to allocate the risk they create.

Action items for 2026:

  • Update vendor diligence to include privacy, security, and AI-specific risk assessments.
  • Revise contracts to address AI training data, secondary use, audit rights, and allocation of liability.
  • Monitor downstream data sharing, model updates, and cross-border or large-scale data movements.

10. Privacy, AI, and Cybersecurity Fully Converge

In 2026, the lines between privacy, cybersecurity, and AI will continue to blur, leaving organizations that silo these disciplines to face increasing regulatory, litigation, and operational risk.

Action items for 2026:

  • Integrate privacy, AI governance, and cybersecurity leadership.
  • Harmonize risk assessments and reporting structures.
  • Align training and compliance messaging across functions.
  • Treat privacy and AI governance as enterprise risk issues.

As Data Privacy Day 2026 highlights, the challenge is no longer identifying emerging risks, but managing them at scale, across systems, and in real time. AI, biometrics, monitoring technologies, and expanding privacy laws demand a more mature, integrated approach to compliance and governance.