Legal developments in data, privacy, cybersecurity, and other emerging technology issues
Brands are increasingly turning to social media influencers to promote their products and services through organic and immersive content. Social media campaigns using influencers allow brands to benefit from the creativity and likeness of a content creator, resulting in advertising that can feel more natural and authentic to target audiences. Despite this shift, and even when influencers have creative freedom, the legal standards governing commercial speech have not changed; a claim that is deceptive, unfair, or unsubstantiated in a magazine ad or said by paid actors in a TV commercial is equally unlawful when it is tucked into an Instagram Story or Reel by your favorite content creator. Regardless of how organic or bespoke the content may be, brands should apply the same rigor to influencer campaigns that they employ for traditional advertising.
If your company transfers sensitive personal data of U.S. individuals to entities or persons associated with certain countries deemed foreign adversaries, two federal programs designed to address national security risks should be on your radar -- the Department of Justice’s Data Security Program (DSP) and the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). While different, both frameworks address risks of data exploitation by adversarial nations and have significant potential penalties for non-compliance. PADFAA is a law that was enacted in June 2024; the DSP is a DOJ-administered program born from an executive order, and the DOJ has announced that it will begin enforcing the framework on July 8, 2025.
On May 19, 2025, President Donald Trump signed into law the bipartisan Take It Down Act, which is aimed at combating the distribution of nonconsensual intimate imagery, including both authentic and AI-generated “deepfakes.” The law was championed by Senators Ted Cruz and Amy Klobuchar, with support from a broad coalition including victim advocates, technology companies, and law enforcement groups.
Washington state’s My Health My Data Act (“MHMD”) goes into effect on March 31, 2024. Entities should carefully evaluate whether MHMD applies to them in light of the law’s broad applicability, an expansive definition of consumer health data, strict consent requirements and a unique private right of action. This post answers questions about which entities are subject to MHMD, and what the law requires entities to do.
Privacy and data security laws and regulations continue to evolve quickly, and companies processing personal data have an increasing array of issues to manage. As we enter 2024, below are five key considerations for companies managing privacy and data security risks.
Data breaches in the healthcare industry are a costly and legally evolving issue. The sophistication of threat actors and their ability to navigate IT systems using constantly changing tactics has made it difficult to predict and, in some cases, respond to a breach. The recent aggressive enforcement by the Federal Trade Commission (the “FTC”) of its Health Breach Notification Rule (the “HBNR”), as well as its proposed changes to the HBNR, have expanded the factors companies must consider when analyzing and responding to potential breaches of health data.
On November 22, 2023, the Federal Communications Commission issued a proposed rule that likely will considerably alter the online lead generation industry, including the use of comparison shopping websites. The proposed rule addresses a number of areas, but, notably, the rule would require texters and callers using certain regulated technologies to obtain prior express written consent from a single seller at a time to comply with the Telephone Consumer Protection Act (“TCPA”). The FCC is expected to pass the rule during its December 13, 2023 meeting.
Last week, the FTC amended its Gramm-Leach-Bliley Safeguards Rule, supplementing the additions to the rule that it announced in 2021 and that have been in effect since June 2023. The recent amendment will require nonbank financial institutions to notify the FTC when there is an unauthorized acquisition of unencrypted customer information involving 500 or more consumers. This notification requirement, which is scheduled to go into effect in May 2024, adds to the growing list of notifications that a company must consider after a data incident, including the SEC’s recently enacted rules requiring registrants to disclose material cybersecurity incidents.
On Sept. 5, the U.S. Department of Justice announced its settlement with Verizon Business Network Services LLC, a Verizon Communications Inc. subsidiary, in which Verizon agreed to pay $4.1 million to settle certain False Claims Act allegations related to cybersecurity.
The settlement resolves allegations that Verizon's Managed Trust Internet Protocol Service, or MTIPS, which was designed to provide federal agencies with secure connections to public internet and other networks, did not satisfy certain cybersecurity controls related to contracts with the U.S. General Services Administration from 2017 to 2021.
In April 2023, Kyland Young, a star from the popular reality TV show Big Brother, brought a right of publicity claim against NeoCortext, Inc., the developer of a deepfake software called Reface. See Young v. NeoCortext, Inc., 2:23-cv-02486 (C.D.CA filed Apr. 3, 2023). Young claimed that NeoCortext’s Reface, “which uses an artificial intelligence algorithm to allow users to swap faces with actors, musicians, athletes, celebrities, and/or other well-known individuals in images and videos,” violates California’s right of publicity law. Young’s case, which is still pending in the U.S. District Court for the Central District of California, raises important questions about deepfakes and their intersection with the law as it pertains to famous figures.