The Digital Download provides a quarterly snapshot of emerging issues at the intersection of privacy, cybersecurity, and data strategy. It brings together Alston & Bird’s thought leadership, publications, events, and firm news into a single, easy‑to‑navigate resource.
Publications & Advisories
- January 28, 2026 – Kelly Hagedorn, Paul Greaves, and Hanna Hewitt published “Privacy, Cyber & Data Strategy Advisory | UK’s Data (Use and Access) Act 2025 – What Does It Change?”
- January 2026 - Kathleen Benway, Alex Brown, Maki DePalo, Jennifer Everett, Graham Gardner, and Hyun Jai Oh published “Flurry of Federal Trade Commission Activity Shows Enforcement Emphasis on Youth Protection” in Pratt’s Privacy & Cybersecurity Law Report.
- January 6, 2026 – Kim Peretti, Lance Taubin, and Carson Kuck published “Privacy, Cyber & Data Strategy Advisory | How AI Is Changing the Incident Response Landscape: What GCs Need to Know.”
- December 18, 2025 – Jennifer Everett, Dan Felz, Kate Hanniford, Jennifer Pike, and Santiago Villar published “Privacy, Cyber & Data Strategy Advisory | President Trump Signs Executive Order Aiming to Curb State AI Regulation.”
- December 17, 2025 – Our Privacy, Cyber & Data Strategy; Investment Funds; White Collar, Government & Internal Investigations; and Securities Litigation teams published “Investment Funds / Privacy, Cyber & Data Strategy Advisory | SEC Settles with Virtu over Customer MNPI Controls.”
- December 16, 2025 – Kelly Hagedorn, Wim Nauwelaerts, and Paul Greaves published “Privacy, Cyber & Data Strategy Advisory | The Data Act: 5 Things to Know About How the Data Act Mitigates Risks to Cybersecurity and Trade Secrets.”
- December 15 - Kelly Hagedorn, Wim Nauwelaerts, Paul Greaves, Alice Portnoy, and Hanna Hewitt published “The EU Data Act: 5 Things to Know About the Data Act and New Switching Requirements for Providers of Cloud Services” in The Global Regulatory Developments Journal.
- December 15 - Kelly Hagedorn, Wim Nauwelaerts, Paul Greaves, Alice Portnoy, and Hanna Hewitt published “The EU Data Act: 7 Things to Know About the Data Act and Connected Products” in The Global Regulatory Developments Journal.
- December 5, 2025 – Jennifer Everett and Dorian Simmons published “What Businesses Need to Know About California’s AI Safety Law” in Bloomberg Law.
Selected U.S. Privacy & Cyber Updates
California Attorney General Announces Investigative Sweep into “Surveillance Pricing”
On January 28, 2026, California Attorney General (AG) Rob Bonta announced an investigative sweep targeting “surveillance pricing” practices among businesses in the retail, grocery, and hotel sectors. The investigation focuses on companies that use consumers’ personal information to set individualized prices. According to the AG’s press release, surveillance pricing practices could violate the California Consumer Privacy Act (CCPA), particularly its “purpose limitation” requirement.
New York Regulates Large Artificial Intelligence Models
On December 19, 2025, just eight days after President Trump issued the Executive Order Ensuring a National Policy Framework for Artificial Intelligence to challenge burdensome state laws that regulate artificial intelligence, New York Governor Kathy Hochul signed the Responsible Artificial Intelligence Safety and Education Act (RAISE Act). The RAISE Act imposes transparency, compliance, safety, and reporting requirements on certain developers of large “frontier” AI models. The RAISE Act takes effect March 19, 2026.
DOJ Cybersecurity Enforcement Pace Shows No Signs of Slowing Down Going into 2026
As 2025 drew to a close, the U.S. Department of Justice (DOJ) announced significant developments in cases involving the allegedly deficient cybersecurity practices of two Department of Defense contractors. These two cases suggest that the federal government will continue to make DFARS 7012 compliance for companies that process controlled unclassified information an enforcement priority in 2026. They also suggest that the DOJ may be broadening its enforcement efforts.
Texas Court Blocks Smart TV Data Collection
A Texas state court has issued a temporary restraining order (TRO) blocking Hisense, a major Chinese smart TV manufacturer, from collecting data on the content viewers watch via automatic content recognition (ACR) technology. The TRO follows lawsuits that Texas Attorney General Ken Paxton filed on December 15, 2025 against Hisense and four other smart TV manufacturers alleging violations of the Texas Deceptive Trade Practices Act arising out of the collection and use of sensitive ACR data without adequate disclosure or consent.
NYDFS Releases New Prescriptive FAQs on MFA
The New York Department of Financial Services (NYDFS) has released a new set of frequently asked questions (FAQs 18–23) under 23 NYCRR Part 500, reinforcing its position that multifactor authentication (MFA) remains a critical component of a covered entity’s cybersecurity program. These FAQs provide highly prescriptive guidance, including clarifications on technical requirements for the “possession” factor and risks associated with push-based authentication methods.
California AG Announces $1.4 Million Settlement with Mobile App Provider for Alleged CCPA Violations
On November 21, 2025, California AG Rob Bonta announced a $1.4 million settlement with Jam City Inc., a mobile game app company, for alleged failures to enable in-app opt-outs from the sale and sharing of personal information across many of the company’s mobile apps as required by the CCPA.
Selected Global Privacy & Cyber Updates
European Commission Publishes Guidance for Companies Implementing the EU Cyber Resilience Act
On 3 December 2025, the European Commission published its first set of technical FAQs on the EU Cyber Resilience Act (CRA). The CRA is an EU-wide law which lays down cybersecurity requirements for ‘products with digital elements’, including Internet of Things (IoT) devices, hardware components, and certain software. It becomes fully applicable on 11 December 2027, with reporting obligations (for actively exploited vulnerabilities and significant incidents) kicking in earlier – from 11 September 2026.
Spanish DPA Highlights Privacy Risks in GenAI Content Creation
In early January 2026, the Spanish Data Protection Authority (Agencia Española de Protección de Datos, or AEPD) issued new guidance on the privacy and data protection risks associated with uploading images or photos – whether directly or indirectly identifying individuals – into generative AI tools. The guidance is particularly focused on situations when those images are hosted by third‑party online services or digital platforms.
How to Comply with the EU AI Act: Guidance from the Spanish AI Regulator
On 10 December, the Spanish supervisory authority for the EU AI Act published a set of 16 detailed guidelines and nonbinding checklists designed to help companies navigate their obligations under the AI Act, which entered into force in August 2024.
On 28 November 2025, the European Commission adopted a regulation implementing the Cyber Resilience Act – an EU-wide law which lays down cybersecurity requirements for companies that design and sell ‘products with digital elements’ (PDEs). PDEs can take many forms, including IoT devices, hardware components, and certain software.
Events
- February 25, 2026 – Alston & Bird’s Kelly Hagedorn, Kate Hanniford, and Hanna Hewitt and CrowdStrike will host a dinner and discussion in London about our predictions for the cyber threat landscape in 2026 during the IAPP UK Intensive 2026: Privacy, AI Governance & Cybersecurity Law.
- January 21, 2026 – Alston & Bird hosted a breakfast roundtable with GCs and senior in-house privacy professionals to discuss key privacy, data, cyber, and AI trends in 2026.
- January 13, 2025 – David Keating, Dorian Simmons, and Hyun Jai Oh presented “The Rise of Agentic Commerce: Innovation, Opportunity, and Risk” as a part of Alston & Bird’s AI Legal Insights: Shaping Tomorrow Webinar Series.
Press Releases
Alston & Bird Adds Technology & Privacy Partner in Silicon Valley
Alston & Bird announced today that Cynthia Cole has joined its Technology & Privacy Group as a partner in the firm’s Silicon Valley office, advancing the firm’s growth in technology transactions, data privacy, artificial intelligence, and cybersecurity throughout California and across the firm’s 13 offices.
Alston & Bird, including David Teske and Santiago Villar from the Privacy, Cyber & Data Strategy Team, represented RESICAP LP in its $89 million sale of ResiBuilt Homes LLC, a leading build-to-rent developer in high-growth markets across the Southeast, to Invitation Homes Inc.
Alston & Bird Represents Pamlico Capital in Growth Investment in CalcFocus
Alston & Bird, including Jennifer Everett, Dorian Simmons, and Lili Song from the Privacy, Cyber & Data Strategy Team, represented Pamlico Capital in its growth investment in CalcFocus, a leading provider of cloud-native policy administration and illustration solutions to the individual and group life, health, and annuity insurance markets.
Alston & Bird Represents Seemann Composites LLC in Its $220 Million Sale to Karman Space & Defense
Alston & Bird, including David Teske, Dorian Simmons, Sara Pullen, John Lesko, Andrew Rice, Anna von Spakovsky, and Christian Seremetis from the Privacy, Cyber & Data Strategy Team, represented Seemann Composites LLC in its acquisition by Karman Space & Defense. Seemann is a leader in developing and manufacturing advanced composite systems for submarine, UUV/USV, and strategic naval surface platforms for the U.S. government.
Alston & Bird Advises Cognitus Consulting on Acquisition by IBM
Alston & Bird, including Dorian Simmons from the Privacy, Cyber & Data Strategy Team, represented Cognitus Consulting in its acquisition by IBM, strengthening IBM’s AI solutions portfolio and SAP implementation capabilities by adding Cognitus’s industry-specific expertise and proprietary SAP-endorsed software assets.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Hanna Hewitt, Alice Portnoy, Andrew Rice, and Anna von Spakovsky.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
Stay ahead of evolving ransomware threats with Alston & Bird’s Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird’s Ransomware Fusion Center to learn more and access our tools.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.