U.S. SEC Regulation S-P: Compliance Deadline Approaching for Smaller Entities
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). For smaller entities, including registered investment advisers with less than $1.5 billion in assets under management, as well as certain broker-dealers and other SEC-regulated entities, the compliance deadline is June 3, 2026. The compliance deadline for larger entities was December 3, 2025. For a full list of entities required to comply, please see June 4, 2024 Sidley Update.
European Biotech Act I: Navigating the EDPB/EDPS Vision for the Future of Clinical Trials
On 12 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion (the “Joint Opinion”) on the proposed European Biotech Act I (the “Biotech Act”). The Joint Opinion broadly supports the EU’s ambition to strengthen its biotechnology sector. However, it emphasises that data protection safeguards must be tightened, particularly where health data is involved. The recommendations signal forthcoming scrutiny during the legislative process and highlight key compliance considerations for organisations involved in clinical trials.
Geopolitics and Cybersecurity: Japan and the UK Announce Strategic Cyber Partnership Among Growing Global Focus on Privacy and Cyber Risks Posed by Foreign Actors
On January 31, 2026, the governments of Japan and the United Kingdom announced they were strengthening their cybersecurity collaboration through a bilateral Strategic Cyber Partnership (Partnership).
Texting in Texas: Texas AG Settlement Clarifies No Registration Needed for Consent-Based Text Messaging
Businesses that obtain consent prior to sending text marketing messages in Texas can breathe a cautious sigh of relief: the Texas Attorney General (Texas AG) has clarified that recent amendments to Texas’ telephone solicitation and telemarketing law enacted through Senate Bill 140 should not be interpreted to require such businesses to complete onerous registration requirements including posting of a $10,000 security bond and detailed disclosures about business owners, officers, directors and sales managers.
Regulatory Update: National Association of Insurance Commissioners Summer 2025 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Summer 2025 National Meeting (Summer Meeting) August 10–13, 2025. This blog summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Summer Meeting. Highlights include adoption of guidance on asset adequacy testing for reinsurance transactions, renewed focus on the risks of offshore reinsurance transactions, evaluation of insurers’ use of funding-agreement-backed note (FABN) and funding-agreement-backed securities (FABS) programs, and consideration of additional regulatory frameworks to address insurers’ use of artificial intelligence (AI).
(more…)
Texting in Texas: The State Expands Telemarketing Registration Requirements to Include Text Marketers
Texas has amended its telephone solicitation and telemarketing law (the Texas “mini-TCPA” — after the federal Telephone Consumer Protection Act) to require certain businesses that engage in text marketing to register with the Texas Secretary of State and make detailed disclosures, pay registration fees, and post a $10,000 security deposit. The amendments, which were enacted by Senate Bill 140 and went into effect on September 1, 2025, also make certain violations of the Texas mini-TCPA de facto violations of the state’s deceptive trade practices law, which includes a private right of action and can carry significant penalties. While the law includes several provisions that will likely exempt established businesses that obtain one-to-one opt-in consent for text marketing messages and other types of calls, in light of the substantial fines and private right of action, businesses will want to carefully review the application of these new amendments to their marketing programs.
New Digital Health Ecosystem and HIPAA Flexibilities Facilitate Sharing of Patient Health Information
Earlier this month, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), released a new Frequently Asked Question (FAQ) related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, which establishes national standards to safeguard “protected health information” or “PHI.”
EU Consults on Digital Fairness Act: Big Changes Ahead for Consumer-Facing Platforms
The European Commission (Commission) has launched a public consultation on a proposed new law — the Digital Fairness Act (DFA) — aimed at strengthening consumer protection in digital markets. The goal is to fill perceived regulatory “gaps” left by recent EU digital regulations, including the Digital Services Act (DSA) and Digital Markets Act (DMA).
The Trump Administration’s 2025 AI Action Plan – Winning the Race: America’s AI Action Plan – and Related Executive Orders
On July 23, 2025, the Trump administration released its much-anticipated AI Action Plan, outlining 90 federal policy positions across three key pillars: Accelerating Innovation, Building American AI Infrastructure, and Leading in International Diplomacy and Security. These pillars are designed to guide near-term action and are underpinned by three cross-cutting priorities: protecting and promoting American workers, ensuring that artificial intelligence (AI) systems are trustworthy and free from ideological bias, and safeguarding AI from misuse, theft, or other risks posed by malicious actors. The scope of the AI Action Plan demonstrates the far-reaching impact of AI, with policy positions affecting not only technology but also trade, national security, cybersecurity, energy, labor, education, environmental regulation, antitrust, science, and financial markets.
California Privacy Protection Agency Advances Substantial Rulemaking – Cyber Audits, Risk Assessments, New Automated Decisionmaking Technologies Rights, and More
The California Privacy Protection Agency (Agency) on Thursday, July 24, 2025, approved a comprehensive set of new California Consumer Privacy Act (CCPA) regulations that the Agency has been developing for over four years. Before taking effect, the proposed regulations must still be approved by California’s Office of Administrative Law (OAL). It is possible some of these provisions may change with the OAL’s review, which must be completed within 30 business days after the Agency submits to the OAL its final rulemaking package. However, many expect that most of the proposed regulations will pass OAL review. If approved, several of the proposed regulations would be effective as of January 1, 2026. (more…)
