Dechert Cyber Bits

Issue 79 - July 24, 2025


Connecticut Attorney General Issues First Data Privacy Fine

On July 8, the Connecticut Attorney General (“CT AG”) announced the first monetary penalty under the Connecticut Data Privacy Act (“CTDPA”).

In November 2023, the CT AG sent a CTDPA cure notice to TicketNetwork, giving the company sixty days to address alleged deficiencies in the company’s privacy notice. The alleged deficiencies included, according to the CT AG, unreadable text, the absence of key data rights, and ineffective rights mechanisms. TicketNetwork did not cure the flagged deficiencies within the designated time period and did not respond to follow-up communications from the CT AG.

The CTDPA requires, among other things, that businesses maintain clear privacy notices, including disclosure of applicable consumer rights under the CTDPA. Previously, businesses were given a “cure period” to address flagged privacy notice deficiencies, but if such deficiencies were not corrected within this cure period, the CT AG could bring an enforcement action under the CTDPA. The CTDPA’s cure period expired on January 1, 2025.

As part of TicketNetwork’s settlement with the CT AG, the company will pay an $85,000 fine and report its consumer rights request metrics to the CT AG going forward. The CT AG has issued over two dozen deficiency notices since the law came into effect in 2023, and since the CTDPA’s cure period expired on January 1, 2025, the CT AG has begun issuing Notices of Violation—rather than cure notices—directed at privacy notice deficiencies.

Takeaway: States are increasingly flexing their enforcement abilities under state privacy and cybersecurity laws. As a growing number of states are implementing such laws and “cure period” exemptions begin to expire, deficiency penalties are likely to become more commonplace. The alleged deficiencies in TicketNetwork’s privacy practices serve as a reminder for companies to provide clear disclosures about data collection, usage, sharing, and retention practices in accordance with applicable laws. The settlement also serves as a reminder that businesses that receive a cure notice from a state AG should act promptly to remediate the cited deficiencies or risk incurring penalties.


EU Data Protection Bodies Endorse GDPR Simplification Proposal

On July 9, the European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) published a joint opinion addressing the European Commission’s proposed Omnibus IV rule simplification proposal. As we covered in more depth here, the proposal seeks to ease the requirements for small and medium-sized enterprises (“SMEs”) and small mid-cap enterprises (“SMCs”) to maintain records of data processing activities.

The EDPB and EDPS’s joint opinion signaled overall support for this proposal with the EDPS welcoming that “the proposed modifications to simplify and clarify the obligation to keep a record of processing are targeted and limited in nature, and do not affect the core principles and other obligations under the GDPR.” EDPB chair, Anu Talus, added that the current exemption for companies with fewer than 250 employees often fails to achieve its goal to reduce administrative burdens on SMEs and SMCs. Expanding eligibility seeks to more effectively reduce these administrative burdens for a broader range of SMEs and SMCs.

The joint opinion follows the EDPB’s recent “Helsinki Statement,” which addressed the EDPB’s planned initiative to provide more accessible tools and practical guidance on GDPR requirements, intended to facilitate more straightforward GDPR compliance. The initiatives announced in the Helsinki Statement included the development of a common template for data breach notifications, to streamline the notification of breaches to multiple EU data regulators.

Takeaway: The joint opinion, together with the EDPB’s “Helsinki Statement,” signals a new focus on applying the GDPR in a more practical way. In recent years EU legislators and regulators have implemented extensive digital and tech regulation and lengthy (often somewhat esoteric) guidance. Businesses will welcome a shift in the mindset of data regulators toward being more accessible and practical.


California Attorney General Secures Record Data Privacy Deal Against Healthline

The Attorney General of California (“CA AG”) announced the state’s biggest settlement to date under the California Consumer Privacy Act (“CCPA”). The settlement involves Healthline Media LLC (“Healthline”), a website publisher that allegedly used online tracking technology on its health information website to transmit personal health information about users to advertisers and third parties, without affording users the ability to opt out of such sharing.

According to the CA AG, Healthline violated the CCPA by failing to honor consumers' rights to opt out of the sale or sharing of their personal information for targeted advertising, even when consumers exercised their opt-out rights through mechanisms like Global Privacy Control signals. Healthline also was alleged to have breached the CCPA’s Purpose Limitation Principle by sharing article titles that suggested consumers may have been diagnosed with specific medical conditions, using this data for purposes beyond what was disclosed. Additionally, Healthline allegedly failed to maintain CCPA-required contracts with third parties to ensure privacy protections and misled consumers with a deceptive consent banner that did not disable tracking cookies as promised.

As part of the settlement with the CA AG, Healthline will pay $1.55 million in civil penalties. In addition, Healthline will be subject to a novel settlement term that prohibits it from sharing article titles that reveal that a consumer may have already been diagnosed with a medical condition—effectively banning the company from engaging in these types of data transmissions. Further, Healthline must ensure that its opt-out mechanisms work effectively, maintain a CCPA compliance program, and conduct an audit of its contracts to confirm that third parties have signed appropriate terms.

Takeaway: The Healthline enforcement action’s allegations of improper handling of opt-out requests, misleading consent banners, and unauthorized sharing of sensitive health-related data mirror the CPPA’s concerns in Honda and Todd Snyder, where businesses were penalized for collecting excessive personal information to process opt-out requests and for using webforms with "dark patterns" that complicated consumer privacy choices. Taken together, these actions highlight the importance of limiting data collection to what is strictly required, avoiding manipulative user interfaces, and actively overseeing third-party vendors.


UK Data Protection Reforms Spark Debate Between Industry and Digital Rights Advocates

The European Parliament has published a research paper assessing the appetite for data protection reform in the EU and ways in which the burden of compliance with the GDPR could be eased.

The paper discusses the existing European Commission proposals for limited reforms in the Omnibus IV package, but additionally considers various models and areas for more extensive reform, such as “a three-layered compliance framework – with GDPR 'Mini', 'Normal' and 'Plus' layers – based on company size and volume of data processed.” The paper also includes a review of the UK’s attempts to achieve these aims through the recently passed Data (Use and Access) Act (the “DUA Act”) – for further information on the DUA Act see our OnPoint here.

The paper concludes that the DUA Act leaves scope for “significant legal ambiguity” and that “challenges to AI training persist.” According to the paper, digital rights advocates have cautioned that the reform would undermine individuals’ data protection rights and jeopardize the renewal of the UK adequacy decision; it therefore views the DUA Act as a “cautionary insight” rather than a “direct blueprint.”

Takeaway: The paper does not reach any firm conclusions but emphasizes that data protection reform is very much on the agenda in the EU. The limited amendments proposed as part of the EU’s Omnibus IV package are unlikely to quell discussion about broader data protection reform. Instead, they can be seen as a first step in a wider process of re-evaluating the balance between data protection, on the one hand, and innovation and competitiveness, on the other. Common to many of the models of reform discussed in the paper is a more risk-based approach to regulation, but for now the burden of risk/compliance must be judged by businesses themselves. As far as the DUA Act is concerned, there is a need for some caution. The DUA Act’s impact is dependent on subsequent rules yet to be issued, and despite early positive signs on adequacy from the European Commission, input from the EDPB and European Parliament is still to be sought, and final approval from Member States will be required. It is therefore a little early to form a clear view on the renewal of the adequacy decision for the UK.


SEC Strikes Deal with SolarWinds in Data Breach Case

The U.S. Securities and Exchange Commission (“SEC”) has indicated that it has reached a settlement related to one of the most wide-reaching cyberattacks in recent years. If approved, the settlement with SolarWinds Corp. (“SolarWinds”) and the company’s chief information security officer, Timothy Brown, will be the first of its kind involving fraud allegations in a cyber breach case.

The case originates from a cyberattack on SolarWinds by Russian state-linked hackers in 2019. The hackers were able to monitor SolarWinds’ customers, including U.S. federal agencies and more than 100 private companies. Of particular note, this was (i) the first instance that the SEC brought charges alleging fraud based on a cyber breach, and (ii) one of the rare examples where the SEC pursued both the business and its top executives.

The U.S. District Court received a motion from the parties, dated July 2, reporting that they had agreed to a settlement. The parties asked the Court to pause proceedings in the case while the SEC’s attorneys seek approval of the settlement by the SEC’s Commissioners. The Court approved the motion, and the parties have until September 12, 2025, to either file settlement paperwork or provide a written status update.

Takeaway: This is not the first settlement related to the SolarWinds attack. In October 2024, the SEC announced settlements totaling nearly $7 million for disclosure violations by issuers that were victims of the SolarWinds attack. Those settlements alleged that the disclosures made by these companies regarding the impact of the SolarWinds attack were materially misleading. It remains to be seen whether the current administration will adopt an expansive reading of its authority to bring enforcement cases in this area.


Dechert Tidbits

State AI Moratorium Struck from Big Beautiful Bill

On July 1, 2025, the U.S. Senate voted 99-1 to remove a provision from the “One Big Beautiful Bill Act” (H.R. 1) that would have prevented states from regulating the use of artificial intelligence (“AI”). The state AI moratorium faced pushback from lawmakers, who argued that states have appropriately taken the lead on regulating AI in the absence of effective federal legislation. Lawmakers attempted to alter the scope and timeline of the moratorium to address the criticisms but were unsuccessful.

ENISA Publishes Technical Implementation Guidance for Cybersecurity

The European Union Agency for Cybersecurity (“ENISA”) has published technical implementation guidance on implementing the cybersecurity risk management measures required under the EU’s NIS 2 Directive. The guidance seeks to provide practical advice, examples, and mappings of security requirements.

CNIL Finalizes Transfer Impact Assessment Guidance

The CNIL, France’s data protection authority, recently finalized its guidance (in French) on carrying out transfer impact assessments (“TIAs”) for organizations transferring data outside the European Economic Area. The CNIL’s guide provides a methodology for identifying important considerations when conducting a TIA.


We are honored to have been recognized in The Legal 500, Chambers USA, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.


Content Editors

Aurélien Martinot, Brooke Meadowcroft, Madeleine White, and Daniel Murdock

Production Editors

James Smith and Dylan Balbirnie

Partner Committee Editors

Kevin Cahill and Paul Kavanagh


Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state, ransom/cyber extortion, vendor/supply chain and DDoS incidents, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice to clients and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR; the e-Privacy Directive; and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.