On July 1, 2026, the Federal Trade Commission (“FTC”) issued a proposed policy statement addressing what it describes as the “suppression of accuracy” in artificial intelligence (“AI”) systems and is seeking public comment through July 31, 2026. The proposal was issued pursuant to Executive Order 14365, Ensuring a National Policy Framework for Artificial Intelligence, which directed the FTC to explain how Section 5 of the FTC Act applies when AI developers alter model outputs in response to state law requirements.[1]

Continue Reading FTC Seeks Comment on Proposed Policy Statement Addressing AI Accuracy and Output Steering

On June 29, 2026, in a 6-3 decision, the U.S. Supreme Court held that (1) the Federal Trade Commission’s (FTC) statutory “for‑cause” removal protection for Commissioners violates the Constitution’s separation of powers and (2) President Trump lawfully removed Rebecca Slaughter from the FTC. The Court concluded that because FTC Commissioners exercise executive power, they must be removable by the President at will rather than only for “inefficiency, neglect of duty, or malfeasance in office.”

Continue Reading Supreme Court Holds FTC Removal Protections Unconstitutional

In what continues to be a busy year for genetic privacy developments, Rhode Island has joined the growing number of states regulating direct-to-consumer (“DTC”) genetic testing with its recently enacted genetic privacy law, S 2203. With S 2203, Rhode Island is the fifth state to enact genetic privacy legislation this year, following Utah, South Dakota, Connecticut, and Vermont

Continue Reading Rhode Island Enacts Genetic Privacy Law

On June 22, 2026, the White House released two Executive Orders (EOs) on quantum technologies: Securing the Nation Against Advanced Cryptographic Attacks (EO 14412) and Ushering in the Next Frontier of Quantum Innovation (EO 14413).  Through the first EO, the White House seeks “to safeguard America’s most sensitive data, [U.S.] critical infrastructure, and the digital economy that drives jobs and growth.”  (For further reading on this topic, our Post-Quantum Cryptography: A Practical Guide provides a high-level overview of steps organizations should consider to move toward post-quantum cryptography (PQC) to protect their systems.)  The second EO, in comparison, seeks “to supercharge U.S. innovation in quantum technologies.”  Together, these EOs reflect a continued U.S. government focus on core themes in the quantum space — security and innovation.

Continue Reading Trump Administration Releases Two Executive Orders on Quantum

On June 22, the leaders of the cybersecurity agencies in Australia, Canada, New Zealand, the UK, and the U.S. issued a joint statement calling for an “urgent” focus on cyber resilience in anticipation of “frontier AI models . . . exceed[ing] current industry expectations” and “fundamentally transforming both offensive and defensive cyber capabilities” within a timeline of “months.”  The frontier AI models referenced in the statement are the latest generation of advanced AI models that are capable of identifying and exploiting security vulnerabilities, which may result in an increased cadence of cybersecurity intrusions and data loss.  In light of the growing capabilities of these models, the statement encourages organizations to avoid treating cyber risk “as a purely technical issue” or an “IT issue” and instead take a “whole-of-organization” approach to cyber resilience that treats it as a “core business risk and leadership responsibility” that is “central to operational continuity and market trust.”  The statement also proposes several “urgent” practical actions that organizations can take to reduce risk, many of which were also discussed in our recent client alert regarding key considerations for lawyers addressing cyber risks posed by frontier models. 

Continue Reading Five Eyes Cybersecurity Agencies Issue Statement Regarding AI-Related Shifts in Cybersecurity Risks, Urging Organizational Leaders to “Act Now”

Vermont recently enacted two privacy bills to regulate health-related information. These include H.639, a genetic privacy bill regulating direct-to-consumer genetic testing companies, and the Vermont Data Privacy and Online Surveillance Act (S.71), a comprehensive privacy law that extends heightened protections to “consumer health data.” You can read our full

Continue Reading Vermont Enacts Privacy Legislation to Regulate Health-Related Information

On May 26, 2026, the French data protection authority (“CNIL”) published updated versions of its Reference Methodology 001 (“MR-001”, available here in French) and Reference Methodology 003 (“MR-003”, available here in French), two key frameworks governing the processing of personal data in the context of health research.

Continue Reading CNIL Updates Two Standards For Health Research (MR-001 and MR-003)

On June 10, the Cybersecurity & Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 26-04 on Prioritizing Security Updates Based on Risk and the accompanying Implementation Guidance. In releasing the BOD and Implementation Guidance, CISA noted that the documents are “part of CISA’s response to the current threat

Continue Reading CISA Releases Binding Operational Directive on Prioritizing Security Updates Based on Risk

On June 16, 2026, the Vermont Governor signed into law the Vermont Data Privacy and Online Surveillance Act, making Vermont the fourth state to enact a comprehensive data privacy law this year. The law will take effect on January 1, 2028.

Continue Reading Vermont Data Privacy Bill Signed into Law

On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.

Continue Reading Amadeus IT Group Receives GDPR Fine