Staying informed about data privacy is more critical than ever. For privacy professionals, legal experts, and anyone involved in protecting sensitive information, keeping up with the latest developments is essential. Recent headlines highlight significant events that could reshape the data privacy landscape.
New York Department of Financial Services (NYDFS) Cybersecurity Updates
The New York Department of Financial Services (NYDFS) has updated its cybersecurity regulations (23 NYCRR Part 500) with a multi-year rollout of stringent new requirements.
- Key Requirements: Recent phases (May and November 2025) introduced mandatory automated vulnerability scanning, enhanced access controls, and a broader mandate for Multi-Factor Authentication (MFA) for all individuals accessing information systems.
- Compliance Deadline: Covered entities must submit their annual certification of material compliance for the 2025 calendar year by April 15, 2026.
Privacy Tip: Conduct regular cybersecurity audits and ensure MFA is implemented across all user accounts. Update your incident response plan to address modern threats like AI-manipulated deepfakes.
American Privacy Rights Act (APRA)
The American Privacy Rights Act (APRA) was introduced as a bipartisan, bicameral proposal in 2024 to establish a national data privacy standard in the U.S.
- Status: Despite significant momentum, the bill (H.R. 8818) faced challenges regarding state law preemption and civil rights provisions. It officially expired in January 2025 at the end of the 118th Congress and has not yet been reintroduced as of March 2026.
- Provisions: The draft focused on data minimization, giving users the right to opt out of targeted advertising and creating a national registry for data brokers.
Privacy Tip: Even without federal law, prepare by auditing data collection for transparency and implementing robust consent mechanisms, as many state-level laws (like those in California and Maryland) already mirror these requirements.
FCC Fines Wireless Carriers $200 Million
In April 2024, the Federal Communications Commission (FCC) finalized nearly $200 million in fines against AT&T, Verizon, and T-Mobile (including Sprint).
- The Violation: The carriers shared customers' real-time geolocation data with third-party aggregators without obtaining valid, explicit consent.
- Impact: This decision emphasizes that carriers cannot "offload" their legal obligation to obtain consent onto downstream partners.
Privacy Tip: Review third-party data-sharing agreements and ensure your consent prompts are clear and specific regarding the "what" and "who" of data sharing.
Google Halts Phaseout of Third-Party Cookies
In a major reversal in July 2024, Google announced it would no longer deprecate third-party cookies in the Chrome browser.
- The New Approach: Instead of a full phaseout, Google is pursuing a "user choice" model in which individuals set their own tracking preferences, and those choices apply across their web browsing.
- Context: This shift followed pressure from advertisers and regulators (like the UK’s CMA) who were concerned about the impact on the digital advertising ecosystem.
Privacy Tip: Continue to invest in first-party data collection and contextual advertising. Privacy-conscious consumers are still opting out of tracking, regardless of whether the technology is officially "phased out."
RockYou2024: The Largest Password Dump in History
In July 2024, a massive compilation known as "RockYou2024" was leaked, containing nearly 10 billion unique plaintext passwords.
- Details: While many of these were from older breaches, the dump included roughly 1.5 billion new entries, significantly increasing the risk of credential-stuffing attacks.
- Security Risk: The sheer volume of this data makes it a primary resource for hackers using automated tools to hijack accounts where passwords are reused.
Privacy Tip: Mandate the use of password managers and Multi-Factor Authentication (MFA). Encourage users to move toward passkeys, which are inherently resistant to these types of credential leaks.
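A concrete way to act on the credential-stuffing risk above is to screen new or reset passwords against a breach corpus before accepting them. The Python below is an added illustration, not code from the alert or from any vendor: it indexes a small, constructed stand-in for a dump like RockYou2024 by SHA-1 hash, using the five-character prefix / 35-character suffix layout popularised by the Pwned Passwords range API so that a client only ever reveals a hash prefix, and then combines that lookup with a minimum-length check. The password list, the 12-character minimum and the function names are assumptions chosen for the example.

```python
import hashlib

# Constructed sample standing in for a breach corpus (RockYou2024 itself is
# ~10 billion entries). In practice this index would be built once, offline,
# from the real dump's SHA-1 hashes.
CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "rockyou", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the format breach corpora are commonly distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Map 5-char hash prefix -> set of 35-char suffixes (k-anonymity layout).

    Storing by prefix means a lookup service only needs the prefix from the
    client and returns every matching suffix; the client finishes the match locally.
    """
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_index(CONSTRUCTED_BREACHED_PASSWORDS)


def lookup_range(prefix: str, index=BREACH_INDEX):
    """Server side of a range query: all suffixes sharing this 5-char prefix."""
    return set(index.get(prefix.upper(), set()))


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(h[:5], index)


def evaluate_password(password: str, min_length: int = 12, index=BREACH_INDEX):
    """Return (accepted, reasons). Assumed policy: length floor plus breach screen."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        reasons.append("appears in a known breach corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        ok, why = evaluate_password(candidate)
        print(candidate, "->", "accepted" if ok else f"rejected: {', '.join(why)}")
```

The breach screen deliberately rejects a password that meets the length rule if it appears in the corpus, which is the case that matters for credential stuffing: attackers replay known pairs, so length alone says nothing about whether a value has already leaked.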