On April 29, 2026, the United States Supreme Court issued a unanimous opinion in First Choice Women’s Resource Centers, Inc. v. Davenport, where it held that a nonprofit suffered an injury to its First Amendment right of association when it was subpoenaed by a state attorney general to produce donor information, including donor identities.1 Justice Gorsuch, writing for the Court, held that the nonprofit petitioner could challenge the subpoena in federal court without first waiting for a state court to compel compliance.

The decision carries important privacy implications for universities, hospitals, health care nonprofits, advocacy organizations, and other entities that maintain sensitive donor, member, or supporter data. While some media coverage of the ruling has narrowly focused on the organizational mission of the petitioner, the practical upshot of the ruling is broader: a government demand for such sensitive data can be challenged in federal court immediately, before any sensitive information must be disclosed. This provides an up-front procedural safeguard for donor and member privacy.

To read the full Ropes & Gray alert, click here.

On March 20, 2026, the White House released its National Policy Framework for Artificial Intelligence (“Framework”), outlining legislative recommendations for Congress to establish a unified federal approach to AI regulation. The Framework builds on prior executive actions, including the December 2025 Executive Order (the “Executive Order”) and the Trump administration’s “America’s AI Action Plan,” and it proposes that Congress adopt legislation broadly preempting state AI laws deemed to impose “undue burdens.” This alert summarizes the Framework’s key provisions, analyzes their potential impact on state laws, and highlights considerations for healthcare and life sciences stakeholders navigating the evolving regulatory landscape. While the Framework does not itself change the current legal status of the Executive Order, it signals increased policy focus and may prompt further agency action.

Continue Reading The White House Legislative Recommendations: National Policy Framework for Artificial Intelligence and Federal Preemption of State AI Laws

As recent events indicate, American companies may be the subject of destructive data “wiper” attacks and potential data theft by Iran-linked hackers. Ongoing tensions in the Middle East underscore the stark and evolving cyberthreat landscape facing companies. These types of cyberattacks blend the regulatory and litigation exposure of a traditional data breach with the extreme business risks associated with near total operational disruption. This alert highlights potential legal implications and outlines practical steps companies should consider to strengthen preparedness.

Continue Reading When Cyberwar Hits the Corporate Home Front

On February 13, 2026, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced its civil enforcement program to implement the updates to the Substance Use Disorder (“SUD”) confidentiality provisions of the regulation at 42 CFR Part 2 (“Part 2”).1 The new enforcement program became effective February 16, 2026, in accordance with the deadline set by the 2024 Final Rule modifying Part 2 (“2024 Final Rule”).

Continue Reading HHS OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records

Last week, the U.S. Supreme Court agreed to hear a case that is expected to resolve a long-developing split among federal courts of appeals over the scope of the Video Privacy Protection Act of 1988 (“VPPA”), 18 U.S.C. § 2710. In granting certiorari in Salazar v. Paramount Global, the Court will address a question that has increasingly shaped VPPA class action litigation in recent years: who qualifies as a “consumer” protected by the statute.

Continue Reading Supreme Court to Consider the Video Privacy Protection Act
12

The past year was a busy one for privacy litigation: Website tracking litigation gained momentum.  Plaintiffs repurposed legacy wiretap and video privacy statutes to target pixels, chat bots, and other AI-enabled user tools.  Courts issued decisions that altered liability theories and deepened splits over statutory terms and defenses.  Regulators remained active and staked out positions that stand to adjust private-plaintiff approaches to routine commercial website tracking.

In this post, we distill the year’s most consequential developments and what they mean for 2026.

Continue Reading On the Twelfth Day of Data… Privacy Litigation: Four Notable Developments From 2025
11

As the year draws to a close, reform of the data subject access request (DSAR) regime in the EU and the UK may turn out to be a welcome gift for organisations grappling with complex access requests. Regulators in both jurisdictions are signalling a more flexible, pragmatic approach to compliance, recognising that DSARs have often been exploited for tactical or disruptive ends.

Continue Reading On the Eleventh Day of Data… Unwrapping DSARs in 2026
day10

While 2025 may have brought questions about the level of enforcement we would see from federal regulators, there was no question that state regulators would continue to be active, especially in the financial privacy space. In 2025, we saw the New York Department of Financial Services (NYDFS) implement the final phases of amendments to its NYDFS Cybersecurity Regulation (23 NYCRR Part 500) that originally passed back in 2023 (see our earlier post on the amendments here). The final implementation phases milestones came as scheduled in May and November 2025, and just days before the final set of requirements took effect on November 1, NYDFS also issued new industry guidance on managing third-party risks. Taken together, the guidance and final amendments underscore what NYDFS will be scrutinizing in upcoming investigations and examinations: leadership oversight and documentation, complete asset inventories governed by clear policies, strict access controls and privilege management, universal multi-factor authentication coverage or well‑justified compensating controls, and credible third‑party risk management evidence.

Continue Reading On the Tenth Day of Data… Looking Back at 2025 and Ahead to NYDFS Enforcement Priorities in 2026
day9

The continued absence of a comprehensive federal privacy law once again positioned state legislatures as the primary forces behind data privacy developments in the U.S. this year. In 2025, eight new comprehensive state privacy laws took effect, adding to a growing patchwork of regulations that now spans 20 states. These laws generally reinforce established standards but introduce some important differences in applicability, exemptions, and sensitive data protections, making multi-state compliance increasingly complex.

States also continued to refine their data breach notification requirements, with notable amendments in New York, California, and Oklahoma aimed at strengthening consumer protections and reporting standards. Meanwhile, the rapid proliferation of state-level AI legislation—alongside a controversial new executive order directing federal agencies to challenge such laws—added a new layer of considerations for businesses leveraging artificial intelligence. With additional privacy laws set to take effect in 2026 and even stricter proposals on the horizon, organizations should remain proactive in adapting to this dynamic and increasingly fragmented regulatory environment.

Continue Reading On the Ninth Day of Data… State of the States: This Year’s Key Privacy Law Developments Across the U.S. States
day8

In 1950, reflecting on the future of machine intelligence, Alan Turing observed: “We can only see a short distance ahead, but we can see plenty there that needs to be done.” With several large language models, most notably OpenAI’s GPT-4.5, passing the Turing Test in 2025, some governments have taken steps towards stricter regulation this year, with others still working to determine what “needs to be done” for AI regulation in the year ahead.

Most notably, this year saw key provisions of the EU AI Act—the world’s first comprehensive AI-dedicated law—take effect. However, instead of seeing the “Brussels effect” with AI regulation, going into 2026, the global approach appears to be leaning towards that of the UK and U.S., which have led the charge for a looser regulatory environment in recent years.

Continue Reading On the Eighth Day of Data… AI Regulation – A 2025 Recap and a Look Ahead to 2026