On June 2, 2026, Connecticut Governor Ned Lamont signed Senate Bill 5 into law, designated as Public Act 26-15 and also known as the Connecticut Artificial Intelligence Responsibility and Transparency Act (the “CART Act” or “Act”).1 The CART Act is among the most comprehensive state AI laws enacted to date, creating distinct obligations for employment-related automated decision tools, consumer chatbots, frontier-model developers, generative-AI provenance, and online platforms used by minors, while also addressing AI applications in healthcare through targeted carveouts and innovation initiatives.

Continue Reading Connecticut Enacts Sweeping AI Law Covering Employment, Healthcare, and Online Safety

On June 2, 2026, President Trump signed an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security” (the “Order”), which establishes a new framework for government collaboration with the AI industry on cybersecurity and the secure deployment of advanced AI models.1 While voluntary in form, the Order builds significant institutional architecture, including classified benchmarks administered by the National Security Agency (NSA) and a government-managed pre-release review window, that marks the administration’s first direct engagement with pre-deployment evaluation of frontier AI capabilities.

This alert examines the Order’s key provisions and their implications for AI developers, critical infrastructure operators, enterprises deploying AI tools, and investors in AI-driven companies.

Continue Reading Trump’s AI Cybersecurity Order: A Voluntary Framework with Mandatory Implications

On May 14, 2026, Colorado Governor Jared Polis signed a new Colorado AI Act, S.B. 26-189 (the “2026 Act”)1, which repeals and replaces the prior Colorado AI Act, S.B. 24-205, which had passed in 2024 (the “2024 Act”) and was originally scheduled to take effect on June 30, 2026.2 As a result, the 2024 Act will not take effect, and the 2026 Act goes into effect January 1, 2027. This enactment reflects both scrutiny from the federal government3 and Colorado’s governor4 for the 2024 Act’s broad, sweeping AI regulatory framework.

Continue Reading Colorado Scales Back AI Law, with Targeted Implications for Health Care

On May 15, 2026, China’s National Medical Products Administration (“NMPA”) issued the Implementation Measures for Drug Trial Data Protection (the “Measures”), effective immediately, to formalize China’s protection regime for eligible undisclosed chemistry, manufacturing and control (CMC) and clinical study data submitted in marketing authorization applications. The Measures define the eligible products, protection periods, application process, publication mechanism, and restrictions on follow-on applications that rely on protected data.

Continue Reading China’s NMPA Issues Final Measures on Regulatory Data Protection

On April 29, 2026, the United States Supreme Court issued a unanimous opinion in First Choice Women’s Resource Centers, Inc. v. Davenport, where it held that a nonprofit suffered an injury to its First Amendment right of association when it was subpoenaed by a state attorney general to produce donor information, including donor identities.1 Justice Gorsuch, writing for the Court, held that the nonprofit petitioner could challenge the subpoena in federal court without first waiting for a state court to compel compliance.

Continue Reading Supreme Court Reinforces Donor Privacy Protections, Permitting Immediate Federal Court Challenge to State Subpoena

For almost a decade, the scientific research provisions of the General Data Protection Regulation (GDPR) have lacked authoritative, European Union (EU)-wide interpretation, leaving sponsors of clinical trials and research institutions alike to navigate a patchwork of national implementing laws. A 2019 study commissioned by the European Data Protection Board (EDPB) — the body comprising EU national data protection authorities — confirmed significant divergence among EU Member States, and interim guidance published in 2021 by the EDPB highlighted — but left unresolved — several key GDPR compliance issues facing organisations in the life sciences industry. In the years since, the COVID-19 pandemic and the United Kingdom’s post-Brexit departure from the EU framework have only sharpened the need for more specific guidance. Ropes & Gray attorneys co-authored an article published in Science magazine in October 2020 that provided a summary of the complexity in this space and potential solutions.

Continue Reading The European Data Protection Board Releases New Guidelines on the Processing of Personal Data for Scientific Research

On March 30, 2026, Governor Gavin Newsom signed Executive Order N-5-26 (the “Order”), directing California state agencies to develop new certification requirements and procurement standards for companies seeking to provide AI-enabled products or services to the state.1 The Order represents the latest move in an intensifying contest between California and the federal government over the future of AI regulation in the United States.

Continue Reading Newsom Signs Executive Order Establishing AI Vendor Certification and Procurement Framework

On March 20, 2026, the White House released its National Policy Framework for Artificial Intelligence (“Framework”), outlining legislative recommendations for Congress to establish a unified federal approach to AI regulation. The Framework builds on prior executive actions, including the December 2025 Executive Order (the “Executive Order”) and the Trump administration’s “America’s AI Action Plan,” and it proposes that Congress adopt legislation broadly preempting state AI laws deemed to impose “undue burdens.” This alert summarizes the Framework’s key provisions, analyzes their potential impact on state laws, and highlights considerations for healthcare and life sciences stakeholders navigating the evolving regulatory landscape. While the Framework does not itself change the current legal status of the Executive Order, it signals increased policy focus and may prompt further agency action.

Continue Reading The White House Legislative Recommendations: National Policy Framework for Artificial Intelligence and Federal Preemption of State AI Laws

As recent events indicate, American companies may be the subject of destructive data “wiper” attacks and potential data theft by Iran-linked hackers. Ongoing tensions in the Middle East underscore the stark and evolving cyberthreat landscape facing companies. These types of cyberattacks blend the regulatory and litigation exposure of a traditional data breach with the extreme business risks associated with near total operational disruption. This alert highlights potential legal implications and outlines practical steps companies should consider to strengthen preparedness.

Continue Reading When Cyberwar Hits the Corporate Home Front

On February 13, 2026, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced its civil enforcement program to implement the updates to the Substance Use Disorder (“SUD”) confidentiality provisions of the regulation at 42 CFR Part 2 (“Part 2”).1 The new enforcement program became effective February 16, 2026, in accordance with the deadline set by the 2024 Final Rule modifying Part 2 (“2024 Final Rule”).

Continue Reading HHS OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records