Enforcement

Subscribe to Enforcement via RSS

As states continue to grapple with establishing regulatory frameworks for the most powerful artificial intelligence (“AI”) systems, New York has joined California in targeting frontier AI models with the Responsible AI Safety and Education Act (the “RAISE Act” or the “Act”).[1] Signed into law on December 19, 2025 by Governor Hochul, the Act creates a comprehensive regulatory framework for developers of the most advanced AI systems, marking New York’s entry into the vanguard of state AI safety regulation.Continue Reading New York’s RAISE Act vs. California’s TFAIA: What Companies Need to Know

For more insights and analysis from Cleary lawyers on policy and regulatory developments from a legal perspective, visit What to Expect From a Second Trump Administration.

On December 11, 2025, President Donald Trump signed an executive order titled Establishing A National Policy Framework For Artificial Intelligence (the “Order”)[1]. The Order’s policy objective is to “enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI”[2] and comes after Congress considered but did not advance federal legislation that would have preempted state AI regulation earlier this year. The Order justifies federal intervention on three grounds:Continue Reading President Trump Signs Executive Order Seeking to Preempt State AI Regulation

CJEU ruling heralded as “landmark” GDPR judgment turns on a specific set of facts and requires careful interpretation in the post-DSA regulatory reality.

Continue Reading GDPR vs. the hosting defence: How wary should online platforms be of the EU Court of Justice Russmedia judgment?

On September 29, 2025, Governor Gavin Newsom signed the Transparency in Frontier Artificial Intelligence Act (TFAIA, SB 53 or the Act)[1], establishing a comprehensive framework for transparency, safety and accountability in the development and deployment of the most advanced artificial intelligence models. Building upon existing California laws targeting AI such as AB 2013[2], the Act, which takes effect January 1, 2026 and imposes penalties up to $1 million per violation, creates immediate compliance obligations for AI developers of the most powerful frontier models.Continue Reading California Enacts Landmark AI Safety Law But With Very Narrow Applicability

As of July 8, the U.S. Department of Justice (“DOJ”) is scheduled to begin full enforcement of its Data Security Program (“DSP”) and the recently issued Bulk Data Rule after its 90-day limited enforcement policy expires, ushering in “full compliance” requirements for U.S. companies and individuals.[1] Continue Reading Enforcement Countdown: Is DOJ Ready for the Bulk Data Rule “Grace Period” to End?

On March 12, the California Privacy Protection Agency (“CPPA”) announced an enforcement action against American Honda Motor Co. (“Honda”), with a $632,500 fine for violating the California Consumer Privacy Act and its implementing regulations (“CCPA”).[1]  This action, which is the CCPA’s first non-data broker action, arose in connection with the Enforcement Division’s ongoing investigative sweep of connected vehicle manufacturers and related technologies, and serves as a cautionary tale for companies handling consumer personal information, highlighting the stringent requirements of the CCPA and the consequences of non-compliance.Continue Reading CPPA Enforcement Action Against Honda Underscores Need for CCPA Compliant Privacy Practices

On 3 February 2025, the European Commission (“EC”) published an updated version of its frequently asked questions (“FAQs”) on the EU Data Act.[1]  The Data Act, which is intended to make data more accessible to users of IoT devices in the EU, entered into force on 11 January 2024 and will become generally applicable as of 12 September 2025.Continue Reading Data Act FAQs – Key Takeaways for Manufacturers and Data Holders

Last week, the New York legislature passed the New York Health Information Privacy Act (S929) (“NYHIPA” or the “Act”)[1]. The Act, which is currently awaiting the Governor’s signature, seeks to regulate the collection, sale and processing of healthcare information, akin to Washington’s My Health My Data Act.Continue Reading New York Legislature Passes Health Data Privacy Bill

The following is part of our annual publication Selected Issues for Boards of Directors in 2025Explore all topics or download the PDF.

The SEC pursued multiple high profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules. Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.Continue Reading Cybersecurity Disclosure and Enforcement Developments and Predictions

On October 22, 2024, the SEC announced settled enforcement actions charging four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. These cases mark the first to bring charges against companies who were downstream victims of the well-known cyber-attack on software company SolarWinds. The four companies were providers of IT services and digital communications products and settled the charges for amounts ranging from $990,000 to $4 million.Continue Reading SEC Charges Four Companies Impacted by Data Breach with Misleading Cyber Disclosures