Katten's Privacy, Data and Cybersecurity Quick Clicks is a monthly newsletter highlighting the latest news and legal developments involving privacy, data and cybersecurity issues across the globe.
EU AI Act Compliance Deadline of August 2 Looming for General-Purpose AI Models
By Trisha Sircar
The European Union's Artificial Intelligence Act (the EU AI Act) is the first comprehensive artificial intelligence (AI) regulation to address AI technologies across the globe. The EU AI Act was proposed in April 2021 and published in the Official Journal of the European Union (EU) on July 12, 2024. The EU AI Act officially entered into force on August 1, 2024. The regulation has adopted a phased timeline for implementation, with key dates for compliance. Notably, the European Commission's publication of the General-Purpose AI (GPAI) Code of Practice and FAQs on July 10, 2025, signals that it intends to hold to its timeline for implementing the EU AI Act. Read more about the key dates for compliance and the European Commission’s published guidelines related to GPAI models.
You Must Be This Tall to Click: The Online Safety Act and Age-Appropriate Access
By Terry Green
With the July 25 deadline, the UK Online Safety Act (OSA) enters into a critical enforcement phase. One of the OSA’s most contentious and consequential elements is the requirement of "highly effective" age assurance for adult content providers. With more than 40 new rules in the "protection of children" phase of the OSA, which we discussed in our previous article, and a growing list of enforcement programs, such as the program into children's risk assessment duties that should be in place as of July 24, the Office of Communications (Ofcom) is making it clear: online platforms must act – or face serious consequences. Read more about Ofcom’s non-exhaustive list of "highly effective" age assurance methods that are technically accurate, robust, reliable and fair.
*Larry Wong and Lavinia Puder, trainees in Katten’s London office, contributed to this article.
California Regulator Finalizes CCPA Rules for Automated Decision Making, Cybersecurity Audits and Risk Assessments
By Trisha Sircar
On July 24, during its scheduled Board Meeting, the California Privacy Protection Agency (CPPA) Board voted unanimously to finalize rules governing the use of automated decision-making technology, risk assessments, cybersecurity audits and insurance under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). A final package of the regulations will be prepared and presented to California's Office of Administrative Law (OAL), which will have 30 business days to determine if the rules will become final. Read more about the compliance deadlines that will apply if the rules are finalized.
White House Reveals AI Action Plan
By Trisha Sircar
On July 23, the White House released "Winning the AI Race: America’s AI Action Plan" (Action Plan), in accordance with President Donald Trump’s January executive order on Removing Barriers to American Leadership in AI. As outlined by the White House, winning the AI race will usher in a new golden age of human flourishing, economic competitiveness and national security for the American people. The Action Plan identifies over 90 federal policy actions across three pillars — Accelerating Innovation, Building American AI Infrastructure, and Leading in International Diplomacy and Security — that the Trump Administration will take in the coming weeks and months. Read more about key policies in the White House's AI Action Plan.
EU Initiates Renewal of UK Adequacy Decision Following UK Adoption of the Data (Use and Access) Act 2025
By Anita Hodea
On July 22, the European Commission announced that it had launched the process to renew the adequacy decision for the United Kingdom (UK) and confirmed that the UK's updated data protection framework remains closely aligned with European Union (EU) standards. An adequacy decision enables the free transfer of personal data from the EU to a "third country" where that country's data protection laws are considered essentially equivalent to those of the EU, eliminating the need for additional safeguards. This follows the UK's adoption of the Data (Use and Access) Act 2025 (DUAA) on June 19. Read more about the DUAA’s impact and the European Commission’s Draft Adequacy Decision.
DORA Delegated Regulation on Threat-Led Penetration Testing Published in Official Journal
By Nathaniel Lalone and Ciara McBrien
The Delegated Regulation, which contains regulatory technical standards (RTS) on threat-led penetration testing (TLPT) requirements under the EU Digital Operational Resilience Act (DORA), was recently published in the Official Journal of the European Union. TLPT is mandatory for the "financial entities" subject to DORA, which now must meet specific impact, risk and systemic relevance criteria in relation to these testing requirements. Read more about the TLPT structure set out in the RTS and how it aligns with the EU’s threat intelligence-based ethical red teaming.
Texas Federal Court Vacates Most of 2024 HIPAA Rule on Reproductive Health Information
By Lisa Prather and Brandon von Kriegelstein
In 2024, the US Department of Health and Human Services (HHS) implemented a new privacy rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that applied specifically to reproductive health information (2024 Rule). On June 18, Judge Matthew J. Kacsmaryk of the US District Court for the Northern District of Texas issued an opinion largely vacating the 2024 Rule. The decision in Purl v. US Department of Health and Human Services nullifies the 2024 Rule, except for technical provisions unrelated to reproductive health information. Read more about the decision and the HIPAA framework that was in place prior to the 2024 Rule and is now back in effect.