Alston & Bird Privacy, Cyber & Data Strategy Blog

Privacy & Cyber Regulatory Enforcement

NYDFS Issues Frontier AI Advisory and Guidance for Heightened Cyber Threat Environment

By , , and

On May 21, 2026, the New York Department of Financial Services (“NYDFS”) issued two Industry Letters to the organizations it regulates (“Regulated Entities”): “Heightened Cybersecurity Risks Associated with Frontier AI Models” (the “Advisory”) and “Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment” (the “Guidance”) (collectively, the “Letters”). The Letters discuss […]

May Flowers Bring Fresh Insight from CalPrivacy

By and

Increased scrutiny of data brokers, rapid scaling of enforcement operations and active opposition to federal privacy preemption are in bloom in the Golden State. On May 1, 2026, the California Privacy Protection Agency (the “Agency”) Board (the “Board”) held a public meeting to review and discuss enforcement activities, legislative developments, and international data transfer issues. […]

Colorado Replaces Landmark AI Act—Creating New Trails for AI Rules and Private AI Litigation

By , and

On May 12, 2026, the Colorado legislature passed SB 26-189, which repeals and replaces its landmark Artificial Intelligence Act. Colorado is doing away with the concept of “algorithmic discrimination” and moving instead to a notice- and disclosure-based regime focused on automated decision-making. This time, it does so without a carve-out for deployers who are small […]

Your AI Therapist May Need a Lawyer: Pennsylvania Brings Suit Against Chatbot Developer

By , , , and

Our Health Care Group investigates a lawsuit against Character.AI that raises legal risks for AI platforms presenting themselves as licensed professionals and signals tightening regulatory scrutiny. AI chatbot developers could face regulatory action, private lawsuits, and reputational harm if bots imply professional credentials or offer regulated advice Federal and state authorities are increasing scrutiny of chatbot […]

Dutch DPA Fines Taxi App €100M Over Unlawful Transfers of Personal Data to Russia, Despite Use of EU Standard Contractual Clauses

By and

On April 1, 2026, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposed a €100 million fine on MLU B.V., the Dutch operator of the Yango taxi app. The AP found that personal data of EU users was unlawfully transferred to affiliated entities in Russia, despite the formal use of the EU Standard Contractual Clauses […]