Insights

On March 3, 2026, a bipartisan coalition of state attorneys general and state charity regulators (the “States”) sent a letter[1]to GoFundMe expressing their concerns about GoFundMe's creation of donation web pages for more than 1.4 million charities without their prior knowledge or consent.

On February 12, 2026, a bipartisan group of legislators in Maryland proposed the Maryland Artificial Intelligence Toy Safety Act. This proposed legislation would amend the Maryland Consumer Protection Act to establish a sweeping regulatory framework for AI-enabled toys sold in the state, covering any device that uses machine learning, conversational AI, behavioral modeling, or similar computational processes and is marketed to or primarily used by children. This proposed legislation adds to a growing trend of increasing efforts, at both the federal and state levels, to regulate the use of AI in products and services used by children.  

On March 3, 2026, the Department of Labor (DOL), Department of Health and Human Services (HHS), and Department of the Treasury (TREAS) — collectively, the “Tri-Agencies” — published their fourth annual report to Congress on enforcement of the Mental Health Parity and Addiction Equity Act (MHPAEA). The 2025 Report demonstrates a shift in approach by the Tri-Agencies in its tone and content and suggests that federal regulators, and the DOL in particular, are not as active as they previously were in MHPAEA enforcement. However, federal enforcement remains ongoing, and state enforcement of mental health parity laws continues to grow. Plans and issuers must continue to maintain comprehensive compliance processes and documentation for MHPAEA compliance.

Clinical trial sponsors and all other stakeholders involved in conducting commercial clinical trials of investigational medicinal products (IMP) in the UK.

The U.S. Supreme Court’s February 20, 2026, opinion in Learning Resources. v. Trump (decided with Trump v. V.O.S. Selections), holding that the President lacks authority to impose tariffs under the International Emergency Economic Powers Act (IEEPA), is notable for many reasons — including its practical impact on the many U.S. companies who paid steep tariffs on global imports and may now be able to recover by filing suit before the Court of International Trade (CIT). That possibility and the key reasons for the High Court’s decision are discussed in our recent alert on this momentous decision.

While state attorneys general have traditionally led consumer protection enforcement, local governments are increasingly deploying their own powers to prosecute high-stakes affirmative litigation. The results speak for themselves: Los Angeles and Chicago have secured multi-million-dollar judgments and settlements in consumer deception cases over the past decade.

The Supreme Court has concluded that the International Emergency Economic Powers Act (IEEPA) does not authorize President Trump to impose tariffs.  For a detailed analysis of the decision, please see our Trade Group’s full alert.

On February 13, 2026, the U.S. Department of Homeland Security (DHS) announced upcoming virtual town hall meetings scheduled for March 2026 regarding the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  The meetings will allow industry stakeholders to provide input to DHS to refine the “scope and burden” of the forthcoming CIRCIA final rule.

Employers are increasingly relying on artificial intelligence and automated decision systems (ADS) in workplaces across California and the world as avenues to boost productivity or achieve cost savings. However, some state legislators have raised concerns about the lack of worker protections and oversight in discipline and termination decisions made by ADS.

California Attorney General Rob Bonta announced an unprecedented investigative sweep into “surveillance pricing” practices by grocers, hotels, and retailers, marking the first state-level inquiry targeting personalized pricing under data privacy laws.

The National Institute of Standards and Technology (“NIST”) recently released draft guidelines for applying NIST’s Cybersecurity Framework to organizations adopting artificial intelligence. NIST requests public comments on its “Initial Preliminary Draft” Cybersecurity Framework Profile for Artificial Intelligence (the “Cyber AI Profile”) by midnight on January 30, 2026. 

California state and federal courts continue to see extensive litigation involving the California Invasion of Privacy Act (“CIPA”). When enacted in 1967, CIPA targeted traditional telephone wiretapping. However, its reach has expanded as new technologies enter the market. Today, private CIPA claims often concern website tracking and a business’s choice to embed analytic tools on its website.

The California Privacy Protection Agency (“CPPA”) is intensifying its oversight of data brokers with a new dedicated Data Broker Enforcement Strike Force within its Enforcement Division. The strike force will monitor and investigate data brokers’ compliance with their legal obligations under California’s Delete Act and the California Consumer Privacy Act (“CCPA”).

On December 22, 2025, the Federal Trade Commission (“FTC”) took its first step in enforcing its August 2024 Consumer Review Rule (“Rule”) that regulates online companies’ moderation and curation of user reviews, by issuing warning letters to 10 unidentified companies alerting them of their potential violations of the Rule, and cautioning that continued noncompliance could lead to enforcement action and substantial civil penalties. The FTC warning letters directed each recipient to immediately cease and desist from any non-compliant practices and required the company to confirm in writing the steps taken to ensure ongoing compliance with the Rule.

As microplastics begin making headlines and sparking scientific inquiry into the impacts of these pervasive particles, state legislators, regulators, and law enforcers—as well as private plaintiffs’ counsel—are taking action. In California, a bipartisan coalition of legislators passed AB 823, expanding the scope of an existing state ban on products containing plastic microbeads. Governor Newsom vetoed the bill, citing concerns that the ban would inadvertently slow the adoption of non-plastic alternatives.

In an effort to boost its clinical research industry, Germany has enacted the Medical Research Act or “MRA” (Medizinforschungsgesetz). The MRA introduces significant changes to various German healthcare laws and procedures.

California continues its blistering pace in enacting artificial intelligence regulations. In 2024 alone, California enacted 18 AI-related bills seeking to regulate AI tools and increase transparency around AI data disclosure.

As we have reported previously, California has enacted a pair of climate-related reporting laws that apply to large entities doing business in California (SB 253 and SB 261, as modified by SB 219). This alert provides an update on only the most recent events; please see previous alerts for a broader overview of the laws’ requirements.

Major changes have been proposed to EU AI, data and wider digital laws. On 19th November 2025, the European Union Commission issued its much anticipated Digital Omnibus Regulation Proposal, (the “Digital Omnibus”) and also its Digital Omnibus on AI Regulation Proposal, (the “AI Omnibus”). The mooted changes potentially impact the “Brussels effect” seen post GDPR and add potential complexities to the compliance efforts of businesses.

President Trump is preparing to sign an Executive Order that would seek to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds. The draft, unsigned six-page Executive Order, “Eliminating State Law Obstruction of National AI Policy” (EO), the text of which has been circulating publicly since November 19, would declare it the policy of the Administration “to sustain and enhance America’s global AI dominance through a minimally burdensome, uniform national policy framework for AI.”