9 February 2026

Dechert Cyber Bits - Issue 89 - January 29, 2026

Dechert

Contributor

Dechert is a global law firm that advises asset managers, financial institutions and corporations on issues critical to managing their business and their capital – from high-stakes litigation to complex transactions and regulatory matters. We answer questions that seem unsolvable, develop deal structures that are new to the market and protect clients' rights in extreme situations. Our nearly 1,000 lawyers across 19 offices globally focus on the financial services, private equity, private credit, real estate, life sciences and technology sectors.

We are honored and humbled to have been named Law360 Cybersecurity and Privacy Practice Group of the Year for 2025! Congratulations to the team and thank you to our clients for entrusting us with the types of matters that led to this honor and for your confidence in us. See links to Dechert's announcement and the Law360 announcement.

We see the future...

In case you missed it, catch up on our Cyber Bits Crystal Ball edition. See our predictions for 2026.

Check it out here.

FTC Finalizes Order with GM and OnStar, Resolving Allegations of Sharing Consumer Geolocation Data

On January 14, 2026, the Federal Trade Commission ("FTC") announced that it had finalized its decision and order ("Order") with General Motors LLC and General Motors Holdings LLC (collectively, "GM") and OnStar, LLC ("OnStar") to resolve allegations that GM and OnStar had violated the FTC Act by collecting and selling consumers' geolocation and driving data without notification or consent.

On January 16, 2025, the FTC alleged in a draft complaint that GM and OnStar (i) sold consumers' geolocation data to third parties, including to reporting agencies whose reports could be used by insurers to deny or increase the cost of automobile coverage, and (ii) failed to disclose this alleged practice to consumers. That same day, the FTC announced a proposed decision and order. Neither GM nor OnStar admits any wrongdoing in connection with this matter.

The now-finalized Order is effective for twenty years and bans GM and OnStar from disclosing consumer geolocation or driving data to consumer reporting agencies for five years. In addition, among other requirements, GM and OnStar must: (i) obtain consumers' express consent, except in specified limited circumstances, prior to collecting or using the consumers' geolocation and driving data; (ii) permit consumers to withdraw their express consent; (iii) implement a data retention schedule; and (iv) destroy all consumer geolocation and driving data in GM and OnStar's possession that existed prior to the Order.

Takeaway: This settlement illustrates heightened regulatory scrutiny of the connected car industry and the monetization of vehicle data. Making clear to consumers how, if at all, their actions while driving are being tracked, analyzed, and/or sold to third parties is important. It also doubles down on the FTC's focus on precise geolocation data, which the FTC considers to be highly sensitive.

UK Data Regulator Report on Data Protection Implications of Agentic AI

The UK Information Commissioner's Office ("ICO") has published a report on the data protection implications of "agentic AI" (systems that combine generative AI with additional tools to plan and carry out tasks), noting that the technology is still at an early stage but may soon be used across a wide range of activities such as research, coding, planning and executing transactions. The report flags prospective adoption across commerce, government, the workplace, cybersecurity, medicine, and consumer-facing products, and notes that poorly implemented agentic AI systems increase the risk of data protection harms.

In its accompanying blog post, the ICO outlines an example potential use case of AI digital shopping companions. The blog sets out how these agentic AI companions could anticipate shopping needs and make proactive purchases based on learned or defined preferences or behaviors, rather than relying on specific prompts. They could also check personal bank accounts to see if a purchase is within budget, assess the effect on other spending plans, schedule purchases around seasonal sale events, and negotiate prices directly with sellers.

The ICO's report emphasizes that organizations remain responsible for data protection compliance when they develop, deploy, or integrate agentic AI systems, and it highlights that system design and architecture can amplify existing risks (or introduce new ones) such as where there are limited controls around access, monitoring, "stop" functionality, and onward sharing of information. At the same time, the ICO points to opportunities for "privacy by design" and privacy-friendly innovation, including concepts such as data protection–compliant agents, agentic controls, privacy management agents, and information governance agents.

Takeaway: The independent nature of agentic AI presents novel risks including issues around determining responsibilities in the AI supply chain, automated decision-making, increased complexity, and increased volume of personal data unnecessary to the task at hand. Organizations exploring agentic AI will want to consider whether and how existing governance tools map onto systems that can take actions, use tools, and share data with minimal human touchpoints.

CalPrivacy's Data Broker Enforcement Strike Force Reaches Two New Settlement Decisions

On January 8, 2026, the California Privacy Protection Agency ("CalPrivacy" or the "Agency") announced that its Data Broker Enforcement Strike Force has reached two new Decisions adopting Stipulated Final Orders ("Settlements").

The first Settlement involved Rickenbacher Data LLC, which does business under the name Datamasters ("Datamasters"). The Agency had alleged that Datamasters failed to register as a data broker in violation of the California Delete Act. Under the Settlement, Datamasters must, among other things: (i) pay a $45,000 fine; (ii) stop selling the personal information of Californians; and (iii) delete all previously purchased personal information of Californians.

The second Settlement was reached with S&P Global, Inc. ("S&P"). The Agency had alleged that S&P failed to register as a data broker in violation of the Delete Act. Notably, the Agency acknowledged that S&P believed that it had completed the registration, and upon realizing that registration had not been properly completed, "promptly" registered. Under the terms of the Decision, S&P is required to pay a $62,600 fine—$200 for each day it went unregistered—and it must implement procedures for future registration and auditing.

Takeaway: These Settlements continue to demonstrate CalPrivacy's aggressive enforcement of the Delete Act's registration requirements for data brokers. The S&P Settlement is particularly notable because it signals the Agency is taking a strict-liability approach to companies that fail to register as required. Companies that buy or sell Californians' personal information will want to assess whether they qualify as data brokers under the Act in order to avoid enforcement scrutiny and substantial fines.

UK Government Commits to Raise Data Protection Standards in Memorandum of Understanding with UK Data Regulator

The UK government and the ICO signed a memorandum of understanding ("MOU") on January 8, 2026, positioned as a response to what the ICO described as "several serious, high-profile data breaches that undermined public trust in government, some of which also placed lives at risk."

The MOU formalizes a framework for how the ICO and government departments will work together on data protection improvements, including a commitment by the government to publish an annual assurance statement on how data is being kept safe and how new and proposed technologies and processes have been designed with trust and privacy in mind. It also contemplates earlier engagement with the ICO on projects involving significant risk or innovative use of personal data, alongside internal governance and assurance mechanisms (such as a central team to set consistent standards).

Takeaway: For organizations that: (i) sell into government; (ii) process public-sector data; or (iii) run joint programs with UK government departments, this MOU signals that a more structured data protection environment is likely to be expected from the government side. Vendors and partners to state bodies will want to plan for deeper due diligence conversations and for government customers to request more assurance and active involvement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
