Artificial intelligence (AI) continues to move at a pace that few regulatory frameworks can match. This week alone underscored just how deeply AI is permeating every corner of the business world—from financial services, health care, and data centers to marketing technologies, web analytics, and core infrastructure. On December 11, President Trump issued a sweeping Executive Order aimed at curbing the growing patchwork of state AI laws and signaling a strong federal push toward uniformity, global competitiveness, and innovation-first AI policy. The Order sets the stage for significant legal, political, and constitutional debate, particularly around state enforcement authority, algorithmic accountability, and the future of consumer protections.
At the same time, states and regulators are not standing still. Florida’s proposed AI consumer protections, California’s continued expansion of privacy enforcement under the California Invasion of Privacy Act (CIPA), and aggressive litigation trends across the country highlight the tension between federal ambitions and state-level risk mitigation. Add to that the growing realities of GenAI in financial services, cross-border health data offshoring, AI-driven cyber threats, and the immense infrastructure demands powering AI growth, including nuclear-powered data centers, and it is clear that organizations can no longer treat AI as a siloed technology issue. AI is now a core enterprise risk, governance, and compliance issue.
In this edition of our Digital Risk Report, our team breaks down these developments with practical, business-focused guidance. From regulatory shifts and litigation risk to operational compliance strategies and emerging infrastructure trends, these articles are designed to help organizations navigate uncertainty, anticipate enforcement, and responsibly deploy AI in an increasingly complex legal environment.
Insights
Florida Targets AI Risks: Consumer Rights and Infrastructure Accountability
The first phase of the Cybersecurity Maturity Model Certification (CMMC) program began on November 10, 2025, with implementation to be rolled out incrementally over three years. This phase starts with self-assessments to give companies time to understand and apply the new requirements for DoD contracts.
In November 2025, the U.S. Environmental Protection Agency (EPA) released new guidance and resources related to cybersecurity and infrastructure resilience for water utilities.
New York state agencies must create and publish a detailed public inventory of their automated decision-making tools on their websites. This includes specific employee protections against AI systems.
The U.S. Department of Education’s RISE committee concluded its November 2025 session by reaching consensus on major student loan reforms—introducing new borrowing limits, eliminating Grad PLUS loans, adopting a simplified repayment plan effective July 1, 2026, and narrowing the definition of “professional student” to specific licensure-based degree programs.
On November 20, 2025, the French data protection authority (CNIL) fined LES PUBLICATIONS CONDÉ NAST €750,000 for violations of Article 82 of the French Data Protection Act, which implements the EU ePrivacy cookie consent rules.
The enforcement action followed repeated complaints (filed by noyb) and multiple prior investigations into the vanityfair.fr website, which received over six million French visitors in a four-month period. Notably, CNIL had already issued a formal compliance order in 2021, which weighed heavily in the sanction.
Key Violations Identified
CNIL found three core compliance failures:
• Cookies placed without prior consent
Non-essential cookies were deposited on users’ devices immediately upon landing on the site, before users interacted with the cookie banner or expressed any choice.
• Misleading classification of “necessary” cookies
Certain cookies were labeled as “strictly necessary” and exempt from consent, without clear disclosure of their actual purposes, depriving users of informed choice.
• Ineffective refusal and withdrawal mechanisms
Even when users clicked “Refuse all” or later withdrew consent:
New consent-based cookies were still placed, and
Previously installed cookies continued to be read.
Why This Matters
CNIL emphasized that:
• Consent must be prior, informed, and effective;
• “Refuse all” must work as cleanly and completely as “Accept all”; and
• Cookie compliance failures after a prior regulatory warning significantly increase enforcement risk.
In setting the €750,000 fine, CNIL cited:
• The scale of affected users,
• The history of non-compliance, and
• The company’s financial capacity.
Takeaway for Organizations
This decision reinforces CNIL’s strict stance on cookie compliance and serves as a warning that cosmetic consent banners and broken preference centers are not enough—especially for media, advertising-driven, and high-traffic websites.
The California Privacy Protection Agency (CalPrivacy) is creating a Data Broker Enforcement Strike Force within its Enforcement Division to investigate privacy violations by the data broker industry. The Enforcement Division will be reviewing the industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act (CCPA).
On December 3, 2025, the California Privacy Protection Agency (CPPA) announced that it fined ROR Partners LLC (ROR Partners), a Nevada-based marketing firm, $56,600 for failing to register as a data broker under California’s Delete Act.
Jam City, in a stipulated judgment, agreed to pay $1,400,000 to resolve allegations that it failed to provide methods for consumers to opt out of the sale of their personal information in its mobile gaming apps and failed to provide sufficient privacy protections for children, in violation of the California Consumer Privacy Act (CCPA). Despite collecting and sharing consumer personal information nearly exclusively through its mobile games, the investigation found that Jam City did not offer CCPA-compliant opt-outs in any of its 21 mobile apps. The investigation also found that some Jam City games shared or sold the data of children between the ages of 13 and 16 without the affirmative consent required by the CCPA. The settlement requires that Jam City provide in-app methods for consumers to opt out of the sale or sharing of their data, and that it not sell or share the personal information of consumers who are at least 13 and less than 16 years old without first obtaining their affirmative “opt-in” consent.
Attackers accessed names, addresses, phone numbers, and emails of customers, dashers, and merchants across the U.S., Canada, Australia, and New Zealand. The breach occurred after an employee fell victim to a social engineering scam. No sensitive data (including social security numbers, driver’s license information, or payment information) was accessed.
Attackers gained access to a legacy third-party cloud file storage system used as late as 2020. No merchant funds or card numbers were accessed. A ransom was demanded—a donation in the amount demanded was made by Checkout.com to support research against cybercrimes.
Systems related to Penn’s development and alumni activities were compromised by attackers using social engineering. Undisclosed information was taken by the attackers.
User analytics data (metadata such as name, email, approximate location from IP, OS/browser info, etc.) was taken by attackers via a smishing campaign.
A University database containing information about members of the University community was compromised by malicious actors. The database included biographical information. The university stated that social security numbers, passwords, and bank/credit card details were not in this database.
Certain information systems were accessed by an unauthorized party via a phone-based phishing attack. Contact details, addresses, event attendance, donation history, and other alumni‑engagement biographical information were compromised. The University stated that social security numbers, passwords, financial account, or payment card data were not involved.