On March 11, 2026, the Federal Trade Commission (FTC) announced an Advance Notice of Proposed Rulemaking (ANPRM) highlighting its Rule Concerning the Use of Prenotification Negative Option Plans, seeking comment on whether the rule should be amended or supplemented to better address deceptive or unfair negative option practices.

The FTC describes negative options as marketing arrangements in which a consumer’s silence or failure to act is treated as consent to be charged for goods or services. Negative option marketing includes automatic renewals, continuity programs, free-to-pay conversions, and prenotification plans. Regulators generally focus on several considerations:

  • Are material terms clearly disclosed?
  • Did the seller obtain express informed consent?
  • Is cancellation simple and effective?

Consistent with that focus, the FTC’s March 11th notice seeks input on practices that prevent consumers from understanding key terms, lead to enrollment without express informed consent, or deter cancellation.

The FTC’s enforcement posture in this area has been active for years and is unlikely to soften. The agency cites ongoing concerns with difficult cancellation processes, unlawful retention tactics, and other barriers that keep consumers from switching or ending subscriptions. It also reports receiving thousands of complaints each year, including more than 100,000 complaints over the past five years, which signals that subscription marketing remains a regulatory priority.

As for timing, the FTC stated that once the ANPRM is published in the Federal Register, the public will have 30 days to submit comments. The agency may then proceed through review, a proposed rule, another round of comments, and potentially a final rule.

In the meantime, businesses should expect the FTC and state regulators to continue using existing authorities, including unfair and deceptive practices statutes, to challenge problematic subscription flows. The best approach is to make key terms conspicuous, obtain and retain clear evidence of affirmative consent, and offer cancellation that is straightforward, reliable, and at least as accessible as enrollment. In many cases, regulatory risk turns less on the fact of a subscription and more on whether the overall experience could be viewed as obscuring costs or limiting consumers’ ability to leave.

A federal judge has ruled that CNN must face a proposed class action alleging that its website shared consumers’ personal information with Microsoft and adtech firms without consent, in alleged violation of the California Invasion of Privacy Act (CIPA). The lawsuit challenges CNN’s alleged use of online tracking tools and the downstream sharing of data in the digital advertising ecosystem. 

According to the complaint, CNN allegedly embedded tracking tools from Microsoft, PubMatic, and OpenX that enabled those companies to collect users’ personal information and build detailed marketing profiles for targeted advertising purposes. The complaint further alleges that at least one advertiser bid on the plaintiff’s information, and that it was likely circulated far more broadly during automated real-time bidding for ad space. 

In denying CNN’s motion to dismiss, the judge said that the plaintiff adequately alleged a concrete injury sufficient for federal standing, pointing to allegations that their information was collected and sold in the online advertising marketplace in a manner described as “highly offensive.” The court also found the pleadings sufficient at this stage to claim that the tracking code functioned as a “pen register” under CIPA while noting it was premature to resolve CNN’s argument that it was exempt under a CIPA provision related to operating or maintaining its service. This decision signals that publishers using embedded adtech and analytics tools may face heightened litigation risk under CIPA when user data is collected or shared without clear, consent-based disclosures.

I have very fond memories of using a Eurail pass back in the day while backpacking through Europe as a student. I was saddened to see that Eurail was the victim of a data breach in December 2025 when attackers obtained access to travelers’ full names and contact information, including email addresses, passport details, ID numbers, bank account and health information, and published it on the dark web for sale.

The incident affected 308,777 travelers. In its notification to affected individuals, Eurail provides information on fraud alerts and credit or security freezes, urges those affected to stay “alert to suspicious messages or activity,” and recommends that they obtain a free copy of their credit report.

Whether you receive a notification letter or not, it is always a good idea to check your credit report frequently.

Iran has always been a formidable cyber threat to the United States, but since the war in Iran commenced, the attacks have been coming frequently and in full force. According to the Joint Cybersecurity Advisory issued on April 7, 2026, by the FBI, CISA, NSA, EPA, DOE, and Cyber Command, Iran-based hackers are targeting internet-connected operational technology devices, including programmable logic controllers (PLCs). The Advisory notes that the PLC disruptions have been seen “across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data…resulting in operational disruption and financial loss.”

The Advisory states that U.S. organizations “should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the Mitigations section of this advisory to reduce the risk of compromise.”

If your organization is considered critical infrastructure, it is crucial to review the Advisory, including the indicators of compromise and mitigation techniques.

Critical infrastructure operators at the water treatment plant in Minot, North Dakota, were forced to resort to manual processes when the plant’s Supervisory Control and Data Acquisition (SCADA) system became inoperable as a result of a March 14, 2026, ransomware attack. The attackers are unidentified, but the attack comes in the wake of the war in Iran, and both Iran and China are known to lead cyber-attacks against water utilities, which often have vulnerabilities that make them easy targets. Last month, the Water Information Sharing and Analysis Center, along with information sharing organizations for the auto, aviation, food, health, IT, national defense, oil and natural energy, and retail and hospitality industries, issued a Joint Advisory to their members, including water facilities, warning them of increased cyberattacks from Iranian hackers, as well as physical attacks against critical infrastructure entities. The warning concluded by stating that “the threat environment is likely to remain highly volatile.”

Minot’s water system provides water to approximately 80,000 users. Although the water supply and quality were not affected by the attack, operators were required to manually read gauges for 16 hours while they uninstalled the compromised SCADA system. It has taken Minot over two weeks to spin up a new server.

Since water facilities are a target for nation-state cyber actors, the state of New York recently introduced cybersecurity standards for both drinking water and wastewater treatment facilities. Other states will hopefully follow suit so that water supply and quality are less vulnerable to attack.

Critical infrastructure operators should be aware of the heightened risk, prepare for an attack, and test their incident response processes through a cybersecurity tabletop exercise designed to address a shutdown, so that processes can be improved and services restored as efficiently as possible. We all depend on the basic necessities of food, water, electricity, and access to financial services, all of which could be downed by an attack and dramatically impact our lives. We depend on critical infrastructure operators to have measures in place to prevent and mitigate the effects of an attack.

Minnesota Governor Tim Walz issued an emergency executive order on April 7, 2026, dispatching the Minnesota National Guard after Winona County requested assistance following a cyber attack disrupting its “critical systems and digital services.” The attack occurred on April 6, 2026, and is “significantly impairing the county’s ability to deliver vital emergency and municipal services.”

The attackers are currently unknown, but the incident is further evidence of the increased threat of cyber-attacks following the war in Iran. That threat is the subject of a Joint Advisory issued by federal government agencies, warning government agencies and critical infrastructure operators to prepare for and prevent cyber-attacks during the war in Iran.

Despite a two-week ceasefire, Iran has always been a formidable cyber adversary, and it is anticipated that the cyber-attacks will continue as before.

While California’s wiretapping statute, the California Invasion of Privacy Act (CIPA), tends to dominate the conversation about the recent rise in wiretapping litigation, plaintiffs are also turning to other states’ wiretapping laws to target web tracking and session-replay tools. The U.S. Court of Appeals for the Third Circuit recently held that a website visitor could not pursue a Pennsylvania wiretapping claim in federal court because she did not allege a concrete enough injury to satisfy Article III of the U.S. Constitution. The case, Popa v. Harriet Carter Gifts, Inc., involves claims against a retailer, Harriet Carter, and its marketing-services provider, over alleged tracking of the plaintiff’s activity while she browsed the retailer’s website.

Article III standing is the threshold requirement to be in federal court, and it means that a plaintiff must show they were personally harmed in a concrete way, not just that a statute may have been violated. If a plaintiff cannot show a concrete injury, a federal court lacks power to decide the case. In Popa, the standing question was shaped by the Third Circuit’s earlier decision in Cook v. GameStop, Inc., 148 F.4th 153, 157 (3d Cir. 2025). There, the court held that routine website interactions, such as moving a mouse, clicking, using a search function, or adding items to a cart, do not by themselves amount to a sufficiently concrete injury for federal standing when the plaintiff did not enter sensitive or personal information during the session.

Applying that approach, the Popa panel noted that the plaintiff conceded she did not suffer an Article III injury, and the court therefore could not reach the merits of her Pennsylvania Wiretapping and Electronic Surveillance Control Act claims. Before this appeal, and prior to the Cook decision, the federal trial court had granted summary judgment to the defendants, ending the case in their favor without a trial. Because the federal courts lacked jurisdiction, the Third Circuit vacated the prior federal summary judgment ruling and instructed the district court to send the case back to state court.

For companies dealing with website-tracking claims, Popa is a reminder that in the Third Circuit, federal jurisdiction may hinge on what the user actually did on the site and whether the alleged tracking plausibly involved capturing sensitive or personal inputs, as opposed to ordinary browsing. That puts renewed focus on understanding what data a website and its vendors collect at each step of the user journey and aligning disclosures and consent mechanisms with how the technology works. And even when a case cannot stay in federal court, Popa highlights that a dispute may simply continue in state court, where the litigation may turn less on constitutional standing and more on the state statute’s scope and the specific facts of the implementation.

California Governor Gavin Newsom issued a new executive order aimed at tightening California’s procurement rules for artificial intelligence (AI) vendors and “raising the bar” for companies that want to sell AI tools to the state. The administration says the goal is to ensure contractors meet strong standards and can demonstrate responsible policies that prevent misuse, while protecting users’ safety and privacy. The announcement also frames California’s approach as a contrast to recent federal contracting “missteps,” emphasizing that AI adopted by the state should not enable bad actors to exploit data, undermine security, or violate civil rights. 

Practically, the order directs the Government Operations Agency to develop a plan for updated contracting processes and best practices that vet companies based in part on how they attest to and explain safeguards addressing key risks, including exploitation or distribution of illegal content, biased model behavior or lack of bias prevention technology, and violations of civil rights and free speech in AI tools. It also allows the state to separate its procurement authorization process for AI tools from the federal government (when needed). In addition, the governor directs the California Department of Technology to develop recommendations and best practices for watermarking AI-generated images or manipulated video consistent with state law.

The order is not only about restrictions—it also commits California to expanding generative AI use to improve public services, including a new AI-directed tool intended to help Californians navigate programs and benefits by life events, like starting a business or finding a job. Alongside that service-delivery push, the state plans a statewide engagement effort through the Engaged California program to gather input on how AI may impact the workforce, signaling that California wants both stronger guardrails and a clearer public mandate as AI adoption accelerates. To see the full executive order click here.