California SB 82 — a bill that seeks to end “infinite” arbitration clauses and limit the scope of consumer arbitration agreements to the “use, payment, or provision of the good, service, money, or credit provided by that consumer use agreement” — was signed into law by Gov. Gavin Newsom on Oct. 6, 2025. SB 82

In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board adopted a comprehensive set of updates to the California Consumer Privacy Act regulations. These long-anticipated regulations — covering cybersecurity audits, risk assessments and automated decision-making technology — mark a pivotal shift in the state’s data privacy enforcement landscape. CPPA staff

On August 25, 2025, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”) issued a report analyzing Medicare billing practices for remote patient monitoring (“RPM”) services during 2024. As RPM technologies have matured and become more accessible, their availability has driven widespread adoption and enhanced patient care by enabling continuous, data-informed management outside the clinic; at the same time, this proliferation has attracted heightened government attention. The report highlights the rapid growth of RPM utilization and payments, identifies patterns that may be indicators of potential fraud and abuse, and reiterates the need for enhanced oversight by the Centers for Medicare & Medicaid (“CMS”). The OIG’s findings assist providers in assessing regulatory and compliance implications.

Sheridan Capital Partners has announced an investment in National Care Systems (NCS).

NCS, founded in 1992 and based in Brooklyn, New York, is a provider of revenue cycle management software serving skilled nursing facilities and assisted living facilities across the United States.

Sheridan, founded in 2012 and based in Chicago, is healthcare-focused firm

Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).

Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on September 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement (DFARS) (the Final Rule), which was formally published a day later on September 10, 2025. The Final Rule’s requirements will become effective in the DFARS as of November 10, 2025, and pertain to all DoD contractors and subcontractors.  Defense contractors should ensure their compliance with the standards as soon as possible in order to maintain eligibility to compete for DoD contracts and perform DoD subcontracts, as well as to avoid bid protests and/or civil False Claims Act allegations.

In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action.  Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices.  Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least.  As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.