Photo of Peter Hegel

Peter Hegel counsels clients on protection of personally identifiable information (PII) and infrastructure.

A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that went effective on January 1, 2023.Continue Reading Full Steam Ahead: Updates in Enforcement of California Privacy Law

This Update is the third installment of the ongoing series covering Washington state’s new My Health My Data Act. The original impetus for the act was the protection of reproductive rights, and it was signed into law alongside several other pieces of legislation focused on providing abortion and gender-affirming protections. However, because of the broad

As detailed in Part 1 of this ongoing series, Washington Governor Jay Inslee signed the state’s My Health My Data Act into law on April 27, 2023. The act is a first-of-its-kind law that creates new privacy protections relating to the collection, sharing, and selling of “consumer health data.” Most of the provisions of the

Indiana Governor Eric Holcomb signed Senate Bill 5 on May 1 (effective January 1, 2026), making Indiana the seventh state to offer comprehensive privacy protections. Indiana’s new law appears to closely track Virginia’s omnibus privacy law. The law will apply to a person that conducts business in Indiana or produces products or services targeted to Indiana residents, and that meets either of the following requirements in a calendar year: (1) controls or processes the personal data of 100,000 consumers (defined as residents of Indiana “acting only for a personal, family, or household purpose”); or (2) controls or processes personal data of at least 25,000 consumers with more than 50% of annual gross revenue derived from the sale of personal data.

Similarly, both Tennessee and Montana appear to be imminently close to enacting their own state comprehensive privacy bills. The Tennessee and Montana legislatures each passed their own state bills on April 21, 2023, and each bill is expected to be signed into law by the respective governor soon.

Below, we look at some of the key similarities and differences between the new Indiana privacy law compared with the other six state omnibus privacy laws. We also highlight the key provisions of the Tennessee and Montana bills that are expected to be signed into law soon.Continue Reading Lucky Number 7…8 and 9?: Indiana Passes Privacy Law With Tennessee and Montana Hot on Its Heels

The California Privacy Protection Agency (CPPA) released a statement on March 30, 2023, announcing that the California Office of Administrative Law (OAL) had approved the first substantive rulemaking package for the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA). As a result of this, the CCPA regulations in this rulemaking package are finalized and, according to their terms, effective immediately.Continue Reading Crossing the Finish Line: California Regulations Effective Immediately

On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections. Iowa’s new legislation appears to be the most business-friendly omnibus privacy law yet, with fewer requirements than those of other states. The law will apply to a person who conducts business in Iowa or produces products or services targeted to Iowa residents, and who meets either of the following requirements in a calendar year: (1) processes the personal data of 100,000 consumers or more (consumers defined as residents of Iowa “acting only in an individual or household context”) or (2) controls or processes the personal data of at least 25,000 consumers and derives over 50% of annual gross revenue from the sale of personal data.Continue Reading Joining the Privacy Party: Iowa Becomes the Sixth State To Adopt a Comprehensive Privacy Law

The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of their draft regulations on February 3, 2023. The board also initiated preliminary rulemaking activities for risk assessments, cybersecurity audits, and automated decision-making. In approving the rulemaking package, the CPPA did not make substantive changes to the version of its draft regulations published in October 2022, indicating that any changes following from the more than 400 pages of public comment analysis could be advanced in future rulemaking activities.Continue Reading Almost There and Starting Again: CPPA Votes To Finalize Regulations and Launches Round Two

Introduction

While candy sales skyrocketed and trick-or-treaters donned costumes this past Halloween weekend, the California Privacy Protection Agency (Agency) Board was busy holding its first public meeting since September. Over the course of the two-day meeting on Friday and Saturday, October 28 and 29, the Agency welcomed new board member Alastair Mactaggart and discussed and debated numerous provisions of the Modified Draft Proposed California Consumer Privacy Act Regulations (Draft CCPA Regulations). Most importantly, it unanimously passed a motion directing the Agency staff to take all steps necessary to prepare and notice modifications to the text of the proposed regulatory amendments for an additional 15-day comment period.Continue Reading This is Not a Drill: CPPA Gets Closer to Finalizing Certain Privacy Regulations

The Colorado attorney general’s office sent shockwaves throughout the privacy world on September 30, 2022, when it published its proposed Colorado Privacy Act (CPA) draft rules (Draft Rules). The Draft Rules are complex and comprehensive; at 38 pages of single-spaced text, they are longer than the CPA itself. The Draft Rules are accompanied by a

Overview

2022 has been relatively quiet as it relates to state updates to breach notification laws, but Maryland made significant alterations to its general data breach notification law. Additionally, several other states made more minor changes, and the federal government issued or proposed several new data security and breach reporting requirements for certain types of