On January 13, 2025, California Attorney General (“AG”) Rob Bonta issued an advisory describing providers’ and businesses’ obligations related to the development, sale, and use of artificial intelligence (“AI”) and automated decision systems (“ADS”) in the healthcare industry (“Advisory”). The Advisory puts healthcare providers, insurers, and businesses serving the healthcare industry on notice of the […]
Privacy & Cyber Regulatory Enforcement
New York Amends Data Breach Notification Law with Immediate Implications
In late December 2024, the New York Governor signed two bills (S2659B and S2376B) amending the state’s data breach notification law (N.Y. Gen. Bus. Law § 899-aa), to expand the definition of reportable personal information and impose new covered entity reporting obligations in the event of a data breach. Effective immediately, companies will have 30 […]
CPPA Opens Formal Public Comment Period for CCPA Proposed Regulations
On November 22, 2024, the California Privacy Protection Agency (the “CPPA”) issued a Notice of Proposed Rulemaking and opened the formal comment period for its proposed regulations on updates to existing California Consumer Privacy Act (the “CCPA”) regulations, cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT) and the applicability of the CCPA to insurance companies. […]
CPPA Board Advances CCPA Regulations to Formal Rulemaking; Adopts New Data Broker Regulations
On November 8, 2024, the California Privacy Protection Agency (the “CPPA”) Board advanced to formal rulemaking the California Consumer Privacy Act (“CCPA”) draft regulations on cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT) and insurance. The CPPA Board also adopted the California Delete Act proposed regulations, which clarify data broker registration requirements and provide definitions […]
Massachusetts Top Court Torpedoes Website Analytics Wiretapping Class Action
On October 24, 2024, in a long-awaited decision in Vita v. New England Baptist Hospital, Massachusetts’ highest court snuffed out an attempt to use the state’s 1968 Wiretap Act to impose liability on a hospital system for its use of third-party analytics technologies on its website. The case had been closely watched by the business […]