Photo of Peter Hegel

Peter Hegel counsels clients on protection of personally identifiable information (PII) and infrastructure.

On Friday, February 9, as the country collectively packed up and prepared to head home for Super Bowl weekend, the Third Appellate District of the California Appellate Court issued an Order granting the California Privacy Protection Agency the ability to immediately enforce regulations implementing the California Privacy Rights Act, which were finalized in March 2023.

Building off of the momentum from last year’s torrent of new comprehensive state privacy laws, 2024 has begun with a bang as two more states have now entered the picture. On January 16, 2024, New Jersey became the latest state to enact comprehensive privacy legislation with the New Jersey Data Privacy Act (NJDPA). New Hampshire’s state legislature quickly followed suit by passing Senate Bill 255 and it is currently awaiting finalization before becoming law.Continue Reading Two New States Enter the Privacy Fray

California Attorney General Rob Bonta announced an investigatory sweep into popular streaming apps and devices, timed to coincide with Data Privacy Day on January 28. The California Attorney General’s Office explained that it is sending letters to such streaming services alleging a failure to comply with the requirement to offer an easy mechanism to opt out of the sale or sharing of personal information under the California Consumer Privacy Act (CCPA).Continue Reading California Announces Sweep on Streaming Services and More Enforcement To Come

The Board of the California Privacy Protection Agency (the CPPA) held its first meeting since July on Friday, September 8, 2023, and discussed the first public draft of cybersecurity audit regulations and risk assessment regulations. While the CPPA Board expressly announced that the drafts were for board meeting discussion purposes and that it has

A court-ordered stay on enforcement of updates to certain parts of the California privacy regulation (the Ruling) has not slowed down enforcement of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). In fact, the hot summer months of July and August are poised to be busy months of regulator activity. On Friday, July 14, the California Attorney General distributed a series of “inquiry letters” to certain businesses as part of an investigative sweep concerning employee privacy. Simultaneously, the California Privacy Protection Agency (CPPA) detailed its enforcement strategy for California state privacy laws in a public meeting, announcing the Agency’s plans to continue with enforcement where it is able, despite the stay on updates to the regulations. Most recently, on July 31, the CPPA announced a review of privacy practices around connected automobile data. This increased level of activity should encourage companies that have been slow to implement a compliant privacy program, including the updates that went effective on January 1, 2023.Continue Reading Full Steam Ahead: Updates in Enforcement of California Privacy Law

This Update is the third installment of the ongoing series covering Washington state’s new My Health My Data Act. The original impetus for the act was the protection of reproductive rights, and it was signed into law alongside several other pieces of legislation focused on providing abortion and gender-affirming protections. However, because of the broad

As detailed in Part 1 of this ongoing series, Washington Governor Jay Inslee signed the state’s My Health My Data Act into law on April 27, 2023. The act is a first-of-its-kind law that creates new privacy protections relating to the collection, sharing, and selling of “consumer health data.” Most of the provisions of the

Indiana Governor Eric Holcomb signed Senate Bill 5 on May 1 (effective January 1, 2026), making Indiana the seventh state to offer comprehensive privacy protections. Indiana’s new law appears to closely track Virginia’s omnibus privacy law. The law will apply to a person that conducts business in Indiana or produces products or services targeted to Indiana residents, and that meets either of the following requirements in a calendar year: (1) controls or processes the personal data of 100,000 consumers (defined as residents of Indiana “acting only for a personal, family, or household purpose”); or (2) controls or processes personal data of at least 25,000 consumers with more than 50% of annual gross revenue derived from the sale of personal data.

Similarly, both Tennessee and Montana appear to be imminently close to enacting their own state comprehensive privacy bills. The Tennessee and Montana legislatures each passed their own state bills on April 21, 2023, and each bill is expected to be signed into law by the respective governor soon.

Below, we look at some of the key similarities and differences between the new Indiana privacy law compared with the other six state omnibus privacy laws. We also highlight the key provisions of the Tennessee and Montana bills that are expected to be signed into law soon.Continue Reading Lucky Number 7…8 and 9?: Indiana Passes Privacy Law With Tennessee and Montana Hot on Its Heels

The California Privacy Protection Agency (CPPA) released a statement on March 30, 2023, announcing that the California Office of Administrative Law (OAL) had approved the first substantive rulemaking package for the California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA). As a result of this, the CCPA regulations in this rulemaking package are finalized and, according to their terms, effective immediately.Continue Reading Crossing the Finish Line: California Regulations Effective Immediately

On March 28, Iowa Governor Kim Reynolds signed Senate File 262, effective January 1, 2025, making Iowa the sixth state to offer comprehensive privacy protections. Iowa’s new legislation appears to be the most business-friendly omnibus privacy law yet, with fewer requirements than those of other states. The law will apply to a person who conducts business in Iowa or produces products or services targeted to Iowa residents, and who meets either of the following requirements in a calendar year: (1) processes the personal data of 100,000 consumers or more (consumers defined as residents of Iowa “acting only in an individual or household context”) or (2) controls or processes the personal data of at least 25,000 consumers and derives over 50% of annual gross revenue from the sale of personal data.Continue Reading Joining the Privacy Party: Iowa Becomes the Sixth State To Adopt a Comprehensive Privacy Law