Ten years ago, a California Court of Appeal determined that the Song-Beverly Credit Card Act of 1971 (also the Act), an act that prohibits retailers from requiring consumers’ personally identifiable information (PII) as a condition for accepting payment via a credit card, did not apply to the online purchase of physical merchandise subsequently picked up
Privacy & Data Security
HHS Announces New Director of Office for Civil Rights: What to Watch from the New Health Privacy Leader
On June 4, 2025, the U.S. Department of Health and Human Services (HHS) announced the appointment of Paula M. Stannard as the Director of the Office for Civil Rights (OCR). As Director, Stannard will lead the enforcement of the Privacy, Security, and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996…
Using Facial Recognition? Regulators Expect Detailed Risk Assessments
Following the Federal Trade Commission’s decision in December 2023 to ban Rite Aid from using AI facial recognition, it has become crystal clear that U.S. regulators expect a risk assessment when a retailer uses facial recognition technology. A new, and detailed, report from the New Zealand privacy commission provides helpful considerations for such Data Protection…
Different Country, Same Challenges: Lessons from a Breach That Could Have Been Prevented
A recent breach involving Indian fintech company KiranaPro serves as a reminder to organizations worldwide: even the most sophisticated cybersecurity technology cannot make up for poor administrative data security hygiene.
According to a June 7 article in India Today, KiranaPro suffered a massive data wipe affecting critical business information and customer data. The…
EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance
On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent String (“TC String”) fails…
Trending in Telehealth: May 2025
Trending in Telehealth highlights monthly state legislative and regulatory developments that impact the healthcare providers, telehealth and digital health companies, pharmacists and technology companies that deliver and facilitate the delivery of virtual care. Trending in May: • Controlled substances • Mental and behavioral health • Payment parity A CLOSER LOOK Proposed Legislation & Rulemaking: Alaska…
Australia’s New Ransomware Payment Reporting Law Takes Effect, Covering Both Critical Infrastructure and Other Entities
On May 30, the ransomware payment reporting requirements of Australia’s Cyber Security Act 2024 (CSA) took effect. The new requirement applies to a broad range of entities and cyber security incidents, requiring reporting after a “ransomware payment” is made. Australia is the first jurisdiction worldwide to require businesses to report ransomware payments, but pending activity…
New Jersey SLAPPs Back: New Jersey Court of Appeals Eradicates Anti-SLAPP Loophole
On May 29, 2025, the New Jersey Court of Appeals reversed dismissal in Satz v. Starr, No. A-2785-23, 2025 WL 1522032 (N.J. Super. Ct. App. Div. May 29, 2025), holding that the plaintiff’s voluntary dismissal of his claims did not preclude the defendants from seeking counsel fees and costs under New Jersey’s anti-SLAPP law, the…
CPPA Executive Director: Increased Enforcement Is Coming
Businesses should expect to see “increased enforcement” from the California Privacy Protection Agency now that the agency has had four years to staff up and implement rules, the CPPA’s executive director said in an interview with Privacy Daily.
“Californians are increasingly aware of our complaint system,” said Tom Kemp, noting that the agency has…
Managing the Managers: Governance Risks and Considerations for Employee Monitoring Platforms
In today’s hybrid and remote work environment, organizations are increasingly turning to digital employee management platforms that promise productivity insights, compliance enforcement, and even behavioral analytics. These tools—offered by a growing number of vendors—can monitor everything from application usage and website visits to keystrokes, idle time, and screen recordings. Some go further, offering video capture,…