The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues. Although the Agency has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. Discussion
CyberAdviser
Latest from CyberAdviser
California’s Proposed “Delete Act” Would Create a ‘Do Not Sell’ List for Data Brokers
California continues to be at the vanguard of data privacy rights. The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians. The law seeks to expand on…
SEC Adopts New Cybersecurity Reporting Rules, Setting Up Various Compliance Challenges
After an extensive comment period, the SEC announced on July 26 that it was formally adopting new rules for public companies governing cybersecurity disclosures. The rules had generated significant backlash from public companies, who criticized the new reporting deadlines for data security incidents as well as the mandatory cyber-risk disclosures the Rules mandate.
Adoption of…
Don’t Be Lazy: Lessons in Licensing Large Language Models
Llama? Vicuña? Alpaca? You might be asking yourself, “what do these camelids have to do with licensing LLM artificial intelligence?” The answer is, “a lot.”
LLaMa, Vicuña, and Alpaca are the names of three recently developed large language models (LLMs). LLMs are a type of artificial intelligence (AI) that uses deep learning techniques and large…
European Commission Adopts Adequacy Decision for EU-US Data Privacy Framework
On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (Framework). The adequacy decision concludes the long process to open up new means by which companies transfer personal data from the European Economic Area (EEA) to the United States.
The Framework will be administered by the US Department…
Ruling Delaying Enforcement of CPRA Regulations Raises Complicated Legal Questions
Shortly before the July Fourth holiday, the California Superior Court issued an important, but subtly complex ruling that pushes back the date when the California Privacy Protection Agency (CPPA) may begin enforcing the latest round of privacy regulations. These regulations were finalized in March 2023 and enforce provisions of the California Privacy Rights Act (CPRA),…
The Practical and Legal Complexities of Online Age Verification
One of the most significant trends in privacy law this year has been the surge in online child protection laws in U.S. states. In a recent article for the Cybersecurity Law Report, Ballard Spahr privacy attorneys Phil Yannella, Greg Szewczyk, Tim Dickens and Emily Klode explore the legal and practical complexities associated with these…
EU AI Act Clears Another Hurdle

The European Parliament has approved a revised version of the EU Artificial Intelligence Act (AIA), which appears to be on a path to adoption by the EU later this year. The AIA is the most comprehensive legislation in the world to address the risks associated with the use of artificial intelligence. A final version of…
Texas Adds a Wrinkle to State Privacy Law Patchwork
On May 28, Texas became the sixth state this year to pass a comprehensive data protection law. Although the Texas Data Privacy and Security Act (“TDPSA”) is largely in line with the Virginia Consumer Data Protection Act and other recently passed state privacy laws, it has a few key distinctions that may cause headaches for…
Kansas Passes an Act Requiring Mortgage Companies, Supervised Lenders, and Money Transmitters to Create Information Security Standards Consistent with GLBA’s Consumer Information Safeguard Rule
On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as…
Senator Bennet Proposes Federal Commission to Regulate Artificial Intelligence
Following recent Senate testimony in which OpenAI CEO Sam Altman proposed additional Congressional oversight for the development of artificial intelligence (AI), Colorado Senator Michael Bennet has re-introduced the Digital Platform Commission Act, a bill that would enable the creation of a federal agency to oversee the use of AI by digital platforms. The proposed…
Banned: Montana Residents Face Countdown to the Last Days of TikTok
On May 17, 2023, Montana Governor Greg Gianforte signed into law a bill banning the use of the popular app, TikTok, by the general public within the state. Absent court intervention, the ban takes effect on January 1, 2024. While users of the popular app, which is owned by Chinese company ByteDance, can breathe a…
FTC Challenge to Data Broker Precise Geolocation Sale Dismissed with Leave to Amend
In a ruling published May 4, the Federal District Court of Idaho granted defendant data broker Kochava’s motion to dismiss a complaint filed by the Federal Trade Commission (“FTC”). In its complaint, the FTC alleged that Kochava’s sale of precise consumer geolocation data constituted an unfair act or practice in violation of Section 5 of…
House Subcommittee Reconsiders the ADPPA after Iowa, Indiana, Montana, and Tennessee Move to Enact Privacy Laws

As we have previously posted, it has been an active year on the state privacy law front. Indeed, the number of states with privacy laws is about to nearly double in a matter of months, with Iowa, Indiana, Montana, and Tennessee having already passed or being about to pass comprehensive…
Washington State Poised to Pass Consumer Health Privacy Law
The State of Washington appears close to enacting a new law that regulates the privacy of consumer health information. If the new law – the My Health My Data Act (MHMDA) – is passed, the new rules generally take effect March 31, 2024 and apply to non-governmental entities that collect, process, share, or sell health information that…
FinCEN Analyzes BEC Trends in the Real Estate Sector

On March 30, 2023, the Financial Crimes Enforcement Network (FinCEN) issued a Financial Trend Analysis focusing on business email compromise (BEC) trends and patterns in the real estate sector (referred to as “RE BEC”). The report is required under Section 6206 of the Anti-Money Laundering Act of 2020 (AMLA). This section of AMLA requires FinCEN…