Privacy & Cybersecurity

The California Privacy Protection Agency (CPPA) has issued its first Order of Decision to American Honda Motor Co. in an enforcement action under the California Consumer Privacy Act (CPPA). Although the investigation arose from the CPPA’s ongoing review of data privacy practices by connected car manufacturers and other related technologies, there are some important takeaways for every business covered by the CCPA.

Visit our Mintz Matrix page with the latest edition of the Mintz Matrix, which is a 50-state resource we have maintained since 2009 to break down and summarize requirements of U.S. state data breach notification laws.

The following is a summary comparison between the currently passed NY HIPA and WA MHMDA.

India’s first comprehensive data privacy law, the Digital Personal Data Protection Act (“DPDPA”), was enacted in August 2023, thereby marking a significant step towards regulating the processing of personal data in India.

Read about the second part of the United States Copyright Office’s report on Copyright and Artificial Intelligence, which focuses on the question of how AI affects copyrightability.

In 2024, the Department of Justice ramped up cybersecurity enforcement under the Civil Cyber-Fraud Initiative (CCFI), targeting entities that failed to safeguard PHI and PII in federally funded contracts. Key cases highlight trends in False Claims Act litigation and underscore the importance of cybersecurity compliance heading into 2025.

In response to an alarming increase in the size and frequency of large-scale data breaches involving protected health information, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) dropped a bit of a year-end bombshell:  proposed HIPAA Security Rule amendments. Learn more.

Check out our comprehensive 2024 State Data Privacy Law Round-Up for the latest US State laws in data privacy. While consumer data privacy laws are still relatively new, we are beginning to see evidence of enforcement in some states and far greater attention and resource expenditure internally from businesses working hard to determine which laws apply to their organizations and what steps are necessary to ensure compliance. 

On April 4, 2024, Kentucky Governor Andy Beshear (D) signed the Kentucky Consumer Data Protection Act (“KCDPA”) into law, with a slow roll to the date it takes effect on January 1, 2026. The KCDPA goes a bit easier on businesses and (1) does not impose a requirement to provide a universal opt-out mechanism, and (2) has a permanent cure provision that will afford violators ongoing opportunities to rectify alleged violations of the law. Learn more about the Kentucky Consumer Data Protection Act.

Last fall at the Safeguarding Health Information: Building Assurance Through HIPAA Security 2024 conference, U.S. Department of Health & Human Services Office for Civil Rights (OCR) promised that before year’s end, it would publish amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. On December 27, 2024, OCR made good on that promise and released an unpublished version of the Security Rule amendments proposal.

Minnesota Governor Tim Walz (D) signed into law the Minnesota Consumer Data Privacy Act, which will take effect on July 31, 2025. Learn more about the Minnesota Consumer Data Privacy Act.

Every year, Mintz provides analysis of the regulatory developments affecting public companies as they approach fiscal year-end filings with the Securities and Exchange Commission and annual shareholder meetings. This memorandum highlights key considerations to guide you through the 2025 year-end reporting process.

Everything you need to know about the Delaware Personal Data Privacy Act as it becomes effective on January 1, 2025. Here's what impacted companies need to gear up and prepare for.

The Nebraska Data Privacy Act (or NEDPA) becomes effective on January 1, 2025.  This relatively short period between signature and effective date left little time for impacted companies to prepare; however, Nebraska’s approach to applicability criteria has cast a specifically tailored net focused on businesses selling personal data of Nebraska residents.

Iowa's consumer privacy law is taking effect soon. Learn more about the Iowa Consumer Data Protection Act or “IACDPA” which becomes effective on January 1, 2025.

Learn about the Oregon Consumer Privacy Law which took effect in July of 2024.

Dark Patterns come into focus as the California Privacy Protection Agency (CPPA) issues September 4 Enforcement Advisory.

In June, the U.S. Court of Appeals for the Ninth Circuit affirmed a social media company’s summary judgment win on BIPA claims, in a sophisticated ruling providing a plausible path forward for technology companies and others offering facial matching services.

The RIDTPPA provides privacy rights to Rhode Islanders and imposes obligations on covered entities largely in line with several other U.S. state privacy laws.