CPRA Rulemaking Begins with an Invitation by the New California Privacy Protection Agency

By Justin Yedor, Stanton Burke, and Jeewon K. Serrato

For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”).  In the Invitation for Comment, the CPPA specifically highlights eight areas in which the Agency is particularly interested in receiving comments, though it welcomes comments in any other area subject to regulation under the CPRA.  The Agency also published Tips for Submitting Effective Comments to help guide the process.  The deadline to submit comments is November 8, 2021.  Read below for practical takeaways on the CPRA rulemaking process and why businesses may want to participate.

The CPPA’s Plan for Promulgating Regulations

The CPRA established the CPPA as a first-of-its-kind administrative agency solely dedicated to protecting the privacy of Californians’ personal information.  The CPPA is charged with enforcing the CPRA as well as issuing regulations interpreting the statute.  The CPRA specifically lists 22 topics to be addressed by the regulations.  As we saw with the California Consumer Privacy Act (the “CCPA”), the contents of these regulations can be crucial in understanding how to comply with the law.  With the CPRA going into effect on January 1, 2023, businesses now have 15 months to complete the compliance program for the CPRA.

Continue Reading

FTC Issues Statement Warning Health Apps to Notify Consumers About Data Breaches

The U.S. Federal Trade Commission (FTC) issued a policy statement on Sept. 15, 2021, warning that the decade-old Health Breach Notification Rule (the rule) – which applies to companies that handle personal health records or collect health data –  to notify consumers, the FTC and, in some cases, the media about data breaches. “In practical terms, this means that entities covered by the rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information.”

Introduced in 2009 as part of the American Recovery and Reinvestment Act of 2009, the rule extends to entities that are not subject to the Health Insurance Portability and Accountability Act but may operate in the healthcare space. During an open meeting on Wednesday, by a vote of 3-2, the FTC clarified the reach of the rule, indicating that it applies to health apps and devices that often “fail to invest in data security, leaving users exposed.” The FTC specifically called out health apps and wearable devices that track diseases, diagnoses, treatments, medications, fitness, fertility, sleep, mental health, diet, and other vital areas. Continue Reading

International Data Protection Update – Summer 2021

This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer.


China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June and is in effect as of September 1. The DSL applies broadly to data use and data processing activities, including those that take place outside China, when they could harm China’s national security or public interests or the legal rights and interests of Chinese citizens and organizations. The DSL outlines data security requirements that aim to safeguard data through comprehensive data security management, ongoing assessments, regulatory reporting, and effective risk monitoring and remediation. Many of the required protections depend on how data is classified under the DSL. Sanctions for noncompliance include monetary penalties and business license revocation or suspension.

Continue Reading

David A. Carney Recognized as Cybersecurity & Privacy MVP by Law360

I’m delighted today to focus on a key player in BakerHostetler’s Digital Assets and Data Management group. David Carney is an exceptional lawyer who is on the cutting edge of privacy litigation in the United States. His work on a series of high-profile matters over the past six years has established important parameters regarding plaintiff claims, damages, and the scope of litigation in this evolving area of law.

We’re very proud of his most recent accomplishment – being named a 2021 Law360 MVP in the category of Cybersecurity & Privacy. It’s a public acknowledgement of what we have known for years – David is a major force in privacy law.

Continue Reading

SEC Cybersecurity Actions Against Registered Firms for Business Email Compromises Emphasize Importance of MFA

On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and investment advisers of all stripes.

Continue Reading

Craig Carpenter Discusses His Career Path on “Careers in Data Privacy” Podcast

On September 9, Craig Carpenter joined an episode of “Careers in Data Privacy,” a podcast that interviews data privacy professionals to learn about the journey they took to get to where they are today. During the episode, Craig talked about his science background and his time at Clemson University, his decision to go to law school, and his interests in technology which led him to a legal career in data privacy and technology transactions.

Listen to the podcast here.

Ohio Proposes Comprehensive Privacy Legislation

Ohio recently became the latest state to consider enacting comprehensive privacy legislation. On July 13, 2021, the Ohio Personal Privacy Act (House Bill 376) was introduced into the Ohio House of Representatives with the backing of Ohio Governor Mike DeWine and Lt. Governor Jon Husted. If passed, OPPA would establish consumer data rights for natural persons who are residents of Ohio acting only in individual or household contexts, not residents acting in a business capacity or employment context, such as contractors, job applicants, officers, directors or owners. The bill would also require certain businesses to comply with a framework of data standards, similar to other states such as California, Virginia and Colorado.

Continue Reading

SEC Scrutinizes Use of Fintech by Broker-Dealers and Investment Advisers

The Securities and Exchange Commission (“SEC”) recently issued a request for information and public comment on the use of new and emerging technologies by investment advisers and broker-dealers that suggests potential regulatory action to come.[1] According to its release, the SEC is seeking to understand how registrants — whether online brokerages, robo-advisers, internet investment advisers, or more traditionally-operated firms — use various digital engagement practices, interactive websites and mobile applications, or artificial intelligence to serve retail investors.

Continue Reading

The Impact of Data Security Incident Trends on Commercial Transactions: Part I – M&A

The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report – a report based on the firm’s experience with data security incident response and litigation over the past year – features a number of important insights previously covered on this blog including trends in global breach notification, healthcare industry risks and ransomware.

The Report is a helpful tool for companies to identify and respond to trends in data privacy and security, especially as it relates to litigation, enforcement and risk management. But, while this may not be as obvious, the data privacy and security risk trends identified in the Report have also impacted general corporate transactions. Many different types of transactions, from M&A to product/service development to standard commercial service agreements, have been impacted by the data privacy and security trends highlighted in the Report. In this series, we’ll look at how some of the trends highlighted in the Report have had an impact on commercial transactions over the past year, and at some of the key data privacy and security sensitivities for businesses considering or involved in these transactions.

Continue Reading

Lindsey Carpino Takes Top Prize in Inaugural AALL Innovation Showcase

Carpino recognized as “showcase winner” in all three type-of-library categories

The American Association of Law Libraries’ (AALL) recently recognized BakerHostetler’s legal content services supervisor, Lindsey Carpino, for her role in developing “Review-it,” a crowd sourced review tool that shares feedback on legal resource tools to the community at large. “Review-it” swept all three type-of-library categories at the first-ever AALL Innovation Showcase.

“This award illustrates that Lindsey is a leader in the world of technological advancement,” said director of Legal Content and Research Services Katherine Lowry. “We are extremely lucky to have such an amazing team of innovators, like Lindsey, at BakerHostetler, and recognitions like this spotlight the importance of involving legal content and research services in data-rich projects.” Continue Reading