State Privacy Regulators Announce Formation of Collaboratory Consortium

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws. 

The press release quotes Michael Macko, the CPPA’s head of enforcement, observing that CPPA officials have “seen firsthand how misuse of data can harm Californians, whether it's information about their health, location, kids, identity, and more.” This suggests that sensitive personal information — including health information, kids’ data, and precise location data, which have taken center stage for new privacy laws and enforcement in recent years — is likely to be a priority for the Consortium. 

While state privacy law enforcers have been open about engaging in informal information-sharing for years and some have even coordinated multi-state settlement negotiations, the formation of the Consortium marks the first formalization of such collaboration in the privacy context and may signal a potential uptick of multistate privacy enforcement action. This possibility is significant for businesses, whose potential liability may increase in the context of more coordinated lawsuits and settlement negotiations brought under the comprehensive privacy laws of multiple states. In the past, coordinated efforts among state enforcers have tended to yield high combined settlement amounts

State enforcement collaboration may also be intended to address a commonly cited concern with state level privacy enforcement: that State Attorney Generals offices lack resources to engage in robust investigation into data collection and use practices. Such collaboration could indicate that state enforcement authorities are gearing up to increase their privacy-related enforcement activity in response to a perceived de-prioritization of privacy issues at the federal level, including at the Federal Trade Commission

Notably, Texas — which has emerged as one of the most active state privacy regulators — is not a Consortium member. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Felicity Slater is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Susan Hintze is Co-Managing Partner at Hintze Law PLLC. Recognized by Chambers, Legal 500, & Best Lawyers, Susan and her firm are leaders in their field. Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

By Sam Castic

On Friday April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”).  It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025. 

Read More

GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies

GenAI in the Workplace: Hong Kong PCPD Releases Checklist for Employer Policies

By Leslie Veloz and Jennifer Ruehr

The Hong Kong Office of the Privacy Commissioner for Personal Data (“PCPD”) recently published its Checklist on Guidelines for the Use of Generative AI by Employees (“Checklist”). The goal of the Checklist is to help organizations draft internal policies and procedures governing employee use of generative AI (“GenAI”) tools, especially where GenAI is used to process personal data.

Read More

Virginia Governor Signs Reproductive Health Data Restrictions into Law

Virginia Governor Signs Reproductive Health Data Restrictions into Law

by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 

Read More

French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

By Susan Hintze and Hansenard Piou 

Note that the Autorité has not yet been published the decision in question as it is in process of redacting information relating to trade secrets. Please check back for updates. 

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors. 

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

Read More

Hintze Law PLLC Attorneys Selected for 2025 LCLD Fellows and Pathfinder Programs

Hintze Law PLLC Attorneys Selected for 2025 LCLD Fellows and Pathfinder Programs

Hintze Law is pleased to announce the two attorneys that have been chosen to participate in the Leadership Council on Legal Diversity’s (LCLD) professional development programs for 2025! Partner Sam Castic has been selected for the LCLD Fellows Program, designed for high-potential mid-career attorneys that have demonstrated strong leadership capabilities. Senior associate Emily Litka will represent Hintze Law in the LCLD Pathfinders Program, which recognizes early-career attorneys who exhibit signs of an emerging leader within their organization. 

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Final COPPA Rule Amendments: Definitional Changes

Final COPPA Rule Amendments: Definitional Changes

By Susan Hintze, Emily Litka, and Amy Lanchester 

This is Part 2 in a series of blog posts about the 2025 COPPA Final Rule. It provides a comprehensive review of the revised definitional changes to the Rule.  Subsequent posts in the coming days will delve more deeply into the direct and online notice, parental consent, and data governance requirements. Our unofficial redlined copy of the Final Rule can be found here.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

By Mike Hintze and Felicity Slater

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.  

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

Workplace Privacy – 5 Things I’m Keeping in Mind for 2025

Workplace Privacy – 5 Things I’m Keeping in Mind for 2025

By Jennifer Ruehr

Many of us are returning to work this month with New Year’s resolutions, predictions, and lists top of mind, and top of inbox.  As I turn back to work, I’m thinking ahead to how U.S. laws and regulations are going to impact my clients from a workforce perspective.  Here’s what is top of mind for me right now: 

  1. Fair Credit Reporting Act 

  2. State law AI requirements 

  3. Biometrics in the workplace 

  4. Genetic data risk 

  5. Workplace monitoring 

Read More

The FTC Issues Final COPPA Rule Amendment

The FTC Issues Final COPPA Rule Amendment

By Susan Hintze and Emily Litka

This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors.Our unofficial redlined copy of the Final Rule can be found here.

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

10 areas for US-based privacy programs to focus in 2025

10 areas for US-based privacy programs to focus in 2025

By Sam Castic

The post below was originally published by the IAPP at https://iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025.

This past year was another jammed one for privacy teams and it was not easy to stay on top of all the privacy litigation, enforcement trends, and new laws and regulations in the U.S.

Read More

The EDPB Releases an Opinion on AI Model Development and Deployment

The EDPB Releases an Opinion on AI Model Development and Deployment

By Emily Litka

On December 18th, in response to a request from the Irish Supervisory Authority (“SA”), the European Data Protection Board (the “EDPB”) published an opinion (the “Opinion”) on the application of the GDPR to certain aspects of AI model development and deployment.

Read More

Congratulations to Jennifer Ruehr on Promotion to Co-Managing Partner

Congratulations to Jennifer Ruehr on Promotion to Co-Managing Partner

Hintze Law PLLC is thrilled to announce Jennifer Ruehr’s promotion from Partner to Co-Managing Partner, joining forces with Susan Hintze to lead our firm into an exciting future. Together, they will oversee the day-to-day operations of the firm and provide strategic management oversight and leadership to drive our continued success. 

Read More
Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

Read More

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

By Mike Hintze and Felicity Slater 

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end. 

Read More