Data Privacy

Hintze Lawyers Recognized in 2026’s Best Lawyers in America

This year, eight of Hintze Law’s attorneys have been recognized by Best Lawyers® across a variety of categories, marking a significant milestone for the firm. Every one of our associates earned recognition, reflecting both the breadth of talent within our team and the dedication each attorney brings to their practice.

Partners Alex Schlight and Taylor Widawski received recognition this year: both were recognized in the Technology Law area, and Alex was also recognized in Privacy and Data Security Law, joining long-standing Best Lawyers® honorees Susan and Mike Hintze. In the last year, both Alex and Taylor also received recognition as SuperLawyers, highlighting their ongoing leadership and expertise in privacy law. In addition, Alex and Taylor serve as co-chairs of Hintze Law’s Artificial Intelligence + Machine Learning Privacy group, with Taylor also holding the role of co-chair for the firm’s Fintech + Financial Services Privacy group.

We are also proud of our associates, all of whom earned recognition for their expertise in Privacy and Data Security Law for the first time this year: Cameron Cantrell, Hansenard Piou, Felicity Slater, and Leslie Veloz. Their inclusion among this year’s honorees reflects not only their individual skill and dedication, but also the strength of our expertise, collaboration, and commitment to professional growth as a firm. This milestone is a testament to the hard work they have invested in their practices, the high standards they uphold for our clients, and the bright future they represent for our team.

Susan Hintze, Co-Managing Partner, has been voted the 2026 "Lawyer of the Year" for Information Technology Law in Seattle and recognized in the practice area of Advertising Law.

Mike Hintze, Partner, has achieved continued recognition in the Information Technology Law and Technology Law practice areas.

Recognition in The Best Lawyers in America® is based on the geographic region and practice areas of the lawyers. Recognized lawyers are selected by peers based on professional expertise and are also evaluated by The Best Lawyers in America®.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

California Adopts Privacy, Cybersecurity, ADMT Regulations and Amendments

The California Privacy Protection Agency (CPPA) has adopted final regulations on privacy risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT), as well as amendments to existing CCPA regulations.  Final publication of the regulations is pending review by the Office of Administrative Law, and depending on when that occurs, the regulations will likely take effect 10/1/2025 or 1/1/2026.  Some key concepts from these regulations, and actions to consider, are below.

Privacy risk assessments

Article 10 of the new regulations contains the requirements for risk assessments.  Risk assessments will be required when any of the following triggers apply:

  1. personal information is "sold" or "shared" (for cross-context behavioral advertising);

  2. sensitive personal information is processed;

  3. automated decisionmaking technology ("ADMT") is used for certain significant decisions;

  4. automated processing occurs to infer or extrapolate certain matters or characteristics about a person based on systematic observation in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor;

  5. automated processing occurs to infer or extrapolate certain matters or characteristics about a person based on their presence in a sensitive location (e.g., medical facility, shelter, place of worship, etc.); or

  6. personal information is processed for certain ADMT training purposes.

While the first three triggers are similar to ones in other states, they will have a broader impact since the CCPA also applies to personal information of employees, candidates, and B2B business contacts.  The last three triggers are not similar to ones that exist in other states.

Documented risk assessments must cover a number of specific topics that are detailed in the regulations, including the purposes of processing, the types of personal information involved, the specific operational elements of the processing, risks and benefits, safeguards, ADMT processing, and details of the assessment contributors and approver.  Companies may need to update privacy assessment processes to include this additional scope, and additional resources may be needed to support assessment processes.

There are some additional expectations for risk assessments under these regulations:

  • Risk assessments must be based on involvement of knowledgeable stakeholders at the organization.

  • Risk assessments must be approved by the business decisionmaker for the processing activity.

  • Risk assessments must be reviewed and updated at least every three years, and whenever there is a material change to a processing activity.

Unlike other states, California will also require proactive submission of certain assessment information to the State.  The full assessments won't need to be submitted, but details on the number of assessments, processing activities involved, and types of personal information involved, will need to be submitted.  Also, the executive team member with responsibility over the risk assessment process (like a General Counsel) must submit an attestation (under penalty of perjury) that risk assessments were conducted.  This requirement must be complied with by April 1, 2028, and will apply for risk assessments conducted in 2026-2027. 

In the months ahead, companies that are subject to the CCPA should consider:

  • Updating assessment triggers so that assessments are conducted when these risk assessments are required;

  • Validating that current assessment processes cover required components for risk assessments, and if not, planning to close any gaps by 2026;

  • Confirming that business stakeholders understand when assessments are required, and that business processes trigger assessments when required; and

  • Socializing upcoming certification requirements with the executive team member that will be accountable, including any outstanding resource needs that will be required to support required certifications.

Cybersecurity audit regulations

Article 9 of the regulations contains the new cybersecurity audit requirements.  For many companies, these may be the most comprehensive cybersecurity audit requirements imposed under U.S. law.

Cybersecurity audits will be required for businesses:

  • with $25M+ in global annual revenue that process: (i) personal information of 250k+ consumers/employees per year; or (ii) sensitive personal information of 50k+ consumers/employees per year; or

  • that make 50% or more of their revenue from selling or sharing personal information. 

Audits must be independent, and conducted by an external entity or internal team that reports directly to an executive team member that does not oversee cybersecurity.  Many companies' existing internal security assessment processes may not satisfy the independence requirements in the regulations.

Audits must cover eighteen components of the cybersecurity program noted in the regulation, including elements that may be beyond the scope of current security programs or audits.  These include:

  • Multifactor authentication, authentication, and password requirements

  • Encryption of personal information in transit and at rest

  • Access controls, account management, and management of privileged accounts

  • Personal information and asset inventories

  • Hardware and software configuration and patch management

  • Vulnerability scanning and penetration testing

  • Logging and log monitoring

  • Network monitoring and intrusion defense

  • Antivirus and malware protection

  • Network segmentation

  • Port, service, and protocol management

  • Cybersecurity threat awareness and monitoring

  • Cybersecurity training and education

  • Secure development and coding protocols, reviews, and testing

  • Vendor management and monitoring

  • Personal information retention and deletion protocols

  • Security incident response processes, and

  • Business continuity and data recovery capabilities.

Audits must cover entire calendar years, starting with calendar year 2027 for some businesses, and 2028 or 2029 for others.  Audit reports are required, and must include a number of details specified in the regulations.

Annual certifications that the audit has been completed, and was independent, must be submitted to the CPPA (under penalty of perjury) by the executive team member who was directly responsible for the business's audit compliance.

For next steps, companies should consider:

  • Determining whether they are in-scope, and if so, by when they must comply;

  • If in scope, assessing whether existing audit practices meet independence requirements;

  • Assessing whether each of the 18 domains the audit must cover are addressed in current audit practices, and for any gaps, planning to address by the end of 2026 or before the audit requirements apply; and

  • Socializing the requirements and any resource needs with the executive team member that will make the required certifications.

Automated decisionmaking technologies

Article 11 of the regulations contains requirements for companies that make certain uses of ADMT.  The ADMT regulations won't impact all companies, but they should be reviewed to determine if they apply.

ADMT means technology that processes personal information and uses computation to replace or substantially replace human decisionmaking.  Companies that use ADMT to make certain significant decisions have additional obligations under the regulations.  These significant decisions include ones that result in the provision or denial of:

  • financial or lending services,

  • housing,

  • education enrollment or opportunities,

  • employment or independent contracting opportunities or compensation, or

  • healthcare services.

There are requirements for pre-use notices before these ADMT uses occur.  Requirements for the notices include:

  • Presenting them where or before personal information used for the in-scope ADMT processing will be collected (or if already collected, before it is used for in-scope ADMT);

  • Including the specific purpose for using the in-scope ADMT;

  • Detailing how the ADMT works to make decisions, and how outputs are used;

  • Disclosing alternative processes for making significant decisions if consumers opt-out; and

  • Listing how consumers can opt-out, and exercise their right to access.

Consumers have rights to opt-out of uses of ADMT to make significant decisions, subject to certain exceptions in the regulations.  The regulations include a number of operational requirements for how businesses need to accept and honor these opt-out requests.

Consumers have rights to "access ADMT" by requesting details about its use to make significant decisions.  The regulations have operational requirements for how these rights need to be offered and honored, and specify a number of details that need to be provided in response to the right.

Companies must come into compliance with these ADMT regulations by January 1, 2027.

As next steps, consider:

  • Assessing if existing company practices will be subject to these ADMT regulations;

  • Updating AI and/or privacy assessment processes to identify when new proposed AI or personal information processing practices will be subject to these ADMT regulations; and

  • If in scope for these regulations, beginning planning for how pre-use notices and individual rights will be addressed before the regulations become effective.

Additional CCPA regulation updates

In addition to adopting the new regulations above, the CPPA also approved amendments to the existing CCPA regulations.  These amendments impact the regulations regarding:

  • obtaining consent;

  • practices that constitute dark patterns;

  • where and how connected devices and AR/VR providers need to inform people of their rights to opt-out of sales and "sharing";

  • where and how businesses need to inform people of their rights to limit uses and disclosures of sensitive personal information;

  • individual rights fulfillment obligations (including for correction, opt-out of sale/sharing via GPC or opt-out signal, and to know/access),  which may require process or operational changes for some businesses;

  • new metrics reporting for ADMT-related DSRs for certain businesses; and

  • requiring businesses to display on a website whether opt-out signals like GPC have been honored.

As next steps, consider:

  • Reviewing these updates, particularly regarding how your company seeks to obtain consent, offers choices regarding the processing of personal information, and uses and shares sensitive personal information;

  • Validating that individual rights processes address the updated requirements; and

  • Planning to display on your website that the GPC signal has been honored.

Companies that agree to act as service providers or contractors under the CCPA will also have obligations under the regulations (and independent of contract terms) to cooperate with their business customers in: (1) the business's completion of its cybersecurity audit (including providing all relevant information requested to complete the audit); and (2) the business's risk assessments (including providing all facts necessary to conduct the risk assessment). 

Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.


Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

by Cameron Cantrell and Felicity Slater 

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.


Hintze & Partners Recognized by Chambers in 2025 USA Rankings

Hintze Law PLLC is delighted to announce the Chambers & Partners recognition of Susan Hintze, Mike Hintze, Sam Castic, and Mason Fitch in its USA Guide 2025. These recognitions include the firm’s sixth year being nationally ranked in Privacy and Data Security, and third year in Privacy & Data Security: Healthcare.


State Privacy Regulators Announce Formation of Collaboratory Consortium

by Felicity Slater and Susan Hintze

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in the investigation of potential violations of, and the enforcement of, their states' respective comprehensive privacy laws.


Takeaways From the New DOJ Guidance on Its Cross-Border Data Rule

By Sam Castic

On Friday April 11, 2025, the DOJ released a Compliance Guide and more than 100 FAQs on the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons Rule (the “DOJ Rule”).  It also released an Implementation and Enforcement Policy, which indicates it will not prioritize enforcement against companies making good faith efforts to comply until July 8, 2025. 


Virginia Governor Signs Reproductive Health Data Restrictions into Law

by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 


French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

By Susan Hintze and Hansenard Piou 

Note that the Autorité has not yet published the decision in question, as it is in the process of redacting information relating to trade secrets. Please check back for updates.


Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.


Final COPPA Rule Amendments: Definitional Changes

By Susan Hintze, Emily Litka, and Amy Lanchester 

This is Part 2 in a series of blog posts about the 2025 COPPA Final Rule. It provides a comprehensive review of the revised definitional changes to the Rule.  Subsequent posts in the coming days will delve more deeply into the direct and online notice, parental consent, and data governance requirements. Our unofficial redlined copy of the Final Rule can be found here.


The FTC Issues Final COPPA Rule Amendment

By Susan Hintze and Emily Litka

This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors. Our unofficial redlined copy of the Final Rule can be found here.


In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient, in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.


A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

By Mike Hintze and Felicity Slater 

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end. 


Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition of the Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.


California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others 

By Emily Litka

In September 2024, California Governor Gavin Newsom signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.


FTC Introduces Novel Ban in Its Settlement with NGL Labs and Scrutinizes AI Representations

By Emily Litka

On July 9, 2024, The Federal Trade Commission (FTC) and the Los Angeles District Attorney’s Office (LA DA) reached a settlement with NGL Labs, the maker of the “NGL: ask me anything” app and its co-founders. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), the Children’s Online Privacy Protection Act (COPPA), the Restore Online Shoppers’ Confidence Act (ROSCA), and similar California state laws. In the complaint, the FTC and LA DA also brought claims against NGL’s cofounders individually. 
