State Privacy Regulators Announce Formation of Collaboratory Consortium

April 17, 2025 in CPPA, Data Privacy, State Legislation

On April 16, 2025, the California Privacy Protection Agency (CPPA) and state Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon announced the formation of the bipartisan "Consortium of Privacy Regulators." The focus of the Consortium will be to foster multi-state coordination, including sharing of expertise and resources, in investigation of potential violations of and enforcement of their state's respective comprehensive privacy laws.

The press release quotes Michael Macko, the CPPA’s head of enforcement, observing that CPPA officials have “seen firsthand how misuse of data can harm Californians, whether it's information about their health, location, kids, identity, and more.” This suggests that sensitive personal information — including health information, kids’ data, and precise location data, which have taken center stage for new privacy laws and enforcement in recent years — is likely to be a priority for the Consortium.

While state privacy law enforcers have been open about engaging in informal information-sharing for years and some have even coordinated multi-state settlement negotiations, the formation of the Consortium marks the first formalization of such collaboration in the privacy context and may signal a potential uptick of multistate privacy enforcement action. This possibility is significant for businesses, whose potential liability may increase in the context of more coordinated lawsuits and settlement negotiations brought under the comprehensive privacy laws of multiple states. In the past, coordinated efforts among state enforcers have tended to yield high combined settlement amounts.

State enforcement collaboration may also be intended to address a commonly cited concern with state level privacy enforcement: that State Attorney Generals offices lack resources to engage in robust investigation into data collection and use practices. Such collaboration could indicate that state enforcement authorities are gearing up to increase their privacy-related enforcement activity in response to a perceived de-prioritization of privacy issues at the federal level, including at the Federal Trade Commission.

Notably, Texas — which has emerged as one of the most active state privacy regulators — is not a Consortium member.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Felicity Slater is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Susan Hintze is Co-Managing Partner at Hintze Law PLLC. Recognized by Chambers, Legal 500, & Best Lawyers, Susan and her firm are leaders in their field. Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

March 24, 2025 in Data Privacy, Health + Biotech Privacy

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

February 14, 2025 in Data Privacy, State Legislation, Health + Biotech Privacy

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors.

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

February 13, 2025 in Data Privacy, Health + Biotech Privacy, Hintze Law Recognitions

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

January 22, 2025 in State Legislation, Health + Biotech Privacy

By Mike Hintze and Felicity Slater

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.

Workplace Privacy – 5 Things I’m Keeping in Mind for 2025

January 21, 2025 in Technology Law, Workplace Privacy, Artificial Intelligence, GenAI, FCRA

By Jennifer Ruehr

Many of us are returning to work this month with New Year’s resolutions, predictions, and lists top of mind, and top of inbox. As I turn back to work, I’m thinking ahead to how U.S. laws and regulations are going to impact my clients from a workforce perspective. Here’s what is top of mind for me right now:

Fair Credit Reporting Act
State law AI requirements
Biometrics in the workplace
Genetic data risk
Workplace monitoring

The EDPB Releases an Opinion on AI Model Development and Deployment

January 08, 2025

By Emily Litka

On December 18th, in response to a request from the Irish Supervisory Authority (“SA”), the European Data Protection Board (the “EDPB”) published an opinion (the “Opinion”) on the application of the GDPR to certain aspects of AI model development and deployment.

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

November 07, 2024 in Technology Law, Information Technology Law, Hintze Law Recognitions

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.

Hintze Law Privacy Updates

November 22, 2021 in Global Privacy Updates

By Emeka Egwuatu

Our latest snapshot of recent privacy law developments from around the world.

Virginia Passes Comprehensive Data Privacy Law

March 08, 2021 in State Legislation

By Charlotte Lunday

On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA, which takes effect January 1, 2023, will look familiar to those who work with the GDPR and California’s Consumer Privacy Act and Privacy Rights Act (CCPA and CPRA, respectively). Companies that have already invested in GDPR and CCPA/CPRA compliance will find that most VCDPA obligations are similar to what they have already addressed in some form for Europe and California. But the new Virginia law also contains some novel provisions, such as excluding a broad range of “publicly available information” from the definition of personal data, contractual requirements for sharing de-identified data, and establishing an appeals process for data rights requests.

FTC Issues Enforcement Policy Statement on COPPA and Voice Recordings

October 23, 2017 in COPPA, FTC

By Smriti Chandrashekar

On October 23, 2017, the U.S. Federal Trade Commission (“FTC”) issued guidance on the online collection of certain audio voice recordings from children under the age of 13. The guidance, in the form of an “enforcement policy statement” discusses the application of the Children’s Online Privacy Protection Act (“COPPA”) to such recordings.

FTC Updates COPPA Verifiable Consent Guidance

July 17, 2014 in COPPA, FTC

The FTC has updated its Children's Online Privacy Protection Act (COPPA) FAQs providing new guidance regarding verifiable parental consent, including an alternative method of verification, clarifying ability of operators to use third parties to obtain consent; and the potential liability of those third parties consent providers.