Skip to content
vCard Download
By clicking on the Submit button below, you are downloading the Loeb contact's vCard

Hashed & Salted: Vol. 4, Issue 4

Client Alerts/Reports

Hashed & Salted | A Privacy and Data Security Update

California Gets Regulations In Under the Wire, But Legislation Stalls!

As the Summer of Privacy fades into fall, California is—unsurprisingly—in the privacy news. The California Privacy Protection Agency (CPPA) succeeded in finalizing proposed regulations under the California Consumer Privacy Act (CCPA) at its scheduled board meeting July 24, narrowly avoiding a November 2025 reset of the rulemaking process.

As we noted in our last issue, the agency voted in November 2024 to commence formal rulemaking on the regulations, starting the clock running. After a public comment period from Nov. 22, 2024, to Feb. 19, 2025, and a number of rounds of revisions, the agency in May approved amendments to the proposed regulations covering automated decision making technology (ADMT), cybersecurity audits, risk assessments and insurance, as well as updates to the existing CCPA regulations. The resulting comment period closed June 2, giving the staff a short period of time to prepare final regulations for approval. The regulations have been sent to the California Office of Administrative Law, which must approve them before they can take effect.

In other California privacy news, efforts by the California Assembly to amend the California Invasion of Privacy Act (CIPA) stalled as SB690 has been placed on hold. SB690 specifically exempted communications intercepts for commercial business purposes from CIPA’s scope, defined a commercial business purpose broadly as the processing of personal information that is either performed to further a business purpose or subject to a consumer’s opt-out rights, and provided that neither trap and trace technology nor pen registers include devices or processes used for commercial business purposes. The earliest the Assembly could reconsider SB690 is 2026.

In the absence of a comprehensive federal privacy law, state privacy laws continue to shape and reshape the regulatory landscape. Maryland’s Online Data Privacy Act goes into effect on Oct. 1, bringing with it strict purpose limitation obligations. Looking ahead, the last set of comprehensive privacy laws from Indiana, Kentucky and Rhode Island will go into effect on Jan. 1, 2026. Check out our privacy law app for more details on what each law requires.

As a result of the proliferation of state privacy laws, the Network Advertising Initiative (NAI), an industry self-regulatory organization, has announced the sunsetting of its opt-out mechanism, effective Sept. 15. The organization cited as its reasons that the legacy opt-out tools “[don’t] align with the direction of NAI’s self-regulatory program going forward,” adding that these existing tools were not designed for compliance with the state privacy laws that have been enacted in the past few years. Companies updating their privacy policies should consider removing links to the NAI mechanism.

In our first article, “The DOJ’s New Bulk Data Transfer Rule: What Every Business Needs To Know—and Do—Now,” Eyvonne Mallett, of counsel at Loeb, discusses the Bulk Data Transfer Rule, a transformative new regulation introduced by the U.S. Department of Justice (DOJ). While the rule took effect in April, certain affirmative compliance obligations, including due diligence, audits and reporting, become enforceable starting Oct. 6, 2025.

In our second article, “A Cautionary Tale About Algorithmic Pricing Software,” associate Sarah Rubenstein Polak explains algorithmic pricing, as well as the privacy, consumer protection and antitrust concerns related to pricing tools that use personal, nonpublic or competitively sensitive data.

And our special team member spotlight for this issue is Christopher Victory, a second-year law student at George Mason University – Antonin Scalia School of Law. Christopher interned this summer with both Loeb & Loeb and the Future of Privacy Forum through the Federal Communications Bar Association Pipeline Program. In his spotlight, Christopher talks about discovering privacy law through his search for a summer internship, developing his interest in how different countries enforce their privacy and data security laws and the challenges companies operating across jurisdictions face in developing global compliance strategies, and how he developed a lifelong interest in the competitive marching arts. Christopher’s article on privacy enforcement in South Korea and Japan will be featured in our next issue of Hashed & Salted.

In This Issue:

The DOJ’s New Bulk Data Transfer Rule: What Every Business Needs to Know—and Do—Now

In a sweeping move to bolster national security and safeguard sensitive information, the DOJ has introduced a transformative regulation: the Bulk Data Transfer Rule. While the rule took effect in April, certain affirmative compliance obligations—such as due diligence, audits and reporting—become enforceable starting Oct. 6, 2025. This rule marks a significant shift in how American businesses must manage the flow of personal and government-related data—especially when that data could end up in the hands of foreign adversaries.

Read more here.

A Cautionary Tale About Algorithmic Pricing Software

The use of algorithmic pricing software, including dynamic and competitive pricing, raises fairness and privacy concerns when the data is based on personal, nonpublic or competitively sensitive data. Businesses must carefully manage these pricing tools and the associated data input sources to comply with consumer protection, privacy and antitrust laws, as well as to stay aware of any discriminatory or collusive pricing practices.

Read more here.

Team Member Spotlight: Future of Privacy Forum US Policy Intern Christopher Victory

How did you develop your area of focus?

When I entered law school, I did not have a clear direction and initially viewed the legal field through a traditional binary lens, either as a transactional or litigation attorney. While exploring internship opportunities during my 1L year, I came across the Federal Communications Bar Association’s pipeline program, which offered placements in the tech and privacy law space. I applied and was fortunate to gain experience at both the Future of Privacy Forum and Loeb & Loeb. These experiences exposed me to the dynamic and rapidly evolving nature of privacy law, where attorneys are constantly challenged to craft innovative solutions to novel issues. That environment—one that rewards creativity and adaptability—is what continues to draw me to this field.

What is exciting you/grabbing your attention right now?

I’ve become increasingly interested in how different countries are enforcing their respective privacy laws—especially as global compliance becomes a growing challenge for companies operating across jurisdictions. Unlike the U.S., which lacks a comprehensive federal privacy framework and has instead seen a patchwork of state-level laws, many foreign governments have taken a more centralized and proactive regulatory approach. For example, the European Union’s General Data Protection Regulation (GDPR) has been aggressively enforced by data protection authorities, with fines exceeding €1.5 billion in 2023—targeting leading tech companies for violations ranging from unlawful data transfers to opaque consent mechanisms. In South Korea, the Personal Information Protection Commission has ramped up enforcement, issuing multimillion-dollar fines against companies in 2022 for tracking users without proper consent.

What fascinates me most is the legal uncertainty created by these diverging enforcement trends and evolving regulatory standards. U.S. companies must now not only monitor state legislation like the California Consumer Privacy Act and the Virginia Consumer Data Protection Act but also anticipate how foreign regulators may interpret extraterritorial provisions in laws like the GDPR or South Korea’s Personal Information Protection Act. That uncertainty and the strategic cross-border thinking that developing global privacy laws demand continue to grab my attention.

What’s something people would be surprised to learn about you?

Something most people would be surprised to learn about me is that I was a full-on band kid in high school. I played baritone saxophone in the symphonic band, marched tuba in marching band and even marched cymbals in the indoor drumline. Although I haven’t picked up an instrument since graduation, that experience has shaped a big part of who I am. I carry a deep appreciation for the discipline, teamwork and creativity it instilled in me. I still follow the competitive marching arts closely through organizations like Drum Corps International and Winter Guard International. I also keep up with contemporary band composers like John Mackey, whose work continues to push the boundaries of wind ensemble music. It’s a world most people outside the activity don’t know much about, but for me, it remains a meaningful, comfortable and inspiring part of my life.

Events Spotlight

AI Governance and Risk Management
Privacy, Security & Data Innovations Chair Jessica Lee will speak as a member of the panel in this Loeb-sponsored IAB webinar Sept. 11, on how the use of artificial intelligence (AI) in digital advertising is impacting common advertising use cases like audience targeting, content creation, measurement and more.

IAB Privacy Compliance Salon
Loeb is proud to sponsor the IAB Privacy Compliance Salon taking place on Oct. 29, where Privacy, Security & Data Innovations Chair Jessica Lee will be speaking during the session “Beyond the Buzz: Practical Approaches to Governing AI in Adtech.”

IAB Inaugural Commerce Media Network Workshop
Loeb is proud to sponsor and host IAB’s inaugural Commerce Media Network Workshop, a complimentary half-day workshop providing attendees with a practical and strategic deep dive into the legal frameworks shaping the development and operation of commerce media networks (CMNs). Privacy, Security & Data Innovations Deputy Chair Caroline Hudson will be speaking at the Nov. 12 event, to be held at Loeb’s New York office.

2025 IAB State Privacy Law Summit
Loeb is proud to sponsor the 2025 IAB State Privacy Law Summit, taking place Nov. 13 at Jay Conference Chelsea in New York City.

In Case You Missed It

IAB | Untangling the Issues in Commerce Media Networks
Loeb is proud to have sponsored and worked with IAB to develop the white paper “Untangling the Issues in Commerce Media Networks: Key Considerations Under U.S. State Privacy Laws,” offering timely and practical privacy insights into the legal and compliance considerations in developing CMNs. Operated by retailers, travel companies and other consumer-facing businesses, CMNs leverage first-party data to deliver targeted, measurable campaigns while navigating increasingly complex privacy regulations.

IAB | AI Governance and Risk Management Playbook
Loeb is proud to have sponsored and worked with IAB to develop the white paper “Governance and Risk Management Playbook,” designed to help brands, agencies and publishers navigate the evolving AI legal landscape with practical guidance for responsible implementation across key advertising use cases.

What Ad Ops Teams Need To Know About Privacy Now | Loeb & Loeb LLP
Jessica Lee, Loeb’s chief privacy and security partner and chair of the firm’s Privacy, Security & Data Innovations practice, is featured in an AdMonsters Q&A article discussing how evolving state privacy laws, age-gating challenges, downstream vendor liability, consent frameworks, AI tools and heightened regulatory scrutiny are reshaping the landscape for ad operations (Ad Ops) teams.

Featured Loeb Quick Takes

Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.

Related Services

Related Professionals

Also See