
Hashed & Salted: Vol. 4, Issue 3

Hashed & Salted | A Privacy and Data Security Update

Welcome to the Summer of Privacy!

As we hit the middle of 2025, California is once again the focus of our attention, as both its legislators and regulators are attempting to square privacy protections with developing technology such as artificial intelligence (AI), automated decision-making technology (ADMT) and website tracking tools.

On the regulatory front, the California Privacy Protection Agency continues to push forward with proposed regulations as it races against a November 2025 deadline that would reset the rulemaking process if the regulations aren’t finalized.

On May 1, the Agency met to discuss and approve amendments to proposed regulations governing cybersecurity audits, risk assessments, ADMT and insurance, as well as updates to the existing California Consumer Privacy Act regulations. The Agency voted in November 2024 to commence formal rulemaking on the regulations, starting the clock running on finalizing and sending the proposed regulations to the Office of Administrative Law for review. The recent round of revisions is meant to address comments received during the public comment period, from Nov. 22, 2024, to Feb. 19, 2025.

In particular, the revised draft contains substantial changes to the regulations governing ADMT, including significantly narrowing the definition of ADMT so that the regulations now apply to technology that replaces or substantially replaces human decision-making rather than executing a decision or substantially facilitating human decision-making. The amendments also removed the stand-alone definition of technology, which included AI and machine learning, among other technologies, although AI-enabled tools and systems that meet the definition of ADMT are covered by the regulations. The changes to the ADMT provisions also narrow the scope of business activities that trigger obligations under the regulations to “significant decisions”—those involving financial services, housing, education, employment and health care services—and expressly exclude advertising to consumers.

The amendments triggered another, albeit much abbreviated, comment period that closed June 2, with the goal that the staff prepare final regulations for approval at the board meeting scheduled for July 24. Whether this is doable, given the number of questions and discussions around key points across the regulations, remains to be seen.

At the same time, the California Legislature is taking up a number of privacy bills, including SB690, which amends the California Invasion of Privacy Act (CIPA), California’s wiretap statute. The amendments are an effort to give relief to businesses that have been swept up in the flood of claims for violations of CIPA related to the use of website tracking tools and technologies, such as cookies, pixels and beacons, as well as session replay technology. (For a deeper look at privacy claims related to session replay technology, read “Understanding Session Replay: Legal Risks and How to Mitigate Them” in this issue.) In recent months, a number of cases have been filed against AdTech companies, signaling the plaintiff’s bar is expanding the scope of the businesses it’s targeting.

SB690 specifically exempts communications intercepts for commercial business purposes from the scope of CIPA and defines a commercial business purpose as the processing of personal information that is either performed to further a business purpose or subject to a consumer’s opt-out rights as defined by California statute. The amendments also specify that neither pen registers nor trap and trace devices include devices or processes used for commercial business purposes. The original draft of the bill also included a retroactivity provision that would allow it to be applicable to any cases pending as of Jan. 1, 2026, but that provision was struck from the Senate’s most recent amendments. SB690 passed the Senate on June 3 and is being considered by the Assembly.

In other privacy news, industry self-regulatory organization the Network Advertising Initiative (NAI) is sunsetting its opt-out mechanism as of Sept. 15. The organization cited as its reasons that the legacy opt-out tools “[don’t] align with the direction of NAI’s self-regulatory program going forward,” adding that these existing tools were not designed for compliance with the state privacy laws that have been enacted in the past few years. Companies updating their privacy policies should consider removing links to the NAI mechanism.

In our first article, “23andMe Bankruptcy Sparks Data Privacy Concerns. Should It?” partner Allison Cohen and associate Teddy Shelby look at 23andMe’s bankruptcy filing and the uncertainty around protecting the company’s cache of customers’ genetic data. Last month, the court-appointed Consumer Privacy Ombudsman (CPO) in In Re 23andMe Holdings released a 200-plus page report assessing the privacy implications of the proposed sale of the company’s assets as part of its Chapter 11 bankruptcy proceedings. In our second article, “23andMe Bankruptcy: The Privacy Ombudsman’s Report,” Privacy, Security & Data Innovations Chair Jessica Lee summarizes key highlights from the CPO’s Report.

In our third article, “Understanding Session Replay: Legal Risks and How to Mitigate Them,” Allison Cohen explores the rise of litigation alleging that session replay tools, which record websites’ and apps’ user interactions, amount to illegal wiretaps or surveillance, as well as proactive measures that can help avoid such claims.

In our team member spotlight, partner Nate Hole talks about the evolution of his 21-year practice at Loeb helping clients across industries take smart risks in today’s data and privacy ecosystem as well as why his family’s summer includes a lot of running and lemonade—all for a great cause.

In This Issue:

23andMe Bankruptcy Sparks Data Privacy Concerns. Should It?

As the news of 23andMe’s bankruptcy filing sinks in, questions are arising about the company’s stockpile of customers’ genomic data in the event the company is acquired. While some privacy advocates are urging customers to delete their data from 23andMe’s database, it may not be necessary. Existing federal, state and local consumer protection laws are designed to protect consumer data privacy, and 23andMe is known for its strict privacy protections. Any buyer must adhere to these standards.


23andMe Bankruptcy: The Privacy Ombudsman’s Report

The court-appointed CPO in the 23andMe bankruptcy last month released a 200+ page report giving his opinion on a number of questions about the privacy implications of the proposed sale of 23andMe’s assets as part of its Chapter 11 proceedings. In the June 11 report, the CPO expresses concern that, because the data at issue includes genetic information, which is inherently identifiable, incredibly sensitive and poses serious risks to consumers, the sale of that information in connection with bankruptcy poses a privacy risk that is not addressed by existing laws.


Understanding Session Replay: Legal Risks and How to Mitigate Them

Session replay tools allow organizations to see how users interact with their websites or apps in real time by tracking clicks, scrolls, keystrokes, mouse movements and page views. But nearly 2,000 suits have been filed over this surveillance technology, mostly in California under state privacy laws. So far, courts are divided on how to adjudicate these claims. Businesses using session replay tools can, however, protect themselves by implementing several key practices on their websites.


Team Member Spotlight: Nate Hole

How did you develop your area of focus?

I started my career at Loeb 21 years ago and, from the start, I’ve worked with companies on new ways of reaching and engaging consumers and new technologies to deliver products and services. Data has always been a foundational component of those plans, and the past decade or so has brought the privacy component more to the forefront. Being able to help clients with a cross-functional perspective that bridges data, privacy, technology and marketing issues—and seeing the growth of our group in those areas—has been very rewarding.

What is exciting you/grabbing your attention right now?

Our practice has always been about understanding the practical risks and finding ways to take the smart ones—but that’s more critical today than it ever has been. Across industries, we see business needing more agility than ever to operate in today’s environment: moving faster, doing more with less, and balancing more uncertainty and different types of risk than ever before. Add to the mix state privacy laws, questions about shifts (or lack of shifts) in regulatory priorities at the federal and state level, and potentially transformative technologies like AI—it’s a time of incredible opportunity to get things right.

What’s something people would be surprised to learn about you?

For the past several years, our family has raced triathlons with Team Bright Side, a charity that raises money for pediatric cancer research. When the training and racing inevitably get difficult, there’s a little extra boost knowing that it’s to help make a difference in a much greater cause. Our 8- and 10-year-olds have joined the team in the past few years, racing the Chicago Kids Triathlon and doing their own fundraising—we have a LOT of lemonade stands in the summer!

Events Spotlight

  • Privacy, Security & Data Innovations Chair Jessica Lee spoke as part of the Outside Counsel Roundtable – Assessing the Privacy Regulatory Landscape, where she and her fellow panelists provided a deep dive into the U.S. privacy enforcement landscape. The panel was part of the two-day NAI 2025 Summit: Moving Privacy Forward, held May 21 – 22 in San Francisco.
  • Partner Robyn Mohr and associate Chanda Marlowe presented “The AI Double-Edge: Balancing Learning Analytics and Student Privacy” on May 9 at the Privacy + Security Forum: Spring Academy in Washington, proudly sponsored by Loeb & Loeb. They discussed how educational institutions can use AI-driven insights while protecting student data in compliance with the Family Educational Rights and Privacy Act.
  • Jessica Lee, Loeb’s chief privacy and security partner and chair of the firm’s Privacy, Security & Data Innovations practice, ran the “Critical Privacy Concepts in Advertising, Sales and Marketing Technology” workshop on April 22 at the IAPP Global Privacy Summit 2025 in Washington.
  • Loeb & Loeb sponsored the IAB’s Public Policy & Legal Summit on April 22 in Washington. Privacy, Security & Data Innovations Chair Jessica Lee and Deputy Chairs Caroline Hudson and Robyn Mohr attended the event.
  • Jessica Lee also presented the session “Privacy Law Considerations for Social Media and Mobile Apps” on April 17 at PLI’s Social Media and Mobile Devices 2025: Addressing Corporate Risks conference in New York.

In Case You Missed It

Nebraska’s New Kids’ Data Privacy Law: A Privacy-by-Design Trend That Challenges Businesses | Loeb & Loeb LLP

Loeb partner Nerissa Coyle McGinn is quoted by Lexology PRO discussing Nebraska’s newly enacted Age-Appropriate Online Design Code Act and its implications for companies offering online services to minors.

DAA’s Self-Regulatory Principles Undergoing Review with Eye Toward Leveraging IBA Data with AI | Loeb & Loeb LLP

Jessica Lee, Loeb’s chief privacy and security partner and chair of the firm’s Privacy, Security & Data Innovations practice, is quoted by IAPP discussing the Digital Advertising Alliance’s (DAA) review of its Self-Regulatory Principles in light of the growing use of AI in interest-based advertising.

New COPPA Rule Compliance Considerations | Loeb & Loeb LLP

Loeb partner Nerissa Coyle McGinn is quoted in a Lexology article discussing the Federal Trade Commission’s recent updates to the Children’s Online Privacy Protection Act (COPPA) Rule and the broader implications for companies operating online services.
