Photo of Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.Continue Reading Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers

On Aug. 15, the DoD issued another proposed rule regarding the forthcoming Cybersecurity Maturity Model Certification (CMMC) standard. As part of the release, the DoD proposed some additional verbiage for the DFARS regarding future cybersecurity obligations and offered clarifications of the requirements that it put out last December. The release also set Oct. 15, 2024 as the due date for any comments.

The rule’s highlights were split between the new, or somewhat new, additional verbiage and DoD’s clarifications of the details that it previously released. Below is a discussion of the most significant highlights:Continue Reading Is It Still CMMC 2.0? DoD Clarifies the Forthcoming Cybersecurity Standard

Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.Continue Reading Not So Fast: Vermont Governor VETOES Private Right of Action for Consumer Privacy Violations

Just past midnight on May 11, 2024, the Vermont legislature passed the Vermont Data Privacy Act (VDPA). VDPA, if signed by Governor Phil Scott, will take effect on July 1, 2025, and will make Vermont the 18th state to establish consumer privacy rights in the same vein as the California Consumer Privacy Act (CCPA). Although many state consumer privacy laws feel cookie cutter at this point, VDPA contains nuances that will require companies to strategize data management intake and processing.Continue Reading While You Were Sleeping, Vermont Passed One of the Most Stringent State Consumer Privacy Laws Yet

Artificial intelligence, referred to as “AI” for short, has had an outsized impact on nearly every aspect of human existence. If that sounds like an overstatement, it’s not— machine learning systems and generative AI tools have now been integrated into various sectors of life including healthcare, government services, industry, and education. In 2023, more than 50% of US companies reported using AI for cybersecurity/fraud management, and 97% of business owners expressed enthusiasm that AI platforms like ChatGPT will help their businesses. Several cities and municipalities have adopted protocols for how local government may use and rely upon AI as part of day-to-day duties. 

Unsurprisingly, the law has lagged well behind the impressive speed of AI’s ballooning technological development. This notwithstanding, various governmental agencies, legislative bodies, and courts have begun to assemble a regulatory regime which may help answer the million-dollar question in this brave new world: who, or what, is liable when AI goes wrong?Continue Reading Artificial Intelligence, Real Liability: Who’s on the hook when things go wrong?

Yesterday, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA).  Enforcement Advisory No. 2024-01(the Advisory) is solely devoted to data minimalization, which the CPPA describes as “a foundational principle in the CCPA.” An enforcement advisory is not an implementing rule, regulation, or law; it is not even an interpretation of the law or legal advice. Instead, CPPA enforcement advisories are intended to be informational bulletins to inform the public about nascent legal privacy issues that CPPA is engaging with at a given time. Continue Reading California Privacy Protection Agency Issues “Minimal” Guidance on CCPA in First Enforcement Advisory

Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.

With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0; as well as the requirements, the certification process, and how your organization can best prepare.Continue Reading CMMC 2.0 Is Here to Stay: Where Do We Start?

On Wednesday, February 21, 2024, California Attorney General Rob Bonta announced that his office reached a settlement with DoorDash, which addresses allegations that the company facilitated several violations of both the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA).

Following an investigation by the California Department of Justice, the CA AG’s office determined that DoorDash sold the personal information of California customers without requisite notice or an opportunity to opt-out of that sale.  The sale took place through marketing cooperatives, which are networks of businesses that share the personal information of their respective customers with one another in order for participating businesses to advertise to those same customers, regardless of any prior relationship.  In other words, by participating in marketing cooperatives and disclosing consumer personal information as part of its membership, DoorDash was able to reach new customers; in turn, the other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers.Continue Reading California Delivers to DoorDash $375,000 Civil Penalty: California AG Announces Second CCPA Settlement

Late last week, the California Third District Court of Appeal (the “Court”) overturned a lower court decision delaying the enforcement of amended privacy regulations. On Friday, February 9, 2024, the Court held that the California Privacy Protection Agency (the “Agency”) had the authority to enforce its amended California Privacy Rights Act (CPRA) regulations effective immediately, meaning all businesses regulated by the CPRA are expected to be in full compliance today. Continue Reading California Appeals Court Holds CPRA’s Implementing Rules Are Immediately Enforceable

On September 18, 2023, the U.S. District Court for the Northern District of California granted technology trade association NetChoice, LLC’s request for a Preliminary Injunction in NetChoice LLC v. Bonta, a lawsuit challenging the constitutionality of the California Age-Appropriate Design Code Act (CAADCA), which the California Legislature passed last year. In granting the Preliminary Injunction, the court found that the law’s restrictions on commercial speech likely violate the First Amendment. 

Drawing inspiration from the UK Age-Appropriate Design Code, the CAADCA regulates covered businesses and their practices with respect to the collection, storage, and processing of personal data collected from children under the age of 18. CAADCA requires that the most restrictive default privacy settings be implemented for younger users and that any community standards, terms of service, and privacy settings be freely accessible and enforced. Following the September 18 ruling, the future of the CAADCA is uncertain. At the very least, the CAADCA is unlikely to be enforced on its intended effective date of July 1, 2024, as the injunction remains in place throughout the course of litigation.Continue Reading Pumping the Brakes: Federal Judge Grants Preliminary Injunction Blocking California Children’s Digital Privacy Law From Taking Effect