
Matt Hays is a go-to advisor in matters relating to data sensitive projects, agreements, services and investigations. He has worked extensively with clients as they wrangle with the explosion of innovative and complicated artificial intelligence driven technologies, including the deployment of generative AI tools through internal development or sourced from a technology provider. With a background in engineering and patent law, Matt possesses a unique ability to quickly understand and assess new and complicated technologies to advise on the legal risk to your business. Working with clients in the insurance, health, tech and financial services industries, Matt’s wide experience brings a holistic approach to compliance projects that ends with a solution, and not at just identifying the problem.

Takeaways

  • The CCPA Dives Into Internal Governance. The new amendments introduce three major regulatory pillars: new requirements for Automated Decision-Making Technology (ADMT), mandatory annual cybersecurity audits, and a requirement for businesses to conduct pre-processing data protection risk assessments.
  • ADMT. The CCPA has adopted pre-notice, risk assessment, consumer opt-out, and access obligations, as have been found in more recent privacy laws, with regard to automated decision-making and profiling.
  • Mandatory Executive Oversight. Members of a business’s executive management team are now directly responsible for overseeing the new mandatory cybersecurity audits and risk assessments and are responsible for making the necessary related certifications to the California Privacy Protection Agency (CPPA).
  • Phased Compliance Deadlines. The new regulations will likely be effective within the next four months and have compliance deadlines extending from 2027 through 2030.

Summary

After a tortured process taking years, the California Privacy Protection Agency has finalized the long-awaited amendments to the CCPA Regulations. The final package of regulations, now spanning more than 100 pages, is pending final review by the California Office for Administrative Law (OAL). If the OAL files the regulations by August 31, 2025, they will take effect on October 1, 2025. If the filing occurs between September 1 and November 30, the regulations will take effect on January 1, 2026.

Continue Reading New CCPA Regulations: Culture Change and the Rise of the ex ante Framework

Key Takeaways:

  • The Minnesota Consumer Data Privacy Act (the “Act”) follows established trends regarding transparency, data minimization, and required assessments, but represents the next evolution in consumer rights under U.S. state-by-state privacy legislation.
  • The Act provides consumers with special rights related to profiling, that is, automated processing of personal data to evaluate, analyze, or predict personal aspects of an individual, including through AI, not found in other state laws.
  • The Act requires covered organizations to adapt and expand their existing compliance programs in order to respond to these new consumer rights.

Summary:

Starting July 31, Minnesota will join the growing list of U.S. states with its own comprehensive consumer data privacy law, but with a key difference. Signed into law in 2024, the Minnesota Consumer Data Privacy Act follows the broader national trend toward stronger data protection and use standards. Like other U.S. state privacy laws, the Act requires covered organizations to:

Continue Reading The Minnesota Consumer Data Privacy Act Is the Next Evolution in Consumer Privacy Rights

Takeaways

  • Increased federal deregulation and related actions are further destabilizing the already tenuous foundation of the Data Privacy Framework (DPF). European privacy regulators have been issuing guidance indicating that they expect a European pull-back from the DPF.
  • Businesses that rely on the DPF should maintain their certification, but should move now to prepare to activate alternative data transfer mechanisms, such as the standard contractual clauses, and update lapsed transfer and data privacy impact assessments.
  • Review current cloud-storage arrangements and consider regionalizing European data storage to avoid EU-to-U.S. data transfers, especially if your cloud provider is relying on DPF certification to legitimize GDPR data transfers.

After years of litigation, false starts, and invalidated frameworks, the U.S. had finally achieved a simplified path for GDPR compliant transfers of personal data from Europe. However, European reaction to the recent changes on the U.S. side of the pond indicates a wavering in the support of the EU-U.S. Data Privacy Framework (DPF) and threatens to send the U.S. back into the data transfer dark ages.

Continue Reading Status Check: Support Is Quickly Eroding for the EU-U.S. Data Privacy Framework

We’re not playing horseshoes here, folks. It’s time to review your consumer privacy rights forms and mechanisms.

Key Takeaways

  • The fields relating to requests to opt-out of sale/sharing and requests to limit should only solicit the information strictly necessary to complete the request, which is likely less than the other more substantive requests (like access and delete). This applies to authorized agent opt-out requests as well.
  • For the more substantive requests (like access and delete), re-evaluate how much information is actually necessary for you to fulfill the consumer’s request. Ensure your form is not asking for anything extraneous.
  • Review your cookie consent toggles to ensure that opting out of certain cookies involves exactly as many steps as opting in.
  • Ensure you have CCPA-compliant contracts with your advertising technology providers saved in your files.

Continue Reading Close Enough Is Not Good Enough When It Comes to Consumers’ Privacy Rights

As AI continues to advance at a rapid pace, two notable foreign players have emerged: DeepSeek and Qwen. These powerful AI models, developed by a Chinese lab and Alibaba, respectively, have garnered attention for their impressive capabilities and potential to disrupt the AI industry. However, alongside their technological prowess comes a host of privacy concerns that warrant closer examination. This article delves into the privacy pitfalls associated with these AI models and explores the implications for users and the broader AI ecosystem.

Continue Reading Privacy Pitfalls in AI: A Closer Look at DeepSeek and Qwen

In Greek mythology, Sisyphus was punished by Hades for cheating death (twice) by forcing him to roll an immense boulder up a hill only for it to roll back down every time it neared the top. AI stakeholders know the feeling. Attempting to keep pace with the downpour of artificial intelligence-related regulation, guidance, rules and requirements emerging over the past two years feels like a mythical challenge.

At any point in time, there are 50 U.S. states, five inhabited territories, the White House, a federal district, a dozen federal agencies, a hundred-odd state agencies and a couple thousand municipalities all tackling the same question: what are the rules for a safe, legal and generally non-evil deployment of artificial intelligence tools?

Different regulators have come up with different answers to that question. What have they focused on so far?

Continue Reading Understanding Trends in AI Legislation

Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

Continue Reading CCPA/CPRA Set To Cover Employee, Job Applicant, and Business Personal Information: A Trap for the Unwary?

It has been impossible to ignore the constant spam of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors.
Continue Reading Cybercriminals Finding Success In Targeting New Industries

Despite its unassuming name, the EARN IT Act has substantial cybersecurity implications, its relative obscurity in today’s coronavirus-obsessed headlines notwithstanding. The Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act has already caught the ire of the collective internet and technology spheres due to its dramatic alteration of the safe harbor provisions of Section 230 of the Communications Decency Act (Title V of the Telecommunications Act Of 1996). Although still in the early stages of the legislative process, curbing Section 230’s protections has already garnered substantial support from leaders in both parties, including Joe Biden and Ted Cruz. Therefore, EARN IT’s progress merits close monitoring.
Continue Reading Putting in the Work: What Does the EARN IT Act Have in Store for Average Businesses