Deepfakes: A New Form of Workplace Sexual Harassment

In recent years, there has been an uptick in the number of cases where images generated or edited by artificial intelligence have given rise to workplace harassment claims. Regardless of whether the conduct at issue occurred in person or off duty, courts have shown a willingness to hold employers liable, leaving employers vulnerable to significant costs from employee misconduct. 

Current Cases

Employer liability arising from AI-generated content may stem from actionable workplace harassment claims. This could include media such as falsified videos, audio and images containing sexually explicit material that feature a real person without their consent. 

Current and pending litigation involving these types of claims includes:  

  • Carranza v. City of Los Angeles (Cal. Ct. App. 2025). A decision from the California Court of Appeal confirmed a $4 million award issued to a female police captain after a deepfake photo of her topless circulated in the workplace. There, the dissemination in the workplace was considered actionable workplace harassment. 
  • Pearson v. State of Washington (Wash. Super. Ct. 2025). Washington State Patrol trooper Collin Pearson alleges coworkers circulated an AI-generated kissing video that created a hostile work environment based on sexual orientation.
  • Friedrichs v. Scripps Media, Inc. (M.D. Tenn. 2025). Former Nashville meteorologist Bree Smith Friedrichs alleges her employer failed to address sexually explicit deepfake images and retaliation tied to workplace sexism claims. 

What about other federal statutes? 

Workplace harassment claims often interact with Title VII of the Civil Rights Act of 1964, which prohibits discrimination on the basis of sex. Additionally, Section 230 limits liability for platforms where harmful content is posted, meaning that if, for example, an employee distributes an AI-generated non-consensual image on a workplace messaging system (e.g. Slack, Microsoft Teams Chat, etc.) the employer, as opposed to the platform, may still be held liable. Additional claims at play may include: 

  • Title VII of the Civil Rights Act of 1964. The primary federal employment law used in deepfake cases. It supports hostile work environment, sexual harassment, sex discrimination, and retaliation claims. Employers face liability if they knew of the conduct and failed to investigate or stop it.
  • TAKE IT DOWN Act. The first major federal deepfake-specific law. It criminalizes knowingly publishing nonconsensual intimate imagery, including AI-generated “digital forgeries.” Requires covered platforms to remove reported content rapidly.

Are state laws involved? 

State laws cover three categories of harm—nonconsensual intimate deepfakes, election deepfakes, and identity impersonation. Additionally, nonconsensual intimate imagery and revenge porn statutes now often explicitly include AI-generated content, prohibiting the distribution of intimate images without consent and adding an additional legal framework supportive of employee claims against employers. 

In California, there are a handful of specific laws addressing this type of AI use, which may include: 

  • AB 602 creates a civil cause of action against anyone who either creates or intentionally shares digitized sexually explicit material without the depicted person’s consent, providing broad protection against deepfake pornography. Claims arising under this statute are supplemented by strong privacy torts, publicity rights, and CA FEHA for workplace claims. 
  • SB 926 explicitly adds AI-generated depictions to CA’s existing revenge porn law. 
  • SB 1381 and AB 1831 extend CA’s protections to include AI-generated content depicting minors. 

Additional laws have been enacted in Connecticut, Michigan, New Jersey, and New York, among other states. Additionally, state and common law claims for defamation may be relevant when deepfakes create false representations that create reputational harm. Deepfake audio and video may be considered evidence of injury. 

What are my potential responsibilities as an employer? 

Although the issue is narrow, addressing it may require comprehensive action in order to preempt potential liability. Employers may consider the following actions: 

    • Updating Policies: Ensure that workplace policies clearly prohibit dissemination of sexually explicit material, real or doctored. Draft or update a standalone AI Acceptable Use Policy that names prohibited conduct (creating, possessing, distributing deepfakes targeting coworkers) and specifies that violations are grounds for discipline up to and including termination. 
    • Incorporating Training: Equip HR, legal, and IT teams to recognize and respond to deepfake incidents effectively.
    • Refreshing Investigation and Response Protocols: Encourage prompt investigations, which may include forensic analysis, verification of metadata, and ensuring fairness in credibility assessments for both alleged victims and accused parties. 
    • Reviewing Insurance: Review employment practices liability insurance coverage to confirm whether deepfake-related harassment claims and related cyber incidents are covered. Many existing EPL policies predate generative AI and may contain gaps.

What’s next? 

This is a rapidly evolving area of employment litigation—the applications of state deepfake and AI-related statutes in workplace harassment claims are likely to turn on pending federal agency actions and court decisions, ultimately determining the limits of employer liability for their employee’s potentially harassing conduct. Concerned employers may consider monitoring this landscape closely and adjusting compliance programs as litigation continues to contour this area of law. 

Doing Business in California? What To Know About CIPA and Shine the Light Claims

Blog Contributor: Madeline Yuki Gaudlitz, 2L at the University of Michigan Law School

In recent months, companies operating in California have reported an increase in demand letters requesting damages for alleged violations under new and existing privacy laws. Under current data privacy legislation, companies can expect these claims to continue. Plaintiffs’ attorneys have relied on two statutes as a basis for their demands, the California Invasion of Privacy Act (“CIPA”) and California Civil Code § 1798.83 (“Shine the Light”).

What is CIPA?

Originally enacted in 1967 to “protect the right of privacy” of California residents, CIPA bans wiretapping, eavesdropping, or recording private communications. In recent years, Plaintiffs’ attorneys compared real-time consumer-tracking software embedded in companies’ websites to the type of behavior CIPA prohibits. In addition to imposing criminal penalties and fines of up to $10,000, the statute allows private individuals whose personal data has been intercepted by businesses to sue for $5,000 per violation.

Who does CIPA apply to?

CIPA may apply to:
  • Companies with consumer-facing websites or applications used by a California resident
  • Both companies that use these technologies in their consumer-facing website or application and third-party developers

What technologies may leave my company exposed under CIPA?

Potential CIPA liability may apply to a range of real-time consumer tracking technologies that are a standard part of website or application design, which may include:
  • Website analytics
  • Software development kits
  • Third-party tracking pixels and software
  • Fingerprinting software
  • Application programming interfaces
  • Conversation intelligence software-as-a-service (SaaS)
  • Cookies and identity profiles
*Notably, CIPA is sensitive to the processes used to collect customers’ information. Likewise, Shine the Light may not apply to businesses that share information with third parties only for administrative or customer service purposes. To assess liability under these statutes, businesses may want to coordinate with third parties to understand those parties’ business practices and to confirm their awareness of and compliance with CIPA.

What is Shine the Light?

Originally enacted in 2003, the Shine the Light law was aimed at increasing customer awareness of how their personal information may be shared with third parties for direct marketing purposes. The law requires businesses to disclose their information-sharing practices upon request or to allow customers to consent to information sharing. Failure to comply may result in a civil penalty of $500 per violation, and $3,000 if the violation is willful, intentional, or reckless.

Who does Shine the Light apply to?

The Shine the Light law may apply to for-profit companies that:
  • have 20 or more full- or part-time employees,
  • collect personal information from California residents, and
  • have shared customer information with third parties for direct marketing purposes within the immediately preceding calendar year.

Direct marketing may include spamming, telemarketing, or mail. Personal information may include name, address, e-mail address, telephone numbers, date of birth, medical or financial information, information about children, race, religion, occupation and education, and information about the transaction.

Best Practices

While these statutes impose distinct obligations, compliance with both can often be addressed by general practices that limit the collection and sharing of personal information. To work toward compliance, a company may consider:
  • Reviewing your company’s privacy policy to ensure that it accurately informs consumers in California of their privacy rights.
  • Clearly communicating your company’s privacy policy to consumers.
  • Ensuring that the consumer consents to the collection and sharing of personal information.

For CIPA

Regarding liability under CIPA, businesses may want to consider:
  • Reviewing your website or application design for features that collect personal information of users.
  • Coordinating with third party providers to ensure their awareness and compliance with CIPA risks and requirements.
  • If utilizing real-time tracking technologies, securing a consumer’s affirmative consent to data tracking.

For Shine the Light:

There are a couple of avenues that may limit risk under the Shine the Light Law:
  • Ensure that website or application design, physical store, or employees clearly disclose consumer data privacy rights.
  • Ensure that website or application design allows consumers to actively and easily consent to personal information sharing.

OR

  • Maintain awareness of sales of customers’ personal information within the preceding year.
  • Establish a designated address (email, mail, or toll-free number) that customers may use to contact the business and request information about how their personal information is used.
  • Be prepared to disclose, within 30 days of a request, the types of information shared and the names and contact points of third parties that received or purchased the information within the preceding year.

What’s Next?

In the coming years, we may see legislation that responds to the challenges CIPA claims pose to regular business operations in the digital age. SB 690 proposes an exception to CIPA liability for companies that use personal data for commercial purposes. However, this critical amendment is currently stalled. What we know now:
  • It will not be reconsidered until the 2026 legislative session, currently set to run from January 5-August 31, 2026.
  • Legislative history indicates that any exception would only apply to future cases, not currently pending claims or claims filed before the amendment is finalized.
  • Unanimous approval in the state senate may reflect policymakers’ concern with applying CIPA to commercial data collecting practices.
Ultimately, the amendment’s status is uncertain, but there is reason for companies to be optimistic about an eventual tapering down of CIPA claims. Despite this, businesses should remain cognizant of other regulations aimed specifically at digital data collection.

Credit: Madeline Yuki Gaudlitz

Overview: The EU General-Purpose AI Code of Practice

Why Do We Need a Code of Practice?

On August 2, 2025, the general-purpose AI (GPAI) provisions of the EU AI Act went into effect. GPAI models (including models that support most generative AI, like ChatGPT) now face certain obligations in the EU, including requirements around transparency, copyright and systemic risk. However, the EU AI Act is a framework: it defines obligations but leaves technical details to harmonized standards and codes of practice. While this approach sets certain expectations and allows the EU AI Act to remain technology-neutral, it also leaves questions about how businesses substantially comply with the EU AI Act. To bridge this gap, a multi-stakeholder group drafted the General-Purpose AI Code of Practice (GPAI Code). On August 1, 2025, the European Commission issued a formal opinion confirming the GPAI Code is an “adequate tool” to help demonstrate compliance with the EU AI Act.

Why is the Code significant?

This opinion signals that organizations who adopt the GPAI Code may be able to demonstrate good-faith efforts to comply with the relevant provisions of the EU AI Act. According to the Commission’s website: “The Code of Practice helps industry comply with the AI Act legal obligations…of general-purpose AI models.” In its opinion, the Commission notes that the Code provides actionable commitments and reporting mechanisms, especially for high-risk models. Additionally, the Commission emphasized that the Code provides a practical framework to demonstrate regulatory compliance. Following this endorsement, providers of GPAI models can voluntarily sign the Code, which “will reduce their administrative burden and give them more legal certainty than if they proved compliance through other methods.” Still, signatories should be aware that the Code explicitly states that adherence to the Code does not necessarily constitute evidence of compliance with the EU AI Act.

What is a General-Purpose AI Model?

A GPAI model is a component of an AI system with a wide range of possible uses, whether intentional or unintentional. It is important to note that these models are not systems in themselves but are part of AI systems. Additional elements, like user interfaces, are necessary to make these models fully operational systems. Under Article 3(63) of the EU AI Act, a GPAI model includes those trained on a “large amount of data using self-supervision at scale.”  They can be applied across sectors or tasks, usually without substantial modification, meaning GPAI models “can be integrated into a variety of downstream systems or applications.” Recital 98 of the EU AI Act states that the generality of the model can also be determined by the number of parameters, and “models with at least a billion parameters…should be considered to display significant generality and to competently perform a wide range of distinctive tasks.” GPAI models are sometimes called “foundation” or “frontier” models, and while they may include large language models (LLMs), they can also process audio, physical, textual or visual data, powering systems like DALL-E, GPT-4, Gemini, LaMDA, SEER, ALIGN, and more.

How are general-purpose AI models regulated?

Under the EU AI Act, the chapter on GPAI both addresses generative AI and outlines some of the most stringent requirements under the Act. However, all requirements for GPAI under the EU AI Act are directed to providers as opposed to deployers. Providers of GPAI models have a range of obligations under the EU AI Act, both directly to supervising authorities and onward to AI providers who integrate the GPAI models into their systems.

Obligations of Providers of GPAI Models

If a provider places a GPAI model on the EU market, or integrates such a model into its own AI system on the EU market, it must:
  • Prepare and maintain technical documentation for regulators. This should include at least a general description of the GPAI model, including the tasks it’s designed to perform and the types of systems in which it can be integrated; acceptable use policies; and information on the training process.
  • Prepare and maintain documentation for downstream providers. This should include information that allows the downstream AI system providers to comply with their own obligations under Article 53(1)(b). Similar to the technical documentation, this includes but is not limited to a general description of the model, and a description of its elements and development process.
  • Prepare an EU copyright policy. This policy should establish a means to comply with EU regulations on copyright and related rights.
  • Prepare and publish a summary of training content. Using the template provided by the AI Office, providers of GPAI must share a comprehensive summary of AI training information. This should allow stakeholders to exercise their rights by informing them of the information used to train the GPAI model.
  • Cooperate with relevant authorities and appoint an authorized representative. Providers must also cooperate with relevant authorities, and if they are established outside the EU, appoint an authorized representative located in the EU.
It is notable that under Recital 85, the EU AI Act states that GPAI systems “may be used as high-risk systems by themselves or be components of other high-risk systems.” Therefore, the providers of GPAI systems must work closely with providers of high-risk AI systems to ensure compliance with any requirements for high-risk systems under the Act.

Obligations of Providers of GPAI Models with Systemic Risk

What does “systemic risk” mean?

GPAI models with systemic risk include models that pose reasonably foreseeable negative effects relating to major accidents, disruption of critical sectors, serious consequences to public health and safety, public and economic security, democratic processes, the dissemination of false or discriminatory content, or other similar effects. Under Article 51(1) of the EU AI Act, a GPAI model will be classified as having systemic risk if:
  • It has high impact capabilities, or
  • It is designated by the Commission to have high impact capabilities based on the criteria in Annex XIII (i.e., the number of parameters in the model, the size of the data set, the amount of computation used to train the model, etc.).
What are the additional obligations for these models?

In addition to the requirements for all GPAI models, those with systemic risk have additional obligations related to:
  • Model evaluation, assessment, and mitigation of systemic risks;
  • Incident management and reporting; and
  • Cybersecurity protections and technical documentation.
Because there are differences in the obligations between GPAI systems generally and GPAI systems with systemic risk, this classification procedure should be noted by providers of GPAI systems; it is essential to understand where each GPAI model falls, and what requirements the model has under the EU AI Act. According to Article 52(6), a list of GPAI models with systemic risk will be published and updated by the European Commission, but it has not been published at the time of writing.

What is the General-Purpose AI Code of Practice?

While not legally binding, providers of GPAI models can use the Code of Practice to demonstrate compliance with their obligations under the EU AI Act. The Code consists of three chapters on 1) transparency, 2) copyright, and 3) safety and security. The first two chapters apply to all providers of general-purpose AI models, providing a way to demonstrate compliance with obligations under Article 53 of the AI Act. The final chapter applies only to general-purpose AI models with systemic risk under Article 55 of the AI Act.

Chapter 1: Transparency

Among other things, this chapter requires signatories to create and maintain documentation for all GPAI models distributed within the EU for up to ten years. There are exceptions for models that are free, open-source, and do not pose systemic risk. When completing this documentation, signatories must use a standard Model Documentation Form, which includes information on licensing, technical specifications, training data, and other parameters of the GPAI model. The Code encourages publication of this information to promote transparency.

Chapter 2: Copyright

This chapter requires signatories to create and maintain a copyright policy that complies with the EU’s legal standards. This includes, but is not limited to, ensuring that data collected by web crawling is lawfully accessible, and that certain websites flagged for copyright infringement are avoided. Importantly, signatories must designate a contact for copyright holders to submit complaints, along with a process for handling those complaints.

Chapter 3: Safety & Security (GPAI with systemic risk only)

One of the main elements of this chapter is the requirement for signatories to develop a state-of-the-art Safety and Security Framework before releasing any GPAI model categorized as posing a systemic risk. Additionally, systemic risks should be identified and inventoried, and before progressing with development or deployment, the signatories should weigh the relative risks and determine if they are acceptable, among other requirements.

What’s next?

The Code will be monitored and reviewed at regular intervals by the AI Office, and may be updated in response to emerging risks, technological developments, or incidents involving general-purpose AI models.

CCPA Draft Regulations Sent for Final Approval

On July 24, 2025, the California Privacy Protection Agency (CPPA) board voted 5-0 to finalize Draft Regulations to the California Consumer Privacy Act (CCPA). The CPPA sent the rulemaking package to the Office of Administrative Law, which has 30 days to approve the regulations. The rulemaking process for these Draft Regulations began in 2022, and while the regulations have been narrowed since the prior proposal, the Draft Regulations will significantly impact how companies manage automated decisionmaking technology (ADMT), conduct risk assessments, and implement cybersecurity audits. Additionally, California’s regulatory process requires the CPPA to respond to public comments with its rationale for accepting or rejecting each suggestion. This requirement provides additional context and guidance for interpreting the intent of the Draft Regulations as they go into effect.

What’s New? A Summary of Key Changes

The Draft Regulations contain significant changes from the prior proposal, along with a 9-page explanation of changes. Most notably, the Draft Regulations roll back several of the most highly debated elements, while streamlining and clarifying other requirements:
  • References to “Artificial Intelligence” have been removed, significantly tightening the scope of ADMT systems.
  • First-party advertising has been removed from the ADMT definition, narrowing the requirements that apply to this type of processing.
  • Risk assessments are streamlined, and the scope of the types of data processing activities that trigger risk assessments has been narrowed.
  • Cybersecurity audits are clarified, and the CPPA included a “cybersecurity audit report” which should be produced during the audit process.

ADMT: Narrower Definition, Clearer Application

The Draft Regulations significantly narrow the scope of ADMT systems. Previously, ADMT systems included any technology that “substantially facilitated” human decisionmaking. Now, the Draft Regulations limit ADMT to systems which “substantially replace” human decisions. In practical terms, this may mean that only technologies which operate without human review or override fall under the ADMT rules. Importantly, the CPPA also removed first-party behavioral advertising from the definition of ADMT. Previously, businesses raised strong concerns that including this category within the ADMT definition would impose unnecessary burdens on common advertising practices. Businesses also voiced that including first-party behavioral advertising in the definition of ADMT went beyond Proposition 24, which provides the basis for amending the CCPA.

Risk Assessments: Who, What, and When?

While risk assessments remain a key part of the Draft Regulations, the CPPA has refined when they apply and what they must include.

Who Needs to Conduct a Risk Assessment?

Under the Draft Regulations, covered businesses that fall under the California Consumer Privacy Act (CCPA) “whose processing…presents significant risk to consumers’ privacy” must conduct a risk assessment. However, the newest version of the Regulations narrows what processing activities present “significant risk.” These activities include but are not limited to:
  • Selling or sharing personal information, which may require specific contractual obligations per the CCPA and current CCPA Regulations.
  • Processing sensitive personal information, as defined in the CCPA, including financial information, precise geolocation, health information and children’s personal information.
  • Using automated decisionmaking technology for a “significant decision” concerning a consumer, including those that impact availability of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.
  • Using automated processing to profile a consumer through systematic observation when the individual is acting as an educational program applicant, job applicant, student, employee, or independent contractor for the covered business.
  • Using automated processing to profile a consumer based on their presence in a sensitive location, including healthcare facilities, domestic violence shelters, food pantries, housing/emergency shelters, educational institutions, political party offices, legal services offices, union offices, and places of worship.
  • Using personal information to train AI that could be used to make significant decisions concerning consumers, or to train facial- or emotional-recognition or other technology that verifies a consumer’s identity or conducts physical or biological identification or profiling of a consumer.
While these risk assessments no longer apply to the previous expanded version of ADMT, they will apply to processing if the technology substantially replaces human decisionmaking for “significant decisions.” For example, if a covered business videotapes job interviews and uses AI to determine who to hire without human involvement, the covered business must conduct a risk assessment because of its use of ADMT for a significant decision concerning the consumer.

What is Required for a Risk Assessment?

As part of an effort to streamline and clarify the risk assessments required under the Draft Regulations, the CPPA defined a “risk assessment report” as the document that every covered business is required to create upon conducting the assessment. The CPPA provides a newly articulated goal for risk assessments: “[R]estricting or prohibiting the processing of personal information if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.” Additionally, the addition of the risk assessment report and changes in requirements may ease compliance efforts. To complete a risk assessment, a covered business should document, among other things:
  • The purpose of processing, the types of data involved, and any sensitive categories of personal information.
  • How the business plans to use the data, or otherwise collect, disclose or process the information, along with the retention period for the information.
  • How the business interacts with consumers, and whose data they process, along with the number of consumers whose information will be processed.
  • The disclosures made to consumers, and any other disclosures that the covered business plans to make, along with the names of service providers, contractors, or third parties to whom the information will be disclosed and the purpose for that disclosure.
  • The benefits, negative impacts, and safeguards of the planned processing.
  • Whether or not the business will initiate the processing subject to the risk assessment.
  • The individuals who provided information, as well as who the document was reviewed and approved by.
If a covered business is using ADMT, the business must also identify:
  • The logic of the ADMT, including any assumptions or limitations of the logic; and
  • The output of the ADMT and how the covered business will use that output to make a significant decision.
The CPPA also clarifies that the risk assessment process may include involvement by external parties. Finally, a covered business must submit the following risk assessment information, among other things, to the Agency:
  • The business’s contact information, the information of the person submitting the assessment, and the date of certification.
  • The time period covered by the submission, and the number of risk assessments conducted or updated during that time.
  • Whether the risk assessments involved the processing of each of the categories of personal information identified in the CCPA.
  • A specific attestation, made under penalty of perjury, which certifies that the business conducted a risk assessment for the processing activities involving significant decisions.
The individual submitting the information to the Agency must be a member of the covered business’s executive management team who: 1) is directly responsible for the business’s risk assessment compliance; 2) has sufficient knowledge to provide accurate information regarding the assessment; and 3) has the authority to submit the assessment information to the Agency. In addition, the Agency or Attorney General may require a covered business to submit its risk assessment reports at any time, within 30 days of the request.

When Should Risk Assessments Be Conducted?

According to the Proposed Rules, a covered business must conduct and document a risk assessment before beginning any processing activities that present a significant risk to consumers’ privacy. At least once every three years, the covered business must review and update its assessment. The covered business must also update a risk assessment whenever there is a material change relating to the processing activity, no later than 45 days from the material change. The covered business must retain its risk assessments, including original and updated versions, for as long as the processing continues or for five years after the completion of the risk assessment, whichever is later.

What if I Have Already Conducted a Risk Assessment?

There have been significant changes to the Draft Regulations regarding how covered businesses can use comparable assessments to satisfy the risk assessment criteria. New additions provide that a covered business may use a risk assessment that it has prepared for another purpose, provided that the assessment contains or is paired with all the required information to meet the Proposed Regulations’ requirements.

Cybersecurity Audits: Who, What, and When?

Among the added definitions is the “cybersecurity audit report,” the document that covered businesses must create as part of the cybersecurity audit. Similar to changes regarding risk assessments, this inclusion was part of the streamlining and clarification efforts of the CPPA. The scope and requirements of the cybersecurity audit, and the resulting audit report, have also been modified.

Who Needs to Complete a Cybersecurity Audit?

According to the Draft Regulations, every covered business whose processing of information presents a “significant risk” to consumers’ security must complete a security audit. While this language is similar to the requirements of the risk assessment, “significant risk” is defined slightly differently in the context of a cybersecurity audit. According to the Draft Regulations, a “significant risk” that warrants a cybersecurity audit includes but is not limited to covered businesses which:
  1. Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information; or
  2. Had a gross annual revenue of $25M in the preceding calendar year (adjusted for inflation), and
    1. Processed the information of 250,000 or more consumers or households in the last year; or
    2. Processed the sensitive information of 50,000 or more consumers in the last year.
Covered businesses that are required to complete a cybersecurity audit must do so using a “qualified, objective, independent professional (‘auditor’) using procedures and standards accepted in the profession of auditing.” This audit may be internal or external to the covered business, but a qualified auditor must have knowledge of cybersecurity and know how to audit a business’s cybersecurity program, according to the changes in the Draft Regulations.

What Should the Cybersecurity Audit Assess?

Initially, the cybersecurity audit must assess how the covered business’s cybersecurity program protects personal information against unauthorized access, destruction, use, modification and disclosure, as well as how the program protects against unauthorized activity resulting in the loss of availability to that information. The cybersecurity audit must also assess the strength of a covered business’s cybersecurity program across areas such as, but not limited to:
  • Authentication and encryption;
  • Access control and account management;
  • Software and hardware inventories;
  • Patch and configuration management;
  • Network security, antivirus, and antimalware;
  • Incident response and business continuity;
  • Vendor oversight;
  • Data retention and disposal; and
  • Employee and contractor training.
The covered business’s auditor must also create a detailed cybersecurity audit report, documenting:
  • What was assessed and why. The report should describe the processes, activities, and components of the business’s cybersecurity program, the criteria used for the audit, along with the specific evidence examined to make decisions and assessments.
  • Evidence reviewed. The report must also include why these elements were appropriate for the audit, and how the evidence examined supports the findings.
  • Gaps or weaknesses found. The report should describe, in detail, the status of any gaps or weaknesses and any additional components that the auditor deemed to increase the risk of unauthorized activity. The report should also document the business’s plan to address these gaps and/or weaknesses.
  • Auditor information and certification. The report should also include the auditor’s information, as well as a statement by the highest-ranking auditor that certifies that they completed an independent review of the business’s cybersecurity program and information system, exercised objective and impartial judgement on all issues within the scope of the audit and did not rely primarily on assertions or attestations by business management to create the audit.
When Should Cybersecurity Audits Be Conducted?

The final determination of when a covered business must conduct their first cybersecurity audit is based on the business’s annual gross revenue. If a business meets the audit thresholds, it may be time to start thinking about a compliance plan. First audit reports will be due:
  • April 1, 2028, for covered businesses with over $100 million in gross annual revenue;
  • April 1, 2029, for covered businesses with $50 million to $100 million in gross annual revenue; and
  • April 1, 2030, for covered businesses with under $50 million in revenue.
Each audit must cover the previous calendar year from January to January, with reports completed within the following three months.

What if I Have Already Conducted A Cybersecurity Audit?

As with the risk assessment, a covered business may use a cybersecurity audit, assessment, or evaluation that it has prepared for another purpose – provided that the audit meets all the requirements of the Draft Regulations, on its own or through supplemental information. The Draft Regulations provide, as an example, that a covered business may use the NIST Cybersecurity Framework 2.0 “and meets all the requirements of this Article.”

What Comes Next?

On July 24, 2025, the CPPA sent the rulemaking package to the Office of Administrative Law, which has 30 days to approve the regulations. The CPPA’s Draft Regulations signal a more measured approach to emerging technologies, such as AI. Still, these Draft Regulations carry out the CPPA’s mandate to issue regulations, reinforcing the agency’s commitment to privacy and security. For executives, the potential adoption of the Draft Regulations could be a strategic inflection point: Whether they are responsible for legal, compliance, data governance or information security, these Draft Regulations should prompt a reassessment of data practices, internal documentation and audit readiness. The publication of these Draft Regulations is also an opportunity to engage more deeply with operational teams. These rules will require clear cross-functional coordination, and organizations that begin building these bridges sooner will be better positioned to meet regulatory expectations and reinforce consumer trust in coming years.

Compliance Deadlines:

Compliance with these Draft Regulations will be required once they are approved by the Office of Administrative Law. The deadlines include:
  • ADMT Regulations: January 1, 2027
  • Privacy Risk Assessments: December 31, 2027
  • Cybersecurity Audits:
    • For businesses with $100+ million in annual gross revenue: April 1, 2028.
    • For businesses between $50 million and $100 million in annual gross revenue: April 1, 2029.
    • For businesses with less than $50 million in annual gross revenue: April 1, 2030.

Overview of New York’s Child Data Protection Act

In June 2024, New York Governor Kathy Hochul signed the New York Child Data Protection Act (Act) into law, which will go into effect on June 20, 2025. Per the Act’s justification, “[c]hildren now live much of their lives online,” including learning, socializing, and shopping. They also “make mistakes online, and they discover who they are online,” and, accordingly, they should be able to do so without the “concern of omnipresent monitoring and recording.” The Act enables this through two major provisions:
  1. if a digital service knows a user is a minor (or if the service is primarily directed to minors), it will “default to only being able to use that child’s data in a way that is strictly necessary to provide the service;” and
  2. digital services using third-party service providers must “contractually restrict those third parties from using the personal data of minors except for specified purposes” and include additional safeguards to help ensure compliance.
The Office of the New York State Attorney General has also released Implementation Guidance to clarify key questions raised in the rulemaking process.

Scope & Applicability

This Act applies only to conduct occurring in the state of New York. This means that commercial conduct that takes place outside of New York is not covered by the Act if: 1) the user was outside of the state or 2) no data collected while the user was in the state was used.
  • Covered Users. The Act imposes restrictions on processing information of “covered users.” This includes users of websites, online services, or connected devices (the “Websites”) who are: 1) actually known by the operator to be a minor (under 18), or 2) who are using Websites primarily directed to minors.
  • Operator. An operator is defined as any person who offers Websites, who alone – or jointly with others – controls the purposes and means of processing personal data. Notably, one who acts as both a controller and processor shall comply with obligations for both roles, depending on the purposes and means of processing personal data.
  • Personal data. This definition includes any data that identifies or could be reasonably linked, directly or indirectly, with a specific natural person or device.

Substantive Provisions

Processing Restrictions. The Act provides that, among other things, an operator shall not process the personal data of a covered user collected through the Websites, unless one of the following applies:
  1. the user is 12 or younger, and processing is permitted under COPPA;
  2. the user is 13 or older and the processing is “strictly necessary”; or
  3. the user is 13 or older and the processor has received informed consent.
Strictly Necessary Processing. The term “strictly necessary” includes, among other things, processing that is required to:
  • Provide or maintain a specific product or service requested by the covered user;
  • Conduct the operator’s internal business operations (excluding those that relate to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the Websites when they are not in use); and
  • Identify and repair technical errors that impair functionality.
According to the Implementation Guidance, processing that is “strictly necessary” to provide a product or service requested by a covered user depends on the “expectations of a reasonable covered user,” similar to the guidance provided under the CCPA regulations. The Guidance also clarifies that business operations “shall not include any activities relating to marketing, advertising, research and development, [or] providing products or services to third parties.”
Informed Consent. If the information being processed is not “strictly necessary,” the operator will need informed consent, through either: 1) a device communication or signal, or 2) an informed consent request. A request for informed consent should, among other things:
  1. be made separately from any part of the transaction.
  2. clearly and conspicuously state that the processing is not strictly necessary, and consent is not mandatory to continue using the Websites.
  3. clearly present an option to refuse to provide consent as the most prominent option.
Additionally, the user should be able to revoke consent at any time as easily as they provided it.

Enforcement

The New York Attorney General may bring an action or special proceeding to enjoin any violation of this Act, and to obtain civil penalties of up to $5,000 per violation. Further, the Act gives the New York Attorney General authority to issue rules and regulations as necessary, and according to the Implementation Guidance, the Office of the Attorney General intends to issue these rules. The Implementation Guidance also states that, until such rules are finalized, the Office of the Attorney General will exercise discretion in pursuing enforcement actions, taking good-faith compliance efforts of covered businesses into account.

Effective Date

The Act goes into effect on June 20, 2025.