The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues. Although the Agency has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. Discussion
Philip N. Yannella
yannellap@ballardspahr.com | 215.864.8180 | view full bio
As Practice Leader of Ballard Spahr's Privacy and Data Security Group, and Practice Leader of the firm's E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.
Phil regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Phil serves on the advisory board for the ACC Foundation's Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.
California’s Proposed “Delete Act” Would Create a ‘Do Not Sell’ List for Data Brokers
California continues to be at vanguard of data privacy rights. The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians. The law seeks to expand on…
SEC Adopts New Cybersecurity Reporting Rules, Setting Up Various Compliance Challenges
After an extensive comment period, the SEC announced on July 26 that it was formally adopting new rules for public companies governing cybersecurity disclosures. The rules had generated significant backlash from public companies, who criticized the new reporting deadlines for data security incidents as well as the mandatory cyber-risk disclosures the Rules mandate.
Adoption of…
Ruling Delaying Enforcement of CPRA Regulations Raises Complicated Legal Questions
Shortly before the July Fourth holiday, the California Superior Court issued an important, but subtly complex ruling that pushes back the date when the California Privacy Protection Agency (CPPA) may begin enforcing the latest round of privacy regulations. These regulations were finalized in March 2023 and enforce provisions of the California Privacy Rights Act (CPRA)…
The Practical and Legal Complexities of Online Age Verification
One of the most significant trends in privacy law this year has been the surge in online child protection laws in U.S. states. In a recent article for the Cybersecurity Law Report , Ballard Spahr privacy attorneys Phil Yannella, Greg Szewczyk, Tim Dickens and Emily Klode explore the legal and practical complexities associated with these…
EU AI Act Clears Another Hurdle

The European Parliament has approved a revised version of the EU Artificial Intelligence Act (AIA), which appears to be on a path to adoption by the EU later this year. The AIA is the most comprehensive legislation in the world to address the risks associated with the use of artificial intelligence. A final version of…
Texas Adds a Wrinkle to State Privacy Law Patchwork
On May 28, Texas became the sixth state this year to pass a comprehensive data protection law. Although the Texas Data Privacy and Security Act (“TDPSA”) is largely in line with the Virginia Consumer Data Protection Act and other recently passed state privacy laws, it has a few key distinctions that may cause…
Senator Bennet Proposes Federal Commission to Regulate Artificial Intelligence
Following recent Senate testimony in which OpenAI CEO Sam Altman proposed additional Congressional oversight for the development of artificial intelligence (AI), Colorado Senator Michael Bennet has re-introduced the Digital Platform Commission Act, a bill that would enable the creation of a federal agency to oversee the use of AI by digital platforms. The proposed…
Washington State Poised to Pass Consumer Health Privacy Law
The State of Washington appears close to enacting a new law that regulates the privacy of consumer health information. If passed, the new law – the My Health My Data Act (MHMDA) –would take effect March 31, 2024 and apply to non-governmental entities that collect, process, share, or sell health information that can be linked…
Webinar Recording – Artificial Intelligence: An Overview of the U.S. and EU Regulatory Landscape
The emergence of tools like ChatGPT has demonstrated the tremendous business potential for artificial intelligence. At the same time, businesses need to be aware of the growing patchwork of laws and regulations in the U.S. and EU governing the development and use of AI. In this webinar, Ballard Spahr privacy & data security lawyers…