CLO Primer

Data privacy has evolved from a compliance checkbox to a strategic business and reputational issue. The CLO is responsible for ensuring that the company's data practices comply with an increasingly complex patchwork of global, federal, and state laws — and that the company is prepared to respond rapidly and defensibly to a data breach. At a tech or healthcare company, this is a full-time domain requiring a dedicated privacy counsel or Chief Privacy Officer reporting to the CLO.

The regulatory landscape in the US has fragmented dramatically. In the absence of a federal comprehensive privacy law, 19+ states now have comprehensive consumer privacy laws effective through 2026, each with different definitions of "personal information," different consent mechanisms, different rights, and different enforcement approaches. California's CPRA (operationalized through the CPPA) remains the gold standard and de facto national floor.

For companies handling health data — including medtech, digital health, and wellness apps — HIPAA creates a separate compliance framework for covered entities and business associates, with specific breach notification requirements and significant civil/criminal penalties. Importantly, not all health data is HIPAA-covered: consumer health apps, employer wellness programs, and wearables typically are not, but they're increasingly subject to FTC enforcement.

The SEC's cybersecurity disclosure rules (effective December 2023) require public companies to report material cybersecurity incidents on Form 8-K within four business days, and to make annual disclosures about cybersecurity risk management and governance in Form 10-K. This creates a direct intersection between cybersecurity and securities compliance that the CLO must manage.

Key Concepts

Reference topics — deep-dive primers coming soon

  • GDPR: lawful basis, data subject rights, DPIAs, SCCs for international transfers, DPA fines
  • CCPA/CPRA: consumer rights, opt-out of sale/sharing, sensitive PI, CPPA enforcement
  • State privacy law matrix: VA, CO, CT, TX, FL, OR, MT — effective dates and variations
  • HIPAA: covered entities, business associates, PHI definition, minimum necessary standard
  • HIPAA breach notification: 60-day rule for covered entities; HHS breach portal
  • SEC cybersecurity disclosure rules: Form 8-K Item 1.05 (material incidents, four business days), Form 10-K
  • FTC Section 5 authority over unfair/deceptive data practices; Safeguards Rule
  • State breach notification laws: 50-state map, notification windows, regulators to notify
  • Privacy program structure: data inventory/mapping, ROPA, vendor management, DSARs
  • Vendor due diligence: DPA/BAA requirements, security questionnaires, audit rights
  • AI regulation: EU AI Act high-risk systems, state AI bills, FTC AI guidance
  • Children's privacy: COPPA, state age-appropriate design codes (CA, TX)
  • Cross-border data transfer mechanisms: SCCs, BCRs, DPF (EU-US)
  • Incident response plan: detection, containment, notification, forensics, post-incident review
  • Data retention and deletion policies — aligning business needs with legal minimization requirements
