Photo of Niloufar Massachi

Niloufar Massachi

Contact:Read more about Niloufar Massachi

Until late August 2023, California’s data protection law, the California Consumer Privacy Act, or “CCPA,” only provided for future rulemaking on automated decision-making, including profiling, on risk assessments, and on cybersecurity audits. However, during a board meeting it held this past Friday, September 8th, the California Privacy Protection Agency (“CPPA” or “Agency”), which shares enforcement authority of the CCPA with the California Attorney General, discussed a new set of draft regulations (“Regs”) it released for Agency discussion purposes in late August 2023. While not yet part of the official rulemaking, the draft and the discussions around it provides direction on its upcoming rulemaking on these topics. We will refer to the draft and related commentary as the “Roadmap.” Most notably, the Roadmap proposes that condensed versions of assessments and audits completed by businesses pursuant to their CCPA obligations be filed with the CPPA and sets forth detailed obligations surrounding such assessments and audits. The implication of this is that it may become obvious to the Agency which companies are or are not conducting assessments or audits and thus complying with their CCPA obligations. It may also provide the Agency an easily accessible way to review the evaluate businesses’ practices, especially with regard to higher risk processing activities. Furthermore, the Agency’s Roadmap suggests assessment requirements that not only incorporate, but exceed, what is required in the Colorado regulations, including risk / harm assessments of any monitoring of personnel or students, or monitoring of consumers in public places. We will be co-hosting a webinar with Ankura to take a deeper dive into what companies should be doing regarding assessments and audits. Register here to join us on October 18 to learn more.

Continue Reading California’s Potential Approach to Regulations on Risk Assessments and Cybersecurity Audits Could Be a Game Changer

Part 1 of How to Approach DPAs in view of Final CCPA Regs: A Series

This is the first in our series of blog posts on top considerations for approaching data processing terms required under the state privacy laws that have, or will, come into effect this year, namely the California Consumer Privacy Act, as

Join SPB’s Kyle Fath and Niloufar Massachi for a timely webinar hosted by the Association of National Advertisers (ANA) on Tuesday, March 14 at 1 PM EST (10 AM PST).  The ANA program will offer an engaging discussion on navigating unique compliance challenges in the digital advertising ecosystem.

Key areas of focus will include:

  • Analysis

In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

Continue Reading Malcolm Dowden and Niloufar Massachi Discuss Vendor Contracting Requirements Under New US Privacy Laws and the GDPR

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

Continue Reading HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail

Regulations governing biometric data collection, use, and processing have already been complex and strict with the Illinois’ Biometric Information Privacy Act (“BIPA”) as well as the biometrics laws in Washington and Texas. BIPA, which has a private right of action, has generated a flood of class action litigation. New York City has recently added to the mix by passing two new biometrics laws, the Tenant Data Privacy Act (“TDPA”) and an amendment to the New York City Administrative Code (“NYC Administrative Code”), both of which set forth requirements when it comes to processing of biometric data that expand consumers’ rights and impose obligations on processing biometric data.

Continue Reading New Laws on Biometric, RFD and Other “Sensitive” Data Collection and Use