
Good Morning Everyone,
California privacy rule-making and enforcement kept the spotlight this week while two large healthcare providers reminded us—again—that third-party and email risks can quickly snowball into major breaches. The CPPA’s revamped CCPA regulations (and a related bundle of privacy bills) promise lighter first-year costs but tighter oversight on automated decision-making and cybersecurity audits. At the same time, a national retailer’s $345 K fine shows that broken consent flows are costly, and an ambitious reform bill aims to dial down California’s pixel-tracking litigation boom. Rounding things out, Ascension disclosed four vendor-driven breaches, and Onsite Mammography confirmed that a single compromised mailbox exposed 357 K patients. The common thread: whether it’s vendors, pixels, or inboxes, weak links invite both regulators and attackers. Dive into the details below:
Regulatory Updates
CCPA Rulebook Remix Heads Back to Public Comment
On May 1 the CPPA board voted to circulate a heavily revised draft of the CCPA regulations: the term “artificial intelligence” is stripped out, cybersecurity audits will phase in over three years, and “Automated Decision-Making Technology” now covers only tools that “substantially replace human decision-making.” Staff estimate the makeover could shave 66 % off first-year compliance costs; comments close June 2, with a final package slated for November 2025. Learn more at Clark Hill
Privacy Bill Bundle Gains CPPA Support
The board also threw its weight behind four bills that would tighten data-handling rules on multiple fronts: AB 1355 (location tracking), SB 44 (neural data), SB 361 (data-broker transparency) and SB 468 (security duties for high-risk AI). If legislators adopt staff-requested tweaks giving the CPPA direct enforcement powers over SB 468, businesses processing sensitive data should brace for another regulatory watchdog. Learn more at Clark Hill
CIPA Reform Advances as Courts Cool to Pixel Lawsuits
Senate Bill 690 cleared the Public Safety Committee on Apr 29 and would exempt routine “commercial business purposes” from California’s 1960s-era wiretap law—potentially defanging the recent wave of pixel-tracking suits and applying retroactively. Courts are already leaning that way: two SDNY cases were tossed for lack of concrete harm, and the Northern District of California granted summary judgment in Torres v. Prudential after finding no “in-transit” interception by a session-replay vendor. Learn more at Clark Hill
Enforcement Actions
CPPA Enforcement Action — Opt-Out Glitch Costs a Retailer $345 K
A national clothing chain learned that vendor oversight is non-negotiable when the CPPA fined it $345,178 after a misconfigured privacy portal blocked cookie opt-outs for 40 days and forced shoppers to hand over extra ID. The order stresses that delegating consent management to third-party tools offers zero shield if you don’t test and monitor them yourself. Learn more at Clark Hill
Data Breach Notices
Ascension hit by a string of vendor incidents
In separate disclosures, the 140-hospital system revealed four 2024-era breaches tied to former business partners: Missouri law firm SAKG, telehealth provider Access TeleCare, and wound-care vendor Restorix Health. Impacted data ranges from demographics and Social Security numbers to clinical details; one incident alone affected patients across five states. Ascension says no internal systems were compromised but is “implementing enhanced measures” to curb future vendor risk. Learn more at TechTarget
Onsite Mammography mailbox hack exposes 357 K patients
A phishing email let an attacker slip into one employee’s inbox last October, and a months-long review has now confirmed that 357,265 patients had PII and PHI swept up—including SSNs, driver’s-license and credit-card numbers, plus detailed medical data. The imaging provider says no other systems were touched and is offering a year of free credit monitoring; investigators see no misuse so far, but the incident spotlights how a single unprotected mailbox can become a major breach. Learn more at Security Week
Closing Thoughts
This week underscores a three-part checklist for every covered entity and business associate: (1) track the fast-moving CCPA/CIPA landscape—draft rules, bills, and fines signal where regulators will look next; (2) harden consent portals, pixels, and other “small” web assets that can leak data at scale; and (3) treat every mailbox like a crown-jewel system, with phishing controls and continual monitoring. Third-party diligence and tech hygiene are no longer optional buffers—they’re frontline defenses against both lawsuits and headlines.
Stay vigilant and stay secure!