Privacy & Data Security

Service providers often receive or access a customer’s personal information when performing contracted services. In the employment context, service providers may include payroll processors, Human Resource Information System (HRIS) or Applicant Tracking System (ATS) platforms, outsourced IT support, data storage, AI tool providers, or security services.

Under the EU and UK General Data Protection Regulations (GDPR), an employer (data controller)

If 2025 was the year website-tracking claims became impossible to ignore, 2026 is the year those cases began to mature. Courts are looking beyond whether a pixel, cookie, chat tool, or session-replay script was present on a site. Instead, they are focusing more closely on what data was collected, when it was collected, what disclosures users saw, whether consent was

A recent Inc. article highlights an unsettling controversy involving Delve, a Y Combinator-backed compliance startup, and allegations that strike at the heart of how organizations rely on SOC (System and Organization Controls) 2 reports, which evaluate an organization’s internal controls over security, availability, and privacy.

According to the report, a whistleblower investigation alleges that Delve generated fraudulent audit reports, fabricated

When assisting businesses with the commercial aspects of the California Consumer Privacy Act, we advise them that this same law, with “consumer” in its name, also applies to data related to job applicants, employees, contractors, and other California state residents. Some are surprised, but we get to work addressing some nuanced issues, as some CCPA provisions do not neatly

Every so often a law that was passed years ago quietly becomes a present-day compliance reality. Section 24220 of the 2021 Infrastructure Investment and Jobs Act is one of those laws. Tucked into an eleven-hundred-page infrastructure bill with little public debate, the “kill switch law,” as it has come to be known by some, awaits implementing regulations. The law has

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a HIPAA enforcement action against an employer-sponsored group health plan. The action resulted in a payment to HHS of $245,000 and a two-year corrective action plan. While HIPAA enforcement is common in the healthcare sector, actions directly against employer-sponsored group health plans are not

In recent years, many organizations have installed dashcams in their vehicles to improve safety and compliance, reduce costs, and better understand what’s happening in the field. Dashcams can be extremely useful for these purposes, giving organizations visibility into risky driver behaviors and misuse of company property. They can also lower insurance costs and provide valuable evidence in litigation. To provide

A putative class action filed in December 2025 in the U.S. District Court for the Central District of Illinois offers a reminder that AI meeting assistant and transcription tools potentially carry significant legal exposure when organizations deploy them without appropriate governance guardrails in place. It also serves as a reminder to apply strong governance principles when evaluating and deploying these

On March 20, 2026, Oklahoma’s Governor signed Senate Bill (SB) 546, which establishes a consumer data privacy law for the state. Oklahoma’s law takes effect January 1, 2027.

To whom does the law apply?

The law applies to controllers (or processors) operating in the state and handling data for:

  • at least 100,000 consumers; or,
  • at least 25,000 consumers, while

U.S. organizations have long focused on federal requirements governing international data transfers. But a growing wave of state enforcement—particularly in Florida and Texas—signals that regulators are increasingly scrutinizing how companies move sensitive data outside the United States, especially when foreign adversaries may be involved. Recent developments suggest organizations should reassess their data flows, vendor relationships, and ownership structures to understand