Understanding how the latest changes to California privacy law may impact New York companies
Businesses located in and outside of California may be subject to additional obligations pursuant to the California Consumer Privacy Act (CCPA), as amended this year. The amendments include steeper fines for violations of the CCPA and its accompanying regulations. The CCPA amendments also modify existing rights, while additional proposed regulatory changes impose new obligations regarding cybersecurity audit record retention, risk assessment deadlines, and procedures for utilizing automated decision-making technology (ADMT), among other things. This article highlights some amendments of interest that took effect on Jan. 1, 2025, as well as regulatory proposals that may take effect as early as Oct. 31, 2025.
Covered businesses that meet certain threshold revenue and activity requirements, share common branding with a business subject to the CCPA, or have certain business relationships with other companies subject to the CCPA, should pay attention to these amendments, with more on the horizon.
Increased fines
Fines for certain violations increased as follows:
Unintentional violation: Fine increased from $2,500 to $2,663 per violation.
Intentional violation: Fine increased from $7,500 to $7,988 per violation.
Intentional violations involving minors: Fine of $7,988 per violation for those involving minors under 16 years of age.
Civil penalties: Civil penalties for each person per incident range from $107 to $799, whichever is greater.
New obligations of covered businesses
The amendments also modify existing rights of and add obligations imposed on businesses. Those obligations include:
Neural data: This information, generated by measuring activity of the nervous system, is considered 'sensitive personal information.' The same privacy protections afforded to sensitive personal information (e.g., precise geolocation, citizenship, racial or ethnic origin) extend to neural data, including consent to collect or use and complying with requests to delete or opt out of sharing.
Opt-out in mergers: Entities that acquire other businesses through mergers and acquisitions must honor opt-out requests made to the acquired company.
The California Privacy Protection Agency (CPPA), a state agency established to implement and enforce the CCPA, also proposed regulatory changes that would create new obligations on businesses which may take effect later this year:
Audit record retention: A covered business, not just the auditor, must now keep a record of its annual cybersecurity audits for at least five years.
Risk assessment: While no deadline previously existed, covered businesses must now update their privacy risk assessments within 45 days of any material change (that introduces new risks or may weaken personal data protections) in data processing activities.
ADMT: Covered businesses will be required to provide information about their use of ADMT in significant decision-making (e.g., financial services, employment screening, pricing) upon a resident's request. Businesses must also accommodate a resident's appeal of the business's use of ADMT or opt out of ADMT.
The proposed regulatory amendments are subject to change based on comments submitted to the CPPA after the time of writing.
Compliance strategy
Businesses need to determine whether they are subject to the CCPA directly or through entities with which they have business relationships. To assist in this analysis and in developing a compliance program, businesses should consider their data collection, processing and transfer activities, evaluate sufficiency of risk assessment and audit procedures, and review opt-out mechanisms. To assist in this process, experts who are well-versed in these issues and your industry may be particularly helpful.
Anna Mercado Clark, Partner and Chief Information Security Officer at Phillips Lytle, is the Co-Leader of the firm's Technology Industry Team. She can be reached at aclark@phillipslytle.com or 212-508-0466.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Forbes
30-05-2025
- Forbes
Securing The Future: How Big Data Can Solve The Data Privacy Paradox
Shinoy Vengaramkode Bhaskaran, Senior Big Data Engineering Manager, Zoom Communications Inc. As businesses continue to harness Big Data to drive innovation, customer engagement and operational efficiency, they increasingly find themselves walking a tightrope between data utility and user privacy. With regulations such as GDPR, CCPA and HIPAA tightening the screws on compliance, protecting sensitive data has never been more crucial. Yet, Big Data—often perceived as a security risk—may actually be the most powerful tool we have to solve the data privacy paradox. Modern enterprises are drowning in data. From IoT sensors and smart devices to social media streams and transactional logs, the information influx is relentless. The '3 Vs' of Big Data—volume, velocity and variety—underscore its complexity, but another 'V' is increasingly crucial: vulnerability. The cost of cyber breaches, data leaks and unauthorized access events is rising in tandem with the growth of data pipelines. High-profile failures, as we've seen at Equifax, have shown that privacy isn't just a compliance issue; it's a boardroom-level risk. Teams can wield the same technologies used to gather and process petabytes of consumer behavior to protect that information. Big Data engineering, when approached strategically, becomes a core enabler of robust data privacy and security. Here's how: Big Data architectures allow for precise access management at scale. By implementing RBAC at the data layer, enterprises can ensure that only authorized personnel access sensitive information. Technologies such as Apache Ranger or AWS IAM integrate seamlessly with Hadoop, Spark and cloud-native platforms to enforce fine-grained access control. This is not just a technical best practice; it's a regulatory mandate. GDPR's data minimization principle demands access restrictions that Big Data can operationalize effectively. Distributed data systems, by design, traverse multiple nodes and platforms. Without encryption in transit and at rest, they become ripe targets. Big Data platforms like Hadoop and Apache Kafka now support built-in encryption mechanisms. Moreover, data tokenization or de-identification allows sensitive information (like PII or health records) to be replaced with non-sensitive surrogates, reducing risk without compromising analytics. As outlined in my book, Hands-On Big Data Engineering, combining encryption with identity-aware proxies is critical for protecting data integrity in real-time ingestion and stream processing pipelines. You can't protect what you can't track. Metadata management tools integrated into Big Data ecosystems provide data lineage tracing, enabling organizations to know precisely where data originates, how it's transformed and who has accessed it. This visibility not only helps in audits but also strengthens anomaly detection. With AI-infused lineage tracking, teams can identify deviations in data flow indicative of malicious activity or unintentional exposure. Machine learning and real-time data processing frameworks like Apache Flink or Spark Streaming are useful not only for business intelligence but also for security analytics. These tools can detect unusual access patterns, fraud attempts, or insider threats with millisecond latency. For instance, a global bank implementing real-time fraud detection used Big Data to correlate millions of transaction streams, identifying anomalies faster than traditional rule-based systems could react. Compliance frameworks are ever-evolving. Big Data platforms now include built-in auditability, enabling automatic checks against regulatory policies. Continuous Integration and Continuous Delivery (CI/CD) for data pipelines allows for integrated validation layers that ensure data usage complies with privacy laws from ingestion to archival. Apache Airflow, for example, can orchestrate data workflows while embedding compliance checks as part of the DAGs (Directed Acyclic Graphs) used in pipeline scheduling. Moving data to centralized systems can increase exposure in sectors like healthcare and finance. Edge analytics, supported by Big Data frameworks, enables processing at the source. Companies can train AI models on-device with federated learning, keeping sensitive data decentralized and secure. This architecture minimizes data movement, lowers breach risk and aligns with the privacy-by-design principles found in most global data regulations. While Big Data engineering offers formidable tools to fortify security, we cannot ignore the ethical dimension. Bias in AI algorithms, lack of transparency in automated decisions and opaque data brokerage practices all risk undermining trust. Thankfully, Big Data doesn't have to be a liability to privacy and security. In fact, with the right architectural frameworks, governance models and cultural mindset, it can become your organization's strongest defense. Are you using Big Data to shield your future, or expose it? As we continue to innovate in an age of AI-powered insights and decentralized systems, let's not forget that data privacy is more than just protection; it's a promise to the people we serve. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Business Journals
30-05-2025
- Business Journals
Understanding how the latest changes to California privacy law may impact New York companies
Businesses located in and outside of California may be subject to additional obligations pursuant to the California Consumer Privacy Act (CCPA), as amended this year. The amendments include steeper fines for violations of the CCPA and its accompanying regulations. The CCPA amendments also modify existing rights, while additional proposed regulatory changes impose new obligations regarding cybersecurity audit record retention, risk assessment deadlines, and procedures for utilizing automated decision-making technology (ADMT), among other things. This article highlights some amendments of interest that took effect on Jan. 1, 2025, as well as regulatory proposals that may take effect as early as Oct. 31, 2025. Covered businesses that meet certain threshold revenue and activity requirements, share common branding with a business subject to the CCPA, or have certain business relationships with other companies subject to the CCPA, should pay attention to these amendments, with more on the horizon. Increased fines Fines for certain violations increased as follows: Unintentional violation: Fine increased from $2,500 to $2,663 per violation. Intentional violation: Fine increased from $7,500 to $7,988 per violation. Intentional violations involving minors: Fine of $7,988 per violation for those involving minors under 16 years of age. Civil penalties: Civil penalties for each person per incident range from $107 to $799, whichever is greater. New obligations of covered businesses The amendments also modify existing rights of and add obligations imposed on businesses. Those obligations include: Neural data: This information, generated by measuring activity of the nervous system, is considered 'sensitive personal information.' The same privacy protections afforded to sensitive personal information (e.g., precise geolocation, citizenship, racial or ethnic origin) extend to neural data, including consent to collect or use and complying with requests to delete or opt out of sharing. Opt-out in mergers: Entities that acquire other businesses through mergers and acquisitions must honor opt-out requests made to the acquired company. The California Privacy Protection Agency (CPPA), a state agency established to implement and enforce the CCPA, also proposed regulatory changes that would create new obligations on businesses which may take effect later this year: Audit record retention: A covered business, not just the auditor, must now keep a record of its annual cybersecurity audits for at least five years. Risk assessment: While no deadline previously existed, covered businesses must now update their privacy risk assessments within 45 days of any material change (that introduces new risks or may weaken personal data protections) in data processing activities. ADMT: Covered businesses will be required to provide information about their use of ADMT in significant decision-making (e.g., financial services, employment screening, pricing) upon a resident's request. Businesses must also accommodate a resident's appeal of the business's use of ADMT or opt out of ADMT. The proposed regulatory amendments are subject to change based on comments submitted to the CPPA after the time of writing. Compliance strategy Businesses need to determine whether they are subject to the CCPA directly or through entities with which they have business relationships. To assist in this analysis and in developing a compliance program, businesses should consider their data collection, processing and transfer activities, evaluate sufficiency of risk assessment and audit procedures, and review opt-out mechanisms. To assist in this process, experts who are well-versed in these issues and your industry may be particularly helpful. Anna Mercado Clark, Partner and Chief Information Security Officer at Phillips Lytle, is the Co-Leader of the firm's Technology Industry Team. She can be reached at aclark@ or 212-508-0466.
Time Business News
27-05-2025
- Time Business News
Mastering Instagram API: Best Practices for 2025 and Beyond
In the rapidly evolving world of social media technology, staying ahead requires more than just intuition—it demands expertise and an in-depth understanding of powerful tools like the Instagram API. As businesses and developers gear up for 2025 and beyond, mastering this essential interface has become a critical factor in achieving digital success. The Instagram API serves as a vital bridge, enabling seamless integration between Instagram's vast ecosystem and third-party applications. From marketers seeking deeper customer insights to developers building innovative tools, the Instagram API offers a robust platform to harness Instagram's extensive data and functionalities. Understanding the Instagram API: A 2025 Snapshot Before diving into strategies, it's important to grasp what the Instagram API truly entails. This application programming interface allows authorized access to Instagram's features, including content publishing, analytics, and user interaction data. Recent updates have enhanced the API's capabilities, particularly the Instagram Graph API and Instagram Reels API, empowering businesses to leverage video content and engagement metrics more effectively than ever before. With Instagram becoming a hub for short-form video, influencer marketing, and dynamic visual storytelling, the Instagram API now plays a pivotal role in optimizing content distribution and performance tracking. Professionals who master this API position themselves at the forefront of digital marketing innovation. Best Practices for Using the Instagram API in 2025 Effective use of the Instagram API requires adherence to industry-leading best practices. Security stands paramount: proper authentication and authorization protocols safeguard data integrity while ensuring compliance with privacy regulations like GDPR and CCPA. Efficiently managing API requests and respecting rate limits protect your applications from downtime or restrictions, allowing uninterrupted data flow. Leveraging the Instagram Graph API unlocks valuable business insights—tracking follower engagement, content reach, and audience demographics with precision. Meanwhile, the Instagram Reels API enables creators and brands to tap into the burgeoning demand for engaging, short-form video content. Staying updated on API changes and utilizing real-time analytics fosters smarter decision-making and campaign agility. Innovations Shaping the Instagram API Landscape The future of the Instagram API is intrinsically linked to cutting-edge innovations. Artificial intelligence and machine learning advancements are enhancing automated content moderation, facilitating effective social screening to protect communities. Augmented Reality (AR) integration is revolutionizing user experiences, offering interactive filters and immersive brand storytelling directly accessible via API endpoints. Moreover, the growing emphasis on video content requires API capabilities that support creation, management, and detailed analytics of visual media. Businesses leveraging these innovations will gain competitive advantage, building richer engagement strategies that resonate with diverse audiences. Social Screening and Ethical Use of Instagram API In an era of heightened digital responsibility, ethical use of the Instagram API cannot be overstated. Social screening through API-powered monitoring helps detect harmful content, misinformation, and abusive behavior swiftly and efficiently. Combining automated tools with human oversight ensures balanced moderation, maintaining platform safety while respecting user expression. Forward-thinking organizations prioritize transparency and accountability when utilizing API data. This approach not only protects users but also enhances brand reputation and trustworthiness in the digital community. Future-Proofing Your Instagram API Integration Adaptability is the key to longevity. To future-proof your Instagram API integration, adopt modular and scalable development practices. Anticipate upcoming updates by regularly reviewing official API documentation and engaging with developer communities. Continuous learning and proactive adjustments will keep your solutions robust and aligned with Instagram's evolving platform. Brands that successfully navigate API changes demonstrate resilience and thought leadership, setting industry benchmarks and inspiring innovation. Conclusion Mastering the Instagram API is no longer optional—it is an essential skill for businesses, marketers, and developers aiming to thrive in 2025 and beyond. By following best practices, embracing innovation, and committing to ethical usage, professionals can unlock the full potential of Instagram's platform. Staying proactive and informed will ensure sustained growth, meaningful engagement, and long-term success. For those ready to harness the power of the Instagram API, the time to act is now. Stay tuned for more expert insights, and make sure to share this guide with peers who seek to elevate their social media strategies. TIME BUSINESS NEWS
