U.S. Senate Introduces the Health Information Privacy Reform Act
On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to certain health information collected by entities not currently regulated by HIPAA. HIPRA also proposes modifications and calls for guidance related to certain existing provisions of HIPAA as well as Part 2 (related to substance use disorder medical history).
Natalie Maas
Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.
Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.
California Attorney General Announces $530,000 CCPA Settlement with Sling TV
On October 30, 2025, California Attorney General Bonta announced a $530,000 settlement related to allegations that Sling TV, an internet-based live TV service, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law. This is the first enforcement action arising from the California Department of Justice’s (“DOJ”) investigative sweep of streaming services and connected TVs, which was announced in January 2024.
California Privacy Agency Fines Tractor Supply $1.35 Million Over CCPA Violations
On September 30, 2025, the California Privacy Protection Agency (“Agency”) announced a decision and $1.35 million fine to resolve allegations that Tractor Supply Co. (“Tractor Supply”) violated the California Consumer Privacy Act (“CCPA”). The settlement comes after the Agency filed a petition to enforce an investigative subpoena against Tractor Supply. In addition to imposing the Agency’s largest fine to date, the settlement also marks the Agency’s first enforcement action related to job applicant personal data. Similar to the enforcement actions against American Honda Motor Co., Inc. and Todd Snyder, Inc., the Agency continues to focus on how businesses facilitate consumer rights under the CCPA.
Congress Introduces Neural Data Bill
On September 24, Senate Democratic Leader Chuck Schumer (D-N.Y.), Senator Maria Cantwell (D-Wash.), and Senator Ed Markey (D-Mass.) introduced the Management of Individuals’ Neural Data (“MIND”) Act of 2025, which would require the Federal Trade Commission (“FTC”) to conduct a study and provide a report examining the governance of “neural data” under existing law and identify additional areas for federal regulation. The bill would also require the Office of Science and Technology Policy (“OSTP”) to issue guidance regarding federal agencies’ use of certain neurotechnology.
California Attorney General Announces $1.55M CCPA Settlement with Healthline.com
On July 1, 2025, California Attorney General Bonta announced a $1.55 million settlement, pending court approval, related to allegations that Healthline.com, a website where consumers can read informational articles about medical and health topics, violated the California Consumer Privacy Act (“CCPA”) and the California Unfair Competition Law.
Multiple States Enact Genetic Privacy Legislation in a Busy Start to 2025
Since the beginning of 2025, there has been a flurry of bills introduced at the state and federal level related to genetic privacy, which follows a similar trend over the past several years. These bills have focused on a range of issues, including general genetic privacy, national security implications of “foreign adversaries” accessing genetic information, the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, and the transfer of genetic data as part of bankruptcy proceedings, among others. We summarize a subset of such bills moving through state and federal legislatures below.
State Legislation
Montana SB 163
On May 1, the Montana governor signed SB 163 to amend the state’s Genetic Information Privacy Act (“MT GIPA”), which was originally enacted in 2023. Effective October 1, 2025, there will be several changes to the law, including:
- Creating Deidentification Exemption: The original version of MT GIPA did not contain an express exemption for deidentified data. SB 163 amends the law to include an express exemption for the use of deidentified genetic data for certain research purposes. Specifically, SB 163 includes an exemption for “deidentified genetic data obtained from a third party to the extent that the data is used to conduct internal, medical, or scientific research.” The deidentification standard is similar to the standard adopted under many comprehensive state privacy laws and other state DTC genetic privacy laws.
- Waiver of Certain Rights in the Clinical Trial Context: The law provides that consumers’ rights to access and delete data, destroy samples, and revoke consent must be waived in a limited context related to the collection of genetic data as part of a clinical trial if certain conditions are met, including prescriptive requirements for consent. Specifically:
  - The relevant entity generally must obtain express and informed written consent for participation in a clinical research trial, including the collection and use of any genetic data, which must, among other things, be in accordance with the good clinical practice (“GCP”) guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use and include the entity’s biological sample and data retention, sharing, and use policies.
  - The biological sample and genetic data must be utilized for clinical research purposes only.
SB 163 states that these requirements are meant to “supersede all exceptions to, and waivers of” informed consent pursuant to the federal Common Rule. However, it is not clear how this new limited exemption is meant to interact with the existing exemption for entities that are engaged in collecting, using, or analyzing genetic data or biological samples in the context of scientific or clinical research with express consent of the individual and in accordance with human subject research frameworks, including GCP, the federal Common Rule, or FDA’s human subjects research regulations at 21 C.F.R. parts 50 and 56.
California Passes Law to Protect Minors from “Addictive Feeds”
On September 20, 2024, California Governor Newsom signed into law SB 976, the Protecting Our Kids from Social Media Addiction Act (the “Act”). The Act defines and prohibits an “addictive internet-based service or platform” from providing an “addictive feed” to a minor unless the platform has previously obtained verifiable parental consent. The Act will take effect on January 1, 2025, and the California Attorney General will promulgate regulations on age assurance and parental consent by January 1, 2027. This post summarizes the law’s key provisions. The law includes several technical definitions and exceptions, which are explained at the end of this post.
Louisiana Bans Targeted Advertising to Minors on Social Media Platforms
On June 18, 2024, Louisiana enacted HB 577, prohibiting “social media platforms” with more than 1 million users globally from displaying targeted advertising to Louisiana users that the platform has actual knowledge are under 18 years of age and from selling the sensitive personal data of such users. The…