Skip to content
Photo of David A. Zetoony

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

On April 17, 2023, the Washington State Legislature passed the “My Health My Data Act” (WMHMDA or the Act), which took effect for most companies March 31, 2024. Unlike other modern state privacy laws that purport to regulate any collection of “personal data,” WMHMDA confers privacy protections only upon “consumer health data.” This

  1. Cybersecurity Rules by the SEC and the EU – Both the Security and Exchange Commission’s public company cybersecurity disclosure and breach notification rules as well as the implementation of the EU NIS 2 Directive will drive increased focus from management and the board on cybersecurity risks, preventive measures, and incident response. Expect to see another

On April 27, 2023, Washington’s Governor signed Washington’s My Health, My Data Act (WMHMDA or the Act).* Starting March 31, 2024, most entities subject to the Act will have certain obligations toward “consumer health data,”[1] including providing consumers with the right to access their information, withdraw their consent to certain processing, and request the

Probably not.

Most modern state privacy laws attempt to carve out organizations that process de minimis amounts of personal information, or whose business activities do not monetize data. While the specific thresholds differ between states, many of the new statutes only apply to organizations that control or process personal information relating to at least 100,000

The GDPR allows individuals to request that their information be deleted in the following situations:[1]

  • Organizations must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that organizations may process data based on six alternate lawful grounds.[2] One of these is where a person has given

The right of correction (sometimes called the “right of rectification”) refers to a person’s ability to request that an organization fix any inaccuracies in the personal data it holds about them.[1] Correction is sometimes referred to as an absolute right in the context of the GDPR, because unlike some other rights conferred by the

The right to access refers to a person’s ability to request that a controller confirms whether it has personal data about them and to receive information about the processing and a copy of that information. While the GDPR confers a right of access, this right predates the GDPR and can be found within other EU

Not necessarily. 

Under the GDPR, controllers are required to provide information relating to what personal data they process, and how that processing takes place. 

If the personal data the organization includes in AI prompts has been collected directly from individuals, those individuals should be provided with a copy of the organization’s privacy notice “at the

Under the GDPR, controllers are required to provide individuals with information relating to what personal data is processed, and how that processing takes place. Some supervisory authorities have specifically taken the position that organizations which use personal data to train an artificial intelligence (AI) must draft and publish a privacy notice that provides “data subjects

Data is typically needed to train and fine-tune modern artificial intelligence (AI) models. AI can use data—including personal information—to recognize patterns and predict results.

The GDPR permits controllers to process personal information if one (or more) of the following six lawful processing purposes applies:[1]

  1. Consent. A company may process personal information if it collects