Photo of Natalie Maas

Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.

Contact:Read more about Natalie MaasEmail

On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.Continue Reading Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations

On March 26, 2025, Utah Governor Spencer Cox signed into law SB 142, the App Store Accountability Act (the “Act”), enacting the country’s first state law that requires app store providers to verify the age of all users and places obligations on app developers. An “app store provider” is defined as “a person that owns, operates, or controls an app store that allows users in [Utah] to download apps onto a mobile device.” A “developer” is defined as “a person that owns or controls an app made available through the app store in the state.”

The law goes into effect on May 7, 2025, and the obligations on app store providers and developers are not effective until May 6, 2026. Some key provisions are outlined below.Continue Reading Utah Enacts App Store Accountability Act

On March 5, 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) introduced the federal Genomic Data Protection Act (“GDPA”).  The Senators introduced the same bill at the end of last year, but the bill stagnated, and Congress adjourned soon after.  Notably, as part of his February 2024 white paper, Senator Cassidy specifically called for the regulation of genetic data collected by direct-to-consumer genetic testing companies, pointing to several states that have enacted laws regulating these companies over the past several years.Continue Reading U.S. Senate Introduces Genomic Data Protection Act

On March 13, 2025, the U.S. District Court for the Northern District of California issued an order granting NetChoice’s preliminary injunction against the entire California Age-Appropriate Design Code (CA AADC). The court held that NetChoice is likely to succeed on the merits of its facial First Amendment challenge because CA AADC is content-based, and it likely fails strict scrutiny. It is yet to be seen whether California will appeal; however, this order has the potential to be persuasive in challenges of other AADC-style state laws.Continue Reading District Court Enjoins Enforcement of the California Age-Appropriate Design Code Act

On January 22, the New York state legislature passed the New York Health Information Privacy Act (S929 / A2141) (“NYHIP”). If signed into law, NYHIP would join Washington and Nevada in a growing trend of states regulating consumer health information. Though NYHIP contains many similarities with laws in Washington and Nevada, there are a few unique provisions, as discussed below. Among them, NYHIP applies to “Regulated Health Information” or “RHI” that is defined as “any information that is reasonably linkable to an individual, or a device, and is collected or processed in connection with the physical or mental health of an individual.” Unlike the health privacy laws in Washington and Nevada, NYHIP does not provide an inclusive list of health data.

NYHIP would require regulated entities to obtain a “valid authorization” prior to processing RHI unless such processing is “strictly necessary” for certain enumerated purposes, including providing a product or service requested by the individual or certain limited internal business operations. NYHIP does not clarify what it means for a processing activity to be considered “strictly necessary.”

Where such an authorization is required, a valid authorization must, among other requirements: 

  • Be made at least twenty-four (24) hours after an individual creates an account or first uses the requested product or service; and
  • If multiple categories of processing are involved, provide an ability to “provide/withhold” authorization for each category separately.

Continue Reading New York Legislature Passes Health Privacy Act

On September 20, 2024, California Governor Newsom signed into law SB 976, the Protecting Our Kids from Social Media Addiction Act (the “Act”). The Act defines and prohibits an “addictive internet-based service or platform” from providing an “addictive feed” to a minor unless the platform has previously obtained verifiable parental consent. The Act will take effect on January 1, 2025, and the California Attorney General will promulgate regulations on age assurance and parental consent by January 1, 2027. This post summarizes the law’s key provisions. The law includes several technical definitions and exceptions, which are explained at the end of this post.Continue Reading California Passes Law to Protect Minors from “Addictive Feeds”

On September 26, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS OCR”) announced that it had settled its cybersecurity investigation with Cascade Eye and Skin Centers, P.C. (“Cascade”), a privately-owned health care provider in Washington.  For background, HHS OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, which include the HIPAA Privacy, Security, and Breach Notification Rules (collectively, “HIPAA”).  Among other things, HIPAA requires that regulated entities take steps to protect the privacy and security of patients’ protected health information (“PHI”).Continue Reading HHS OCR Settles Ransomware Cybersecurity Investigation for $250,000

On June 18, 2024, Louisiana enacted HB 577, prohibiting “social media platforms” with more than 1 million users globally from displaying targeted advertising to Louisiana users that the platform has actual knowledge are under 18 years of age and from selling the sensitive personal data of such users. The law amends the effective date of the state social media law, the Louisiana Secure Online Child Interaction and Age Limitation Act (“the SOCIAL Act”), to July 1, 2025. HB 577 also will take effect on July 1, 2025. This post summarizes the law’s key provisions.Continue Reading Louisiana Bans Targeted Advertising to Minors on Social Media Platforms

Last month, the Federal Trade Commission (“FTC”) announced its enforcement action against telehealth firm, Cerebral, Inc. (“Cerebral”), for its alleged unauthorized disclosures of consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes in violation of the FTC Act.  The complaint also alleges that Cerebral violated the Opioid Addiction Recovery Fraud Prevention Act (“OARFPA”), and the Restore Online Shoppers’ Confidence Act (“ROSCA”), which permits the court to order permanent injunctive relief, civil penalties, and other monetary relief for actions in violations of specific sections of the FTC Act, the OARFPA, and the ROSCA.  According to the proposed order, Cerebral must pay more than $7 million in civil penalties and consumer refunds.  In addition, Cerebral will be banned from using or disclosing consumers’ personal and health information (including online identifiers, such as IP addresses or other persistent identifiers) for advertising and must obtain consumers’ affirmative express consent before disclosing such information to outside parties.

Below is a discussion of the complaint and proposed order.Continue Reading FTC Announces Health Privacy Enforcement Action Against Telehealth Company, Cerebral