Recent court rulings in California Invasion of Privacy Act (CIPA) cases may signal that judges are more skeptical about what counts as an actual injury under violations of the statute, said privacy lawyers: That could lead to more decisions in favor of businesses over plaintiffs. However, the lawyers said there's a long way to go before a definitive ruling is made.

Privacy experts said they’re closely watching how a direct relationship is defined in California Privacy Protection Agency draft rules for the Delete Request and Opt-Out Platform (DROP), an upcoming data deletion mechanism required by the California Delete Act. The CPPA last week posted draft rule changes to data broker registration rules (see 2502270066). The board is scheduled to weigh the draft and get a DROP update from staff at its meeting Friday.

Privacy Daily is providing readers with the top stories from last week, in case you missed them. All articles can be found by searching on the title or by clicking on the hyperlinked reference number.

The U.S. District Court for Western Washington partially dismissed a class-action complaint Tuesday claiming that a hospital violated the Health Insurance Portability and Accountability Act (HIPAA) and other laws. Plaintiffs alleged that Overlake Hospital Medical Center implemented the Facebook Tracking Pixel and other browser plugins on its website, then disclosed website users' information to third parties, including Facebook and Google, without consent, in violation of HIPAA and the center's privacy policies.

The Consumer Financial Protection Bureau’s proposed data broker rule exceeds the CFPB's authority under the Fair Credit Reporting Act (FCRA), tech and open finance groups told the agency in comments this week (see 2503030069).

A Maryland Democrat and state retailers rallied for a bill that would remove teeth from data minimization rules in the Maryland Online Data Privacy Act (MODPA) during a livestreamed hearing Tuesday. But consumer groups lambasted HB-1365, as they did shortly after it was introduced last month (see 2502100032), arguing that it would gut the privacy law that takes effect Oct. 1.

Washington state bills requiring privacy and AI transparency are apparently dead after missing a Friday cutoff to clear fiscal committees in the legislature. However, child privacy bills in the House and Senate cleared their respective fiscal committees in time.

Senate Republicans expect a straightforward path to confirming FTC nominee Mark Meador, which would allow the commission’s Republican majority to act on two privacy rulemakings.

Maryland should create an AI working group instead of passing high-risk AI legislation modeled after Virginia’s potential AI law, tech industry representatives told Maryland’s Senate Finance Committee on Thursday.

Vermont Rep. Monique Priestley (D) criticized a comprehensive privacy bill introduced Thursday in the state Senate. Sen. Thomas Chittenden (D) introduced S-93 on the same day that the Senate Institutions Committee started walking through the Senate version (S-71) of Priestley’s previously introduced H-208, which also seeks a broad data privacy law (see 2502130013).