Some technology articles age well. Here’s one on the HIPAA Security Rule: https://www.stoelprivacyblog.com/2025/01/articles/hipaa/a-deeper-dive-into-the-proposed-modifications-to-the-hipaa-security-rule/. The proposed modifications to the HIPAA Security Rule, published in the Federal Register on January 6, 2025, are still not in final form. The final action is expected next month. Once in final form, I will publish another article. As the HIPAA Security Rule has not been updated since 2013, it is quite likely that the resulting article will be relevant for quite some time.

Our article on data broker privacy compliance (https://www.stoel.com/insights/publications/data-broker-privacy-compliance-our-top-5-list) is still relevant, and the topic itself is perhaps even more timely because data brokers in California are required to access (and to start actioning deletion requests) DROP (Delete Request and Opt-Out Platform) starting August 1, 2026. Just this morning I heard a message from CalPrivacy (otherwise known as the California Privacy Protection Agency) about DROP on my drive to work. Last week, I saw a postcard from a member of the California Assembly informing constituents about DROP. 566 data brokers are listed on the California Data Broker Registry. As of January 26, 2026, per CalPrivacy, more than 176,000 Californians had registered for DROP. In a press release issued by the California Attorney General on February 18, 2026, CalPrivacy stated that more than 225,000 California residents had signed up for DROP. It seems that DROP is resonating with California consumers. Also, other state legislatures appear to be following suit, with a DROP-like bill in Vermont (HB 211), for example, currently under consideration by the Senate Committee on Economic Development, Housing and General Affairs. Notably, however, the bill passed by the House replaces an accessible deletion mechanism mandate with the authorization of a study regarding the said mechanism. Put otherwise, California may still be considerably ahead of the curve. 

Here’s another, more recent one, on securing agentic AI: https://www.stoelprivacyblog.com/2026/02/articles/ai/securing-and-contracting-agentic-ai/. This one, from February 2026, may be somewhat ahead of the curve. Fast forward six, twelve, or possibly even more months, and more than likely this article will be timely.

Beyond those few, it’s hard to tell which technology law articles will age well, which will become or continue to be the signal, and which will quickly become the noise. Similarly, it’s hard to tell which technologies will enter the mainstream, and when and whether any of them will create new legal issues, strain existing legal frameworks, or require the development of new paradigms. Case in point: artificial intelligence. I taught a Technology Transactions Law course in Spring 2019. During our first class, we discussed an article on how AI may impact the workforce and, specifically, what AI might mean for the practice of law. In retrospect, this was quite prescient. I had worked on deals involving machine learning technologies, certainly cutting edge for that time. I had also done a fair amount of data licensing, so the course reader included materials on that as well. I, and likely most, did not anticipate the generative AI explosion that followed several years later. It was time to retool, which was precisely the point of the AI article that we discussed in January 2019. The retooling cycle has only accelerated, which is exciting, but also daunting.

It is axiomatic that the Internet lives forever. Unsurprisingly, a cloud computing article that I authored in 2010 is still available online. The technology, and my thinking on the legal risks and opportunities, have evolved, but the article is still there for anyone to read, I hope with a grain of salt. The website does state that the article is more than ten years old, an eternity in the world of cloud computing, and a considerably longer period in the still-nascent world of artificial intelligence. To be sure, change is good. We just need to be honest with ourselves and humble.

While some technology law articles are still relevant long after they are published, others, especially on legislative updates, and in particular on bills in the California legislature have a much shorter shelf life. We are in the homestretch of the current two-year session cycle, with August 31, 2026, as the deadline for passing proposed bills. Some bills start off strong but then hit a wall. After being passed by the Senate, SB 690 (Ane act to amend Sections 631, 632, 632.7, 637.2, and 638.50 of the Penal Code, relating to crimes) has been languishing in the Assembly Committee on Privacy and Consumer Protection since last July. SB 690 attempted to align the California Invasion of Privacy Act and the California Consumer Privacy Act. Others, e.g., SB 923 (Consumer privacy requests: deletion request records and request submission methods), currently scheduled for a hearing at the Senate Appropriations Committee on April 20, 2026, seem poised to follow a more linear course. SB 923 would amend a law (the California Consumer Privacy Act) that has now been amended seemingly countless times since being passed in 2018. The situation is fluid, but this, of course, is not news.

In the meantime, and in the same vein, practitioners and business owners are faced with an increasingly complex landscape, with the (strong) temptation to over-architect provisions in view of the current signal-noise dichotomy. Such provisions certainly do not improve deal velocity and may not adequately mitigate risk either. Further, such provisions may only confuse a court, which may be asked to determine the meaning of a provision, without necessarily the full context and at a time when the technology and legal landscape look quite different. With this backdrop, a more generalized approach may be preferable, with a laser focus on the known and probable risks attendant to a given transaction. Clarity and conciseness in drafting become key. Further, where possible, adding appropriate audit rights, especially where non-compliance is difficult to detect, is vital.  

Until next month.

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.