Photo of Kathryn Rattigan

Kathryn Rattigan

Subscribe to Kathryn Rattigan's Posts

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Contact:Read more about Kathryn Rattigan

California companies may have less time than they think to prepare for privacy audits. The California Privacy Protection Agency’s (CPPA) new Audits Division, created in February 2026, is expected to begin assessing companies’ compliance with the California Consumer Privacy Act (CCPA) this year, according to Executive Director Tom Kemp. This is a notable remark because—while

The California Consumer Privacy Act (CCPA) continues to stand apart as the only comprehensive state privacy law in the U.S. that applies to personal information relating to employees, job applicants, and independent contractors. Since that coverage expanded in January 2023, many employers have had to navigate the difficult task of applying a consumer privacy framework

California’s new Delete Request and Opt-Out Platform (DROP) goes live on August 1, 2026, and the compliance stakes are enormous. State officials have warned that a single missed deletion cycle could create theoretical penalty exposure of $1.5 billion for one data broker. That number reflects how aggressively the Delete Act is designed to work. One consumer request can

As corporate legal departments continue adopting AI, the conversation is shifting from experimentation to strategy. According to the Thomson Reuters Institute’s 2026 State of the Corporate Law Department Report, nearly half of legal departments now report department-wide AI adoption, and technology has become a top strategic priority for many general counsel.

That momentum

A federal judge has ruled that CNN must face a proposed class action alleging that its website shared consumers’ personal information with Microsoft and adtech firms without consent, in alleged violation of the California Invasion of Privacy Act (CIPA). The lawsuit challenges CNN’s alleged use of online tracking tools and the downstream sharing of data in the digital advertising ecosystem. 

According

California Governor Gavin Newsom issued a new executive order aimed at tightening California’s procurement rules for artificial intelligence (AI) vendors and “raising the bar” for companies that want to sell AI tools to the state. The administration says the goal is to ensure contractors meet strong standards and can demonstrate responsible policies that prevent misuse

Carfax, Inc. faced an early loss in a closely-watched privacy case under the federal Driver’s Privacy Protection Act (DPPA), after a judge in Maryland refused to throw out a proposed class action alleging the company sold drivers’ personal information sourced from crash and vehicle records. The plaintiff alleges that Carfax obtained his DPPA-protected personal information