Photo of Kathryn Rattigan

Kathryn Rattigan

Subscribe to Kathryn Rattigan's Posts

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Contact:Read more about Kathryn Rattigan

A recent ruling from the U.S. District Court for the Northern District of California underscores the limits of state privacy statutes, particularly when plaintiffs reside outside the state and the alleged misconduct lacks a clear connection to California. The decision by Judge Jacqueline Scott Corley dismissed a proposed class action against California-based analytics company Samba

A recent federal class action lawsuit challenging Home Depot Inc.’s use of facial scanning technology at self-checkout kiosks has come to a sudden halt. The plaintiff, Benjamin Jankowski, voluntarily dropped the case, with the U.S. District Court for the Northern District of Illinois granting dismissal without prejudice. Jankowski v. The Home Depot, No. 1:25-cv-09144

A recent federal court decision highlights the power of online terms and conditions, and how “choice-of-law” clauses can dramatically influence privacy litigation. In Crowell v. Audible, a Seattle judge dismissed a proposed class action alleging that Audible unlawfully shared its California customers’ browsing and listening data with Meta, finding that the case must proceed

On October 9, 2025, the Northern District of California denied Mashable, Inc.’s motion to dismiss a class action alleging violations of the California Invasion of Privacy Act (CIPA). Mashable operates a digital news and entertainment website that publishes articles and multimedia content online. The plaintiff alleged that Mashable disclosed the IP addresses and device identifiers

Mergers and acquisitions (M&A) can be transformative, but hidden compliance risks—especially regarding privacy and data protection—often lurk beneath the surface, especially regarding privacy and data protection. In California, strict laws like the California Consumer Privacy Act (CCPA) and the California Invasion of Privacy Act (CIPA) are being aggressively enforced through litigation. Plaintiffs’ firms are increasingly targeting companies whose websites

California continues to lead the way in digital privacy. Its latest step is AB 566, the California Opt Me Out Act. This new law amends the already robust California Consumer Privacy Act (CCPA) and specifically targets how internet browsers empower users to control their personal information.

AB 566 requires that all consumer web browsers (i.e., Chrome, Firefox, Safari

Lawsuits are rapidly multiplying against website operators over how user information is collected and shared. Plaintiffs are increasingly creative in asserting that website tracking tools, especially those tied to search bars, violate wiretap and related electronic communications laws. One emerging legal theory invokes “trap and trace” provisions, meant for surveillance devices, to challenge the capture

Green Diamond Resource Company, a forest management business, is seeking court approval to pay $695,000 to settle claims that it failed to adequately safeguard the personal information of about 28,000 consumers in a 2023 data breach. Gregorio v. Green Diamond Resource Co., No. 2:24-cv-00596 (W.D. Wash. 9/22/25).

The breach allegedly exposed a wide range of

A California federal court has refused to dismiss a class action lawsuit alleging that Condé Nast unlawfully installed online trackers on its websites, signaling yet another instance of courts applying a decades-old privacy statute to modern data collection practices.

The lawsuit alleges that when the plaintiff visited Condé Nast-owned publications’ websites such as The New