Noor Kalkat advises clients on a wide range of privacy, cybersecurity and technology-related matters.

Noor counsels organizations on compliance with international, federal and state privacy laws, including the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).

Her practice includes supporting clients in complex technology transactions, intellectual property protection and licensing, software and data licensing and usage rights, and other commercial agreements involving emerging technologies. Noor also guides clients through cybersecurity incidents, providing strategic advice on breach response, regulatory obligations and remediation.

Before joining Polsinelli, Noor worked in the privacy and compliance office at the University of California, San Francisco Medical Center, where she gained experience navigating privacy issues in the healthcare and life sciences sectors.

Education

  • University of California, Hastings College of the Law (J.D., 2018)
    • The George Washington University (B.A., cum laude, 2013)

      Bar Admission

      • California, 2019

      Recognition

      • Certified Information Privacy Professional/United States (CIPP/US)
      Publications
      All Publications
      What You Need to Know About California’s Finalized CCPA Amendments: Part Two
      On July 24, 2025, the California Privacy Protection Agency (CPPA) approved final regulations (the Rule) under the California Consumer Privacy Act of 2018 (CCPA), introducing new obligations related to automated decision-making (ADMT), mandatory risk assessments for high-risk data processing and cybersecurity. While Part One of our coverage on the Rule focused on the ADMT requirements, this section turns to the Rule’s cybersecurity and risk assessment provisions. Assuming the Office of Administrative Law (OAL) approves these regulations (expected by late August 2025 based on its 30-day review period and past practices), certain provisions of the Rule could take effect on January 1, 2026. Key cybersecurity obligations are to be implemented in phases between 2027 and 2029, based on a business’s gross
      Read More
      What You Need to Know About California’s Finalized CCPA Amendments: Part One
      On July 24, 2025, the California Privacy Protection Agency (CPPA) approved final regulations (the Rule) under the California Consumer Privacy Act (CCPA) governing Automated Decision-Making Technology (ADMT), including artificial intelligence (AI) and other automated tools. The regulations also adopt a cybersecurity audit rule to impose ‘reasonable’ cybersecurity practices on businesses, which will be addressed in Part Two. The Rule introduces new consumer rights and compliance obligations for businesses using technology that makes or substantially influences decisions about consumers. While the regulations implementing the Rule are not yet fully finalized — they proceed for procedural review to the California Office of Administrative Law under the California Administrative Procedure Act — it’s not too early to consider how impending legal obligations will
      Read More