Keypoint: The settlement, which includes a $500,000 fine and injunctive relief, arises out of alleged violations of the CCPA’s children’s privacy provisions and COPPA.

On June 18, 2024, the California Attorney General announced it had reached a settlement with an online gaming company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and federal Children’s Online Privacy Protection Act (COPPA) “by collecting and sharing children’s data without parental consent in their popular mobile app game ‘SpongeBob: Krusty Cook-Off.'” The Attorney General’s complaint and settlement were pursued in connection with the Los Angeles City Attorney’s office.

In the below article we provide a brief overview of the settlement.

Continue Reading California Attorney General Announces Third Public CCPA Enforcement Settlement

Keypoint: While the act does not include many provisions found in the more recent consumer data privacy laws, it would expand privacy notice obligations in one significant way although the applicability and scope of that requirement is unclear due to the lack of an important definition.

On June 13, 2024, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (SB 2500 / HB 7787). The act will now move to Governor Daniel McKee for consideration. Assuming the act becomes laws, it will go into effect on January 1, 2026.

The act is based on the Washington Privacy Act model but diverges from the prevalent forms of that model in two ways. First, the act contains a unique privacy notice requirement that would require entities to disclose the third parties to whom they sell or “may sell” personally identifiable information. However, the applicability and scope of that potentially onerous requirement is unclear because the act does not define personally identifiable information. Second, the act does not include some provisions that have become commonplace in recently passed laws such as data minimization language and an obligation to recognize universal opt-out mechanisms.

In the below article, we provide a summary of the act’s more notable provisions. As with prior bills, we have added the Rhode Island act to our chart providing a detailed comparison of laws enacted to date.

Continue Reading Rhode Island Legislature Passes Consumer Data Privacy Act

Keypoint: The Central District of California issued several wiretapping decisions in May while two decisions on the VPPA illustrate how claims fail or succeed at the pleading stage.

Welcome to the fourteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at multiple courts who distinguish the Ninth Circuit’s Shopify decision and deny motions to dismiss for lack of personal jurisdiction and how courts reach opposition conclusions regarding whether the “contents” of a communication were transmitted to a third party. We also take a look at two decisions that granted and denied motions to dismiss VPPA claims, and highlight one case where the federal government has again intervened to defend the VPPA’s constitutionality.

If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws, efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts, and—new this month—the recent flood of cases brought under New Jersey’s Daniel’s Law. Interested in learning more about Byte Back+? Click here.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Continue Reading U.S. Privacy Litigation Update: May 2024

Keypoint: Assuming the bills become law and go into effect, operators of websites and online services that collect the personal data of minors and are subject to the bills will need to undertake several compliance activities.

On June 7, 2024, the New York legislature passed two bills directed at kids’ use of online technologies – the New York Child Data Protection Act (S7695) and the Stop Addictive Feeds Exploitation (SAFE) for Kids Act (S7694). The bills will next move to New York Governor Kathy Hochul for consideration. The Governor already issued a press release in support of the bills.

Conversely, NetChoice – a trade association for Internet companies – issued a press release and wrote a Daily News’ op-ed calling the bills unconstitutional. NetChoice previously challenged the constitutionality of California’s Age-Appropriate Design Code Act. NetChoice won at the trial level and the case is on appeal.

In the below article, we provide a brief summary of the two bills.

Continue Reading New York Legislature Passes Two Kids Privacy Bills

Keypoint: The California legislature is considering several bills that, if passed, would add to the nation’s emerging legal patchwork governing the use of artificial intelligence.

In mid-May, Colorado Governor Jared Polis signed the Colorado Artificial Intelligence Act (CAIA) into law, making Colorado the first state to enact legislation governing the use of high-risk artificial intelligence systems. Earlier this year, Utah enacted SB 149, which creates limited obligations for private sector companies deploying generative artificial intelligence, including disclosing its use.

The California legislature is currently considering seven AI-related bills that, if passed, would add to the growing patchwork of state AI laws. All of these bills have passed their chamber of origin and are currently being considered by the opposite chamber. While many state legislatures have already closed for the year, California’s legislative session does not end until August 31, 2024, meaning that there is still time for California to pass one or more bills.

In the below article, we briefly summarize these bills (as they are currently drafted) and identify their current status. We previously discussed four of these bills in our April 25 AI Legislation Update.

Continue Reading California AI Legislation Update: June 5, 2024

On May 17, Colorado Governor Jared Polis signed the Colorado Artificial Intelligence Act (SB 205) into law, making Colorado the first state to enact legislation that broadly addresses the use of artificial intelligence in high-risk processing activities.

On June 4, 2024, members of Husch Blackwell’s data privacy and AI team will host a webinar to take a first look at the law and what it means for your business. Click here for more information and to register.

Keypoint: The Minnesota bill contains several unique requirements and provisions, including a novel right to question the result of a profiling decision, privacy policy provisions that increase interoperability with existing state laws, and new privacy program requirements such as a requirement for controllers to maintain a data inventory.

On May 19, the Minnesota legislature passed the Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782). The bill, which is sponsored by Representative Steve Elkins, was passed as Article 5 of a larger omnibus bill. The bill next moves to Governor Tim Walz for consideration.

The Minnesota bill largely tracks the Washington Privacy Act model but with some significant and unique variations. For example, the bill creates a novel right to question the result of a profiling decision and have a controller provide additional information regarding that decision. It also contains privacy policy requirements that are intended to increase interoperability with other state consumer data privacy laws. Further, the bill contains provisions requiring controllers to maintain a data inventory and document and maintain a description of policies and procedures the controller has adopted to comply with the bill’s provisions. We discuss those requirements and provisions, along with others, in the below article.

As with prior bills, we have added the Minnesota bill to our chart providing a detailed comparison of laws enacted to date.

Continue Reading Minnesota Legislature Passes Consumer Data Privacy Act

Keypoint: If signed into law, Colorado companies that process children’s data will have new requirements beginning on October 1, 2025.  

Prior to the legislature closing on May 8, Colorado lawmakers passed SB 41, which amends the Colorado Privacy Act (CPA) to add protections for children’s data privacy. If signed into law by Colorado Governor Jared Polis, it will go into effect on October 1, 2025. The bill creates new obligations for entities that offer any online service, product, or feature to minors (under 18). The bill is modeled on Connecticut’s SB 3 signed into law last June.

In the below article, we provide an overview of the obligations under SB 41 and the key differences between SB 41 and Connecticut’s SB 3.

Continue Reading Colorado Legislature Passes Children’s Data Privacy Bill

Keypoint: Last week, Colorado passed children’s privacy and artificial intelligence bills, Vermont passed a consumer data privacy bill, Maryland’s consumer data privacy and AADC bills were signed into law, and Minnesota is on the cusp of passing a consumer data privacy bill.

Below is the sixteenth weekly update on the status of proposed state privacy legislation in 2024.

Continue Reading Proposed State Privacy Law Update: May 13, 2024

Keypoint: If signed into law, Colorado will become the first state to enact legislation regulating the use of high-risk artificial intelligence systems.

On May 8, the Colorado legislature passed the Colorado Artificial Intelligence Act (SB 205). If signed by Governor Jared Polis, Colorado will become the first state to enact legislation that broadly addresses the use of artificial intelligence, in particular the use of artificial intelligence in high-risk activities. The bill is co-sponsored by Senate Majority Leader Robert Rodriguez and House Representatives Manny Rutinel and Brianna Titone.

In the below article, we first provide context and background on the bill. We then provide a summary of the bill’s provisions.

Continue Reading Colorado Legislature Passes First-in-Nation Artificial Intelligence Bill