Keypoint: Last week, several privacy and AI bills passed out of committee (with some receiving amendments) while two bills died in committee.
We are currently tracking thirteen privacy and AI-related bills that previously crossed chambers prior to the legislative deadline. With the California legislature closing on August 31, we will be providing weekly updates on the progress of these bills.
Keypoint: Last week, the California legislature returned from its summer recess and began moving forward with privacy and AI legislation prior to the August 31 session closing date.
We are currently tracking thirteen privacy and AI-related bills that previously crossed chambers prior to the legislative deadline. With the California legislature closing on August 31, we will be providing weekly updates on the progress of these bills.
Keypoint: The amendment limits claims and updates the definition of written release.
On August 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law. The bill amends the Illinois Biometric Information Privacy Act (BIPA) to limit the number of claims that can be brought under the law’s private right of action and updates the law’s definition of “written release” to include “electronic signature.” The below article provides a summary of the two changes.
Keypoint: Although New York lacks a consumer data privacy law, the New York Attorney General’s office has taken the position that New York’s consumer protection laws require entities to implement certain tracking technology practices.
In mid-July the New York Attorney General’s office published a Guide for Website Privacy Controls in which the office identifies “mistakes we found businesses making when deploying tracking technologies.” The guidance acknowledges that New York lacks a consumer data privacy law that regulates online tracking technologies, but takes the position that “New York’s consumer data protection laws . . . , which prohibit businesses from engaging in deceptive acts and practices, effectively require that websites’ representations concerning consumer privacy be truthful and not misleading.” According to the Attorney General, this “means that statements about when and how website visitors are tracked should be accurate, and privacy controls should work as described.”
In the below article, we provide a brief overview of the guidance and some key takeaways.
Keypoint: The Texas Attorney General reached a $1.4 billion settlement with Meta over its alleged violations of Texas’ biometric privacy law.
On July 30, 2024, the Texas Attorney General announced that it has reached a $1.4 billion settlement with Meta over its alleged violations of Texas’ “Capture or Use of Biometric Identifier” Act (CUBI). The Attorney General’s press release represents that the settlement, which arises out of a 2022 complaint, is the first under CUBI. It also represents that the settlement “is the largest privacy settlement an Attorney General has ever obtained.”
In the below article, we provide a brief overview of CUBI and the underlying allegations in the complaint.
Keypoint: The California legislature has many pending privacy and AI-related bills to consider before it closes on August 31.
The California legislature left for its summer recess on July 3 and will reconvene on August 5. Once it returns, the legislature will have twenty-six days to pass bills before it recesses for the year on August 31.
In the below article, we identify and briefly summarize the pending privacy and AI bills and where they stand in the legislative process. The bills cover a wide range of topics, including kid’s privacy, opt-out preference signals, neural data, and algorithmic discrimination. All together, we are tracking fourteen bills, one of which was signed into law on July 15. The remaining thirteen bills all passed through their chamber of origin prior to the May 24 deadline and are at various stages of consideration in the opposite chamber.
Keypoint: Courts reject personal jurisdiction arguments and suggest the Shopify decision will be overturned; Courts continue to show differing approaches to VPPA claims at the pleading stage with a large VPPA class action settlement recently approved.
Welcome to the fifteenth installment in our monthly data privacy litigation report. We would like to thank Liz Ignowski, a summer associate with Husch Blackwell, for her help with this month’s report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at several cases that decline to follow the Ninth Circuit’s Shopify decision, which is currently pending rehearing, and then deny motions to dismiss for lack of personal jurisdiction. We also look at how courts are deciding whether the party exception applies to a complaint, and what facts are necessary to survive a motion to dismiss on consent and the contents of a communication. Additionally, we look at three VPPA decisions from June, where courts granted, denied, or deferred motions to dismiss, showing that although new VPPA cases may have decreased, courts are still allowing these claims to proceed past the pleading stage. We also highlight a VPPA class action settlement approval that illustrates how costly these claims can be if they survive the pleading stage.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.
Keypoint: The settlement, which includes a $500,000 fine and injunctive relief, arises out of alleged violations of the CCPA’s children’s privacy provisions and COPPA.
On June 18, 2024, the California Attorney General announced it had reached a settlement with an online gaming company, resolving allegations that the company violated the California Consumer Privacy Act (CCPA) and federal Children’s Online Privacy Protection Act (COPPA) “by collecting and sharing children’s data without parental consent in their popular mobile app game ‘SpongeBob: Krusty Cook-Off.’” The Attorney General’s complaint and settlement were pursued in connection with the Los Angeles City Attorney’s office.
In the below article we provide a brief overview of the settlement.
Keypoint: While the act does not include many provisions found in the more recent consumer data privacy laws, it would expand privacy notice obligations in one significant way although the applicability and scope of that requirement is unclear due to the lack of an important definition.
On June 13, 2024, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (SB 2500 / HB 7787). The act will now move to Governor Daniel McKee for consideration. Assuming the act becomes laws, it will go into effect on January 1, 2026.
The act is based on the Washington Privacy Act model but diverges from the prevalent forms of that model in two ways. First, the act contains a unique privacy notice requirement that would require entities to disclose the third parties to whom they sell or “may sell” personally identifiable information. However, the applicability and scope of that potentially onerous requirement is unclear because the act does not define personally identifiable information. Second, the act does not include some provisions that have become commonplace in recently passed laws such as data minimization language and an obligation to recognize universal opt-out mechanisms.
In the below article, we provide a summary of the act’s more notable provisions. As with prior bills, we have added the Rhode Island act to our chart providing a detailed comparison of laws enacted to date.
Keypoint: The Central District of California issued several wiretapping decisions in May while two decisions on the VPPA illustrate how claims fail or succeed at the pleading stage.
Welcome to the fourteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at multiple courts who distinguish the Ninth Circuit’s Shopify decision and deny motions to dismiss for lack of personal jurisdiction and how courts reach opposition conclusions regarding whether the “contents” of a communication were transmitted to a third party. We also take a look at two decisions that granted and denied motions to dismiss VPPA claims, and highlight one case where the federal government has again intervened to defend the VPPA’s constitutionality.
If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws, efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts, and—new this month—the recent flood of cases brought under New Jersey’s Daniel’s Law. Interested in learning more about Byte Back+? Click here.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.