Keypoint: The Central District of California issues a major victory for website owners facing CIPA-arbitration demands, two decisions address whether a plaintiff consented as a defense to wiretapping claims, three courts in different states each dismissed VPPA claims, and another court weighs in on the recent pen registry case theory.

Welcome to the thirteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. A lot happened in April. In this month’s post, we look at two decisions from California that addressed whether language in the privacy policy can establish the plaintiff consented to the recording and sharing of chat communications. We also take a look at three VPPA decisions granting motions to dismiss where plaintiffs failed to allege facts that satisfy the definitional prerequisites of the statute. Additionally, we note a recent development in one pending case where the VPPA is being challenged as unconstitutional.

If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws, efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts (including a major victory for website owners), and—new this month—the recent flood of cases brought under New Jersey’s Daniel’s Law. Interested in learning more about Byte Back+? Click here.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Colorado employers and controllers that collect and process biometric data and identifiers will need to comply with disclosure, consent, and retention requirements beginning on July 1, 2025.

In late April, the Colorado legislature passed HB 1130, which amends the Colorado Privacy Act (CPA) to add protections for an individual’s biometric data and identifiers. Subject to the procedural formalities in the legislature, the bill will move to Colorado Governor Jared Polis for consideration. Assuming the bill becomes law, it will go into effect on July 1, 2025, and create several new obligations for entities that collect biometric data and identifiers. In addition, the bill’s requirements will apply to more entities than are currently covered by the CPA and will apply to employee data.

In the below article, we first provide a brief overview of the CPA’s existing treatment of biometric data. We then discuss the new obligations created by HB 1130.

Keypoint: Since our last update, the Connecticut Senate passed an algorithmic discrimination bill, an algorithmic discrimination bill was introduced in Colorado and passed the Colorado Senate Judiciary Committee, and an algorithmic discrimination bill passed out of a California committee.

Below is our fourth update on the status of pending US artificial intelligence (AI) legislation that would affect the private sector.

Keypoint: Last week, the Nebraska Governor signed the Nebraska Data Privacy Act into law, the Maine legislature closed without passing a consumer data privacy bill, Colorado’s biological/neural data bill was signed into law, and there were developments with bills in California, Virginia, Minnesota, Vermont, Wisconsin and Iowa.

Below is the thirteenth weekly update on the status of proposed state privacy legislation in 2024.

With its unique provisions and requirements, the Maryland Online Data Privacy Act (MODPA) adds a new dimension to state privacy law that will create additional compliance burdens for covered entities. HB privacy partner David Stauss unpacks and explains MODPA in a twenty-five minute on-demand webinar available exclusively to HB privacy clients through Byte Back+.

If

Keypoint: Nebraska is the seventeenth state legislature to pass consumer data privacy legislation with a bill that largely tracks the Texas Data Privacy and Security Act.

On April 11, 2024, the Nebraska legislature passed the Nebraska Data Privacy Act (LB 1074). We have been tracking the bill since it was first introduced under LB 1294. That bill never advanced out of committee; however, it was added to LB 1074 in late March as part of a larger multi-subject 139 page bill. The bill unanimously passed Nebraska’s unicameral legislature on April 11. It now heads to Nebraska Governor Jim Pillen. Assuming the bill becomes law, Nebraska will become either the sixteenth or seventeenth state to enact consumer data privacy legislation, depending on whether Maryland’s bill, which passed the Maryland legislature last Saturday, is enacted first.

The Nebraska bill largely tracks the Texas Data Privacy and Security Act, but with some differences we identify below. As with prior bills, we have added the Nebraska bill to our chart providing a detailed comparison of laws enacted to date. We also have added Nebraska to our sensitive data comparison chart.