On November 8, the California Privacy Protection Agency Board voted to advance the new draft CCPA regulations to formal rulemaking. In this on-demand webinar, HB privacy partner David Stauss provides a high-level summary of the proposed changes to the existing CCPA regulations. 

This is the second on-demand webinar in a four-part series analyzing the draft

On November 8, the California Privacy Protection Agency Board voted to advance the new draft CCPA regulations to formal rulemaking. In this on-demand webinar, HB privacy partner David Stauss provides a high-level summary of the draft regulations on automated decisionmaking technology (ADMT). During the Board meeting, the draft ADMT regulations were a source of many

Keypoint: The New York State Department of Financial Services (NYDFS) issued an industry letter outlining the threats posed to U.S. companies who hire remote technology workers linked to North Korea and may embezzle funds from their new employers.

On November 1, 2024, NYDFS issued guidance warning companies against an increasing risk posed from individuals applying for employment in IT roles who are in fact operating on behalf of North Korea. These applicants seek employment in order to infiltrate western companies’ computer systems and illicitly generate revenue for the North Korean regime.

AI Illustration

Keypoint: The New York Department of Financial Services (NYDFS) circulated an industry letter offering guidance to NYDFS “Covered Entities” for assessing and managing AI-related cybersecurity risks, including threats malicious actors using AI and the risks associated with a Covered Entity’s own AI systems.

The NYDFS industry letter (“Letter”) recognizes that Covered Entities can leverage AI to enhance their cybersecurity posture. The department contends that doing so would bolster entities’ compliance with NYDFS cybersecurity regulation 23 NYCRR Part 500 (“Part 500”).

Keypoint: Massachusetts’ highest court ruled the use of software that tracks users’ activity on its website does not violate the state’s Wiretap Act, which was intended to prevent the recording or interception of communications between two or more persons.

On October 24, the Massachusetts Supreme Judicial Court held the state’s wiretapping act did not apply to the collection of users’ browsing activities on websites. In Vita v. New England Baptist, Massachusetts’ highest State Court held in a 5-1 decision that although the law did not define “communication,” it nevertheless was limited to communications between individuals and did not extend to cover a user’s browsing on a website. This decision, which is limited to the Massachusetts Wiretap Act, establishes that website operators can use tracking tools like Meta Pixel and Google Analytics to gather users’ browsing data without their consent, highlighting the limitations of the decades-old surveillance laws in addressing modern privacy concerns. Notably, several California courts have reached opposite conclusions under the corresponding California wiretapping laws (commonly known as CIPA Section 631(a)).

In the below article, we provide an overview and analysis of the Massachusetts Supreme Judicial Court ruling and the potential impact on the wave of privacy litigation ongoing in California Courts.

Keypoint: California state courts weigh in on what does, and does not, qualify as a “pen registry” or “tap and trace” device while one California federal court raises whether a wiretapping claim can also allow for a CCPA privacy right of action.

Welcome to the eighteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we examine two decisions from California Federal District Courts that dismissed chat-based wiretapping claims. We also look at four VPPA decisions (three from the same jurisdiction) that all dismissed VPPA claims under Rule 12(b)(6), showing courts’ growing lack of patience for plaintiffs’ attorneys who fail to plead such claims with specificity and under the standards established by past VPPA decisions.

Byte Back + members also get access to coverage of four pen registry decisions, one (substantial) pixel decision, an email tracking decision, plus and our coverage of oral argument in the Ninth Circuit’s Briskin v Shopify decision. Interested in learning more about Byte Back+? Contact the authors or click here.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Of the ten privacy- and AI-related bills passed by the California legislature in the 2024 legislative session, Governor Newsom signed seven into law and vetoed three by the September 30 deadline.

Throughout the 2024 legislative session, we have been tracking numerous privacy- and AI-related bills pending in California. Ten of those bills passed the state legislature before the legislative session ended on August 31 (nine of which passed in the final week of August). Governor Newsom had a deadline of September 30 to sign or veto the bills that passed. Of the ten total bills, he signed seven into law and vetoed three bills. Those seven bills scheduled to go into effect consist of four laws related to privacy and three laws related to AI.

The below article provides a summary of the ten bills that Governor Newsom either signed into law or vetoed.

It has been a busy year in state privacy and AI law with seven states passing consumer data privacy laws, four states amending their existing laws, multiple states passing children’s-related privacy laws, and four states passing AI-related laws. In this on-demand webinar available exclusively to Byte Back+ members, HB privacy partner David Stauss discusses those

Keypoint: The Texas Attorney General reaches a first-of-its-kind settlement with a healthcare company that provides generative AI products. 

On September 18, 2024, the Texas Attorney General announced that it had reached a settlement with a Dallas-based artificial intelligence healthcare company. The Attorney General’s press release represents that it is a first-of-its-kind settlement, resolving allegations that the company deployed its artificial intelligence (“AI”) products at Texas hospitals while making false and misleading statements about the safety of its products. 

Keypoint: The proposed draft amendments modify the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature this year.

On September 13, 2024, the Colorado Attorney General’s office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The office also announced a rulemaking hearing on Thursday, November 7, 2024, and will accept written public comments until that date.

The draft proposed amendments create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature this year – SB 41 (kid’s privacy) and HB 1130 (biometric privacy). You can read more about the SB 41 and SB 1130 here and here.

In the below post, we provide a short summary of some of the more notable parts of the proposed amendments.