United States

On June 22, Texas Governor Greg Abbott (R) signed the Texas Responsible AI Governance Act (“TRAIGA”) (HB 149) into law.  The law, which takes effect on January 1, 2026, makes Texas the second state to enact comprehensive AI consumer protection legislation, following the 2024 enactment of the Colorado

Continue Reading Texas Enacts AI Consumer Protection Law

This year, state lawmakers have introduced over a dozen bills to regulate “surveillance,” “personalized,” or “dynamic” pricing.  Although many of these proposals have failed as 2025 state legislative sessions come to a close, lawmakers in New York, California, and a handful of other states are moving forward with a range

Continue Reading State Legislatures Advance Surveillance Pricing Regulations

On June 6, 2025, President Trump issued an Executive Order (“Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144”) (the “Order”) that modifies certain initiatives in prior Executive Orders issued by Presidents Obama and Biden and highlights key cybersecurity priorities for the current Administration.  Specifically, the Order (i) directs that existing federal government regulations and policy be revised to focus on securing third-party software supply chains, quantum cryptography, artificial intelligence, and Internet of Things (“IoT”) devices and (ii) more expressly focuses cybersecurity-related sanctions authorities on “foreign” persons.  Although the Order makes certain changes to prior cybersecurity related Executive Orders issued under previous administrations, it generally leaves the framework of those Executive Orders in place.  Further, it does not appear to modify other cybersecurity Executive Orders.[1]  To that end, although the Order highlights some areas where the Trump administration has taken a different approach than prior administrations, it also signals a more general alignment between administrations on core cybersecurity principles.Continue Reading White House Issues New Cybersecurity Executive Order

“Session replay” software is one of many website analytics tools targeted in wiretapping suits under the California Invasion of Privacy Act (“CIPA”).  Last month, a California federal court confirmed one of the many reasons why the use of this software does not violate CIPA section 631: A defendant cannot “read” (or attempt to read) session replay data “in transit,” as CIPA requires, because “events recorded by” this software “do not become readable content until after they are stored and reassembled into a session replay.”  Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025). Continue Reading Court Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA

On April 28, the House of Representatives voted 409-2 to pass the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (“TAKE IT DOWN Act”), which criminalizes the publication of nonconsensual intimate visual depictions (“NCII”) and requires online platforms to establish a notice and takedown process for NCII. The Act, which previously had been passed by the Senate, now goes to the President’s desk for signature. President Trump has indicated that he intends to sign the bill into law.Continue Reading U.S. Congress Passes Bill Establishing Notice and Takedown Regime for Publication of Nonconsensual Intimate Visual Depictions

Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer?  A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet Carter Gifts) and its marketing partner (NaviStone) accused of collecting data about plaintiff’s website visit in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”).Continue Reading Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim

Plaintiffs’ lawyers have continued to bring privacy claims targeting businesses that use vendors to help provide beneficial chat features on their website, as we last reported here.  Late last year, a Southern District of California judge dismissed another set of privacy claims challenging the routine use of these vendor services by Tonal, a popular smart home gym company named as the sole defendant in the lawsuit.  Jones v. Tonal Systems, Inc., 751 F. Supp. 3d 1025 (S.D. Cal. 2024).

Plaintiff Julie Jones, a California resident, claimed that she had visited Tonal’s website and used its chat feature to communicate with a Tonal customer service representative.  This chat feature allegedly incorporated an API run by another company to create and store transcripts of website visitors’ chats with Tonal’s customer service representatives.  According to the complaint, this alleged conduct constituted wiretapping, which Tonal purportedly aided and abetted in violation of Sections 631 and 632.7 of the California Invasion of Privacy Act (“CIPA”).  Plaintiff also asserted other privacy claims based on the same alleged conduct, including the California Unfair Competition Law (“UCL”) and the California Constitution’s right to privacy provision.

The Court granted Tonal’s motion to dismiss each of plaintiff’s claims on multiple grounds. Continue Reading Another California Court Rejects Privacy Claims Targeting Online Chat Feature

Early this month, a Northern District of California judge dismissed, with prejudice, a putative class action complaint asserting five privacy-related causes of action, concluding the “issue of consent defeat[ed] all of Plaintiffs’ claims.”  Lakes v. Ubisoft, Inc., –F. Supp. 3d–, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).  Specifically, the Court dismissed plaintiffs’ claims under the (1) Video Privacy Protection Act (“VPPA”); (2) Federal Wiretap Act; (3) California Invasion of Privacy Act (“CIPA”) § 631; (4) common law invasion of privacy; and (5) Article I, Section 1 of the California Constitution. Continue Reading California Court Holds Plaintiffs’ Consent Defeats Claims Involving Use of Website Pixel

On March 26, 2025, Utah Governor Spencer Cox signed into law SB 142, the App Store Accountability Act (the “Act”), enacting the country’s first state law that requires app store providers to verify the age of all users and places obligations on app developers. An “app store provider” is defined as “a person that owns, operates, or controls an app store that allows users in [Utah] to download apps onto a mobile device.” A “developer” is defined as “a person that owns or controls an app made available through the app store in the state.”

The law goes into effect on May 7, 2025, and the obligations on app store providers and developers are not effective until May 6, 2026. Some key provisions are outlined below.Continue Reading Utah Enacts App Store Accountability Act

On March 5, 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) introduced the federal Genomic Data Protection Act (“GDPA”).  The Senators introduced the same bill at the end of last year, but the bill stagnated, and Congress adjourned soon after.  Notably, as part of his February 2024 white paper, Senator Cassidy specifically called for the regulation of genetic data collected by direct-to-consumer genetic testing companies, pointing to several states that have enacted laws regulating these companies over the past several years.Continue Reading U.S. Senate Introduces Genomic Data Protection Act