This week, the Supreme Court of the United States agreed to hear an appeal concerning the definition of “consumer” under the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710, long one of the most frequently litigated privacy laws. If the Court affirms the lower court’s decision, it will defeat yet another attempt by the plaintiff’s bar to penalize companies who host audiovisual content on their websites.

Continue Reading Supreme Court Agrees to Resolve VPPA Circuit Split

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Rewriting EU Telecom Rules: Inside the New Digital Networks Act

Attention Privacy World Readers! Do you need CLE? We have some options for you!

Key Changes To Virginia Telephone Privacy Protection Act Take Effect

Primer on 2026 Consumer Privacy, AI, and Cybersecurity Laws

FCC Extends Waiver of TCPA Consent Rule Providing “Stop One Means Stop All”

Federal Judge Enjoins Enforcement of Texas App Store Age Verification Law

2025 Video Privacy Protection Act Litigation Year in Review

Stay Ahead on Consumer Privacy News

Not a subscriber yet? Subscribe here to be among the first to receive timely updates on the fast-moving world of data privacy, security, and innovation—delivered straight to your inbox.

Looking for deeper insights and expert analysis? You can also subscribe here to our privacy attorneys’ marketing communications for thought leadership and rich content when you need a more comprehensive perspective.

The European Commission has unveiled its long‑awaited proposal for the EU Digital Networks Act (DNA), a sweeping regulation poised to reshape Europe’s telecoms and digital infrastructure landscape for decades to come. From accelerating the fiber transition to introducing an EU‑wide satellite authorization regime and simplifying market access through a single passport, the proposal signals a major shift in how connectivity services will be regulated across the EU. In a recent article on the “Global IP and Technology Law Blog,” Francesco Liberatore breaks down the key elements of the DNA, assesses what’s new, and explores what it could mean for operators, digital infrastructure providers, and the broader market. Read the full analysis.

January 26, 2025, at 12:00 pm – 1:00 pm PST

Join Kyle Fath, Partner (Los Angeles), along with Tony Ficarotta, Vice President and General Counsel for the Network Advertising Initiative, and other privacy lawyers for their webinar on: What is Ad Tech – Privacy 101. They will break down the complex ecosystem of Ad Tech and the intersection with privacy.

Click here for more details.

January 29, 2025, at 2:20 pm EST

Join Julia Jacobson, Partner (New York), and Sammuel Kim, Associate (New York), for an upcoming webinar:

  • Julia and Sam will provide an update on the federal rule known as “Preventing Access to U.S. Sensitive Personal Data and Government Related Data by Countries of Concern or Covered Persons” issued under President Biden’s Executive Order 14117. Join us at 2:20 pm ET to hear some practical insights on how U.S. organizations are assessing vendors and vendor contracts for covered data transactions, how the rule relates to state consumer privacy laws and data broker laws, and suggestions for compliance program uplifts. (This session is one of four, which are described here.)

February 20, 2026, at 10:15 am – 11:15 am PST

Join Kyle Fath, Partner (Los Angeles) for Session 8.2 at the California Lawyers Association: 2026 Annual Privacy Summit | Track B – The Next Frontier: “Necessary and Proportionate”

The California AG’s Healthline suit puts teeth behind the CCPA’s “necessary and proportionate” standard for data processing. For controllers, it establishes a functional data minimization principle, especially in the collection and sharing of sensitive data. This standard parallels the GDPR’s purpose limitation but adds deeper consideration of consumer expectation. In this panel, we will compare this to the data minimization rules in the Maryland Online Data Protection Act (MODPA) and evolving Congressional proposals, offering strategies for controllers to audit practices and mitigate risk.

To register for the event, click here.

February 20, 2026, at 10:00 am – 1:15 pm EST

Join Julia Jacobson, Partner (New York), and Sammuel Kim, Associate (New York), for an upcoming webinar:

  • Julia and Sam will present two sessions.  The first session will address the current state of the data security landscape and provide an update on data security laws. The second session will cover recent trends and hot topics in incident response and litigation. 
  • Click here for more details.

February 25, 2026, at 1:00 pm – 2:30 pm EST / 10:00 am – 11:30 am PST

Join Alan Friel, Partner (Los Angeles), along with FTI Consulting Senior Managing Directors, David Manek and Colleen Yushchak, for an upcoming webinar:

  • Data Risk Assessments Under U.S. Privacy Laws: Purpose, Requirements, Elements, Operationalizing the Process.
  • Alan and the panel will discuss data risk assessment requirements and risks under U.S. data privacy laws. The panel will walk through the completion of various aspects of a privacy risk assessment and provide helpful tips and resources for making assessments more efficient and effective.
  • Click here for more details.


On January 1, 2026, the amendments to the Virginia Telephone Privacy Protection Act (VTPPA), Va. Code § 59.1-510 et seq., went into effect. The amendments expand the scope of the VTPPA to explicitly include both calls and texts and provide enhanced statutory damages for willful or repeated violations. With the added requirements and heightened damages, including the recovery of attorneys’ fees, we expect these changes to the VTPPA will invite a wave of litigation.

The VTPPA primarily has 5 requirements governing telephone solicitations: (1) time restrictions (§ 59.1-511); (2) identification requirements (§ 59.1-512); (3) caller identification requirements (§ 59.1-513); (4) opt-out requirements (§ 59.1-514); and (5) recently added abandoned telephone solicitation messages (§ 59.1-513.1). Under the previous iteration of the VTPPA, the restrictions were limited to “telephone solicitation calls,” (despite broadly defining “telephone solicitation” to include text messages). However, as amended, the restrictions now apply broadly to all “telephone solicitations,” making it clear that the restrictions apply to both telephone calls and text messages alike. These restrictions include:

  • § 59.1-511 – a caller may not make a telephone solicitation at any time other than between 8:00 a.m. and 9:00 p.m. local time at the contacted person’s location, unless the telephone solicitor has obtained the prior consent of the contacted person.
  • § 59.1-512 – persons making a telephone solicitation via telephone call must provide their first and last name, along with the identity of the person or entity the caller is calling on behalf of.
  • § 59.1-513 – the telephone solicitation must transmit the telephone number (and, when available, the name of the telephone solicitor) which, if contacted during regular business hours, a consumer may request not to receive telephone solicitations. For text message solicitations, this requirement is satisfied if the number from which the message is sent is a number through which the recipient may make an opt-out request.
  • § 59.1-514 – prohibits any telephone solicitation after a consumer has requested to no longer receive telephone solicitations from the seller (i.e., the person on whose behalf the solicitation is made). Such a request may be made to either the telephone solicitor or the seller. For text message solicitations, the words “UNSUBSCRIBE” or “STOP” shall constitute an opt-out. All opt-out requests must be honored for 10 years.
  • § 59.1-513.1 – The newly added § 59.1-513.1 also provides that if a live person is not available within 2 seconds of a telephone solicitation call, then the telephone solicitor must play a prerecorded identification message that states the name and telephone number of the person on whose behalf the telephone solicitation is being made, which the consumer may contact to make an opt-out request.

The VTPPA provides for a private right of action and permits a “natural person” to recover statutory damages in the amount of $500 for the first violation, $1,000 for a second violation, and $5,000 for each subsequent violation. § 59.1-515(A). If a court finds that a violation is willful, then it may increase the amount of damages awarded for a first or second violation to up to $5,000. § 59.1-515(B). The VTPPA further provides for the recovery of reasonable attorney’s fees and expenses for a prevailing plaintiff (but does not provide for any fee-shifting for a prevailing defendant). § 59.1-515(C).

The VTPPA imposes joint and several liability on the telephone solicitor and the seller on whose behalf the solicitation is made, and it creates a rebuttable presumption that telephone solicitations are made on a seller’s behalf—regardless of whether an agency relationship exists, or if the seller directed or requested the solicitation. § 59.1-514.1. The presumption may be rebutted by clear and convincing evidence that the seller did not retain or request the telephone solicitor to make telephone solicitations on the seller’s behalf or for the seller’s benefit and that the telephone solicitations offering or advertising the seller’s property, goods, or services were made by the telephone solicitor without the seller’s knowledge or consent.

In sum, while the only new addition to the VTPPA relates to abandoned telephone solicitation calls, the recent amendments make clear that its restrictions extend to both telephone calls and text messages. As to the requirements relating to opt-out requests, the VTPPA is unambiguous compared to the current iteration of the TCPA: only the words “UNSUBSCRIBE” or “STOP” constitute valid opt-out requests. See § 59.1-514 (“In the case of a telephone solicitation via text messages, such statement shall be made by replying to the text message with the word “UNSUBSCRIBE” or “STOP””). However, given the steep statutory damages—particularly for repeated violations, which can equal up to $5,000 per violation—and the ability to recover attorneys’ fees, we expect the VTPPA will be popular amongst the plaintiff’s bar. We will keep you posted!

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.


PrivacyWorld’s Alan Friel and Kyle Fath broke down what companies need to consider in 2026 to meet new and ongoing data laws and regulations in a Stafford / Barbri presentation on January 7, 2026. The PowerPoint is available here and includes appendices that break down details of, and compare and contrast, consumer privacy laws. Coverage includes explanations of the new CCPA regulations, new California AI laws and regulations, new regulation of teen safety, and updates to data broker obligations. For more information on assessing your compliance posture, contact your Squire Patton Boggs relationship partner or Kyle or Alan.


Last October, the Federal Communications Commission (FCC or “Commission”) sought comments on modifying the “stop one means stop all” revocation of consent provision in its Telephone Consumer Protection Act (TCPA) rules. The FCC had previously delayed the effective date of the rule through April 11, 2026.

After accepting a slew of substantive initial comments from a variety of stakeholders (e.g., banks, utilities, pharmaceutical organizations) in response to its October 2025 request for input, the FCC has decided to further delay the effective date until January 31, 2027.

Continue Reading FCC Extends Waiver of TCPA Consent Rule Providing “Stop One Means Stop All”

On December 23, 2025, a federal judge enjoined enforcement of Texas’ App Store Accountability Act (SB 2420) by Texas Attorney General Ken Paxton. The law, which was slated to go into effect on January 1, 2026, would have imposed onerous age assurance and parental consent obligations on app stores and app developers, which our expert panelists analyzed in depth in a webinar last month (and which we detailed in a FAQ).

The Orders (here and here) come on the heels of the consolidated hearing that took place on December 16, during which U.S. District Court Judge Robert Pitman heard arguments from all parties on the Plaintiffs’ motion for a preliminary injunction. AG Paxton filed an appeal the same day. The Computer & Communications Industry Association (CCIA) originally filed suit on October 16, 2025, alleging violations of First Amendment speech protections for users, app stores, and app developers as well as unconstitutional vagueness. A separate lawsuit was filed the same day by two individual students and Students Engaged in Advancing Texas (SEAT), arguing the law burdens minors’ free speech rights. Plaintiffs in both cases filed a motion for a preliminary injunction on October 23, to which Texas Attorney General Paxton filed a response two weeks later, followed by the Plaintiffs’ respective replies on November 20.

The Court noted its concerns with a few specific effects of the law: (1) imposing duties on both app stores and developers to implement the law’s age rating system and display the system to users, (2) shifting age verification duties onto app stores, (3) requiring parental consent before a minor can make an app download, app purchase, and in-app purchase, and (4) mandating app stores to revoke minors’ access to an app whenever its content rating, functionality, or user experience undergoes a “material change,” subsequently requiring parental consent.

The Court determined that the law’s coverage definition and objective of restricting content deemed harmful to minors constitute a content-based regulation. As a result, the Court applied a standard of strict scrutiny and ultimately decided the law fails both prongs of the test. First, the Court found that the State did not demonstrate a compelling interest in preventing minors’ access to the broad categories of speech encompassed by SB 2420. Second, the Court found that SB 2420 does not use the least restrictive means possible to stop minors from accessing harmful material. Additionally, the Court noted that the law is both under- and over-inclusive; the law does not restrict minors from accessing potentially harmful content on pre-downloaded apps while simultaneously prohibiting minors from “participating in the democratic exchange of views online.”

Lastly, the Court supported the CCIA’s argument that the law was unconstitutionally vague. Specifically, two portions of the law were found impermissibly vague: (1) app stores’ and developers’ liability for knowingly misrepresenting age ratings and (2) app developers’ obligations to provide notice of “significant changes.”

As AG Paxton immediately filed an appeal of the order on December 23, 2025, we expect to see developments on the injunction in the first quarter of 2026. Those interested and/or impacted by these laws should continue to follow these developments as well as any that may occur with respect to similar laws in Utah and Louisiana that are slated to go into effect in the middle of 2026, and in California, which is effective January 1, 2027.


For years, one of the most frequently litigated privacy laws has been the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, a federal statute enacted in 1988 in response to the disclosure of then-Supreme Court nominee Robert Bork’s videotape rental history by a video store to a reporter, who published the list.  Despite its analogue origins, this decades-old statute has been used by the plaintiff’s bar (incentivized by the VPPA’s $2,500 per violation liquidated damages provision) in putative class action litigation brought against any business whose website contains playable videos and third-party cookies.

This past year, there were several significant court rulings in litigation under the VPPA. These decisions addressed hotly contested VPPA elements while also laying the foundation for a potential circuit split. Squire Patton Boggs’ globally ranked “Elite” Data Disputes team is well experienced defending businesses and their data practices, including in the realm of VPPA litigation and (mass) arbitration. In this article, informed by our practical experience litigating and arbitrating VPPA cases, we: (I) provide a brief primer on VPPA elements and litigation theories, (II) cover a Second Circuit decision, and other district court decisions, on the definition of personally identifiable information under the VPPA, (III) address decisions from the Sixth, Seventh, and D.C. Circuits on the scope of persons who can bring VPPA claims, and (V) give an update on a recent Eighth Circuit decision regarding which businesses are subject to the VPPA. These areas are all likely to bear upon VPPA claims and ongoing litigation in 2026, making this a must read for in-house counsel and practitioners in this space.

Continue Reading 2025 Video Privacy Protection Act Litigation Year in Review

In 2025, India’s approach on AI has shifted significantly from, “Will AI change the way business is done?” to “What is the best way to adopt it to enable business expansion?” Guided by the principles of People, Planet, and Progress, “Safe and trusted AI for all” has become the motto governing India’s approach to AI. The evolving digital infrastructure, specific sector-driven regulation, techno-legal philosophy, strength of the powerful Global South, and a strong inclusion narrative are cornerstones to India’s AI journey.

AI and Global Governance

There are several basic models for AI governance that are emerging globally.

The European Union

The EU establishes in essence a single, horizontal rule on AI. It classifies systems as per the level of risk posed to the end user: specifically unacceptable, high, limited, and minimal. It forbids certain specific actions and provides for strict documentation, compliance, and penalty regimes for high-risk AI. For instance, Chapter II, Article 5 of the EU AI Act provides that deploying subliminal, manipulative, or deceptive techniques to distort behavior and impair informed decision-making, causing significant harm, is prohibited and rated as unacceptable under the Act.

United States

The United States currently lacks federal AI legislation, except for concerns relating to AI affecting national security. However, several states have enacted their own AI laws. Colorado, Utah, Illinois, California and Texas all have their own AI Acts that tend to focus on bias, discrimination and civil rights in hiring and employment, as well as profiling. Much of this is already prohibited by various State privacy laws. Notably, President Trump has just issued an Executive Order prohibiting other states from passing further AI-focused laws. It will be interesting to see how this Order may impact US States going forward.  

APAC

Many APAC jurisdictions aim to balance AI-driven innovation with safeguards against potential abuse.

  • South Korea: new AI provisions align closest with the EU’s risk-based approach. 
  • China: legislation emphasizes risk of social unrest and other national security threats posed by generative AI, although the courts have weighed in on private sector misuse.
  • Japan: the focus is on allowing free development, but it also recently established a Cabinet-level office to monitor AI deployment and usage to adapt its policies as needed. 
  • APEC: adopted the APEC AI Initiative (2026-30) on November 4, 2025, which prioritizes AI infrastructure development in the region over restrictions on AI. 
  • Australia: released its National AI Plan on December 2, 2025, which moves away from an EU-style approach and instead emphasizes regulating AI under existing laws, supported by a newly formed regulatory body, the National AI Safety Institute.

India’s 2025 AI Governance Guidelines

India’s AI Governance Guidelines reflect its development priorities, diversity, and the evolving digital capabilities. They are structured into four main sections:

  • An action plan which outlines short-, medium-, and long-term actions, such as creating organizations and incident databases, starting sandboxes, and developing existing legislation;
  • Practical guidelines entities should adopt.
  • Six pillars of governance: a set of recommendations under which India aims to increase data access, provide specific amendments, devise risk tools tailored to India, define liability, and develop AI focused institutions. They span:
    • Infrastructure
    • Capacity Building
    • Policy and Regulation
    • Risk Mitigation
    • Accountability
    • Institutions.
  • Seven “sutras,” a set of guiding principles around AI development:  
    • Trust is the Foundation
    • People First
    • Innovation Over Restraint
    • Fairness & Equity
    • Accountability
    • Understandable by Design
    • Safety, Resilience & Sustainability

What’s distinctive about India’s approach?

Several factors seem to set India’s strategy apart from others. For example, India has already been regulating AI through existing laws, new guidelines, and sector-specific rules, such as those issued by the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI), rather than a single or overarching AI statute.

With innovation a core focus, India intends to follow a “hands-off” approach to encourage new AI development while addressing harms through existing laws. The country’s strategy is to leverage AI for economic growth by focusing on the application of AI and using existing laws for specific issues like data privacy and discrimination.

The principle behind the sutras is that innovation should take precedence over preventative restrictions, while maintaining obligations related to safety, accountability, and fairness. The key word is accountability. India’s desired goal is to seek a more direct balance between risk and growth than perhaps the obligations imposed under the EU AI Act.

India has already rolled out various extensive and unique Digital Public Infrastructure (DPI) AI platforms, which it hopes to leverage in this implementation. These include digital solutions such as Aadhaar (equivalent to a citizen ID or social security number), UPI, DigiLocker, and various data exchanges. This approach intends to utilize existing, shared digital rails for identity verification, payments, and data exchange to efficiently deliver services in crucial sectors such as healthcare, agriculture, education, and welfare, particularly focusing on low-income and rural communities.

The guidance clarifies how important it is to include legal requirements directly in AI system architecture. Some examples of this are technologies that protect privacy, standards for content authentication (like C2PA-style watermarking), and DEPA for training AI. This idea of “compliance-by-design,” similar to ‘privacy-by-design’ initially introduced in GDPR, goes beyond the stated ideas in many of the AI obligations stated elsewhere to date. 

Further, India plans to set up a Technology Policy Expert Committee, an AI Governance Group (AIGG) for high-level collaboration and coordination, and a special AI Safety Institute to test models, set standards, and participate in international safety networks.

The guidelines provide for a risk assessment and classification system that focuses on national security issues and harms that may be caused to vulnerable groups (for example, deepfakes aimed at women, child safety, language, and caste bias) instead of relying on generic risk grids. This social-context approach is thought to be a better fit for India’s population and diversity than many “one-size-fits-all” models from around the world.

India focuses on using voluntary commitments, self-certifications, transparency reports, and third-party audits before imposing strict responsibilities for AI, with a desire to provide stronger incentives like sandbox access, reputational badges, and targeted support. The systematic use of incentives to promote voluntary protections seems more common than in many other regimes.

India’s role in the governance of AI worldwide

It appears India aims to leverage AI governance as a diplomatic tool, particularly within the Global South, while also fostering local economic growth. The recommendations place India’s balanced, DPI-enabled, inclusion-first model at the center of global discussions, calling for active engagement in multilateral forums such as the G20, UN, OECD, and other similar bodies.

Through these efforts, India seeks to shape international standards in areas like child safety, content authentication, and safety testing – supported by initiatives such as hosting an AI Impact Summit and joining networks of AI safety institutes. At the same time, India aims to demonstrate that open, interoperable platforms can be used to deliver solutions that can be adopted widely. A combination of normative leadership (e.g. guiding principles, safety norms) and practical infrastructure (DPI, AI Mission, GPUs, and AI Kosh datasets) is what sets India apart from the rest of the world in its approach to AI governance.
