Photo of Kyle Dull

Kyle Dull

Building a customer base is time-consuming and expensive. Engaging existing customers is often easier and more profitable than acquiring new customers.  In the US, email and other targeted marketing is a low-cost and high-ROI way to foster this engagement, which makes collecting customers’ email addresses (and other personal information) a high priority for marketers.  But, marketers beware: laws in California and Massachusetts that limit the collection of email addresses (and other personal information) at the point of purchase are an increasingly popular source of class action legal risk. While the laws in California and Massachusetts are popular with plaintiffs’ counsel now, several other states have similar laws, applying to different categories of information (e.g., some state laws only apply to address and telephone number) and transactions and varying enforcement mechanisms (e.g., criminal penalties or state attorney general enforcement).

Key Takeaways

  • Ensure that retail location staff understand that the collection of a customer’s personal information that is not required to complete a transaction must be the customer’s choice.  Requesting a customer email address or other contact data during the purchase process – such as for tailored discounts and rewards – is permitted as long as the customer knows it is voluntary, i.e., not required to complete the purchase transaction.  Further, to avoid errors and discourage claims clearly delineate subscriptions from transactions by separating sign-ups from purchases.
  • Check that etailer (i.e., e-commerce stores)  purchase transaction flows do not require additional personal information that is not necessary to complete the transaction and clearly disclose to customers what is and is not required. 
  • Beware of personal information collection by cookies, pixels and similar technology active on purchase transaction web pages.
  • Implement written policies and procedures – whether online or off – to document what personal information collected is mandatory vs. voluntary.

Continue Reading Collecting Personal Information during Checkout: Balancing Consumer Rights with Business Marketing

The Federal Communications Commission (“FCC” or “Commission”) continues its regulatory focus on Artificial Intelligence (“AI”) in the communications world, with the issuance of new proposed regulations designed to protect consumers from harmful AI-generated communications, targeting robocalls, automated texting, and political advertising.

The FCC has formally moved forward with a combined Notice of Proposed Rulemaking and Notice of Inquiry (“NPRM/NOI”) “to protect consumers from the abuse of AI in robocalls alongside actions that clear the path for positive uses of AI, including its use to improve access to the telephone network for people with disabilities.”

The NPRM/NOI, released on August 8, 2024, seeks public comment on many of the major provisions that Squire Patton Boggs previously reported on in the draft proposal, albeit with some changes.  These include, for example:Continue Reading FCC Moves Forward with Proposed Rules for Use of Artificial Intelligence with Robocalls and Political Advertisements

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws.  Three legislatures made it to the finish line.  One – Minnesota’s state legislature passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th.  Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.Continue Reading Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

Acting expeditiously in part in response to recent events, the Federal Communications Commission (“FCC”) declared on February 8 that the Telephone Consumer Protection Act’s “restrictions on the use of ‘artificial or prerecorded voice’ encompass current [artificial intelligence (“AI”)] technologies that generate human voices.” Therefore, the FCC ruled “calls that use such technologies fall under the TCPA and the [FCC’s]…implementing rules and…require the prior express consent of the called party to initiate such callas absent an emergency purpose or exemption.” If telemarketing is involved, prior express written consent is required. However, contrary to other media reports, the FCC ruling neither bans use of AI, nor even requires consent to use AI to create content that is in text or that is subsequently converted into artificial voice. Rather, it merely equates AI-voice generation to other forms of artificial or prerecorded voice messages for TCPA consent purposes. Since prior express consent to use of artificial or prerecorded voice messages is what the TCPA requires, that is what the consent should cover. However, it is advised that the use of AI to generate such audio content should also be disclosed as part of the consent.Continue Reading FCC Rules Voice-Cloned Robocalls Are Covered by the TCPA as Artificial/Pre-Recorded

As state legislation increasingly regulates sensitive data, and expands the concepts of what is sensitive, the Federal Trade Commission (“FTC” or “Commission”) is honing-in on sensitive data processing in expanding its unfairness authority in relation to privacy enforcement. The FTC’s recent enforcement activities regarding location aware data is a good example. As we have previously reported here and here, Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Commission that has the potential to redefine the legal bounds of sensitive data collection, use and sharing and the data brokering industries on a federal level.Continue Reading Sensitive Data Processing is in the FTC’s Crosshairs

On January 18, during a luncheon fireside chat at the California Lawyers Association’s UCL Institute event in Los Angeles, Federal Trade Commission (“FTC”) Bureau of Consumer Protection Director Samuel Levine shared his insights on what data practices are of concern to him and to the FTC.  Companies should take heed of his comments, the highlights

On January 8, New Jersey’s General Assembly and Senate passed a consumer privacy bill, S332, which would grant New Jersey residents several rights, and obligate controllers and processors of New Jersey residents to take action. The law is similar to consumer privacy laws passed last year in other states, with some distinctions.

Note: