Artificial Intelligence

The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it proscribes be in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities.

Continue Reading Your Year-end U.S. Privacy “To Do” List – don’t wait until the holiday crush to become 2026-ready

Measures included in the digital package aim to cut red tape through “digital by default” services and applying the “once-only” principle, which will mandate public sector bodies across the EU to reuse citizen and business data instead of requiring it to be provided separately to different agencies.

On 16 September 2025, the European Commission (EC) launched a call for evidence to collect research and information on best practices for its upcoming digital package. This is a new round of feedback and follows earlier consultations on data regulation, cybersecurity rules, and the implementation of the Artificial Intelligence Act (AI Act).

Continue Reading EU Seeks Feedback on Proposed Digital Package To Simplify and Modernise Regulations

Date: September 10, 2025 at 12:00 PM EDT

Format: Live Video

Duration: 1 Hour

Description: With limited federal regulation on consumer protection, data privacy, and AI, states are stepping in, creating a patchwork of laws that vary widely in scope and enforcement. While California and Colorado set high standards, other states like Maryland, Minnesota, and Oregon are introducing even stricter measures. Additional laws around consumer health data, data brokers, and child/teen online safety further complicate the landscape.

This panel will explore key differences and overlaps in state laws, highlight enforcement trends, and offer practical strategies for enterprises to implement privacy programs across states and globally. Attendees will receive comparison charts to support compliance efforts.

Continue Reading State Privacy and AI Law Updates – A Live Legal Briefing You Won’t Want to Miss

Inside AI Policy reports that a survey of U.S. office workers indicates that across industries approximately half of survey respondents said that they do or would use AI contrary to company policy to make their job easier, including 42% of security sector workers.  The study published on August 20, 2025 by CalypsoAI, found that while 87% of respondents indicated that their employers had AI governance policies 52% are not prepared to follow restrictions, and 28% admitted to submitting sensitive or proprietary  data or documents so AI could complete a task; 29% used AI to generate something sent without, or with minimal, review; and 25% used AI without knowing if the use case was permissible.  The results for highly regulated industries are not better, and in some cases worse.  For instance, 60% of employees in financial services and banking indicated that they use AI tools regardless of company policy and 36% “don’t feel guilty about it.”

Continue Reading Rogue AI Usage and High-risk Data Processing Runs Rampant

Recently, Squire Patton Boggs Tokyo and Shanghai Partner Scott Warren was cited in an article in Lexology Pro, written by Victoria Hudgins, comparing the US and China AI action plans. Both plans set more aspirational goals, while establishing a framework for AI security. Read the article (subscription required).

In addition, Scott will be speaking

On June 30, 2025, the California Civil Rights Council (CRC) secured final approval for regulations addressing employment discrimination resulting from the use of artificial intelligence and other algorithms it collectively refers to as Automated-Decision Systems. Shortly after that, on July 24, 2025, the California Privacy Protection Agency Board approved its own long-anticipated regulations on cybersecurity

The EU AI Act is entering into force in stages. While most of its provisions will not apply until August 2026, key requirements for general-purpose AI (GPAI) models took effect much earlier, starting on August 2, 2025.

In anticipation of this earlier milestone, the Code of Practice for General-Purpose AI Models was published on the EU commission’s website on July 10, 2025. It is a voluntary tool, prepared by independent experts in a multi-stakeholder process involving nearly 1000 participants, (general-purpose AI model providers, downstream providers, industry organizations, civil society, rightsholders and other entities, as well as academia and independent experts). The Code represents an initial effort to translate the AI Act’s GPAI-specific obligations into practical measures.

It focuses on three central areas (Transparency, Copyright, and Safety and Security) and offers a framework that developers of GPAI models may rely on to demonstrate responsible practices in line with the EU’s evolving regulatory approach.

Continue Reading The EU’s Voluntary GPAI Code: Reflecting on Strategic Choices in an Evolving Regulatory Context

On July 23, 2025, the Trump Administration released Winning the Race: America’s AI Action Plan, signaling a decisive departure from the AI governance strategy set forth by the Biden Administration’s Executive Order 14110 (November 2023). While the previous framework focused on risk mitigation, civil rights, and regulatory oversight—particularly of advanced AI systems—the new plan

As companies begin to move beyond large language model (LLM)-powered assistants into fully autonomous agents—AI systems that can plan, take actions, and adapt without human-in-the-loop—legal and privacy teams must be aware of the use cases and the risks that come with them.

What is Agentic AI?
Agentic AI refers to AI systems—often built using LLMs but not limited to them—that can take independent, goal-directed actions across digital environments. These systems can plan tasks, make decisions, adapt based on results, and interact with software tools or systems with little or no human intervention.

Agentic AI often blends LLMs with other components like memory, retrieval, application programming interfaces (APIs), and reasoning modules to operate semi-autonomously. It goes beyond chat interfaces and can initiate real actions—inside business applications, internal databases, or even external platforms.

For example:

  • An agent that processes inbound email, classifies the request, files a ticket, and schedules a response—all autonomously.
  • A healthcare agent that transcribes provider dictations, updates the electronic health record , and drafts follow-up communications.
  • A research agent that searches internal knowledge bases, summarizes results, and proposes next steps in a regulatory analysis.

These systems aren’t just helping users write emails or summarize docs. In some cases, they’re initiating workflows, modifying records, making decisions, and interacting directly with enterprise systems, third-party APIs, and internal data environments. Here are a handful of issues that legal and privacy teams should be tracking now.

Continue Reading What is Agentic AI? A Primer for Legal and Privacy Teams