US

Mass arbitrations—where a plaintiffs’ firm brings dozens, hundreds, or thousands of identical claims against a business—is a mechanism increasingly relied upon by the plaintiffs’ bar in the past few years.  This is because mass arbitrations enable a plaintiffs’ firm to create settlement pressure by leveraging unavoidable arbitration fees borne by a business regardless of the merits of the claims filed.  Further powered by litigation funding, plaintiffs’ firms have used the mass arbitration device to bring vexatious claims and escape review of the merits or any downside risk.Continue Reading 2025 Mass Arbitration Year in Review

A Domino’s customer may proceed in her putative class action for violations of the California Invasion of Privacy Act (CIPA) against ConverseNow for its provision of an AI virtual assistant that processes restaurant telephone orders. In Taylor v. ConverseNow Technologies, Inc., Case No. 25-cv-00990-SI, 2025 WL 2308483 (N.D. Cal. Aug. 11, 2025), the Court

This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.Continue Reading California Federal Court Urges California Legislature to Clean Up “Total Mess” of State Wiretap Act, Dismisses Claim for Website Tracking

Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA)’s prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In a recent ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.Continue Reading Federal Court Dismisses “Trap and Trace” Lawsuit for Plaintiff’s Lack of Injury

In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025).  However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On the balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.Continue Reading Federal Court Holds That Button-Click Data From Public Website Can Disclose Patient Status in Violation of the ECPA

Announcing the July 31, 2025, effectiveness of Minnesota’s strict consumer privacy law (CPL), the Act’s author said in a press release that he will be personally making requests to a “long list of ‘data brokers’ … [to] provide a timely ‘test case’ that we can use to measure compliance….”  Until January 31, 2026, businesses will have 30 days to cure violations.Continue Reading Minnesota’s Comprehensive Privacy Law Takes Effect – and Enforcement Efforts Begin Immediately

On July 23, 2025, the Trump Administration released Winning the Race: America’s AI Action Plan, signaling a decisive departure from the AI governance strategy set forth by the Biden Administration’s Executive Order 14110 (November 2023). While the previous framework focused on risk mitigation, civil rights, and regulatory oversight—particularly of advanced AI systems—the new plan

Many organizations have been working diligently to comply with the 13 state consumer privacy laws (CPLs) in effect in the first half of 2025 (14 if you count Florida). Some have chosen to comply on a state-by-state basis and others have followed the high-watermark approach of applying the strictest standard from among the CPLs to all states with CPLs or on a nationwide basis. Regardless of the chosen approach, the next six months brings a new batch of CPLs, some with material differences from the earlier generations, starting as early as July 1, 2025. In addition, amendments to CPLs already in effect will bring new obligations and requirements for many businesses during the second half of 2025. Accordingly, if these changes were not prospectively addressed, now is the time to confirm which of new CPLs are applicable, and timely revise privacy notices and compliance program procedures. Also, with the increase in CPL enforcement, and the growing size and frequency of civil penalties, now is also a good time for an overall privacy compliance checkup. 

(A list of the 20 CPLs and their effective dates and applicability thresholds is included in an appendix at the end.)Continue Reading The Second Half of the Year Brings New State Privacy Obligations – Are You Ready?

State consumer privacy enforcers have been turning up the heat on recalcitrant data controllers that have incomplete, inadequate or broken consumer privacy law (CPL) protection programs.  On July 8, the Office of the Attorney General of Connecticut (CT OAG) announced a settlement with TicketNetwork, Inc related to deficiencies in the company’s privacy notice and non-compliance with consumer rights requirements. This came just a week following California’s announcement of its largest consumer privacy law settlement to date — US $1.55 million, involving an online publisher known as Healthline. A post breaking that case down will follow shortly.  Today we look at the Connecticut case.Continue Reading Connecticut’s Recent Privacy Settlement Shows that Organizations Should Remain Cognizant of Privacy Law Obligations Outside of California

The rulemaking process on California’s Proposed “Regulations on CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology, and Insurance Companies” (2025 CCPA Regulations) has been ongoing since November 2024.  With the one-year statutory period to complete the rulemaking or be forced to start anew on the horizon, the California Privacy Protection Agency (CPPA) voted unanimously to move a revised set of draft regulations forward to public comment on May 1, which began May 9 and closes at 5 pm Pacific June 2, 2025.  The revisions cut back on the regulation of Automated Decision-making Technology (ADMT), eliminate the regulation of AI, address potential Constitutional deficiencies with regard to risk assessment requirements and somewhat ease cybersecurity audit obligations.  This substantially revised draft is projected by the CPPA to save California businesses approximately 2.25 billion dollars in the first year of implementation, a 64% savings from the projected cost of the prior draft.Continue Reading Revised Draft California Privacy Regulations Lessen Impact on Business