One of our own is helping shape the conversation. Alan Friel, Partner, and contributing author to our blog, will serve as a featured speaker in an upcoming live CLE webinar tackling one of the most rapidly developing areas of digital privacy regulatory enforcement and litigation.
In the first hour of the webinar, “Cookie Banner
The Colorado AI Act (SB24-205) is effectively frozen just weeks before its June 30, 2026 effective date, following a stay in enforcement of the law by a Magistrate Judge in the District of Colorado on April 27, 2026.
By way of background, on April 9, xAI filed suit in federal court seeking to enjoin
Recently, the United States Court of Appeals for the Seventh Circuit, in a unanimous decision, prevented plaintiffs from imposing massive liability on a company accused of violating the Illinois Biometric Information Privacy Act (“BIPA”) and held that Illinois’ 2024 amendment decreasing BIPA damages applies retroactively.
Continue Reading Seventh Circuit Holds Amendment Decreasing BIPA Exposure Applies Retroactively
On March 20, 2026, Oklahoma Governor Stitt signed the first new comprehensive state privacy law of 2026. The “Act relating to data privacy” is in force on January 1, 2027. In this post, we compare the new Oklahoma privacy law to the other 20 state consumer privacy laws already in force below.
Continue Reading Oklahoma’s New Privacy Law Sweeps In
Following unanimous votes by the California legislature and signature by the Governor, California enacted an Age-Appropriate Design Code Act (CAADCA) in September 2022 (codified at CA Civil Code Section 1798.99.28-32), as a measure purportedly “aimed at protecting the wellbeing, data, and privacy of children [under 18] using online platforms.” Industry group NetChoice soon turned to federal court and sought an injunction seeking to prevent the law from being enforced on the grounds, among others, that it violates the First Amendment and the dormant Commerce Clause of the United States Constitution and is preempted by other federal statutes addressing online child safety, including the Children’s Online Privacy Protection Act (COPPA).
Continue Reading The Future of the CA Age-Appropriate Design Code Act: What Remains, What’s Still Open to be Contested, and What Companies Must Consider for Minors’ Online Safety
In its press release relating to the Court of Justice of the European Union (CJEU) judgment of 10 February 2026 in Case C-97/23 P, the CJEU has confirmed that the action brought by an organization against a Binding Decision of the European Data Protection Board (EDPB) is admissible.
With this decision, the CJEU has clarified that organizations have a right of direct appeal against binding decisions of the EDPB on which a national authority’s decision against them is based.
Continue Reading EDPB Binding Decisions Can Be Challenged Directly by Organizations Before EU Courts
Privacy compliance has entered a new phase—one defined not only by high-profile enforcement actions but by the growing expectation that organizations implement and maintain mature information governance programs capable of validating true, system-level technical compliance rather than merely projecting the appearance of it. A spate of recent California enforcement actions makes clear that companies must be prepared to validate how privacy control’s function, including across systems, platforms, and data flows, making thoughtful, system-oriented self-assessment an increasingly important tool for aligning policy commitments with operational reality—before regulators do it for them. SPB helps client’s self-access, identify gaps and remediate issues under the cloak of privilege.
Continue Reading CalPrivacy Update: Shifting to Structural Compliance and Auditing
This week, the Supreme Court of the United States agreed to hear an appeal concerning the definition of “consumer” under the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710; long one of the most frequently litigated privacy laws. If the Court affirms the lower court’s decision, it will defeat yet another attempt by the plaintiff’s bar to penalize companies who host audio visual content on their websites.
Continue Reading Supreme Court Agrees to Resolve VPPA Circuit Split
For years, one of the most frequently litigated privacy laws has been the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, a federal statute enacted in 1988 in response to the disclosure of then-Supreme Court nominee Robert Bork’s videotape rental history by a video store to a reporter, who published the list. Despite its analogue origins, this decades-old statute has been used by the plaintiff’s bar (incentivized by the VPPA’s $2,500 per violation liquidated damages provision) in putative class action litigation brought against any business whose website contains playable videos and third-party cookies.
This past year, there were several significant court rulings in litigation under the VPPA. These decisions addressed hotly contested VPPA elements while also laying the foundation for a potential circuit split. Squire Patton Boggs’ globally ranked “Elite” Data Disputes team is well experienced defending businesses and their data practices, including in the realm of VPPA litigation and (mass) arbitration. In this article, informed by our practical experience litigating and arbitrating VPPA cases, we: (I) provide a brief primer on VPPA elements and litigation theories, (II) cover a Second Circuit decision, and other district court decisions, on the definition of personally identifiable information under the VPPA (III) address decisions from the Sixth, Seventh, and D.C. Circuits on the scope of persons who can bring VPPA claims, and (V) give an update on a recent Eighth Circuit decision regarding which businesses are subject to the VPPA. These areas are all likely to bear upon VPPA claims and ongoing litigation in 2026, making this a must read for in-house counsel and practitioners in this space.
Continue Reading 2025 Video Privacy Protection Act Litigation Year in Review
One of the most significantly litigated areas of privacy law is biometric privacy. Tools that collect biometric information and biometric identifiers—including facial geometries, fingerprint scans, and voiceprints—are increasingly common for businesses across industries. Unfortunately, such tools in recent years have become focuses of the plaintiffs’ bar.
2025 saw continued developments in litigation under Illinois’ Biometric Information Privacy Act (BIPA), one of the first and most important biometric privacy laws in the country, as well as other, lesser-litigated biometric laws. Squire Patton Boggs’ globally ranked “Elite” Data Disputes team is well experienced defending businesses and their data practices, including in the realm of biometric privacy, in both litigation and arbitration, including mass arbitration. See also https://www. privacyworld.blog/2025/12/2025-mass-arbitration-year-in-review/
In this article, informed by our practical experience litigating and arbitrating biometric cases, we: (I) provide a brief primer on BIPA and then take a look at some highlights of the 2025 biometric privacy litigation space, including (II) class action and mass arbitration activity under BIPA, (III) key questions regarding defenses to BIPA claims on appeal at the Seventh Circuit, (IV) a decision contrasting BIPA with New York City’s biometric regime, (V) developments under other biometric laws enforced by attorneys general, and (VI) the intersection of AI and biometric privacy laws.
Continue Reading 2025 Year-In-Review: Biometric Privacy Litigation