California is a bellwether for privacy laws, which is why we’ve been watching carefully as recent events suggest that business-friendly interests may be gaining a foothold in what has historically been one of the most restrictive states in the country.  Since the landmark California Consumer Privacy Act (“CCPA”) went into effect in 2020, interest groups, regulators, and politicians have been battling to impact the future of the statute and related regulations.  Meanwhile, creative plaintiffs’ lawyers have turned their focus to the California Invasion of Privacy Act (“CIPA”) to argue that California’s eavesdropping statute also applies to online tracking technologies.  But recent developments related to both the CIPA and the CCPA may give businesses reason for hope.Continue Reading Is California cooling to privacy law run amok?

On April 21, 2025, a Ninth Circuit en banc panel revived (by a 10-1 decision) a putative class action against Shopify, Inc. alleging violations of privacy and data rights via use of cookies. In reversing both the district court and the original Ninth Circuit three-judge panel, the en banc panel adopted an alarmingly expansive view of specific personal jurisdiction over Internet-based companies. We hope Shopify seeks and the U.S. Supreme Court grants certiorari.Continue Reading Opening Door to Universal Jurisdiction in Internet Cases, En Banc Ninth Circuit Finds Specific Personal Jurisdiction Over Shopify

A federal court last week sustained a First Amendment challenge to a Utah law aimed at addressing the use of social media platforms by minors, holding that the law’s proponents failed to demonstrate that the law served a compelling interest or was narrowly tailored.Continue Reading NetChoice Succeeds in Striking Down Utah Social Media Law Under First Amendment

On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.Continue Reading Texas Attorney General Challenges General Motors’s Collection and Sale of Driving Data

In a welcome change for defendants, a recent amendment to the Biometric Information Privacy Act (“BIPA”) is expected to significantly curtail potential damages under the statute. SB 2979, which passed the General Assembly on May 16, 2024, clarifies that damages are per individual, rather than per violation, for violations of the collection provision under Section 15(b) and the disclosure provision under Section 15(d). Continue Reading BIPA Bellwether: General Assembly provides relief from “per scan” damages

For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach.  There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities. Continue Reading Breach Response: Is 72 hours the new 30 days?

Back in July, we shared some good news out of California when a state court judge ruled that the newest regulations under the California Consumer Privacy Act (“CCPA”) could not be enforced until March 2024.  But last week, the agency charged with enforcing the CCPA – the California Privacy Protection Agency (with the confusingly similar abbreviation of the “CPPA”) – won reversal of that opinion on appeal.  The ruling now gives the CPPA the authority to begin enforcing immediately the regulations that it enacted in March 2023.Continue Reading Delay Lifted in CCPA Regulations Enforcement

Under UK data protection legislation, individuals, also called “data subjects”, have the right to make a data subject access request (DSAR) to organisations that “process” their personal data.  Similar rights are required by both the EU’s General Data Protection Regulation and the California Consumer Privacy Act.  Amongst other things, as part of a DSAR, data subjects can expect to receive a copy of their personal data.Continue Reading A Rise in DSARs: Why Can Data Subject Access Requests Be Such a Burden?

In a highly anticipated decision issued in February 2023, the Illinois Supreme Court held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each and every time biometric data or information is collected, scanned and/or disclosed.  Defendant White Castle System, Inc. (“White Castle”) filed a petition for rehearing, seeking to overturn the Cothron decision.  On July 18, 2023, the Illinois Supreme Court denied White Castle’s petition and left in place a standard that is likely to have a profound impact on the valuation of BIPA claims.   Continue Reading BIPA Bellweather: Back to the BIPA Norm—Illinois Supreme Court Refuses to Reconsider Cothron Decision