Privacy

Subscribe to Privacy via RSS
Computer security

What was intended as a safeguard against abusive telemarketing is being twisted into a potentially far more sweeping restriction, raising serious First Amendment concerns for corporate communicators of people’s contact information. Colorado’s Prevention of Telemarketing Fraud Act’s (“PTFA”) listing provision (“Listing Provision”) threatens corporate sharing of cell phone numbers, regardless of whether these cellular phone numbers are already in the public domain. In just the past year, plaintiffs’ attorneys have filed almost 30 PTFA putative class actions, claiming that Coloradans’ cell phone numbers are presumptively private no matter how widely disseminated. In these shakedown suits, plaintiffs’ attorneys target companies for alleged knowing listing of “a cellular telephone number in a directory for a commercial purpose unless the person whose number has been listed has given affirmative consent[.]” Colo. Rev. Stat. Ann. § 6-1-304(4).Continue Reading Beware Plaintiffs Threatening the First Amendment – Colorado PTFA Listing Provision Litigation Seeks to Muzzle Freedom of Speech

The recent announcement by the states of California, Colorado and Connecticut that they are working together to carry out a joint investigative sweep has raised eyebrows across the privacy world. Last week, California Attorney General Rob Bonta, the California Privacy Protection Agency (CPPA), and the attorneys general of Colorado and Connecticut announced that they are working together to investigate businesses that refuse to honor consumers’ right to opt out of the sale or sharing of their personal data. The sweep aims especially at companies that are not processing opt-out requests made via the Global Privacy Control tool (GPC), even though it is required by law in each of the three states involved.Continue Reading Cross-State Regulatory Sweep Highlights Growing Legal Risk Around Consumer Data Opt-Outs

Faced with waves of consumer lawsuits targeting common website tools like browser cookies, tracking pixels, and live chat features, businesses are often frustrated by the outsized exposure posed by seemingly “no-injury” claims. (See, for example, last week’s post about CIPA claims.) The Ninth Circuit Court of Appeals recently provided some comfort by clarifying what a plaintiff must allege to show “concrete injury” as required for Article III standing. The court’s decision in Popa v. Microsoft Corp., No. 24-14, 2025 WL 2448824 (9th Cir. Aug. 26, 2025), strengthens defenses to online privacy claims—with broad application to other types of consumer claims as well—holding that standing requires more than just an alleged statutory violation.Continue Reading Popa v. Microsoft Corporation, et al.: Ninth Circuit Clarifies Article III Standing Requirements and Strengthens Defenses to Internet Privacy and Other Consumer Claims

cybersecurity concept Global network security technology, business people protect personal information. Encryption with a padlock icon on the virtual interface.

When we speak to clients about online privacy issues, they almost always mention the CCPA – California’s Consumer Privacy Act that regulates the collection and use of personal data. But unless they have already faced a lawsuit, pre-suit demand, or arbitration demand, our clients rarely mention the other four-letter California statute that has been the source of significant litigation over the past few years.  And that’s CIPA – California’s Invasion of Privacy Act.Continue Reading CIPA: The “Other” California Privacy Statute You Should Be Worried About

California is a bellwether for privacy laws, which is why we’ve been watching carefully as recent events suggest that business-friendly interests may be gaining a foothold in what has historically been one of the most restrictive states in the country.  Since the landmark California Consumer Privacy Act (“CCPA”) went into effect in 2020, interest groups, regulators, and politicians have been battling to impact the future of the statute and related regulations.  Meanwhile, creative plaintiffs’ lawyers have turned their focus to the California Invasion of Privacy Act (“CIPA”) to argue that California’s eavesdropping statute also applies to online tracking technologies.  But recent developments related to both the CIPA and the CCPA may give businesses reason for hope.Continue Reading Is California cooling to privacy law run amok?

On April 21, 2025, a Ninth Circuit en banc panel revived (by a 10-1 decision) a putative class action against Shopify, Inc. alleging violations of privacy and data rights via use of cookies. In reversing both the district court and the original Ninth Circuit three-judge panel, the en banc panel adopted an alarmingly expansive view of specific personal jurisdiction over Internet-based companies. We hope Shopify seeks and the U.S. Supreme Court grants certiorari.Continue Reading Opening Door to Universal Jurisdiction in Internet Cases, En Banc Ninth Circuit Finds Specific Personal Jurisdiction Over Shopify

A federal court last week sustained a First Amendment challenge to a Utah law aimed at addressing the use of social media platforms by minors, holding that the law’s proponents failed to demonstrate that the law served a compelling interest or was narrowly tailored.Continue Reading NetChoice Succeeds in Striking Down Utah Social Media Law Under First Amendment

Judge or auction gavel on Texas US America flag background. 3d illustration

On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.Continue Reading Texas Attorney General Challenges General Motors’s Collection and Sale of Driving Data

In a welcome change for defendants, a recent amendment to the Biometric Information Privacy Act (“BIPA”) is expected to significantly curtail potential damages under the statute. SB 2979, which passed the General Assembly on May 16, 2024, clarifies that damages are per individual, rather than per violation, for violations of the collection provision under Section 15(b) and the disclosure provision under Section 15(d). Continue Reading BIPA Bellwether: General Assembly provides relief from “per scan” damages

Protection network security computer and safe your data concept. Laptop working develop coding program with key on keyboard
Protection network security computer and safe your data concept. Laptop working develop coding program with key on keyboard

For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach.  There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities. Continue Reading Breach Response: Is 72 hours the new 30 days?