Category Archives: U.S. State Privacy Laws

Mitigating AI Risks for Customer Service Chatbots

by Avi Gesser, Jim Pastore, Matt Kelly, Gabriel Kohan, Melissa Muse, and Joshua A. Goland

Top left to right: Avi Gesser, Jim Pastore, and Matt Kelly. Bottom left to right: Gabriel Kohan, Melissa Muse and Joshua A. Goland (photos courtesy of Debevoise & Plimpton LLP)

Online customer service chatbots have been around for years, allowing companies to triage customer queries with pre-programmed responses that addressed customers’ most common questions. Now, Generative AI (“GenAI”) chatbots have the potential to change the customer service landscape by answering a wider variety of questions, on a broader range of topics, and in a more nuanced and lifelike manner. Proponents of this technology argue companies can achieve better customer satisfaction while reducing costs of human-supported customer service. But the risks of irresponsible adoption of GenAI customer service chatbots, including increased litigation and reputational risk, could eclipse their promise.

We have previously discussed risks associated with adopting GenAI tools, as well as measures companies can implement to mitigate those risks. In this Debevoise Data Blog post, we focus on customer service chatbots and provide some practices that can help companies avoid legal and reputational risk when adopting such tools.

Kentucky Set to Enact Comprehensive State Privacy Law

by Lisa Sotto, Marshall Mattera, and Amanda Pervine

Lisa Sotto and Marshall Mattera (photos courtesy of Hunton Andrews Kurth LLP)

Update: On April 4, 2024, Governor Andy Beshear signed H.B. 15 into law, making Kentucky the 16th state to enact a comprehensive data privacy law.

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill (“H.B. 15”), which was delivered to the Governor for signature.  If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.  

State Governments Move to Regulate AI in 2024

by Louis W. Tompros, Arianna Evers, Eric P. Lesser, Allie Talus, and Lauren V. Valledor

(Left to right) Louis W. Tompros, Arianna Evers, Eric P. Lesser, Allie Talus, and Lauren V. Valledor (Photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

Recently, New York Governor Kathy Hochul proposed sweeping artificial intelligence (AI) regulatory measures intended to protect against untrustworthy and fraudulent uses of AI. Presented as part of her FY 2025 Executive Budget, the bill would amend existing penal, civil rights and election laws—establishing a private right of action for voters and candidates impacted by deceptive AI-generated election materials and criminalizing certain AI uses, among other measures. Governor Hochul’s proposals are part of a wider trend of governors and state lawmakers taking more expansive measures to regulate AI that deserve attention from businesses developing and using AI.

U.S. Cybersecurity and Data Privacy Outlook and Review – 2024

by Alexander H. Southwell and Snezhana Stadnik Tapia

From left to right: Alexander H. Southwell and Snezhana Stadnik Tapia (photos courtesy of Gibson, Dunn & Crutcher LLP)

As with previous years, the privacy and cybersecurity landscape continued to evolve substantially over the course of 2023. We recently provided a review of some of the most significant developments on this topic in the U.S. in the eleventh edition of Gibson Dunn’s U.S. Cybersecurity and Data Privacy Outlook and Review.

Below we summarize the past year’s developments and future prospects, including the wave of new privacy and cyber legal and regulatory advances at the federal and state levels. This past year, states continued to take the lead on enacting privacy legislation and branches of the federal government focused on data security, sensitive data, and artificial intelligence (“AI”). The surge of civil litigation with respect to web-tracking technologies also endured. In 2024, we expect an amplified focus on privacy and cybersecurity issues, as well as with respect to emerging technologies such as AI, to continue.

Navigating Compliance Risks in Robotics Applications within EU and US Legal Frameworks

by Wanda R. Lopuch Ph.D

New Technologies in the European Union and the United States

(Photo courtesy of author)

In the realm of technological innovation, robotics stands out due to its rapid growth and transformative potential. However, this potential brings myriad compliance risks, particularly when navigating the complex legal landscapes of the European Union (EU) and the United States (US). Below, I explore these risks, focusing on the divergent legal frameworks of the EU and the US and the challenges they pose to robotics application.

CPPA’s Regulatory Enforcement Restored: It’s Time to Get Compliant

by Beth Burgin Waller and Patrick J. Austin

From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

For businesses subject to the California Consumer Privacy Act (CCPA), privacy compliance just became urgent. A California appellate court agreed on February 9, 2024 with the California Privacy Protection Agency (CPPA) that there is no statutory requirement for a one-year gap between approval of privacy regulations and enforcement of those regulations. Overturning a stay of enforcement at the trial court level, the California appellate court held that CCPA regulations can be enforceable upon finalization. This means that, for businesses subject to the CCPA, there is no ramp-up period between new regulations being finalized and the agency enforcing those new regulations.

New Wave of Website Privacy Lawsuits Under the Pen Register and Trap and Trace Device Theory

by Aidan Gross and Halyna Hnatkiv

From left to right: Aidan Gross and Halyna Hnatkiv (photos courtesy of Hunton Andrews Kurth LLP)

In the latest evolution of lawsuits challenging technologies that track website users, California class action plaintiffs have begun to file under a new theory—the pen register and trap and trace device theory under Section 638.51 of the California Invasion of Privacy Act (“CIPA”).

Over the last two years, courts have seen an influx of putative class action lawsuits targeting businesses with websites that utilize technology to track users’ website interactions. Most of the lawsuits have been filed in California under CIPA. These previous lawsuits alleged a violation of section 631 of CIPA, which protects against (1) intentional wiretapping of any telegraph or telephone wire, line or cable; (2) willfully and without the consent of all parties attempting to learn the contents of a communication in transit; and (3) attempting to use or communicate information obtained as a result of engaging in either activity. The statutory penalty is $5,000 per violation.

The cases have often failed at the motion to dismiss stage. Courts have dismissed some suits for lack of standing given the absence of a concrete injury. A number of courts have found that the information collected must in itself have a reasonable expectation of privacy. Plaintiffs are now trying their luck under the pen register and trap and trace theory.

Top 5 State Privacy Issues We’re Monitoring This Year

by Alysa Z. Hutnik and Alexander I. Schneider

Alysa Z. Hutnik and Alexander I. Schneider (Photos courtesy of Kelley Drye & Warren LLP)

The year ahead promises to be busy on the state privacy front. States are continuing to fill the gap at the federal level by implementing comprehensive state laws that guarantee consumer privacy rights and regulate data sales, targeted advertising, and sensitive data.

Now, more states than ever are jumping on the bandwagon with comprehensive privacy laws on the books in more than 25 percent of U.S. states and new legislative efforts underway in many other states. In 2024, new laws in Florida, Tennessee, Texas, and Oregon will take effect, joining laws already in effect in California, Colorado, Connecticut, Utah, and Virginia. Laws focused on consumer health data take effect in Washington and Nevada in March as well.

New Jersey Governor Signs Comprehensive Privacy Law

by Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins

From left to right: Nancy Libin, David L. Rice, John D. Seiver, and Benjamin Robbins. (Photos courtesy of Davis Wright Tremaine LLP)

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill 322 (“the Act”), making New Jersey the fourteenth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware.  The Act will take effect on January 16, 2025.

Looking Back at Fall 2023 PCCE Events: Conference on Security, Privacy, and Consumer Protection

As we prepare for a full schedule of events in 2024, the NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is taking a moment to reflect on our busy Fall 2023 program. In this post, we review our November 17, 2023 full day conference on Security, Privacy, and Consumer Protection.

(©Hollenshead: Courtesy of NYU Photo Bureau)
