Back in July, we shared some good news out of California when a state court judge ruled that the newest regulations under the California Consumer Privacy Act (“CCPA”) could not be enforced until March 2024. But last week, the agency charged with enforcing the CCPA – the California Privacy Protection Agency (with the confusingly similar
Media & Privacy Risk Report
Latest from Media & Privacy Risk Report
Illinois Supreme Court: Collection of Biometric Data for Health Care Treatment, Payment, or Operations Is Exempt from BIPA
On November 30, 2023, the Illinois Supreme Court issued a much-anticipated decision in Mosby v. The Ingalls Memorial Hospital, answering a certified question about whether biometric information collected from health care workers is protected by the Illinois Biometric Information Privacy Act (BIPA) if that information is used for purposes related to health care treatment, payment,…
President Biden Issues Far-Reaching Executive Order on Artificial Intelligence
President Biden issued an Executive Order on October 30, 2023 designed to place the United States at the forefront of law and regulation of Artificial Intelligence (AI). The Executive Order on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” creates binding disclosure requirements for companies that are either developing certain large language…
AI Versus Westlaw Copyright Bellwether Hurtles Toward Jury as Summary Judgment Largely Denied
In one of the first lawsuits to allege that generative AI companies violate the U.S. Copyright Act by using copyrighted works to train machine learning models, Judge Stephanos Bibas of the Delaware Circuit Court recently denied the majority of issues raised in cross motions for summary judgment filed by plaintiff Thomson Reuters and defendant Ross…
7th Circuit Rejects “Novel Interpretation” of Restatement, Upholds Single Publication Rule
In a recent decision in a defamation case filed against a Gannett-owned publication and the Associated Press, the Seventh Circuit rejected what it dubbed a “novel interpretation” of an established legal principle, instead upholding the doctrine known as the “single publication rule.”
The U.S. Court of Appeals for the Seventh Circuit in an opinion published…
A Rise in DSARs: Why Can Data Subject Access Requests Be Such a Burden?
Under UK data protection legislation, individuals, also called “data subjects”, have the right to make a data subject access request (DSAR) to organisations that “process” their personal data. Similar rights are required by both the EU’s General Data Protection Regulation and the California Consumer Privacy Act. Amongst other things, as part of a DSAR, data…
Seventh Circuit Follows Illinois Supreme Court Precedent and Finds BIPA Claims Timely
In a ruling that maintains the status quo created by the Illinois Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, the Seventh Circuit recently affirmed the trial court’s ruling that certain of the defendant’s alleged violations of the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq.,…
SEC Proposes New Requirements to Address Conflicts of Interest in the Use of Artificial Intelligence and Similar Technologies
On July 26, 2023, the SEC issued proposed rules under the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 to address conflicts of interest that the SEC believes are associated with the use by broker-dealers and investment advisers of predictive data analytics (PDA) and PDA-like technologies, such as artificial intelligence (AI),…
SEC Proposes Amendments to the Internet Adviser Exemption
On July 26, 2023, the SEC issued proposed rules under the Investment Advisers Act of 1940 to narrow the types of smaller investment advisers that can register with the SEC in reliance on the Internet adviser exemption. Currently, an investment adviser with less than $25 million in assets under management that would ordinarily be too…
Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure
Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject…