Kyle Fath, partner in the firm’s Data Privacy, Cybersecurity & Digital Assets group and Los Angeles Office, was appointed this month to serve on the Connecticut Data Privacy Act (CTDPA) working group by the joint standing committee of the Connecticut General Assembly.

Continue Reading Kyle Fath appointed to Connecticut Privacy Legislation Working Group

On Friday, September 23, the California Privacy Protection Agency (CPPA) held a Board meeting about various CPPA administrative activities.

Continue Reading Update on the California Privacy Protection Agency: Still No Date Certain for the CPRA Regulations

We head into the fourth quarter on the heels of the first public California Consumer Privacy Act (CCPA) civil penalty, while also looking ahead to the new state privacy laws in Virginia, Colorado, Connecticut, and Utah and the significant updates that the California Privacy Rights Act (CPRA) will bring to the CCPA. Considering that regulations are yet to be finalized in both California and Colorado, it is no surprise that some businesses are uncertain regarding how to proceed. To help businesses address both current risks, as demonstrated by recent enforcement, as well as the “new” 2023 privacy requirements, we have developed guidance materials, including high-level workstreams, covering the following topics:

  1. Preparing for the 2023 State Privacy Laws
  2. HR and B-to-B Data CCPA/CPRA Compliance Primer
  3. Lessons from the First CCPA Civil Penalty Case
  4. Takeaways from the First Draft of Revised CCPA/CPRA Regulations

Click here to download the guidance. More detailed guidance and workstreams, as well as model materials with customization support, are available to clients. Contact your SPB relationship partner for more information.

In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

Continue Reading Malcolm Dowden and Niloufar Massachi Discuss Vendor Contracting Requirements Under New US Privacy Laws and the GDPR

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter-approved amendments. The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2. The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.” Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.” Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving California privacy laws. Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

Welcome to the 2022 Q2 edition of the SPB Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter, your go-to source for keeping you in the know on all recent major artificial intelligence (“AI”) and biometric privacy developments that have taken place over the course of the last three months. We invite you to share this resource with your colleagues and visit Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets and Privacy & Data Breach Litigation homepages for more information about our capabilities and team. 

Q2 did not disappoint in the AI and biometric privacy space, with a number of noteworthy litigation, legislative, and regulatory developments having taken place in these two rapidly developing areas of law. Read on to see what has transpired over the last quarter and what you should keep your eyes on as we head into the second half of 2022.

Continue Reading SPB 2022 Q2 Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter

Last week, a California federal court held that a plaintiff lacked Article III standing to bring a putative class action in federal court for violations of the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq. As a result, the case was remanded back to the California state court where the plaintiff chose to file his complaint.

In Kamel v. Hibbett, Inc., No. 8:22-cv-01096-RGK-E, 2022 U.S. Dist. LEXIS 130753 (C.D. Cal. July 22, 2022), the plaintiff alleged that he made a purchase with his credit card at one of the defendants’ stores and received a receipt which contained ten digits of his credit card number.

Continue Reading California Federal Court Grants Plaintiff’s Motion to Remand FACTA Class Action to State Court

In a record-setting proposed settlement filed last week, T-Mobile has agreed to pay $350 million and boost its data security by $150 million over the next two years to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  Read on for the terms of the settlement, which may serve as a model in other high stakes data security cases going forward.

Recall that in August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information (the “Data Event”). By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack. Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information. In December 2021, the Judicial Panel on Multidistrict Litigation transferred and centralized the putative class actions into the MDL standing before the Western District of Missouri.

Continue Reading T-Mobile Agrees in MDL to Record Setting $350 Million Data Breach Settlement to Resolve CCPA and Other Privacy Claims

SPB Partner Beth Goldstein also contributed to this post.

With the powerful Committee on Energy and Commerce having approved a comprehensive, bipartisan privacy bill by a vote of 53-2, the US House of Representatives is one step closer to approving historic privacy legislation after over a decade of debate. Before formally reporting the legislation to the full House, the Committee adopted a substitute amendment that addressed concerns that had been raised in Subcommittee a few weeks ago. Among other provisions, the substitute amendment included the following changes:

  • The amended ADPPA provides an explicit right for the California Privacy Protection Agency (“CPPA”) to enforce the law. This is likely in response to calls by California Governor Newsom and the CPPA itself this week to eliminate the bill’s would-be preemption of the California Consumer Privacy Act (including as amended by the California Privacy Rights Act) (“CCPA”). Notably, however, preemption of the CCPA remains.
  • The definition of “third party” has been amended to provide that affiliated companies are considered a single covered entity if consumers reasonably expect them to share information with one another.
  • The substitute amendment provides a number of additional changes with respect to targeted advertising, including:
    • The FTC has the authority to establish global privacy control or “unified opt-out mechanisms” to allow individuals to opt out from targeted advertising.
    • The ADPPA retains its ban on targeted ads to an individual under 17, and also still considers information relating to such individuals as sensitive covered data, but has introduced a tiered knowledge approach with respect to an individual’s age.
    • Internet browsing history over time and across third party websites or online services is now considered sensitive data.
  • Sensitive covered data has been further expanded to include race, color, ethnicity, religion, and union membership, and video data as a category of sensitive covered data has been clarified to include information showing the video content requested or selected by users of consumer generated media.

The leadership of the Committee appears to have found the sweet spot on the two major issues that have bedeviled legislators for years—how and to what extent to preempt state law and the extent to which consumers can vindicate their rights through a private right of action. The substitute amendment, for example, shortened from four years to two years after the date of enactment the date by which consumers can sue over alleged privacy violations. In addition, the substitute amendment limited forced arbitration agreements with respect to claims made by individuals facing domestic violence. With preemption and the private right of action now largely resolved, only a few additional minor issues, plus further changes to the arbitration provision, appear to stand in the way of likely House passage of the bill in September, if not before the August recess begins, on a bipartisan basis.


Earlier this month CPW’s Kristin Bryan and Kyle Fath presented a webinar on “AI and Biometrics Privacy: Trends and Developments” with the International Association of Privacy Professionals (“IAPP”), the largest global community of privacy professionals.  A recording of that webinar is available to all IAPP members and available (for CPE credit) here.

As summarized in the program description on the IAPP website:

Artificial intelligence and biometrics privacy are top-of-mind issues for companies and their privacy professionals, regardless of the industry sector in which they operate. AI will soon be regulated in the U.S. in an unprecedented manner: The patchwork of 2023 state privacy laws imposes restrictions and obligations on organizations carrying out AI, profiling and automated decision-making processes, and the Federal Trade Commission is poised to promulgate regulations on automated decision-making and related topics. Organizations employing facial recognition and other biometrics technologies are under the constant threat of putative privacy class-action litigations under Illinois’ Biometric Information Privacy Act and a handful of other state laws. With BIPA copycats and similar legislation introduced across the country, and a lack of clarity in the current case law, the risk associated with biometrics will certainly continue, and likely increase. Needless to say, global developments in these areas add further complexity to organizations with international operations.

The program addresses, among others:

  • AI, biometrics and privacy compliance — Restrictions on and obligations under forthcoming privacy laws in California, Colorado, Utah and Virginia, including with respect to profiling, automated decision-making, and sensitive data.
  • AI and biometrics litigation overview — The current litigation landscape concerning AI and biometrics, including facial recognition.
  • Legislative and regulatory priorities — Pending and anticipated legislative and regulatory developments, both federal and state, as well as globally.

Kristin and Kyle are also covering on CPW key developments regarding AI and biometric privacy in the realm of regulation, compliance and litigation.  You can check out their analyses of these issues here, here and here, with contributions from David Oberly and other team members.

For more on this, stay tuned.  CPW will be there to keep you in the loop.