Automated License Plate Reader (ALPR) technology is facing increasing legal scrutiny as courts, regulators and individuals attempt to examine and expose the various ways in which license plate data is captured, collected, shared and used. Recent disputes over ALPR technology have shifted away from issues of public safety and toward whether the private sector businesses and governmental organizations, among others, that utilize ALPR adequately disclose its use and sharing, as well as implement proper safeguards around this potentially sensitive, location-based personal information.

1. Private Sector’s Failure to Disclose Use of ALPR Technology Can Be Sufficient to Constitute Harm to Consumers

The private sector’s use of ALPR technology is facing challenges and possible legal exposure. In February of this year, California’s First Appellate District addressed the requirements imposed by the state’s ALPR Law in Bartholomew v. Parking Concepts, Inc., and in particular addressed what constitutes sufficient “harm” under the law to state a claim. In that matter, the plaintiff alleged that a parking garage owned and operated by Parking Concepts collected his license plate data without making a privacy policy regarding the collection publicly available. First, the Court determined that the parking garage camera system constituted an ALPR system under the law – that is, that it was “a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.” But more importantly, the Court concluded that using ALPR technology without a publicly disclosed privacy policy stating when and how ALPR is collected and used violates an individual’s “right to know” of the activity, which is sufficient to allege harm under the law.

Continue Reading Automated License Plate Reader Technology Raises Concerns Over Private Sector Compliance and Government Overreach

When Colorado enacted the first comprehensive state AI law in 2024, it imported the conceptual architecture of the EU AI Act: a risk-based regime built on duties of care, risk management programs, and impact assessments. Two years later, and within a matter of weeks, the state has dismantled that legislation. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals SB 24-205 and replaces it with a disclosure-and-rights framework focused on automated decision-making technology (“ADMT”). The new framework takes effect January 1, 2027.

The substance of the rewrite has been well-covered already. Less examined is how Colorado got here, and what the speed and direction of the pivot signal for the rest of the state AI regulatory landscape. The new bill was signed within two weeks of its introduction. The Governor’s AI Policy Working Group did the heavy lifting in advance: roughly six months of stakeholder consultation produced the draft framework released on March 17, 2026. But the final two-week sprint reflects pressure to land the rewrite before the original AI Act’s June 30, 2026 effective date and amid escalating federal headwinds.

Continue Reading Colorado’s AI Reset: Two Weeks, a White House Callout, and a Pivot Away from the EU Model

Software procurement has become a central feature of modern business operations. Organizations increasingly rely on third‑party tools to support internal workflows, manage data, and deliver products and services to customers. As a result, vendor due diligence is no longer a purely procurement or contracting function. It is a core risk management exercise.

Despite this shift, many organizations still approach software procurement in a linear way. The business identifies a tool, procurement advances the deal, and Legal is brought in late to review contract terms. That approach assumes software presents a uniform level of risk.

It does not.

The legal and regulatory risk associated with software depends heavily on how the tool is used, what data it processes, and how much the business or its customers rely on its outputs. Understanding those factors early is essential to allocating risk appropriately and drafting contracts that reflect operational reality.

Continue Reading Rethinking Vendor Due Diligence: Software Procurement Starts Before the Contract

Legal500 featured an article by Seyfarth partners Kathleen McConnell and Lauren Gregory Leipold, and associate Daniel Riley, “AI Governance In (and Beyond) Privacy: Regulatory Tensions in Automated Decision‑Making, the Digital Authenticity Crisis, and Restrictions on Professional Use.”

The piece, published as a part of the Legal500 Country Comparative Guides, examines the rapidly evolving legal landscape governing artificial intelligence and its intersection with privacy, consumer protection, employment law, and professional responsibility.

The article highlights how US AI regulation is emerging through a fragmented mix of state privacy laws, AI‑specific statutes, ethics rules, and intellectual property doctrines, creating significant compliance challenges for organizations deploying AI at scale. The authors outline three key regulatory fronts—automated decision‑making, synthetic content and digital authenticity, and profession‑specific governance—and emphasize the need for proactive, enterprise‑wide AI governance strategies that extend beyond traditional privacy compliance.

As McConnell, Leipold, and Riley explain:

“Organizations cannot rely on any single legal regime, whether privacy, cybersecurity, or professional ethics, to define the boundaries of responsible AI use.”

The full article is available here.

When the California Privacy Protection Agency (“CalPrivacy”) announced a $1.35 million settlement in September 2025 – the largest CCPA penalty to date – one of the itemized grievances stood out for any practitioner who has wrestled with a vendor redline: the company had failed to amend or enter into third-party data protection vendor contracts by regulatory deadlines.

This hints at where state privacy enforcement is heading. The consumer-facing side of privacy compliance – notices, opt-out links, cookie banners – is visible and testable. But the back-end architecture of a compliant privacy program lives at least in part in vendor contracts, and regulators increasingly treat those contracts as evidence of program maturity (or its absence). Nowhere is this more concrete than in California’s 11 CCR § 7051.

Continue Reading The Paper Trail: State Privacy Law Contracting Requirements

The lesson from the PocketOS database deletion is not that agentic AI is dangerous. It’s about governance and controls.

You have probably seen some version of the headline by now: “AI Agent Deletes Company’s Entire Database in 9 Seconds.” It is a compelling story. But the headline, while technically accurate, obscures the far more important lesson buried in the details.

So what actually happened? PocketOS, a small SaaS company that makes software for car rental businesses, was using a popular AI-powered code editor running on Anthropic’s Claude Opus 4.6 model. The AI agent was tasked with resolving a routine issue in a staging environment. When it hit a credential mismatch, the agent decided on its own initiative to “fix” the problem by deleting a volume on Railway, the company’s cloud hosting provider. The agent found a password in an unrelated file and used it to execute a deletion command. Because of the permissions made available to the agent and the way access to the infrastructure was configured, that single command, using a password that was valid across all systems, wiped both the production database and all associated backups.

The agent, when asked to explain itself, produced what multiple outlets described as a “confession,” acknowledging it had violated its own safety instructions. The story has gone viral. The framing in most coverage puts the AI squarely at the center of the narrative: the agent “went rogue,” it “confessed,” it acted autonomously and destroyed a business. But the reports are not entirely accurate and usually miss the point.

Continue Reading The AI Didn’t Go Rogue. Guardrails Were Never There.

As another piece of harmonization legislation, the AI Act is unsurprisingly reminiscent of the GDPR in regulatory philosophy. Many of the same data principles (transparency, accuracy, security) are present, as is an explicit risk-based approach. Understanding precisely where there is overlap with your existing GDPR program is a head start in your AI Act compliance program design. But it is also important to recognize where the two frameworks diverge. The GDPR regulates what happens to personal data: the legal basis for collection, how it is used, how long it is kept, and who can access it. The AI Act generally regulates the AI system itself – namely, how it is designed, tested, documented, governed, and deployed. While that difference in regulatory object creates structural differences in inputs and outputs, the framework itself does have a lot of commonalities.

This post suggests a strategy for efficiently building a unified compliance framework for both regimes.

Continue Reading One Compliance Program for Two Frameworks: Aligning the EU AI Act and GDPR for Efficiency

Episode 14 is now live. In this episode of Consumer Counterpoint, we sit down with Chicago partner Jay Carle to discuss the launch of Seyfarth’s new D.A.T.A. Law practice group. Jay shares insights into the group’s multidisciplinary approach and how it’s designed to help clients stay ahead of emerging data and technology challenges.


Over the past decade, a vibrant defense‑innovation ecosystem has emerged across the U.S. and Europe, powered by venture‑backed defense tech startups, dual‑use technology companies, and commercial‑first innovators entering national‑security markets. As these companies begin collaborating with defense agencies, they encounter compliance obligations for handling sensitive government information. For those seeking to enter the US national security innovation sector, the center of attention remains on safeguarding Controlled Unclassified Information (CUI).

While the recently codified Cybersecurity Maturity Model Certification (CMMC) addresses more than CUI, its principal aim is to remediate inconsistent compliance with the implementation of the NIST SP 800-171 controls required to safeguard CUI in the Defense Federal Acquisition Regulation Supplement (DFARS). Whether or not a company sees itself as a “defense contractor,” understanding CUI and CMMC is rapidly becoming essential for participating in this expanding global ecosystem.

Against that backdrop, this post outlines CUI’s role within CMMC, identifies the primary sources of the underlying safeguarding obligations, and explains how CMMC operationalizes verification of those requirements, especially at Level 2.

Continue Reading Safeguarding Sensitive Government Information: Why the Cybersecurity Maturity Model Certification (CMMC) Matters for the Global Defense Innovation Ecosystem

Introduction

Robotics and artificial intelligence are converging at an unprecedented pace. As robotics systems increasingly integrate AI-driven decision-making, businesses are unlocking new efficiencies and capabilities across industries from manufacturing and logistics to healthcare and real estate.

Yet this convergence introduces complex legal and regulatory challenges. Companies deploying AI-enabled robotics must navigate issues related to data privacy, intellectual property, workplace safety, liability, and compliance with emerging AI governance frameworks.

The Shift: Robotics as an AI Subset

Traditionally, robotics was viewed as a standalone discipline focused on mechanical automation. Today, robotics is increasingly powered by machine learning algorithms, natural language processing, and predictive analytics—hallmarks of AI technology.

This evolution raises critical questions for legal teams:

  • Who owns the data generated by AI-enabled robots?
  • How do we allocate liability when autonomous systems make decisions without human intervention?
  • What contractual safeguards should be in place when outsourcing robotics solutions to third-party vendors?

As robotics increasingly incorporates AI functionality, traditional contract structures for hardware procurement and service agreements require significant updates. This evolution introduces new risk categories that must be addressed through precise drafting and negotiation.

Continue Reading The AI-Driven Evolution of Robotics