Episode 14 is now live. In this episode of Consumer Counterpoint, we sit down with Chicago partner Jay Carle to discuss the launch of Seyfarth’s new D.A.T.A. Law practice group. Jay shares insights into the group’s multidisciplinary approach and how it’s designed to help clients stay ahead of emerging data and technology challenges.
US Privacy Law
Safeguarding Sensitive Government Information: Why the Cybersecurity Maturity Model Certification (CMMC) Matters for the Global Defense Innovation Ecosystem
Over the past decade, a vibrant defense‑innovation ecosystem has emerged across the U.S. and Europe, powered by venture‑backed defense tech startups, dual‑use technology companies, and commercial‑first innovators entering national‑security markets. As these companies begin collaborating with defense agencies, they encounter compliance obligations for handling sensitive government information. For those seeking to enter the US national security innovation sector, the center of attention remains on safeguarding Controlled Unclassified Information (CUI).
While the recently codified Cybersecurity Maturity Model Certification (CMMC) addresses more than CUI, its principal aim is to remediate inconsistent compliance with the implementation of the NIST SP 800-171 controls required to safeguard CUI in the Defense Federal Acquisition Supplement (DFARS). Whether or not a company sees itself as a “defense contractor,” understanding CUI and CMMC is rapidly becoming essential for participating in this expanding global ecosystem.
Against that backdrop, this post outlines CUI’s role within CMMC, identifies the primary sources of the underlying safeguarding obligations, and explains how CMMC operationalizes verification of those requirements, especially at Level 2.
The AI-Driven Evolution of Robotics
Introduction
Robotics and artificial intelligence are converging at an unprecedented pace. As robotics systems increasingly integrate AI-driven decision-making, businesses are unlocking new efficiencies and capabilities across industries from manufacturing and logistics to healthcare and real estate.
Yet this convergence introduces complex legal and regulatory challenges. Companies deploying AI-enabled robotics must navigate issues related to data privacy, intellectual property, workplace safety, liability, and compliance with emerging AI governance frameworks.
The Shift: Robotics as an AI Subset
Traditionally, robotics was viewed as a standalone discipline focused on mechanical automation. Today, robotics is increasingly powered by machine learning algorithms, natural language processing, and predictive analytics—hallmarks of AI technology.
This evolution raises critical questions for legal teams:
- Who owns the data generated by AI-enabled robots?
- How do we allocate liability when autonomous systems make decisions without human intervention?
- What contractual safeguards should be in place when outsourcing robotics solutions to third-party vendors?
As robotics increasingly incorporates AI functionality, traditional contract structures for hardware procurement and service agreements require significant updates. This evolution introduces new risk categories that must be addressed through precise drafting and negotiation.
California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know
On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations for the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. These cover Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications for the CCPA’s applicability to Insurance Companies. The package will move into its final review stage before formal enactment, once filed with the California Office of Administrative Law.
CCPA Steering Toward Operational Compliance
This is a clear signal that privacy compliance expectations in California are trending toward a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially when automated decision-making and high-risk data processing are involved. For companies, this is more than just a theoretical update – it’s a clarion call to ensure these requirements are built into day-to-day governance, technology and process design, and vendor management practices.
CIPA’s Cookie Exception Bill (SB 690) Passes Senate, Proceeds to State Assembly
On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690), a bill that seeks to add a “commercial business purposes” exception to the California Invasion of Privacy Act (CIPA).
After multiple readings on the Senate floor, SB 690 passed as amended, and will now proceed to the California State Assembly. SB…
CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail
The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.
Not Just Tools – Working Tools
The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.
The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.
A New Year and New Compliance Requirements: Additional State Privacy Laws Take Effect in 2025
As 2025 begins, businesses across the U.S. will be required to navigate an even more expanded landscape of state-level privacy regulations. In all, eight states are introducing comprehensive privacy laws, further adding to the growing patchwork of privacy requirements in the U.S.
January is kicking off with a flurry as five states (Iowa, Delaware, Nebraska, New Hampshire, and New Jersey) implement their laws in the first two weeks. Later this year, Tennessee, Minnesota, and Maryland will join the mix. For companies operating in the U.S., staying ahead in this shifting regulatory environment is essential. Failure to comply could result in hefty penalties, legal exposure, and a loss of consumer trust.
The good news? Businesses already aligned with current privacy laws may only need minor updates to meet the new requirements. However, it is important to be aware of all consumer-facing interactions, data collections, and sharing of personal information in each state to keep a firm handle on your compliance obligations.
BIPA LEGISLATIVE UPDATE: Governor Pritzker Signs Amendment Limiting Damages To A Single Recovery
Seyfarth Synopsis: Earlier this year, we reported that the Illinois Senate passed Senate Bill 2979 with a vote of 46 to 13, and the Illinois House of Representatives passed Senate Bill 2979 with a vote of 81 to 30. This bill addressed concerns arising from recent legal interpretations of the Illinois Biometric Information Privacy Act (“BIPA,” 740 ILCS 14/ et seq.), particularly following the Illinois Supreme Court’s 2023 decision in Cothron v. White Castle System Inc., in which the Court held that a claim under BIPA accrues each time that an individual’s biometric information or identifier is captured or collected.
HHS Strengthens HIPAA Rules to Protect Reproductive Health Privacy
Seyfarth Synopsis: This past Monday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued its final rule aimed at strengthening the HIPAA Privacy rules as they are applied to reproductive health data.
On the heels of the release of the 2022 US Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, the Biden Administration directed the Federal agencies to examine what they could do to protect women’s health and privacy. Shortly thereafter, HHS released guidance under HIPAA related to reproductive health care services under a health plan, focusing on information required to be disclosed by law, for law enforcement purposes, and to avert a serious threat to health or safety (see our earlier Alert here). Then, in April 2023, HHS issued proposed modifications to the HIPAA Privacy Rule aimed at these concerns. A year later, the agency finalized those rules on April 22, 2024 – the Final Rule.
Privacy In Focus: BIPA’s Current Landscape and the Crucial Role of Statutory Exemptions
This blog is cross-posted on the Consumer Class Actions blog site as well.
Throughout much of 2023, businesses found themselves in a challenging position as they continued to grapple with defending against Illinois Biometric Information Privacy (BIPA) class action lawsuits. The year began on a somber note with the Illinois Supreme Court delivering unfavorable decisions on two pivotal threshold matters. However, rays of hope emerged when the same court issued two favorable decisions, one affirming union preemption, and another concerning medical exemptions under BIPA. These welcomed developments provided a reprieve for businesses contending with the longstanding challenges posed by the statute. As we navigate the complexities of BIPA, it becomes crucial for businesses to recognize and consider the various exemptions embedded within the legislation—many of which have proven effective in legal defenses over the past few years.