data privacy

Subscribe to data privacy via RSS

When the California Privacy Protection Agency (“CalPrivacy”) announced a $1.35 million settlement in September 2025 – the largest CCPA penalty to date – one of the itemized grievances stood out for any practitioner who has wrestled with a vendor redline: the company had failed to amend or enter into third-party data protection vendor contracts by regulatory deadlines.

This hints at where state privacy enforcement is heading. The consumer-facing side of privacy compliance – notices, opt-out links, cookie banners – is visible and testable. But the back-end architecture of a compliant privacy program lives at least in part in vendor contracts, and regulators increasingly treat those contracts as evidence of program maturity (or its absence). Nowhere is this more concrete than in California’s 11 CCR § 7051.

Continue Reading The Paper Trail: State Privacy Law Contracting Requirements
ramon-salinero-vEE00Hx5d0Q-unsplash (1)

The lesson from the PocketOS database deletion is not that agentic AI is dangerous. It’s about governance and controls.

You have probably seen some version of the headline by now: “AI Agent Deletes Company’s Entire Database in 9 Seconds.” It is a compelling story. But the headline, while technically accurate, obscures the far more important lesson buried in the details.

So what actually happened? PocketOS, a small SaaS company that makes software for car rental businesses, was using a popular AI-powered code editor running on Anthropic’s Claude Opus 4.6 model. The AI agent was tasked with resolving a routine issue in a staging environment. When it hit a credential mismatch, the agent decided on its own initiative to “fix” the problem by deleting a volume on Railway, the company’s cloud hosting provider. The agent found a password in an unrelated file and used it to execute a deletion command. Because of permissions made available to the agent and the way access to the infrastructure was configured, that single command using a password which was valid across all systems wiped both the production database and all associated backups.  

The agent, when asked to explain itself, produced what multiple outlets described as a “confession,” acknowledging it had violated its own safety instructions. The story has gone viral. The framing in most coverage puts the AI squarely at the center of the narrative: the agent “went rogue,” it “confessed,” it acted autonomously and destroyed a business. But the reports are not entirely accurate and usually miss the point.

Continue Reading The AI Didn’t Go Rogue. Guardrails Were Never There.

As another piece of harmonization legislation, the AI Act is unsurprisingly reminiscent in regulatory philosophy to the GDPR. Many of the same data principles (transparency, accuracy, security) are present, as is an explicit risk-based approach. Understanding precisely where there is overlap with your existing GDPR program is a head start in your AI Act compliance program design. But it is also important to recognize where the two frameworks diverge. The GDPR regulates what happens to personal data, the legal basis for collection, how it is used, how long it is kept, who can access it. The AI Act generally regulates the AI system itself – namely, how it is designed, tested, documented, governed, and deployed. While that difference in regulatory object creates structural differences in inputs and outputs, the framework itself does have a lot of commonalities.

This post suggests a strategy for efficiently building a unified compliance framework for both regimes.

Continue Reading One Compliance Program for Two Frameworks: Aligning the EU AI Act and GDPR for Efficiency

Episode 14 is now live. In this episode of Consumer Counterpoint, we sit down with Chicago partner Jay Carle to discuss the launch of Seyfarth’s new D.A.T.A. Law practice group. Jay shares insights into the group’s multidisciplinary approach and how it’s designed to help clients stay ahead of emerging data and technology challenges.

Watch Episode

growtika-nGoCBxiaRO0-unsplash

Introduction

Robotics and artificial intelligence are converging at an unprecedented pace. As robotics systems increasingly integrate AI-driven decision-making, businesses are unlocking new efficiencies and capabilities across industries from manufacturing and logistics to healthcare and real estate.

Yet this convergence introduces complex legal and regulatory challenges. Companies deploying AI-enabled robotics must navigate issues related to data privacy, intellectual property, workplace safety, liability, and compliance with emerging AI governance frameworks.

The Shift: Robotics as an AI Subset

Traditionally, robotics was viewed as a standalone discipline focused on mechanical automation. Today, robotics is increasingly powered by machine learning algorithms, natural language processing, and predictive analytics—hallmarks of AI technology.

This evolution raises critical questions for legal teams:

  • Who owns the data generated by AI-enabled robots?
  • How do we allocate liability when autonomous systems make decisions without human intervention?
  • What contractual safeguards should be in place when outsourcing robotics solutions to third-party vendors?

As robotics increasingly incorporates AI functionality, traditional contract structures for hardware procurement and service agreements require significant updates. This evolution introduces new risk categories that must be addressed through precise drafting and negotiation.

Continue Reading The AI-Driven Evolution of Robotics
thomas-lefebvre-gp8BLyaTaA0-unsplash

On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations for the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. These cover Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications for the CCPA’s applicability to Insurance Companies. The package will move into its final review stage before formal enactment, once filed with the California Office of Administrative Law.

CCPA Steering Toward Operational Compliance

This is a clear signal that privacy compliance expectations in California are trending toward a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially when automated decision-making and high-risk data processing is involved. For companies, this is more than just a theoretical update – it’s a clarion call to ensure these requirements are built into day-to-day governance, technology and process design, and vendor management practices.

Continue Reading California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know

On May 19, 2025, the California Senate Appropriations Committee, which handles budgetary and financial matters, held a hearing on California Senate Bill 690 (SB 690).  The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for

fatos-bytyqi-Agx5_TLsIf4-unsplash

California Senate Bill 690 (SB 690), introduced by Senator Anna Caballero, is continuing to proceed through the California state legislative process. The proposed bill would amend the California Invasion of Privacy Act (CIPA) by adding an exception to the statute which has the effect of permitting use of tracking technologies for “commercial business purposes.” CIPA

kevin-ku-w7ZyuGYNpRQ-unsplash (2)

The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.

Not Just Tools – Working Tools

The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.

The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.

Continue Reading CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail
philipp-katzenberger-iIJrUoeRoCQ-unsplash (1)

As 2025 begins, businesses across the U.S. will be required to navigate an even more expanded landscape of state-level privacy regulations. In all, eight states are introducing comprehensive privacy laws, further adding to the growing patchwork of privacy requirements in the U.S.

January is kicking off with a flurry as five states (Iowa, Delaware, Nebraska, New Hampshire, and New Jersey) implement their laws in the first two weeks. Later this year, Tennessee, Minnesota, and Maryland will join the mix. For companies operating in the U.S., staying ahead in this shifting regulatory environment is essential. Failure to comply could result in hefty penalties, legal exposure, and a loss of consumer trust.

The good news? Businesses already aligned with current privacy laws may only need minor updates to meet the new requirements. However, it is important to be aware of all consumer-facing interactions, data collections, and sharing of personal information in each state to keep a firm handle on your compliance obligations.

Continue Reading A New Year and New Compliance Requirements: Additional State Privacy Laws Take Effect in 2025