Photo of Kathryn Smith

Kathryn (“Katie”) Smith is an associate in the Intellectual Property Practice Group in the firm's Chicago office and a member of the Privacy and Cybersecurity Team. She is certified by the International Association of Privacy Professionals (IAPP) for CIPP/US.

Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different, as it allows account creation without parental consent. Instead, it places restrictions on account use for both minors and social media platforms.Continue Reading Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?) 

The Belgian Data Protection Authority recently ruled that a Belgian government entity, FPS Finance, cannot transfer the personal data of “accidental Americans” to the IRS. According to the decision, the transfers needed to cease for several reasons.Continue Reading Belgian DPA Finds Broad Tax Information Transfers to IRS Unlawful

The FTC’s settlement with Cleo AI gives some indication as to what we might see from the agency in the coming months. The FTC alleged, among other things, that Cleo AI’s actions violated Section 5 of the FTC Act. In particular, as reported in our sister blog, Cleo AI required people to enroll in a paid subscription plan, even though they marketed their services as free. It also made it difficult for people to cancel their subscription and made it hard to stop recurring charges. The company also failed to disclose material terms.Continue Reading Lessons from the FTC: The Cleo AI Settlement

The California Privacy Protection Agency announced this month that it, along with six other states, will be forming a new group called the “Consortium of Privacy Regulators.” (The other states are Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.) Members include the Attorneys General from these states, as well as California’s privacy regulator (the CPPA).Continue Reading New Era of Collaboration? States Team Up to Coordinate on Privacy Laws

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.Continue Reading Insurance Cybersecurity Certifications: An (Updated) State Roundup

Arkansas’ second attempt at regulating minor’s access to social media – in the form of the Social Media Safety Act (SB 689) – has again been struck down as unconstitutional. The court permanently enjoined the state from enforcing the law. It was a modified version of Arkansas’ 2023 SB 396, that was also blocked. The plaintiff in both challenges was NetChoice, a group familiar to anyone following kids’ social media laws. As a result of NetChoice’s efforts, similar laws have been blocked in California, Utah, Maryland, Mississippi, Ohio, and Texas. Courts in those states, as in Arkansas, found that the laws were unduly burdensome on free speech, with overly broad content restrictions not tailored to prevent harm to minors.Continue Reading Arkansas’ Kids Social Media Law: Another One Bites the Dust

The New York Attorney General recently entered into an assurance of discontinuance with Root Insurance Company following a 2021 data incident. According to the AG, the threat actors obtained people’s drivers’ license numbers by exploiting a website error on its car insurance application portal. Namely, upon entering a publicly available name and address, the site would generate a prefilled PDF that included that person’s drivers’ license number, which numbers were pulled from third-party databases. Threat actors used an automated bot to exploit this vulnerability, and gathered drivers’ license numbers of 44,449 New Yorkers (more than half of the total 72,852 people impacted). The threat actors then used many of these people’s information to file fake unemployment claims with New York, which according to the AG, was the goal of the attack.Continue Reading Auto Insurer Settles With New York AG Over Insurance Application Platform Security Issues

Virginia’s Governor, Glenn Youngkin, vetoed a bill this week that would have regulated “high-risk” artificial intelligence systems. HB 2094, which narrowly passed the state legislature, aimed to implement regulatory measures akin to those established by last year’s Colorado AI Act. At the same time, Colorado’s AI Impact Task Force issued concerns about the Colorado law, which may thus undergo modifications before its February 2026 effective date. And in Texas, a proposed Texas Responsible AI Governance Act was recently modified.Continue Reading US State AI Legislation: Virginia Vetoes, Colorado (Re)Considers, and Texas Transforms

Utah’s governor recently signed the first law which puts age restrictions on app downloads. The law (the App Store Accountability Act, SB 142), was signed yesterday (Wednesday, March 26, 2025). We anticipate that the law may be challenged, similar to NetChoice’s challenge to the Utah Social Media Regulation Act and other similar state laws.Continue Reading Utah Pioneers App Store Age Limits

Oregon’s Attorney General released a new report this month, summarizing the outcomes since Oregon’s “comprehensive” privacy law took effect six months ago. A six-month report isn’t new: Connecticut released a six month report in February of last year to assess how consumers and businesses were responding to its privacy law.Continue Reading Oregon’s Privacy Law: Six Month Update, With Six Months to End of Cure Period

The New York Attorney General recently entered into an assurance of discontinuance with Saturn Technologies, operator of an app used by high school and college students. The app was designed to be a social media platform that assists students with tracking their calendars and events. It also includes connection and social networking features and displayed students’ information to others. This included students’ location and club participation, among other things. According to the NYAG, the company had engaged in a series of acts that violated the state’s unfair and deceptive trade practice laws.Continue Reading New York AG Settles with School App