Photo of Liisa Thomas

Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm's Privacy and Cybersecurity Practice Group.

With the Kentucky governor recently signing into law that state’s privacy law the US now has 16 states with “comprehensive” privacy laws. This newest one will go into effect on January 1, 2026 – the same day as Indiana. It closely resembles other state privacy laws, in particular, Virginia’s privacy law. For a recap of all of the US state privacy laws and their obligations you can visit our interactive tool.Continue Reading Kentucky’s New Consumer Privacy Law: Is the Privacy Grass Greener in the Bluegrass State?

New Hampshire’s governor has signed into law the second state comprehensive privacy law of 2024. The law takes effect on January 1, 2025 – the same day as Iowa and Delaware (with New Jersey going into effect two weeks later). The law closely resembles other state privacy laws.Continue Reading New Hampshire, the Granite State, Joins Privacy Law Deluge: Sets Its Law in Stone

Earlier this month the UK privacy office put a stop to several related entities’ use of facial recognition technologies and fingerprint monitors for their employees. The UK Information Commissioner’s Office found that the companies were using the tools to monitor attendance. However, the ICO felt that the companies could have used “less intrusive technologies” -like fobs or ID cards- to accomplish the same goals. In reaching its conclusion the ICO noted that employees were allegedly not given a meaningful choice, given the “imbalance of power” between the employer and the employee. And as such employees were made to feel, the ICO believed, that clocking in and out with facial recognition/fingerprint scanning was “a requirement in order to get paid.”Continue Reading ICO Has Concerns Over Facial Recognition Use

Earlier this month, accompanying an update to a rule prohibiting the impersonation of businesses and governments, the FTC sought comments on extending the rule to prohibit impersonation of individuals. The agency indicated that it is considering expanding the rule as the result of rising complaints around “impersonation fraud,” especially those generated by AI. Comments are due by April 30, 2024.Continue Reading FTC Seeks Comments on AI Impersonation Rules

Sheppard Mullin is pleased to announce the creation of its new Privacy Law Resource Center to help companies navigate the increasing complexity of privacy and data security laws. We know that companies are struggling to keep track of and address the myriad global obligations that may affect them. These tools are aimed to help.Continue Reading Sheppard Mullin Creates Privacy Law Resource Center

As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU’s new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states -and countries- call for certain oversight in these situations. And many require specific content to be included in contracts. What might you want to include in your contract roadmap?Continue Reading DPA 101: Do You Know Where Your Data Is?

The FCC reminded companies this month that calls containing “artificial or prerecorded voices” are regulated by TCPA. And, that the FCC considers AI-generated voices to be just the kind of “artificial” that fall within the TCPA’s regulations. This announcement was made in a declaratory ruling issued by the FCC at the start of the month.Continue Reading AI-Generated Voice Calls: New Tech, Old Rules

This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority where companies have their “main establishment” in that location. In the event, for example, if an investigation into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the problem. This question can also come up when companies are trying to determine what authority to notify of a data breach. Without a lead supervisory authority, all supervisory authorities where there are data subjects would be able to participate.Continue Reading EDPB Provides Guidance on Determining Primary Supervisory Authority

The UK Information Commissioner’s Office recently reported that it is continuing its review of website cookie banners. It had expressed concern late last year that these banners were not giving “fair choices” because they did not make it as easy for users to reject all advertising cookies as it was for users to accept all. The ICO reached out to 53 companies and has now indicated that it will be reaching out to more companies: 100 at a time. To conduct its review, it will run a hackathon this year to develop an AI tool to comb the web for “noncompliant” banners.Continue Reading UK ICO Uses AI In Cookie Banner Review

New Jersey’s governor has signed into law the first US state comprehensive privacy law of 2024. It will go into effect January 16, 2025. For those keeping score, that puts New Jersey after Florida, Oregon, Texas (all July 1, 2024), Montana (October 1, 2024), Delaware, and Iowa (both January 1, 2025). But, before Indiana (January 1, 2026). (Visit this post for a more detailed recap).Continue Reading The Garden State Cultivates a Consumer Privacy Law – The First for 2024

From the expansion of “general privacy” laws in US states and concerns over cross-border data transfers, to global focus on artificial intelligence, surveillance and dark patterns, 2023 was a busy year. Our privacy team tracked these developments and more during 2023, and we have put together this complete resource that includes our summaries of all of the privacy law developments from 2023.Continue Reading Privacy Day 2024: A Look Back at Developments from 2023