Photo of Liisa Thomas

Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm's Privacy and Cybersecurity Practice Group.

Pennsylvania AG Michelle Henry announced yesterday the launch of an online portal for businesses to report data breaches to the AG’s office. The portal launch comes before Pennsylvania’s new breach amendments take effect on September 26, 2024. One of the amendments will require businesses to report to the AG Office any breach that impacts more than 500 Pennsylvania residents. Businesses can provide notice to the AG using the new online portal. The law also includes specific reporting content; this content is built into the online portal. The AG’s website provides step-by-step instructions for submission.Continue Reading New Data Breach Notification Obligations for PA – and a New Reporting Portal

Verkada, a manufacturer and retailer of security cameras, has settled FTC accusations of lax security measures. The company sells its products to businesses, including schools and medical facilities. It markets its products as “plug and play:” the cameras connect to the cloud and allow customers’ remote access into both live and archived video footage. Among other features, the cameras have a “people analytics” tool that lets users “search images through facial recognition or face-matching technology.” A review of the settlement raises many reminders for companies about (1) security claims in privacy policies and marketing, (2) remediation concerns following a breach, (3) adherence to the Privacy Shield, and (4) a reminder about related (and often overlooked) laws like CAN-SPAM.Continue Reading Camera Company Will Pay $2.95 Million to Settle Security Claims

The New York Attorney General’s office and the UK Information Commissioner’s Office were busy last month when it came to children’s privacy. Both sought input from the public about regulating children’s online privacy, including on social media.Continue Reading Regulators On Both Sides of the Pond Seek Input on Children’s Privacy

A biotech company recently settled with three AGs over allegations that it had failed to protect consumer information. According to the AGs of Connecticut, New York and New Jersey, this led to a 2023 data incident. The company, Enzo Biochem, agreed to pay a $4.5 million civil penalty and take several steps to modify its information security program.Continue Reading Biotech Company Settles with Three State AGs Over Security Practices

Illinois recently updated its employment law, the Illinois Human Rights Act to prohibit discriminatory uses of AI. Artificial intelligence as defined by the amendment will cover generative artificial intelligence, not just traditional AI. The amendments are set to take effect on January 1, 2026.Continue Reading Illinois Updates Employment Law to Address Artificial Intelligence

New York Attorney General Letitia James recently released guidance for businesses and consumers about website tracking technologies. The consumer guide provided examples of common cookies, tracking technologies, and how consumers can manage both. The business guide lists steps the AG expects companies to take to avoid misleading or deceiving consumers in violation of New York’s deceptive trade practices law.Continue Reading NY AG Releases Website Privacy Guides for Businesses and Consumers

The Children’s Advertising Review Unit recently settled with KidGeni – a generative art platform intended for children- for allegedly violating both CARU’s guidelines and COPPA. According to CARU, which is a self-regulatory organization that audits the privacy practices of companies in the child space, KidGeni collected personal information without first getting parental consent. CARU began its investigation in the company’s functionality in August 2023. As part of its investigation, it reached out to the company to clarify how the site obtained prior parental consent for its children’s platform as required under both COPPA and CARU’s guidelines.Continue Reading CARU Settles With KidGeni AI Platform Over Alleged Privacy Violations 

As we enter the end of the summer, the AI regulatory steam is not slowing down. Colorado is now the first US state to have a comprehensive AI law (going into effect February 1, 2026), and the EU published its sweeping AI law in July (with rolling applicability between February 2025 and August 2026).Continue Reading AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation

The amendment to the Colorado Privacy Act, expanding the scope of sensitive data, goes into effect today (August 6). The law will now include as sensitive information biological data that is used for identification purposes. Biological data is data generated by the technological processing of, inter alia, an individual’s physiological and biochemical properties, or a consumer’s body or bodily functions.Continue Reading Colorado’s Privacy Law Gets in on the Brain Wave Action

TracFone, the pre-paid phone company, recently settled with the FCC over allegations that the company failed to protect customer information during three different data incidents. According to the FCC, in each of the incidents, threat actors gained access to customer information, including names, addresses, and features to which customers had subscribed. The threat actors were able to gain access by exploiting vulnerabilities in the customer-facing application programming interfaces or APIs.Continue Reading Ring, Ring, it’s the FCC Calling- TracFone to Pay $16M to Settle FCC Investigation

In its ongoing concern with “dark patterns,” the FTC recently announced results of two reviews of sites and apps purportedly engaging in the practice. As a reminder, the FTC views as “dark patterns” practices or web designs that “get consumers to part with their money or data” using deceptive or manipulative means. Both of the recent reports were completed by global consortiums of regulators of which the FTC is a member.Continue Reading Websites Beware!: FTC Joins Other Regulators in Scrutinizing Alleged Dark Patterns