New York’s Local Law 144 of 2021 will finally go into effect on July 5, 2023, after several delays. As we previously discussed, the law requires employers to provide candidates for employment and promotion with notice about the use of an AI system, offer them an opt out, and audit any such systems for bias. The law is intended to benefit job applicants and may provide useful guidance for employers who wish to use AI to help eliminate workplace bias.

Continue Reading NY AI Laws Going Live Next Month

The Connecticut governor recently signed SB 1103, bringing the state into the artificial intelligence regulation fray. The law regulates state agencies, and calls on the Department of Administrative Services to perform regular assessments of systems use by these agencies. The assessment is to identify which systems use artificial intelligence and to ensure that the use does not result in unlawful discrimination or disparate impacts. The systems inventory must be conducted by December 31 of this year, and the assessment by February 1, 2024. These inventories and assessments must thereafter be conducted on an annual basis.

Continue Reading Connecticut Enters AI Fray

With the ongoing BIPA litigation activity in Illinois surrounding collection of biometrics, it can be easy to forget that other issues might surround this practice. Last month the FTC reminded companies not to forget general privacy and data security concerns. Concerns as most know, it enforces under Section 5 of the FTC Act (which prohibits deception and unfairness).

Continue Reading Don’t Forget Deception: FTC and Biometrics

Colorado’s Privacy Act regulations have now been finalized, in advance of the law’s July 1 effective date. As we have written previously, the Colorado privacy law applies to companies that conduct business in the state and either (1) control or process personal data of 100,000 Colorado consumers during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of at least 25,000 Colorado consumers. The law mirrors in many ways the comprehensive privacy laws of other states.

Continue Reading Colorado Privacy Law Regulations Finalized: Time to Review Information Practices

Can unionized employees sue their employers in court for violations of Illinois’ Biometric Information Privacy Act (BIPA)? In a rare victory for BIPA defendants, the Illinois Supreme Court unanimously ruled they cannot.

Continue Reading Illinois Supreme Court Finds Federal Law Labor Preempts Union Members’ BIPA Claims

February 2023 was a momentous month for Illinois’ Biometric Information Privacy Act (BIPA). Just two weeks after imposing a 5-year time limit for all BIPA claims, the Illinois Supreme Court resolved another pressing issue. In Cothron v. White Castle System, Inc., the Illinois Supreme Court considered whether a BIPA claim accrues every time a company scans or transmits a person’s biometric identifier (e.g., fingerprint) without consent. In a closely divided 4-3 ruling, the Court answered “yes.”

Continue Reading Illinois High Court Rules “Per-Scan” Damages Can Be Awarded Under BIPA

A plaintiff has her fingerprints forever. But she doesn’t have forever to file a lawsuit for improper retention, deletion, collection, or use of her fingerprints. For years, Illinois courts have been perplexed on what statute of limitations applies to different claims under the Illinois Biometric Information Privacy Act (“BIPA”). That left an unanswered question: how long does a plaintiff have to file a BIPA claim before losing it? The Illinois Supreme Court weighed in last week, siding with the plaintiffs’ bar. In Tims v. Black Horse Carriers, Inc., that Court held that plaintiffs have five years to file any BIPA claim.

Continue Reading Illinois High Court Allows Biometric Privacy Claims to Go Back Five Years

An Illinois state appellate court’s recent ruling will impact how companies consider compliance with Illinois’ Biometric Information Privacy Act (BIPA). That court ruled companies must have a BIPA-compliant written retention-and-destruction policy in place before collecting and possessing biometric data. The decision makes clear that mere possession of biometric data triggers the duty to develop the necessary written BIPA policy. In relevant part, under BIPA’s section 15(a), companies must establish a written, publicly-available policy that governs their retention and destruction of biometric data.

Continue Reading Illinois Appellate Court Weighs in on Biometric Data Policies

On October 18, the CFPB sued a software company for utilizing their online payment platform to enroll unknowing consumers into annual subscriptions through deceptive acts and “dark pattern” techniques in violation of the CFPA and EFTA. Among other things, the complaint alleges that the company encouraged consumers to unknowingly enroll in free trials and converted the free trials into annual subscriptions through a “negative option” renewal policy (our sister blog covered “negative option” marketing in a previous post here). During this process, the company allegedly collected consumers’ registration information and consumer payments data (e.g., credit or debit card number) so that it could transmit the consumer payments data through its payments systems. 

Continue Reading CFPB Sues Payment Platform Over Dark Patterns

Companies who participate in the AdTech and digital advertising eco-system are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations, presenting the parties with, essentially, a pre-negotiated approach to common issues. When CCPA was passed, IAB updated its form to address that law and address consumer notice and consent. With the upcoming laws in California, Colorado, Connecticut, Utah and Vermont, the document is now outdated.

Continue Reading IAB Steps In State Signal Morass