At the end of 2024 the Italian Data Protection Authority issued a 15 million euro fine in the first generative AI-related case brought under GDPR. According to Garante (the Italian authority), OpenAI trained ChatGPT with users’ personal data without first identifying a proper legal basis for the activity, as required under GDPR. The Order also alleges that OpenAI failed to notify Garante about a data breach the company experienced in March 2023. Additionally, the Order states that OpenAI did not provide proper age verification mechanisms for users under age 13. Continue Reading Don’t Forget the EU: Italy Issued First GenAI Fine of €15 Million Alleging GDPR Violations 

New York has a new AI-related law which took effect January 1. The law regulates creation and use of digital replicas of an individual’s voice or likeness and is similar to those in California and Tennessee.Continue Reading New Year, New Protections for New York Artists and AI-Generated Replicas

In the waning months of the current administration, the White House issued a memo setting forth actions focused on national security as directed in the AI Executive Order from last year. As a reminder, the order -while directed to government agencies- also had impacts on how businesses use of artificial intelligence.Continue Reading ‘All Hands on Deck’ – White House Continues to Call on Agencies for AI National Security Plan

The dust is beginning to settle from the raft of AI-related bills Governor Newsom signed last month in California. (See for example, our post about neural data.) Most of the provisions will not go into effect for another few months. Before they do, it is worth examining the impact they will have on companies’ privacy and data security practices. Most, as we outline below, may not change fundamental practice, but instead serve as a reminder to take into account privacy and data security considerations when assessing and implementing AI tools:Continue Reading The Privacy and Data Security Impact of California’s Recent AI Bills

The New York Department of Financial Services (“NYDFS”) recently published guidance on managing cyber risks related to AI for the financial services and insurance industry. Though the circular letter does not introduce any per se “new” obligations, the guidance speaks to the Agency’s expectations for addressing AI within its existing cybersecurity regulations. Continue Reading NYDFS Speaks Out on AI and its Cybersecurity Risks

Illinois recently updated its employment law, the Illinois Human Rights Act to prohibit discriminatory uses of AI. Artificial intelligence as defined by the amendment will cover generative artificial intelligence, not just traditional AI. The amendments are set to take effect on January 1, 2026.Continue Reading Illinois Updates Employment Law to Address Artificial Intelligence

As we enter the end of the summer, the AI regulatory steam is not slowing down. Colorado is now the first US state to have a comprehensive AI law (going into effect February 1, 2026), and the EU published its sweeping AI law in July (with rolling applicability between February 2025 and August 2026).Continue Reading AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!

Tennessee recently amended its 1984 right of publicity statute with passage of the ELVIS Act. The existing law already protected individuals’ rights in their image and likeness. As amended, the statute will specifically call out voice as another protected element. It will become the first right of publicity statute to address copying someone’s likeness or voice with AI technologies in two ways.Continue Reading Tennessee’s ELVIS Act Incorporates AI Considerations into Right of Publicity Protections

The Utah legislature has been busy, with another law effective May 1. This one is “privacy adjacent” but worth keeping in mind. The law, the Artificial Intelligence Policy Act, was signed into law in March. Among other things, it will require companies to respond “clearly and conspicuously” to an individual who asks if they are interacting with artificial intelligence and the communications are made in connection with laws regulated by the Utah department of commerce. (This includes the Utah Privacy Act, the state’s sales practices law, its telephone solicitation laws, and many others.)Continue Reading Utah’s New AI Disclosure Requirements Effective May 1

The Department of Health & Human Services through the Office of the National Coordinator for Health Information Technology recently updated the process for certification of health information technology. Some of the modifications are intended to address use of artificial intelligence in health IT systems. ONC’s certification is required for certain programs, such as where the health IT will be used for Medicare and Medicaid Incentive programs. It is optional for others. Those who are already certified will need to update their certifications. Those seeking new certifications will be subject to the new process.Continue Reading Out in the Open: HHS’s New AI Transparency Rule