Posted on by Justin Donoho

Data Security and Privacy Liability – Takeaways From The Sedona Conference Working Group 11 Annual Meeting in Kansas City, MO

By Justin R. Donoho

Duane Morris TakeawaysData privacy and data breach class action litigation continue to explode.  At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, in Kansas City, Missouri, on May 5-6, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a dialogue leader for two panel discussions, “Privacy and Data Security Litigation Update” and “Legislative Drafting Considerations: Lessons from Colorado’s Privacy and AI Law Intersection.”  The working group meeting, which spanned two days and had over 50 participants, produced excellent dialogues on these topics and others including unique procedural aspects of data breach class actions, data privacy primer, onward transfer of consumer PII in M&A and bankruptcy contexts, privacy and data security state regulator roundtable, and application of attorney-client privilege in the cybersecurity context.

The Conference’s robust agenda featured over 30 dialogue leaders from a wide array of backgrounds, including federal and state regulators and governmental officials, data security industry experts, in-house attorneys, cyberlaw professors, plaintiffs’ attorneys, and defense attorneys.  In a masterful way, the agenda provided valuable insights for participants toward this working group’s mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

Justin had the privilege of speaking about current trends in data privacy class actions and lessons from the intersection of the Colorado Privacy Act (CPA) and Colorado AI Act (CAIA) and how these lessons might guide future legislatures when drafting AI and data privacy statutes.  Highlights from his presentations included two recent cases resulting in helpful precedent for defendants facing cases alleging privacy violations for their uses of website advertising technologies (adtech), including a case that disposed of a claim under the California Invasion of Privacy Act under the rule of lenity (see here), and a case that dismissed an adtech class action due to failure to allege highly offensive conduct (see here).

Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe.  Highlights included:

  1. Litigators from both sides of the “v.” and a neutral debating early case procedural rules and practices, choice of law, and discovery mechanisms in the context of data breach class actions, with an unprompted shoutout to the Duane Morris Class Action Review for supplying statistics.
  2. Sedona Conference veterans discussing Sedona’s latest version of a data privacy primer and the proper level of detail to include in this document ten years in the making in order to keep it reasonably current to account for the rapid evolution of data privacy laws and related developments in artificial intelligence.
  3. Panelists with different backgrounds discussing the law regarding when a company that has obtained personal data with consent can and cannot transfer the data in M&A and bankruptcy contexts.
  4. A lively dialogue among some of my panelists and other participants regarding trends in decisions regarding mass arbitration protocols and whether a company’s use of website advertising technology is highly offensive to a reasonable person.
  5. Federal and state regulators discussing enforcement priorities and issuances of advisory opinions in the contexts of data breaches, alleged data privacy violations, and concerns regarding national security.
  6. Data breach litigators discussing factors to consider when conducting dual track investigations following a cybersecurity incident in order to segregate and maintain confidentiality over attorney work product and attorney-client communications.
  7. A lively dialogue among some of my panelists and other participants regarding whether compliance with AI and antidiscrimination statutes should provide a safe harbor for compliance with data privacy statutes including, for example, the heavily litigated California Invasion of Privacy Act.

Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Redmond, Washington, an informative and unforgettable experience.

Finally, I want to thank to share the exciting news that I have been selected as a new steering committee member of Working Group 11.  Thank you Sedona!  In this role, I will help lead the identification of cutting-edge issues and oversee development of principles, guidelines, commentaries and other projects representing the work product of the Sedona Conference.

For more information on the Duane Morris Class Action Group, including its Data Privacy Class Action Review e-book, and Data Breach Class Action Review e-book, please click the links here and here.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress