First Consumer-Facing AI Governance Rules Enacted in U.S.

In an important development in U.S. AI regulation, California enacted its automated decisionmaking technology (ADMT) rules in September 2025. These are the first enacted, broadly scoped, consumer-facing AI governance rules in the country. They offer opt-out rights and logic disclosures for AI-driven significant decisions affecting consumers. The rules took effect on October 1, 2025, with compliance required by January 1, 2027, for covered businesses that use ADMT in significant decisions before that date. Read the full Alert on the Duane Morris website.

Northern District of California Allows CIPA Claims Against AI Pizza Ordering Assistant to Proceed

On August 11, 2025, Judge Susan Illston of the Northern District of California denied a motion to dismiss in Taylor v. ConverseNow Technologies, Inc. (Case No. 25-cv-00990-SI), allowing claims under California’s Invasion of Privacy Act (CIPA) Sections 631 and 632 to move forward against an AI voice assistant provider. ConverseNow provides artificial intelligence voice assistant technology that restaurants, including Domino’s, use to answer phone calls, process orders and capture customer information. The plaintiff alleged that when she placed a pizza order by phone, her call was intercepted and routed through ConverseNow’s servers, where her name, address and credit card details were recorded without her knowledge or consent. Read the full Alert on the Duane Morris website.

Third Circuit Clarifies Standing Requirements for Session Replay Privacy Claims

The United States Court of Appeals for the Third Circuit issued a decision on August 7, 2025, in Cook v. GameStop, Inc. that provides important guidance on Article III standing for session replay technology challenges, affirming dismissal of a putative class action. The ruling offers clarity for companies deploying website analytics tools while establishing clearer pleading requirements for privacy plaintiffs. Read the full Alert on the Duane Morris website.

Court Revives Wiretap and CDAFA Claims Against Retailer Over Use of Embedded Website Tracking Code

A California federal court has allowed privacy claims to proceed against Rack Room Shoes based on its use of embedded tracking tools on its website—signaling that companies may face liability under both state and federal privacy laws, even where data collection is disclosed in a privacy policy. In Smith v. Rack Room Shoes, Inc. (2025 WL 2210002), decided August 4, 2025, Judge Rita Lin of the Northern District of California declined to dismiss claims brought under the federal Wiretap Act and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA). Read the full Alert on the Duane Morris website.

District Court Rejects CIPA Lawsuit, Setting a Higher Standard for Privacy Plaintiffs

In some positive news for companies facing privacy claims over marketing and tracking technologies, Judge Haywood S. Gilliam Jr. of the Northern District of California has dismissed a putative class action brought under the California Invasion of Privacy Act (CIPA) against the Gap Inc. The case, Ramos v. The Gap, Inc., No. 4:23-cv-04715-HSG, challenged Gap’s use of Bluecore Inc.’s email marketing technology, which tracks whether a customer opens a marketing email, clicks a link and later interacts with the website. The court’s ruling, issued on July 29, 2025, adds to the growing body of federal precedent pushing back on expansive interpretations of Section 631(a) of CIPA in the digital context. Read the full Alert on the Duane Morris website.

Data Privacy and Consumer Protections in 2025

Duane Morris partner Michelle Hon Donovan shares insight with NBC News about the privacy laws that take effect this year.

Eight states will have privacy laws take effect this year: Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Maryland, Minnesota and Tennessee. The laws impose stricter obligations on businesses handling personal data and grant consumers the right to more transparency on how their data is collected, used and shared, according to Donovan. Not all companies will be required to comply, as each state has its own requirements and thresholds; Nebraska, for example, exempts small businesses.

Donovan said that before 2020, there were few laws across the country addressing privacy except for online privacy laws in a handful of states. Federal laws mostly focus on certain industries, she added, like the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act.

Read the full article on the NBC News website.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
