California – Duane Morris TechLaw

February 17, 2026February 17, 2026 by Duane Morris

California Vetoes Automation Legislation

California Gov. Gavin Newsom has historically vetoed legislation surrounding automation. However, as he sets his sights on the White House, Newsom has been slow to set new regulations surrounding artificial intelligence while facing mounting pressure from the state’s unions. Duane Morris Partner Alex Karasik discussed the legal risks California employers should keep in mind when implementing the new technology.

Read the full article in International Employment Lawyer.

October 17, 2025October 17, 2025 by Duane Morris

Calif. Governor Rejects “No Robo Bosses” Act

By Alex. W. Karasik, Brian L. Johnsrud, and George J. Schaller

Duane Morris Takeaways: On October 13, 2025, California Governor Gavin Newsom, issued a written statement declining to sign Senate Bill 7 – called the “No Robo Bosses” Act (the “Act”). While the Act aimed to restrict when and how employers could use automated decision-making systems and artificial intelligence, Governor Newsom rejected the proposed legislation in terms of the Act’s broad drafting and unfocused notification requirements. Governor Newsom’s statement reflects an initial rebuttal to a wave of pending AI regulations as states wrestle with suitable AI guidance. Given the pro-employee tendencies of Governor Newsom and California regulators generally, this outcome is a mild surprise. Employers nonetheless should expect continued scrutiny of AI regulations before enactment.

This legislative activity surely sets the stage for what many believe is the next wave of class action litigation.

See more on the Duane Morris Class Action Defense Blog.

October 7, 2025October 7, 2025 by Duane Morris

First Consumer-Facing AI Governance Rules Enacted in U.S.

As an important development in U.S. AI regulation, California enacted its automated decisionmaking technology (ADMT) rules in September 2025. These are the first enacted, broadly scoped, consumer-facing AI governance rules in the country. They offer opt-out rights and logic disclosures for AI-driven significant decisions affecting consumers. The rules took effect on October 1, 2025, with compliance required by January 1, 2027, for covered businesses that use ADMT in significant decisions before that date. Read the full Alert on the Duane Morris website.

October 3, 2025October 3, 2025 by Duane Morris

Updated Artificial Intelligence Regulations for California Employers

With artificial intelligence developing at breakneck speed, California employment regulations are following right behind. Updated regulations issued by the California Civil Rights Council address the use of artificial intelligence, machine learning, algorithms, statistics and other automated-decision systems (ADS) used to make employment-based decisions. The updated rules, which took effect October 1, 2025, amend existing regulations, Cal. Code Regs., tit. 2, and are designed to protect against potential employment discrimination. The regulations apply to all employers with at least five employees working anywhere and at least one located within California. Read the full Alert on the Duane Morris website.

August 19, 2025August 20, 2025 by Duane Morris

Northern District of California Allows CIPA Claims Against AI Pizza Ordering Assistant to Proceed

On August 11, 2025, Judge Susan Illston of the Northern District of California denied a motion to dismiss in Taylor v. ConverseNow Technologies, Inc. (Case No. 25-cv-00990-SI), allowing claims under California’s Invasion of Privacy Act (CIPA) Sections 631 and 632 to move forward against an AI voice assistant provider. ConverseNow provides artificial intelligence voice assistant technology that restaurants, including Domino’s, use to answer phone calls, process orders and capture customer information. The plaintiff alleged that when she placed a pizza order by phone, her call was intercepted and routed through ConverseNow’s servers, where her name, address and credit card details were recorded without her knowledge or consent. Read the full Alert on the Duane Morris website.

June 26, 2024 by Duane Morris

Colorado Privacy Act’s Universal Opt-Out Provision Goes Into Effect July 1, 2024

While the Colorado Privacy Act (CPA) has already been in effect, as of July 1, 2024, companies that meet the threshold compliance criteria for CPA and that engage in the processing of personal data for purposes of targeted advertising or the sale of personal data (“covered entities”) must implement a universal opt-out mechanism, which allows users to more easily exercise their opt-out rights with these covered entities. Specifically, a universal opt-out mechanism allows a user to configure their internet browser settings, and as a result, the websites the user visits from that browser automatically receive the user’s opt-out signal. As of July 1, 2024, covered entities must recognize and honor a user’s opt-out preferences where communicated through a universal opt-out mechanism.

Read the full Alert on the Duane Morris LLP website.

November 28, 2023 by Duane Morris

Benefits and Risks of AI in California’s Generative AI Report

Following Governor Newsom’s September 2023 Executive Order on Artificial Intelligence, the California’s state administration released a report analyzing the potential benefits and risks surrounding the use of Generative Artificial Intelligence (“GenAI”) within the state government (“Report”). This is the first of many steps called for under the Executive Order.

To read the full text of this post by Milagros Astesiano and Ariel Seidner, ,please visit the Duane Morris Artificial Intelligence Blog.

December 13, 2021 by Duane Morris

TCPA Ruling: Text Asking Patient To Rate The Doctor

By Sheila Raftery Wiggins

A California federal court ruled that a text asking a patient to rate the doctor – sent minutes after the examination by a company that contracts with the health care provider to send Patient Satisfaction Surveys – does not alone satisfy an inference that the text was sent by an Automatic Telephone Dialing System (“ATDS”) within the definition of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”). Continue reading “TCPA Ruling: Text Asking Patient To Rate The Doctor”

August 24, 2020 by Duane Morris

CCPA Regulations Amended and Effective Immediately

On August 14, 2020, the California Office of Administrative Law approved the state Department of Justice’s regulations regarding the California Consumer Privacy Act (CCPA) and filed them with the California Secretary of State. The regulations went into effect immediately.

To read the full text of this Duane Morris Alert, please visit the firm website.

February 20, 2020February 20, 2020 by Duane Morris

Proposed Modifications to CCPA Regulations – Service Providers, Authorized Agents, Minors, Nondiscrimination and Calculating the Value of Consumer Data

Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.

Section 999.314 – Service Providers

Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
- Performing the services specified in the written contract;
- Retaining and employing another servicer provider as a subcontractor;
- For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
- Detecting security incidents or protecting against fraudulent or illegal activities; or
- Any other purpose enumerated in the CCPA.

Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

Section 999.317 – Training and Record Keeping Requirements

Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for a commercial purposes the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).

Section 999.326 – Authorized Agent

When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identify directly with the business and (3) directly confirm with the business that the provided the authorized agent permission to submit the request.
Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.

Section 999.330 – Minors Under 13 Years of Age

Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.

Section 999.336 – Nondiscrimination

Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.

Section 999.337 – Calculating the Value of Consumer Data

Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.