Privacy

Tracking Privacy legal and regulatory developments.

20 entries in Legal Intelligence Tracker

LawSnap Briefing Updated May 11, 2026

State of play.

  • State enforcement is the dominant vector. The Florida AG has launched a formal investigation into OpenAI and ChatGPT citing national security concerns, and California's Privacy Protection Agency has opened rulemaking on CCPA employee data obligations — both moving through existing statutory authority without waiting for federal action.
  • Biometric and health data from consumer tech products are the sharpest compliance edge. Omnibus state privacy laws in California, Connecticut, Indiana, Kentucky, Rhode Island, Washington, and Nevada now classify facial-mapping, body-scan, and wearable health data as sensitive personal information, with state AGs actively investigating tracking practices in the fashion and beauty sectors.
  • Shadow AI inside the enterprise is a live data-breach and regulatory exposure. A 2025 Gartner survey found 69% of organizations have confirmed or suspect prohibited generative AI tool use; a third of employees admit sharing enterprise research or datasets through unsanctioned platforms.
  • Standing doctrine is tightening in federal privacy litigation. The Southern District of Florida dismissed a DPPA class action with prejudice for lack of concrete injury, signaling that data-misuse alone — without tangible financial harm — will not clear Article III in at least some circuits.
  • For counsel advising technology companies, consumer brands, or employers, the practical baseline is a multi-front exposure: state AG enforcement through existing law, an accelerating patchwork of sector-specific biometric and health-data rules, and an internal AI-governance gap that creates breach and regulatory risk before any incident occurs.

Where things stand.

  • State omnibus privacy laws are now operative across a majority of U.S. commerce. California, Connecticut, Indiana, Kentucky, Rhode Island, Washington, and Nevada have enacted consumer privacy frameworks with sensitive-data tiers covering biometrics and consumer health information; enforcement is active, not theoretical.
  • CCPA employee data coverage is hardening. The employment exemption expired January 1, 2023; the California Privacy Protection Agency is now examining whether current notice and disclosure rules require employment-specific revisions, following a 2023 AG enforcement sweep against large employers.
  • New York's synthetic-performer consent regime takes effect June 19, 2026. The Fashion Workers Act and synthetic performer disclosure laws require explicit consent before digital replication of human likenesses and mandate disclaimers for AI avatars in advertising; California has enacted parallel consent laws (AB 2602/AB 1836).
  • Surveillance pricing is emerging as a distinct privacy-enforcement category. The FTC's Section 6(b) study on consumer-data-driven individualized pricing is active; more than 40 state bills have been introduced in 2026 targeting the practice, and the House Oversight Committee has launched a formal investigation into revenue management algorithms.
  • DPPA standing doctrine is unsettled across circuits. The S.D. Florida dismissal in Cicale v. Professional Parking Management requires tangible injury beyond data misuse; parallel DPPA cases involving Carfax's crash-report data in Maryland are surviving dismissal — courts are distinguishing data-commercialization models.
  • Shadow AI governance is an unresolved enterprise liability. A 2025 Gartner survey found 69% of organizations have confirmed or suspect prohibited generative AI tool use; 27% of employees have exposed employee data through unsanctioned tools, and 23% have input company financial information — creating HIPAA, financial-services, and state privacy exposure simultaneously.
  • Data litigation is broadening beyond tech companies. Claims centered on algorithmic bias, unauthorized data use, AI system liability, and worker surveillance now reach organizations of every size; courts are currently establishing precedents on data ownership, AI procurement obligations, and corporate accountability for algorithmic harms.
  • Federal AI regulatory framework remains contested. The White House "America's AI Action Plan" rejects broad federal regulation in favor of corporate self-management; a Sanders-AOC federal moratorium proposal represents the opposing pole; no comprehensive federal privacy or AI statute has been enacted.

Latest developments.

Active questions and open splits.

  • How far does concrete-injury standing doctrine extend in federal privacy suits? The S.D. Florida DPPA dismissal requires tangible harm beyond data misuse; the Maryland Carfax case is surviving — the split turns on data-commercialization model, but no circuit has resolved the broader question of when statutory privacy violations alone satisfy Article III.
  • Will federal preemption displace state AI and synthetic-performer consent regimes? The December 2025 White House EO seeks federal harmonization of conflicting state AI laws; New York and California have enacted consent mandates that may collide with any federal preemption framework — the interaction is unresolved before New York's June 19 effective date.
  • What constitutes an adequate CCPA employee privacy notice? The CalPrivacy Agency's rulemaking is examining whether current rules require employment-specific revisions; until final rules issue, employers face uncertainty about what notice architecture satisfies the statute.
  • Where is the line between lawful dynamic pricing and actionable surveillance pricing? Regulators are drawing a distinction between market-condition-based pricing and consumer-data-driven individualized pricing, but no court has defined the boundary; companies using revenue management algorithms face simultaneous FTC investigation and multi-state legislative exposure.
  • What governance framework satisfies the duty to prevent shadow AI data exposure? No regulator has issued guidance on what internal controls are required; HIPAA, financial-services, and state privacy regulators could each assert jurisdiction over breaches originating from unsanctioned employee AI use, and the allocation of liability between employer and tool provider is untested.
  • How will courts allocate liability for algorithmic harms across the data supply chain? Early litigation is establishing precedents on data ownership, AI procurement obligations, and corporate accountability for algorithmic bias and worker surveillance — the rules are being written in real time, with no settled framework.

What to watch.

  • CalPrivacy Agency final rules on CCPA employee data notices — whatever issues from this rulemaking will become the compliance floor for all California employers and a template other states will reference.
  • New York Fashion Workers Act and synthetic performer disclosure law enforcement posture after the June 19, 2026 effective date — first enforcement actions will define what "explicit consent" and "clear disclaimer" require in practice.
  • EU AI Act labeling requirements effective August 2026 — the penalty structure (up to €15 million) will drive multinational compliance decisions that affect U.S. operations.
  • FTC Section 6(b) surveillance pricing study output and any resulting rulemaking — the agency's framing of the dynamic-pricing versus consumer-data-pricing distinction will set the enforcement standard nationally.
  • Whether additional state AGs follow Florida's template of investigating AI companies through existing consumer protection and national security authority — the Florida OpenAI probe is the leading indicator of a broader enforcement pattern.
  • Resolution of the DPPA circuit split on concrete injury — if the Maryland Carfax case produces a ruling inconsistent with the S.D. Florida dismissal, a circuit conflict on statutory privacy standing becomes a cert-worthy question.

20 Contributing Entries

ChatGPT and Claude Account Sharing Leads to Privacy Breaches, Data Mix-ups, and Cybersecurity Risks

Users are sharing login credentials for premium AI services—ChatGPT Plus and Claude Pro—exposing themselves to serious privacy breaches. Connor Effrain, a 22-year-old digital fundraising associate, shared his ChatGPT account and inadvertently gave others access to sensitive health information about his Crohn's disease and personal details he had discussed with the chatbot. Both OpenAI and Anthropic explicitly prohibit account sharing in their terms of service, classifying these subscriptions as single-user only. The platforms detect concurrent sessions and suspend accounts that violate this rule.

Anthropic Calls for Global AI Freeze Amid Control Concerns

Anthropic, the AI startup behind Claude, has publicly called for a global freeze on advanced AI development, conditional on other companies agreeing to the same restraint. The proposal stems from mounting concerns about AI agent behavior and data security, particularly after recent incidents in which rogue AI agents deleted entire production databases in seconds. Anthropic's position aligns with the Future of Life Institute's open letter urging all AI labs to pause training of systems more powerful than GPT-4 for at least six months, with a suggestion that governments should intervene if private coordination fails.

OpenAI Restricts GPT-5.6 Access Following Trump Administration Security Demand

OpenAI has restricted public access to GPT-5.6, its newest AI model, limiting deployment to 20 government-approved partners following security concerns raised by the Trump administration. The company confirmed the limitation aligns with federal reviews evaluating cybersecurity risks tied to the model's advanced capabilities. OpenAI stated explicitly that while it will comply with current security protocols, mandatory pre-release White House approvals should not become standard regulatory practice for AI developers.

New Study Exposes Dangerous Flaws in AI Chatbots for Mental Health

A University of Minnesota study has documented that over 100 AI chatbots marketed as mental health support tools contain dangerous flaws in crisis response and therapeutic quality. Researchers from the computer science and psychology departments, led by assistant professor Stevie Chancellor, tested systems from OpenAI, Meta, and Character AI. The findings show these chatbots frequently provide harmful responses to suicide inquiries, discriminate against people with mental health conditions, and fail to recognize crises. In controlled testing, licensed therapists responded appropriately 93% of the time compared to AI systems responding appropriately less than 60% of the time.

First Circuit Affirms Dismissal of Bayamón Medical Data Breach Case for Untraceable Injury

The First Circuit Court of Appeals has affirmed dismissal of a data breach class action against Bayamón Medical Center, ruling that the plaintiff failed to establish Article III standing. In Santos-Pagán v. Bayamón Medical Center, the court acknowledged that plaintiff Santos-Pagán suffered concrete injury from actual misuse of her information following BMC's 2019 ransomware attack. However, the court held she did not plausibly allege that her injuries were traceable to the breach itself—a fatal gap under Article III's "fairly traceable" requirement. The decision turns on a straightforward principle: allegations of identity-related harm occurring after a data breach do not establish standing without specific factual allegations connecting the breach to the misuse.

DOJ export indictment triggers new probe of Super Micro’s controls

The Department of Justice unsealed an indictment in March 2026 charging three individuals tied to Super Micro Computer—two former employees and one contractor—with conspiring to violate U.S. export controls. The defendants allegedly diverted approximately $2.5 billion worth of servers containing advanced AI technology, including Nvidia chips, to China between 2024 and 2025. The indictment names co-founder and former senior vice president Yih‑Shyan "Wally" Liaw and a general manager from Super Micro's Taiwan office, who prosecutors say coordinated shipments through a third-party intermediary to circumvent export restrictions. Super Micro itself is not charged and has stated it was not accused of wrongdoing.

AI Startup Shift Offers Free NYC Home Cleaning for Robot Training Data

Shift, an AI training startup backed by Microagi, has launched a free home cleaning service in New York City with a novel data-collection twist: customers allow cleaners to wear head-mounted cameras that record first-person footage of their homes. The footage is anonymized and licensed to AI labs and robotics companies developing physical-AI models for household robots. The service collected thousands of bookings within hours of its NYC launch. Faces and screens in videos are automatically blurred; no audio is captured.

NJ firm Daida acquires Scan-Optics to expand document processing capabilities

Daida, a New Jersey-based business process and document management company owned by HiGro Group, has acquired Scan-Optics LLC, a Connecticut provider of intelligent document processing and digital transformation services. The deal closed in late June 2026. Financial terms were not disclosed. This marks Daida's sixth add-on acquisition under HiGro ownership and its second in 2026, following the earlier purchase of Foveonics Document Solutions.

Jury consultant weighs juror perception in AI chatbot harm lawsuits

Character Technologies and its Character.AI chatbot platform face the first state lawsuit alleging the company violated consumer and data-protection laws by targeting children and facilitating self-harm. Kentucky Attorney General Russell Coleman filed the complaint on January 8, 2026. Separate litigation from Texas parents makes similar allegations—that the chatbot promoted self-harm, violence, and sexual content—and seeks to shut down the platform until safety defects are remedied.

Vermont Governor Signs S.71 to Become 24th State with Comprehensive Privacy Law

On June 16, 2026, Governor Phil Scott signed S.71, the Vermont Data Privacy and Online Surveillance Act, into law. Vermont becomes the 24th state with a comprehensive consumer privacy statute. The law grants residents rights to access, delete, and limit use of their personal data, while imposing obligations on data controllers around data minimization, targeted advertising, and sensitive data sales. It takes effect January 1, 2028, giving businesses two years to comply.

Fort Lauderdale Woman Arrested for Proxy-Testing Teacher Certification Exams in Florida

Fort Lauderdale tutor Kashaundra Knowles, 37, was arrested on June 11 by the Fort Lauderdale Police Department and Attorney General James Uthmeier's office for operating a proxy-testing scheme targeting the Florida Teacher Certification Examinations and other professional licensing exams. Knowles charged clients $1,000 per test to impersonate them during exams, securing passing scores for individuals who had not earned them legitimately. Some of her clients were already employed by Broward County Public Schools, meaning unqualified individuals obtained or maintained teaching certificates through fraud.

Florida AG Uthmeier and Roku Reach Resolution on Digital Privacy Enforcement

Florida Attorney General James Uthmeier has reached a negotiated settlement with Roku, Inc. over violations of the state's Digital Bill of Rights. The agreement requires Roku to strengthen child protection features and expand parental controls, effectively resolving Florida's enforcement action without court judgment. The settlement marks the first publicized enforcement resolution under the FDBR involving a major digital platform.

CA AG Bonta Announces First-of-Its-Kind Settlement with Carbon Health and Co-Founder

California Attorney General Rob Bonta announced a settlement with Carbon Health Technologies, Inc., its affiliated medical groups, and co-founder Eren Bali requiring the company to restructure its ownership to comply with California's ban on the corporate practice of medicine. The settlement resolves allegations that Carbon Health used a non-medical corporate entity to own and control its medical practice operations in violation of state law. Carbon Health also faced claims of false advertising, unlawful consumer contracts, and improper billing practices. The company will pay $4.4 million in penalties; Bali will pay $100,000. Carbon Health denies wrongdoing but agreed to the settlement.

New GOP Congress Signals Aggressive Oversight of Big Tech and Universities

Congressional Republicans are preparing a broad oversight campaign targeting Big Tech platforms, social media companies, and universities. GOP leaders have signaled plans to investigate alleged censorship of conservative viewpoints, data security failures, and the use of generative AI in the technology sector, while simultaneously scrutinizing higher education institutions for foreign ties and diversity initiatives. These investigations will proceed through existing congressional oversight authority rather than new legislation, with information requests and subpoenas likely to follow initial inquiries.

Minnesota AG Sues Earned Wage Access Provider Over Alleged Payday Lending Violations

On June 10, 2026, Minnesota's Attorney General sued an app-based earned wage access provider, alleging its "Instant Cash" product operated as an unlicensed lender in violation of the Minnesota Consumer Small Loan Act and Consumer Short-Term Loan Act. The complaint charges that the company issued tens of thousands of advances to Minnesota consumers with annual percentage rates regularly exceeding 300%—some surpassing 700%—far above the state's 50% APR cap. The AG further alleges the provider failed to disclose these rates, circumvented payday lending laws by marketing advances as "non-recourse" and "voluntary," and denied users the ability to cancel or extend loans within the app.

FTC halts Genesis Tech subscription scheme network over hidden recurring charges

The Federal Trade Commission has obtained a temporary federal court order halting what it describes as a sprawling subscription-fraud operation run by Genesis Tech and related companies. According to the FTC's complaint, the network lured consumers with free or discounted offers, then enrolled them in auto-renewing subscriptions, charged them without authorization, and made cancellation difficult or impossible. The case targets 15 corporations and eight individuals, including Genesis Tech founder-CEOs Vladimir Mnogoletny and Vasily Ulianov, along with co-defendants Stamatis Skianis, Oksana Kucher, Iryna Oleksyn, Olga Garbuzenko, Rostyslav Ivanitsa, and Viktoriia Savchuk. The network marketed products including MadMuscles, Harna, Unimeal, Nebula, PDF Guru, and Lumi through deceptive landing pages that buried subscription terms, added unauthorized or duplicate charges, and obstructed cancellation requests.

Australia Enforces World-First Social Media Ban for Under-16s

Australia became the first nation to enforce a blanket ban on social media use by children under 16 on December 10, 2025, triggering the deletion of approximately 4.7 million underage accounts. The Online Safety Amendment (Social Media Minimum Age) Act 2024 requires ten major platforms—including TikTok, Instagram, Snapchat, X, Facebook, Reddit, Threads, Twitch, Kick, and YouTube—to take "reasonable steps" to prevent minors from creating or maintaining accounts. The law imposes penalties of up to A$49.5 million on companies that fail to comply. Age verification occurs through facial scanning or identity document submission, with narrow exemptions for educational and health support services.

DOJ Joins xAI Lawsuit to Block Colorado AI Anti-Discrimination Law[1][2][7]

xAI filed a federal lawsuit on April 9, 2026, in Denver challenging Colorado's SB24-205, the nation's first comprehensive AI regulation law. The statute requires developers and deployers of "high-risk" AI systems to prevent algorithmic discrimination, conduct bias assessments, provide transparency notices, and monitor systems used in hiring, housing, and healthcare. The law takes effect June 30, 2026. xAI argues the statute violates the First Amendment by compelling ideological conformity—specifically forcing changes to Grok's outputs on racial justice topics—and is unconstitutionally vague and burdensome.

Meta pauses AI training program tracking employee keystrokes after internal leak

Meta shut down its Model Capability Initiative, a keystroke and screen-monitoring program designed to train AI agents, two months after launch following an internal data breach. The company had announced the program in April 2026 to collect employee activity data—keystrokes, mouse movements, and screen recordings—ostensibly to teach AI systems to navigate software interfaces. A security incident classified as severity level 2 exposed private employee conversations, performance data, and transcriptions across the company, prompting Meta to halt the initiative and allow workers to request exemptions or pause monitoring for up to 30 minutes at a time.

FTC says reported imposter-scam losses hit $3.5B in 2025

The Federal Trade Commission reported that consumers lost $3.5 billion to imposter scams in 2025, making them the most commonly reported fraud type. The broader fraud landscape was worse: across all categories, Americans filed 3 million fraud reports totaling $15.9 billion in losses. Imposter scams—where fraudsters pose as government officials, businesses, or family members—remain the highest-volume fraud category, though other schemes like investment fraud may generate larger per-incident losses.
