Privacy & Data Protection

Subscribe to Privacy & Data Protection via RSS
Business, Technology, Internet and network concept. Labor law, Lawyer, Attorney at law-GettyImages-1331137712-Sm

Crowell attorneys have closely monitored developments related to the California Invasion of Privacy Act (“CIPA”). In particular, we have watched plaintiffs attempt to extend this wiretapping law to encompass website chatbot communications that are managed by third parties.

The Ninth Circuit Court of Appeals recently addressed key CIPA issues in Thomas v. Papa John’s International, Inc., No. 24-3557. The decision reaffirms CIPA’s eavesdropping standard as well as the specific personal jurisdiction standard set out in its recent en banc decision, Briskin v. Shopify, Inc., 135 F.4th 739 (9th Cir. 2025).Continue Reading Ninth Circuit Affirms that CIPA Only Applies to Third-Party Eavesdropping

Question marks digital interface isolated on blue background 3D rendering
Question marks digital interface isolated on blue background 3D rendering

In a recently published Law360 article, “Appellate Guidance Needed on California Chatbot Litigation,Jason Stiehl, Jacob Canter, and Kari Ferver discuss how the California Invasion of Privacy Act (CIPA) is being levied in cases against website owners that allegedly help third parties spy on visitors via chatbots. Click here to read the full article.

Business, Technology, Internet and network concept. Labor law, Lawyer, Attorney at law-GettyImages-1331137712-Sm

Register now to join Joanna Rosen Forster, Joachim B. Steinberg, Preetha Chakrabarti, David Ervin, and Warrington Parker on June 11, 2025 from 12:00 pm EDT – 1:00 pm EDT as they discuss Section 230 and the implications for digital platforms, online businesses and e-commerce. Section 230 was enacted as part of the United States Communications Decency Act (CDA), providing immunity to interactive computer service providers for third-party content. Known as “the 26 words that created the internet,” this statute is responsible for the development of the modern internet as we know it. 

Recent calls by the DOJ, FTC, FCC, State AGs and even Congressional Leaders to reform, edit or take Section 230 enforcement in new directions signal a potential inflection point. The challenge for policy reform lies in balancing Section 230’s role in protecting online speech and fostering innovation with evolving concerns about platform accountability, consumer protection, and market efficiency in a data-driven economy.Continue Reading Register Now! Section 230: Implications for Digital Platforms, Online Businesses and E-Commerce Webinar

Business, Technology, Internet and network concept. Labor law, Lawyer, Attorney at law-GettyImages-1331137712-Sm

On April 3, 2025, the United States Department of Justice’ Antitrust Division hosted a forum on “Big-Tech Censorship” in which key Trump Administration Officials announced their desire to reform, or entirely overhaul, Section 230 of the Communications Decency Act. In March 2025, we wrote about the Federal Trade Commission’s (FTC) inquiry into “tech censorship” and

Consumer data & privacy

In March 2023, the White House published its National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.  Buried in the report was a quiet, but notable, concern related to the possibility of deanonymizing a consumer due to “insufficient disassociability”.  See Report, pg. 6.  A new wave of class action lawsuits in California—already over three dozen at the time of writing—now seeks to turn a spotlight on these practices, claiming that companies are using “grey market” data to match user patterns with personal identifiable information (PII).Continue Reading Another Wave of California Privacy Suits—Deanonymization as “Doxing”

Advances in artificial intelligence have become front and center in the minds of many, including attorneys general focused on consumer protection. Although concerns exist for consumer protection, the advancement of artificial intelligence has the opportunity to add value to consumers.  This is especially true in healthcare. Recently, attorneys general gathered to discuss these issues at the Attorney General Alliance Annual Meeting, during a panel that discussed  The Value of Disruptive Healthcare. In the last few years, the growth of telemedicine has dramatically changed the delivery of healthcare. While these changes were already afoot, the pandemic highlighted the need for virtual access to healthcare and wellness tools. That disruption has added value in many ways to consumers and health care providers managing care for their patients. Similarly, in the coming years, we can expect artificial intelligence to drive even more changes in treatment, therapies, and standards of care in the healthcare sector. During these periods of major technological advancements attorneys general should consider consumers’ safety, privacy, security and consumers’ overall livelihood and health. Dramatic changes in healthcare business and technology are already challenging existing laws in unexpected ways, often creating gaps between the law and what consumers and producers need or want the law to say. This gap period, or regulatory lag, will require producers to assume some regulatory risk and for attorneys general to monitor business activities that they believe create too much risk for consumers.Continue Reading Attorneys General Consider Consumer Protection Issues Related to Artificial Intelligence in Consumer-Facing Healthcare Technology

Consumer data & privacy

On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy law bill. If enacted, SF 262 would be the sixth state level privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut, and it would go into effect on January 1, 2025.Continue Reading Iowa to Introduce the Sixth Comprehensive State Privacy Law in United States

In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.Continue Reading Processing of Personal Data That May Indirectly Reveal Sensitive Information on the Basis of a Legal Obligation: The CJEU Draws the Contours

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.Continue Reading $1.2 Million CCPA Settlement with Sephora Focuses on Sale of Personal Information and Global Privacy Controls

In the recent article, “Facebook and Google settled biometrics lawsuits. Look for more.” featured in Crain’s Chicago Business, Partner Jason Stiehl analyzes wider repercussions of Snapchat’s recent settlement after accusations that it used facial recognition technology that collected and stored users’ biometric information without consent. Stiehl explains that he expects more litigation due to Illinois’