April 2026

Michigan State Flag. Waving Fabric Satin Texture National Flag of Michigan 3D Illustration. Real Texture Flag of the State of Michigan in the United States of America. USA. High Detailed Flag

A federal court in Michigan significantly narrowed Michigan Attorney General (AG) Dana Nessel’s privacy and consumer protection case against Roku, Inc. (Roku) dismissing all non-Children’s Online Privacy Protection Act (COPPA) claims for lack of standing while allowing the state’s privacy claims under COPPA to proceed. The decision highlights COPPA’s utility as a vehicle for state AGs to bring enforcement actions in federal court, while also underscoring the jurisdictional limits on bringing companion state privacy and consumer protection claims in the same forum.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: Five takeaways from March 2026 decisions: (1) Courts diverge on “purpose” requirement in ECPA’s crime-tort exception; (2) Courts consider ECPA exception outside the health care industry; (3) Contradictory statements in privacy policies can defeat consent even when tracking tech use is disclosed; (4) Courts provide guidance on website design to establish consent; and (5) Three courts allow negligence claims to proceed but nix negligence per se claims.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from March 2026.

Webinars_1200x600_GettyImages-1699087891

Key point: Businesses operating generative artificial intelligence systems in Utah and Washington may be subject to new legal obligations, such as including provenance data in content created or altered using generative artificial intelligence.

In March, Utah’s Digital Content Provenance Standards Act (HB 276) was signed by Governor Spencer Cox, and Washington’s HB 1170 on regulation of AI-modified content was signed by Governor Bob Ferguson. Both laws impose certain obligations related to provenance data on covered providers that create, code, or otherwise produce a generative artificial intelligence (GenAI) system that has more than 1 million monthly users and is publicly accessible within the geographic boundaries of each state. Utah and Washington’s bills largely align with the California AI Transparency Act (CAITA) and AB 853, which obligate creators of GenAI systems, large online platforms, GenAI hosting platforms, and capture device manufacturers to fulfill certain provenance data requirements. The article below provides an overview of the California, Utah, and Washington laws and compares the obligations of covered providers under each law.

Key point: Last week, chatbot bills were signed into law in Oregon and Idaho, while a health care-related AI bill was signed into law in Tennessee.

Below is the 12th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Maine’s consumer data privacy bill stalled in the House, while Kentucky’s legislature passed a bill to amend the commonwealth’s consumer data privacy law.

Below is the 12th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

US state flag of Tennessee

Key point: Tennessee’s new law prohibits parties that develop or deploy AI systems from advertising or representing to the public that the AI systems can act as a qualified mental health professional. 

On April 1, 2026, Tennessee Governor Bill Lee signed SB 1580 into law, and it will go into effect on July 1, 2026. The new law is short — less than one page — but has potentially significant consequences given that it includes a private right of action.

In the following post, we provide an overview of the new law.