Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: (1) Courts grapple with nonstatutory damage claims in “broken banner” cases; (2) Courts dismiss CIPA claims where plaintiffs failed to explain delays; (3) New privacy litigation trend takes off as two courts deny motions to dismiss under Washington’s Commercial Electronic Mail Act; (4) Motion to transfer based on forum selection clause in terms of use denied, highlighting risks for cookie banners; (5) VPPA circuit split deepens: as two more courts reject “ordinary observer” test but SCOTUS again refuses to resolve.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from February 2026.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.

Oregon State (USA) Flag

Key point: With a private right of action, statutory damages, and ambiguous and undefined terms, businesses deploying consumer-facing interactive AI will want to make sure they are not unintentionally triggering the bill’s provisions.

On March 5, 2026, Oregon’s legislature passed a consumer-facing interactive artificial intelligence (AI) bill focused on AI companions (SB 1546). The bill will next head to Governor Tina Kotek who will have 30 full weekdays to sign, veto, or allow the bill to become law without her signature. According to Oregon’s legislative website, no one publicly testified in opposition to the bill and it passed both chambers with only two no votes. If the bill becomes law, it will go into effect January 1, 2027.

Although the bill is directed at AI companions, as discussed below, the bill contains ambiguous and undefined terms that could lead to businesses unintentionally triggering its provisions. This is particularly concerning given that the bill contains a private right of action with statutory damages of $1,000 for each violation.

The following article provides an overview of the Oregon bill, its applicability, obligations, and potential implications for businesses.

Key point: Last week, Oregon’s legislature passed a chatbot bill, Utah’s legislature passed a provenance bill, Washington’s legislature is on the cusp of passing both a chatbot and provenance bill, and Arizona’s Senate passed a provenance bill.

Below is the eighth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Last week, Maine’s Senate passed a consumer data privacy bill while the Virginia and Utah legislatures passed bills amending their existing consumer data privacy laws.

Below is the eighth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the content provided below is time-sensitive and subject to change.

istock_102344703_og_cybersecurity-privacy

Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to review carefully their compliance in view of the NYDFS interpretations and guidance.

Key point: Last week, chatbot bills crossed chambers in Arizona and Iowa and advanced out of committees in five states, a health care-related AI bill crossed chambers in Kentucky, and provenance bills advanced out of committees in Utah and New York.

Below is the seventh update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Alabama’s House passed a consumer data privacy bill, amendments advanced in Utah and Virginia, and the text of the latest CTDPA amendment was filed.

Below is the seventh update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

Privacy_1200x600_GettyImages-2154887234

This article takes the next step and focuses on what businesses can do before an incident to structure their vendor relationships and IR plans in alignment with these key legal lessons. We focus on four core IR vendor types: digital forensics vendors, restoration vendors, public relations (PR)/communications firms, and data mining/data review vendors.

Key point: Last week, chatbot bills crossed chambers in four states and advanced out of committees in four other states, Utah’s provenance bill crossed chambers, and Florida’s AI Bill of Rights moved out of a second Senate committee.

Below is the sixth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the content provided below is time-sensitive and subject to change.