Privacy

New York Governor Signs Four AI-Related Bills; Vetoes Health Data Privacy Bill

By David Stauss on December 22, 2025

Posted in Artificial Intelligence, Privacy, State Legislation

Key point: New York becomes the second state — after California — to enact an AI frontier model law, while the governor’s veto of the New York Health Information Privacy Act will be a welcome result for organizations that criticized the bill as unworkable.

In the last two weeks, New York Governor Kathy Hochul took action on numerous bills the New York legislature passed before it closed in June. Among those actions, Hochul signed four AI-related bills — including a bill regulating AI frontier models — and vetoed a controversial health data privacy bill. We discuss each of those bills in the article below.

In addition to these bills, earlier this year, New York lawmakers enacted three other AI-related laws — the Algorithmic Pricing Disclosure Act, a companion chatbot law, and a law regulating the use of algorithmic pricing by landlords.

Courts Split Over How to Apply ‘Ordinary Person’ Test in VPPA Cases

By Dustin Taylor on December 18, 2025

Posted in Compliance, Litigation Updates, Privacy

Key point: Courts are split over whether use of the Meta Pixel to share URLs of videos users watch qualifies as disclosure of PII under the VPPA, even when they apply the same “ordinary person” test to nearly identical allegations.

Earlier this year, the Second Circuit joined the Third and Ninth Circuits in adopting an “ordinary person” standard to determine whether a defendant’s disclosure of information constitutes disclosure of personally identifiable information (PII) prohibited by the Video Privacy Protection Act (VPPA). Although this standard initially appeared more restrictive — and thus more favorable to defendants — than the “reasonable foreseeability” standard the First Circuit adopted in 2016, recent decisions by courts within the Second and Ninth Circuits have instead revealed a split in how district courts apply this test to nearly identical allegations, resulting in different outcomes on motions to dismiss.

12 Days of Regulatory Insights: Day 8 – How State AGs Are Rewriting Social Media Rules

By Ashley L. Taylor, Jr. & Ronald I. Raether, Jr. on December 15, 2025

Posted in Data Security, Privacy, State Legislation

TPL_Podcasts_RegulatoryOversight_LinkedIn-690x361

In this episode of our special 12 Days of Regulatory Insights podcast series, Ashley Taylor, co-leader of Troutman Pepper Locke’s State AG team, sits down with Privacy and Cyber chair Ron Raether to discuss how state attorneys general (AGs) are shaping the regulatory landscape for social media and the broader ad tech ecosystem.

12 Days of Regulatory Insights: Day 5 – Privacy Under the Microscope

By Gene Fishel & David Navetta on December 10, 2025

Posted in Data Security, Privacy

In this episode of our special 12 Days of Regulatory Insights podcast series, Gene Fishel, a member of the firm’s RISE Practice Group and State AG team, is joined by Partner Dave Navetta of the Privacy + Cyber Practice Group, to discuss the biggest privacy and cyber enforcement themes of 2025 and preview what’s ahead for 2026.

The New Wave of Web Tracking Litigation: Wiretap Statutes, VPPA Risk, and Consent Strategies

By Chris Willis, Jason E. Manning, Angelo A. Stio III & Robert Jenkin on November 13, 2025

Posted in Privacy

In this episode of The Consumer Finance Podcast, Chris Willis is joined by colleagues Jason Manning, Angelo Stio, and Rob Jenkin to unpack the surge of litigations arising from the use of tracking technologies (e.g., cookies, pixels, and session tools) on websites. This episode explains how plaintiff firms are repurposing federal and state wiretap and “trap-and-trace” laws, as well as the Video Privacy Protection Act (VPPA), to assert claims associated with a business’s use of tracking technologies without consent.

The Northern District of California Calls on the California Legislature to Fix CIPA

By Angelo A. Stio III, David Navetta & Robert Jenkin on October 31, 2025

Posted in Privacy, State Legislation

Information-Governance_1200x600_GettyImages-2157709201

KEYPOINT– The N.D.Cal. shared its frustration with the language of CIPA, the conflicting rulings on how it has been applied, and the need for the legislature to fix it, as part of its recent decision granting summary judgment and dismissing a CIPA claim.

Fourth Circuit Finds Public Disclosure Required for Standing in Data Breach Case

By Cindy D. Hanson, Jon S. Hubbard, H. Scott Kelly, Tim J. St. George, Mary C. Zinsner & Noah DiPasquale on October 27, 2025

Posted in Cybersecurity, Privacy

Key point: Courts are concluding that not all data breaches should result in a lawsuit. Businesses need to consider causation and damages when responding to an incident and take steps to determine if there is no evidence of harm or traceability including on a class wide basis.

Analyzing the 2025 Children’s Privacy Laws and Regulations

By Shelby Dolen & David Stauss on September 17, 2025

Posted in Privacy, State Legislation

Key point: Children’s privacy remained a hot topic during the 2025 state legislative session, with multiple states passing laws, adding to the growing patchwork of children’s privacy laws.

Troutman Pepper Locke Adds Privacy and Cybersecurity Ace David Stauss as Partner

By Ronald I. Raether, Jr., James Koenig & David Navetta on July 31, 2025