Privacy

Subscribe to Privacy via RSS
Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: In this post: (1) increase in ECPA litigation as courts extend “crime tort” exception beyond health care; (2) service provider wins again against wiretapping claim; (3) defendants lose standing arguments in federal court; (4) VPPA circuit split widens as courts reject existing tests to determine whether disclosure of PII occurred; and (5) first PTFA decision in 15 years is issued, with more likely to come.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from January 2026. And there were a lot of decisions. Courts issued twice as many California Invasion of Privacy Act (CIPA) wiretapping decisions in January 2026 than in December 2025.

Artificial_Intelligence_1200x600_GettyImages-2170346048

Key Point: In a significant win for electronic communication providers that utilize artificial intelligence (AI) as part of their core functions, the Northern District of Illinois held that a defendant’s AI transcription and analytics service operated in the ordinary course of its electronic communications business and therefore did not violate the Electronic Communications Privacy Act (ECPA). The ruling may provide a powerful defense to federal and state law wiretap claims targeting AI call technologies.

Kentucky State Flag

Key point: Kentucky attorney general files a lawsuit against an artificial intelligence chatbot company, eight days after the Kentucky Consumer Data Protection Act went into effect.

On January 8, the Kentucky attorney general (AG) announced its first lawsuit for violations of the Kentucky Consumer Data Protection Act (KCDPA) against an artificial intelligence (AI) chatbot company. The complaint alleges that the defendant violated the KCDPA with unfair, false, misleading, or deceptive acts and practices, and through unfair collection and exploitation of children’s data. Among other claims, the complaint also states claims under the state’s consumer protection law and data breach law.

The complaint is the latest in a growing trend of states regulating AI chatbots, including companion chatbots. As we recently discussed, New York and California passed laws last year specifically regulating companion chatbots. Lawmakers in other states have already proposed numerous bills this year. This comes notwithstanding the recent executive order, which seeks to preempt “onerous” state AI laws. As we foreshadowed in our analysis of that order, the instant complaint also reinforces the difficulty in defining what constitutes a state AI law, as the complaint is brought under existing state laws that are not specifically written to cover AI.

In the article below, we provide a summary of the allegations in the complaint.

Waving flag of NEW JERSEY

Key point: With a new governor taking office in New Jersey later this month, the fate of rules proposed last year to implement the New Jersey Data Privacy Act (NJDPA) will be decided by the incoming administration.

On January 20, 2026, New Jersey’s governorship will pass from Governor Phil Murphy to Governor-elect Mikie Sherrill. Under the state’s rulemaking publication schedule, January 8 was the final deadline for the Murphy administration to adopt rules and transmit them for publication. The next biweekly deadline, January 23, occurs after the transition of the governorship.

Key point: New York becomes the second state — after California — to enact an AI frontier model law, while the governor’s veto of the New York Health Information Privacy Act will be a welcome result for organizations that criticized the bill as unworkable.

In the last two weeks, New York Governor Kathy Hochul took action on numerous bills the New York legislature passed before it closed in June. Among those actions, Hochul signed four AI-related bills — including a bill regulating AI frontier models — and vetoed a controversial health data privacy bill. We discuss each of those bills in the article below.

In addition to these bills, earlier this year, New York lawmakers enacted three other AI-related laws — the Algorithmic Pricing Disclosure Act, a companion chatbot law, and a law regulating the use of algorithmic pricing by landlords.

Privacy_1200x600_GettyImages-1347310666

Key point: Courts are split over whether use of the Meta Pixel to share URLs of videos users watch qualifies as disclosure of PII under the VPPA, even when they apply the same “ordinary person” test to nearly identical allegations.

Earlier this year, the Second Circuit joined the Third and Ninth Circuits in adopting an “ordinary person” standard to determine whether a defendant’s disclosure of information constitutes disclosure of personally identifiable information (PII) prohibited by the Video Privacy Protection Act (VPPA). Although this standard initially appeared more restrictive — and thus more favorable to defendants — than the “reasonable foreseeability” standard the First Circuit adopted in 2016, recent decisions by courts within the Second and Ninth Circuits have instead revealed a split in how district courts apply this test to nearly identical allegations, resulting in different outcomes on motions to dismiss.

TPL_Podcasts_RegulatoryOversight_LinkedIn-690x361

In this episode of our special 12 Days of Regulatory Insights podcast series, Ashley Taylor, co-leader of Troutman Pepper Locke’s State AG team, sits down with Privacy and Cyber chair Ron Raether to discuss how state attorneys general (AGs) are shaping the regulatory landscape for social media and the broader ad tech ecosystem.