Tagged: Privacy/Data Security

ChatBot or Not: California Federal Courts Limit CIPA Applicability

The Northern District of California recently issued a decision further constraining plaintiffs’ ability to assert claims under the California Invasion of Privacy Act (CIPA). In Ambriz v. Google, LLC, the plaintiff filed a putative class action alleging that Google violated CIPA § 631(a) because its Cloud Contact Center AI software-as-a-service, a virtual customer service tool, wiretapped, eavesdropped on, and recorded his call to Verizon’s customer service center.

New Jersey’s Consumer Data Privacy Statute – What You Need to Know

On January 16, 2024, Governor Murphy signed S332 into law, making New Jersey the 13th state to enact legislation designed to protect the personal data of its residents. The law will become effective next year, on January 15, 2025, and imposes various obligations on a person or entity (designated as either a “controller” or a “processor”) that collects, discloses, processes, or sells the personal data of New Jersey consumers. The statute establishes various rights for New Jersey residents with respect to their own personal data and also provides consumers with the ability to opt out of disclosure and sale of their personal data in certain circumstances. Finally, the Division of Consumer Affairs has the authority to develop rules and regulations necessary to effectuate the purposes of the statute, and the Attorney General has sole and exclusive enforcement authority. The scope of S332 signed by the Governor was expanded significantly from prior versions. As late as December 17, 2023, the bill only applied to a person or entity that operated “any service provided over the Internet that collects and maintains personally identifiable information from a consumer.” The law enacted less than one month later, however, is not limited to collection of data over the internet; it applies to all “personal data” regardless of how it is...

District Court Affirms United States Copyright Office’s Denial of Copyright Registration for AI-Generated Visual Art

Pursuant to the Copyright Act of 1976, “original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device” are eligible for immediate copyright protection, provided certain requirements are met. Against this backdrop, Stephen Thaler applied for copyright registration with the United States Copyright Office (USCO) of a piece of visual art produced by a generative artificial intelligence system he created – the “Creativity Machine.” The USCO subsequently denied the application, reasoning that Thaler’s work “‘lack[ed] the human authorship necessary to support a copyright claim,’” as “copyright law only extends to works created by human beings.” After Thaler filed suit against the USCO, both parties moved for summary judgment on the sole issue of whether a work generated entirely by an artificial system should be eligible for copyright protection. On August 18, 2023, in Thaler v. Perlmutter the United States District Court for the District of Columbia granted the USCO’s motion for summary judgment, concluding that “human authorship is an essential part of a valid copyright claim.” The court rejected as contrary to the Copyright Act’s plain language Thaler’s contention that because he created the AI system that “autonomously” produced...

“Say Cheese!” CVS Passport Photo Practices Subject to BIPA Suit

In May 2022, a group of plaintiffs brought a putative class action against CVS Pharmacy, Inc. (CVS) alleging the company violated several provisions of the Illinois Biometric Information Privacy Act (BIPA) through its practices for taking passport photos. On May 4, 2023, in Daichendt and Odell v. CVS Pharmacy, Inc., the United States District Court for the Northern District of Illinois denied CVS’s motion to dismiss, holding the plaintiffs sufficiently stated a claim under Section 15(b) of BIPA. Section 15(b) of BIPA prohibits private entities from collecting “or otherwise obtain[ing] a person’s or a customer’s biometric identifier or biometric information, unless it first”: (1) provides notice of collection; (2) provides notice of the specific purpose of collection; and (3) obtains affirmative written consent. Here, the plaintiffs alleged that CVS required them to “enter[] their names, email addresses, and phone numbers into a computer terminal inside defendant’s stores prior to scanning their biometric identifiers.” Thereafter, CVS’s system would “check” and “verify” an individual’s facial features (i.e., whether the individual is smiling) to comply with government requirements. Against this backdrop, the plaintiffs argued this system violated Section 15(b) because it “collected and stored their personal contact data (‘real-world identifying information’), such as their names and email addresses,” thus allowing CVS the ability to identify the plaintiffs “when...