Robinson Cole LLP
High Contrast Mode

Kathryn M. Rattigan advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws. She assists clients in assessing risks related to technology and software contracts, as well as with compliance-related issues with outsourcing and vendor management. She represents clients across all industries, such as manufacturing, insurance, health care, education, energy, and construction. Kathryn is a member of our Business Litigation group, Data Privacy + Cybersecurity team and Artificial Intelligence team and is co-chair of the firm’s Women’s Committee. Kathryn has presented around the country on data privacy and cybersecurity, and she writes extensively on these topics, including for the firm’s Data Privacy + Cybersecurity Insider blog. The widely recognized Insider blog has received multiple Readers’ Choice Awards distinction from JD Supra.

Data Privacy + Cybersecurity Compliance

As a Certified Information Privacy Professional, Kathryn helps clients comply with all state and federal regulations related to data privacy and cybersecurity. She counsels clients facing government investigations over alleged non-compliance. She advises clients on the development of privacy and security plans, and how to best handle high-risk data to avoid breaches and cyber intrusions. Kathryn helps clients review, revise, and implement necessary policies and procedures under the California Consumer Privacy Act and other state consumer protection laws, the Health Insurance Portability and Accountability Act (HIPAA), Telephone Consumer Protection Act, the Children's Online Privacy Protection Act, Family Educational Rights and Privacy Act, and other federal and state laws and regulations. She assists businesses and organizations with measures to protect the security and confidentiality of personal and sensitive information, as well as proprietary data and intellectual property. Kathryn assists with the development of website and mobile app privacy policies and terms and conditions of use, as well as assessing risk with website tracking and pixel technology. She also assists clients in the negotiation of technology and software contracts to reduce risk and ensure that third-party vendors implement appropriate, and required, privacy and security safeguards and processes. Kathryn also collaborates with clients’ business teams and third-party consultants in negotiating these vendor contracts.

Information Governance + Record Management

Kathryn assists clients in building a strong foundation for their information governance program to drive efficiency and reduce risk related to unnecessary data and information storage. She assists clients with data mapping and classification, retention and destruction policy development and implementation, vendor management, data privacy and security compliance programs, training and ongoing support, and maintenance of information governance initiatives. The team has been recognized as a Verified Organization by ARMA International.

Artificial Intelligence Governance + Compliance

Kathryn advises clients developing AI governance programs, evaluating AI tools, negotiating AI vendor contracts, and implementation of AI platforms (such as Co-Pilot). She assists businesses with mapping of their organization’s AI use, preparation of policies and procedures, including acceptable use, adopting a methodology to comply with applicable laws for AI software and algorithm development, creating a cross-functional governance committee, updating employee handbooks and codes of conduct, training, risk assessments, and state and federal law surveys such that clients stay apprised of this ever-changing space.

Unmanned Aerial Systems + FAA Compliance

Kathryn advises clients on all legal issues surrounding the use of commercial drones, including navigation of Federal Aviation Administration regulations, commercial registration requirements, and Part 107 waivers. She reviews and prepares employee and subcontractor agreements for the piloting and use of drones. She advises commercial businesses on insurance options for adequate coverage for drone use. Kathryn is well-versed on various local and state laws, regulations, and ordinances which apply to a business’ drone use. She assists clients with privacy and cybersecurity policies, procedures and programs to mirror the National Telecommunications and Information Administration’s voluntary best practices, as well as other industry standards. Kathryn also handles drone-related litigation, such as claims involving manufacturing defects, personal injury, or property damage. She has given numerous presentations about implementing UAS into company infrastructure and privacy and cybersecurity issues related to drone use.

HIPAA Compliance

Kathryn counsels clients on HIPAA compliance, including assisting with employee training, and providing guidance on the implementation of required and recommended Privacy Rule and Security Rule policies and procedures.

Security Incident + Data Breach Preparedness + Emergency Response

Kathryn provides clients with the information needed to effectively handle potential and confirmed data breaches and cyber-attacks, including insight into state and federal regulations and requirements. If a client suffers a data breach, she assists with the follow-up response, including notification, remediation, and litigation.

Privacy + Class Action Litigation + Enforcement

If a data breach, cybersecurity issue, or consumer privacy rights complaint results in litigation or an enforcement action, Kathryn represents clients in court and before government regulatory agencies. This includes assisting clients with matters related to unauthorized access, use or disclosure of health, financial, or personal information, consumer privacy rights violations under state laws like the California Consumer Privacy Rights Act and the Connecticut Data Privacy Act, and website tracking claims under state and federal wiretap statutes.

Pro Bono + Community Involvement

Kathryn is committed to doing pro bono work and being involved in the community. Her recent efforts include assisting Wellbeing Action for Youth, a non-profit which works to help students focus and succeed through mindfulness practice in the classroom, and College Visions, which helps low-income students pursue a college education.

She writes for two of our firm’s blogs, Data Privacy + Cybersecurity Insider and Health Law Diagnosis.

  • Roger Williams University School of Law (Juris Doctor)
  • Stonehill College (Bachelors, magna cum laude)
    • B.A.

  • Commonwealth of Massachusetts
  • State of Rhode Island
  • U.S. Supreme Court
  • U.S. District Court, District of Massachusetts
  • U.S. District Court, District of Rhode Island

Recognized as part of Rhode Island Lawyers Weekly's 2025 Excellence in the Law awards

Recognized as a Woman to watch as part of the Providence Business News 2025 Business Women Awards

Recognized as a 2021 Up and Coming Lawyer by Rhode Island Lawyers Weekly

Recognized as a 2020 "40 Under Forty" winner by Providence Business News

Recognized as a 2020 National Law Review Go-To Thought Leader in the area of Cybersecurity Law

JD Supra Readers' Choice Top Author in the area of Cybersecurity from 2022 to 2026

2021 JD Supra Readers' Choice Top Author in the areas of Cybersecurity and Transportation

2020 JD Supra Readers' Choice Top Author in the areas of Airlines / Aviation and Cybersecurity

2018 and 2019 JD Supra Readers' Choice Top Author and the #1 author in Airlines/Aviation

2017 JD Supra Readers' Choice Awards Top Author with readers in the Aviation industry, on the subject of Class Actions, as well as the #1 author on the topic of Drones

2016 JD Supra Reader’s Choice Award Top Author in Airline and Aviation Industry

Selected as a Rising Star in the Rhode Island Super Lawyers list from 2018 to 2025

Certified Information Privacy Professional/US (CIPP/US) by the International Association of Privacy Professionals (IAPP)

Selected by her peers for inclusion in the Best Lawyers: Ones to Watch in America in the area of Privacy and Data Security since 2023

Recognized as a New Leader in the Law as part of Law.com and Connecticut Law Tribune's 2023 New England Legal Awards

Robinson+Cole Wellbeing Award Recipient, 2023

Stonehill College
President's Advisory Council
Board of Fellows

International Association of Privacy Professionals
Certified Information Privacy Professional, U.S.

Massachusetts Bar Association
Member
Chair of Health Law Section Council (2018 - 2020)
Vice Chair of Health Law Section Council (2016 - 2018)

Association for Unmanned Vehicle Systems International

Rhode Island Bar Association

Rhode Island Women's Bar Association

Journal on Emerging Issues in Litigation
Editorial Board of Advisors, Drone Technology

American Heart Association
Southern New England Board of Directors, Leadership Development Chair
Go Red for Women, 2025 Luncheon Co-Chair

Wellbeing Action for Youth
Advisory Board

Women's Fund of Rhode Island

Rhode Island Hospital Foundation
Board of Governors

Roger Williams University School of Law
Pro Bono Collaborative Advisory Board

Experience


Represented Acentus in Acquisition by Henry Schein, Inc.

Served as legal counsel for Acentus, a national medical supplier specializing in the delivery of continuous glucose monitors for Medicare patients, in its acquisition by Henry Schein, Inc., a solutions company for health care professionals advising over 1 million customers globally to help improve operational success and clinical outcomes. The acquisition, which was announced on November 20, 2024, will see Henry Schein acquire substantially all of Acentus’ assets, and will expand its national homecare solutions platform to address the evolving needs of clients.

Read More
Represented Acentus in Acquisition by Henry Schein, Inc.

Software + Technology Contract Negotiations

Represented multiple companies in the negotiation of software and technology contracts with third-party vendors.

Start-Up Policy Development

Worked with multiple start-up organizations in developing privacy policies and terms of use for websites and mobile applications, as well as privacy and security plans and compliance programs.



Publications


Data Privacy + Cybersecurity Insider teaser
June 12, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 5, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 28, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 12, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
June 5, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 28, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 21, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 14, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 7, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 30, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 23, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 16, 2026

Data Privacy + Cybersecurity Insider



Data Privacy + Cybersecurity Insider teaser
May 21, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 14, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
May 7, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 30, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 23, 2026

Data Privacy + Cybersecurity Insider

Data Privacy + Cybersecurity Insider teaser
April 16, 2026

Data Privacy + Cybersecurity Insider


News


April 17, 2026

Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee

Data Privacy + Cybersecurity team partner Kathryn Rattigan was invited to join the Beta Gamma Sigma (BGS) Society as an honorary inductee at the Leo J. Meehan School of Business at Stonehill College. Her honorary membership reflects her exceptional leadership skills, service to the legal profession, and impact to the business community. BGS is the international business honor society for AACSB-accredited schools, which are the top 5% of business schools in the world and is comprised of individuals serving in critical leadership roles in corporate, entrepreneurial, government, non-profit, and academic sectors. In a ceremony on April 16, 2026, in Easton, Massachusetts, Kathryn provided brief remarks while accepting her invitation.

Beta Gamma Sigma Society
Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee teaser
March 16, 2026

Kathryn Rattigan Quoted on Disney CCPA Opt-Out Settlement

Cybersecurity Law Report
February 25, 2026

Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards

JD Supra
Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards teaser
April 17, 2026

Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee

Data Privacy + Cybersecurity team partner Kathryn Rattigan was invited to join the Beta Gamma Sigma (BGS) Society as an honorary inductee at the Leo J. Meehan School of Business at Stonehill College. Her honorary membership reflects her exceptional leadership skills, service to the legal profession, and impact to the business community. BGS is the international business honor society for AACSB-accredited schools, which are the top 5% of business schools in the world and is comprised of individuals serving in critical leadership roles in corporate, entrepreneurial, government, non-profit, and academic sectors. In a ceremony on April 16, 2026, in Easton, Massachusetts, Kathryn provided brief remarks while accepting her invitation.

Beta Gamma Sigma Society
Kathryn Rattigan Joins the Beta Gamma Sigma Society as Honorary Inductee teaser
March 16, 2026

Kathryn Rattigan Quoted on Disney CCPA Opt-Out Settlement

Cybersecurity Law Report
February 25, 2026

Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards

JD Supra
Data Privacy + Cybersecurity Team Receives 2026 Readers' Choice Awards teaser
December 18, 2025

Business Transactions in Health Care Team Wins “Pharma & Devices Deal of the Year” at Global M&A Network’s 7th Annual USA Middle Markets M&A Atlas Awards Gala

Global M&A Network
Business Transactions in Health Care Team Wins “Pharma & Devices Deal of the Year” at Global M&A Network’s 7th Annual USA Middle Markets M&A Atlas Awards Gala teaser
November 25, 2025

Kathleen Dion and Kathryn Rattigan Spotlight Three AI-related Legal Issues Facing Higher Education Administrators

University Business
November 6, 2025

Robinson+Cole Commends 62 Attorneys Recognized in 2025 Super Lawyers®

Recognition spans key regions and highlights the firm’s seasoned practitioners and emerging leaders in many business transactions and litigation practices
Robinson+Cole Commends 62 Attorneys Recognized in 2025 <i>Super Lawyers</i>® teaser
October 27, 2025

Kathryn Rattigan and Bill Egan Discuss CIPA Trap and Trace Litigation on SCG Global Spin

SCG Legal
October 8, 2025

Robinson+Cole Healthcare Transactions Team Represents The Pennant Group in One of 2025’s Largest Homecare and Hospice Transactions

August 14, 2025

Kathryn Rattigan Quoted on CPPA Retroactivity Enforcement Authority

Daily Journal

December 18, 2025

Business Transactions in Health Care Team Wins “Pharma & Devices Deal of the Year” at Global M&A Network’s 7th Annual USA Middle Markets M&A Atlas Awards Gala

Global M&A Network
Business Transactions in Health Care Team Wins “Pharma & Devices Deal of the Year” at Global M&A Network’s 7th Annual USA Middle Markets M&A Atlas Awards Gala teaser
November 25, 2025

Kathleen Dion and Kathryn Rattigan Spotlight Three AI-related Legal Issues Facing Higher Education Administrators

University Business
November 6, 2025

Robinson+Cole Commends 62 Attorneys Recognized in 2025 Super Lawyers®

Recognition spans key regions and highlights the firm’s seasoned practitioners and emerging leaders in many business transactions and litigation practices
Robinson+Cole Commends 62 Attorneys Recognized in 2025 <i>Super Lawyers</i>® teaser
October 27, 2025

Kathryn Rattigan and Bill Egan Discuss CIPA Trap and Trace Litigation on SCG Global Spin

SCG Legal
October 8, 2025

Robinson+Cole Healthcare Transactions Team Represents The Pennant Group in One of 2025’s Largest Homecare and Hospice Transactions

August 14, 2025

Kathryn Rattigan Quoted on CPPA Retroactivity Enforcement Authority

Daily Journal

Events


Past

AI as a Friend, Not Foe: Welcoming AI to Master Information Governance

Apr 21 2026
ARMA InfoNEXT 2026
Past

Managing Matter Mobility – Setting Defensible Rules for Data Leaving or Entering the Firm

Mar 9 2026
Law.com Legalweek 2026
Past

AI as a Friend, Not Foe: Welcoming AI to Master Information Governance

Apr 21 2026
ARMA InfoNEXT 2026
Past

Managing Matter Mobility – Setting Defensible Rules for Data Leaving or Entering the Firm

Mar 9 2026
Law.com Legalweek 2026
Past

Unlocking the Power of Information Governance: Essentials for Legal Professionals

Mar 9 2026
Law.com Legalweek 2026
Past

Mastery of IG: Legal and Regulatory

Feb 19 2026
ARMA IG Mastery Session 4
Past

Deal or No Deal? Winning with Information Governance in M&A by FiT

Oct 21 2025
ARMA International INFOCON 2025
Past

Small Firms, Big Risks – How Can Small Firms Provide Responsible Oversight for AI Model Governance

Oct 21 2025
ARMA International INFOCON 2025
Past

Unlocking the Power of Information Governance: Essentials for Legal Professionals

Mar 9 2026
Law.com Legalweek 2026
Past

Mastery of IG: Legal and Regulatory

Feb 19 2026
ARMA IG Mastery Session 4
Past

Deal or No Deal? Winning with Information Governance in M&A by FiT

Oct 21 2025
ARMA International INFOCON 2025
Past

Small Firms, Big Risks – How Can Small Firms Provide Responsible Oversight for AI Model Governance

Oct 21 2025
ARMA International INFOCON 2025

Data Privacy + Cybersecurity Insider


Below is an excerpt of Data Privacy + Cybersecurity Insider blog posts authored by Kathryn.

FCC Narrows Foreign Drone Restrictions with Toy Exception

The Federal Communications Commission (FCC) has narrowed its foreign-produced drone restrictions by removing a specific category of “Toy Drones” and “Toy Drones that contain foreign-produced components” from the FCC Covered List. The June 15, 2026, Public Notice follows a June 12, 2026, National Security Determination from the Department of War, which found that this defined class of devices does not pose an unacceptable risk to U.S. national security or to the safety and security of U.S. persons. The update refines the FCC’s broader December 2025 action, which added foreign-produced uncrewed aircraft systems and UAS critical components to the Covered List, subject to later specific determinations that particular systems or components do not present the same level of risk. The key takeaway is that the exception is narrow. To qualify as a “Toy Drone,” a device must meet a detailed set of technical and marketing criteria, including a maximum take-off weight of 150 grams, line-of-sight operation of 100 meters or less, maximum sustained altitude of 300 feet, no GPS or equivalent navigation system, no internet, mobile app, cellular, or Wi-Fi connectivity, no imaging or sensing capabilities, flight time of 10 minutes or less, and marketing as a toy for recreational use. The Department of War framed the distinction around capability: low-risk toys lack the range, endurance, sensing, payload, connectivity, and data collection or storage features that raise national security concerns in more capable UAS. For drone manufacturers, importers, retailers, and equipment authorization applicants, the notice offers a clearer view into how federal officials are separating low-risk consumer toy products from higher-risk drone systems. The Covered List now expressly excludes foreign-produced Toy Drones, as defined in the National Security Determination, and Toy Drones that contain foreign-produced components, while leaving the broader restrictions in place for foreign-produced UAS and UAS critical components that do not fit an exception. Companies should treat the update as a targeted compliance opening rather than a general relaxation of the FCC’s drone-related supply chain restrictions

Visit Blog

Why AI Is Changing Anonymized Data Rules

For years, companies have treated anonymization as a legal comfort zone. Remove names, emails, phone numbers, and other identifiers, and the remaining dataset was often viewed as safer to share, analyze, monetize, and retain. That assumption is getting harder to defend. Artificial intelligence (AI) has changed the practical re-identification analysis by making it easier to connect patterns across datasets, infer identity from indirect signals, and combine “anonymous” information with public, breached, scraped, or commercially available data. Location trails, purchase histories, voiceprints, facial geometry, writing style, device signals, and other data points may not identify someone on their own, but AI can make those fragments far more revealing when viewed together. The legal and business takeaway is important: anonymization should no longer be treated as a permanent status. It is better understood as a technical condition that can degrade over time. Regulators are beginning to reflect that reality, including through frameworks that do not automatically exclude anonymized, de-identified, or pseudonymized data when re-identification remains realistic. The question is shifting from “Did we remove direct identifiers?” to “Could a reasonably capable actor re-identify individuals using current tools and available data?” That shift matters for consent strategies, disclosure obligations, litigation exposure, vendor contracting, AI training rights, audit provisions, and liability allocation. De-identification still matters, but it needs to sit inside a more modern governance model. Companies should evaluate re-identification risk on a recurring basis, account for external data sources, restrict downstream use, prohibit re-identification attempts, and apply technical controls such as differential privacy, synthetic data, aggregation, and formal risk testing where appropriate. The organizations best positioned for this next phase will treat identifiability as a spectrum, not a binary switch. In an AI-driven data ecosystem, “anonymous” is not the end of the privacy analysis. It is the beginning of a continuing risk management obligation.

Visit Blog

Kaiser Tracking Tech Case Moves Toward Class Certification

A member of Kaiser Permanente, an integrated managed care consortium headquartered in Oakland, California, has asked a federal judge in Seattle to certify nationwide classes and California subclasses in a privacy lawsuit against Microsoft and Qualtrics over tracking technologies allegedly embedded in Kaiser’s website and patient portal. The plaintiff, identified as Jane Doe, claims that Microsoft’s Universal Event Tracking tool and Qualtrics’ website technologies secretly collected sensitive information from Kaiser members as they scheduled appointments, reviewed test results, searched health topics, and managed care through Kaiser’s online services. The proposed classes would cover current and former Kaiser members whose health information or other private data was allegedly collected by Microsoft and Qualtrics without their knowledge or consent. The plaintiff is pursuing claims for invasion of privacy and intrusion upon seclusion, along with California-specific claims under the California Invasion of Privacy Act (CIPA) and Unfair Competition Law. In seeking class certification, she argues that the alleged collection practices were common across Kaiser’s website and treated users’ data in the same way, making the case appropriate for class-wide resolution. The case is another reminder that litigation over pixels, tags, SDKs, and other website tracking tools in healthcare settings remains very active. Although the court previously narrowed the suit by dismissing certain claims, it allowed core privacy theories to proceed. The next major question is whether the plaintiff can show that the alleged data collection practices are sufficiently uniform across Kaiser users to support class treatment. For healthcare organizations and their vendors, the case underscores the importance of understanding exactly what third-party code collects, where that data goes, and whether the organization has a defensible basis for using those tools in patient-facing digital environments.

Visit Blog

AI Governance Is Not Just a Policy Problem – Your Contracts Matter

AI governance is often discussed through the lens of policies, frameworks, and responsible AI principles. Those tools matter, but they are not where many of the most important AI decisions are actually being made. In practice, AI governance is increasingly happening in contracts. Vendor agreements now decide who can use data, whether customer inputs may be used for training, what rights exist around outputs, what evidence a vendor must provide, and when a customer can suspend or terminate use. Those are not just legal terms. They are operational controls. This shift matters because AI contracts are moving from broad, aspirational language to more specific governance mechanisms. The most important example is training rights. Using data to provide a service is very different from using data to improve a model, and both are different from using that data to improve a model offered to other customers. When agreements blur those distinctions, they quietly allocate risk and value in ways that may not be obvious. Clear definitions of inputs, outputs, training, fine-tuning, and permitted use are now central to responsible AI contracting. The practical takeaway is simple: if you want to understand an organization’s AI governance posture, read its contracts. Strong agreements do more than prohibit risky conduct. They create verifiable controls, event-based audit rights, traceability, escalation paths, and clear permissions. In many cases, better contracts can move deals faster because they give legal, security, procurement, and business teams concrete terms to evaluate. AI governance has not disappeared. It has moved into the agreement, and that is where organizations need to focus their attention. For organizations of all types and sizes, the next step is to treat AI contract review as a core part of AI governance, not a back-end procurement exercise. Before adopting or renewing an AI tool, make sure the agreement clearly answers the key governance questions: what data can be used, for what purpose, with what limits, and with what accountability if something goes wrong.

Visit Blog

Big Win for Companies Facing CIPA Website Tracking Lawsuits

A California court just gave companies facing website tracking claims under the California Invasion of Privacy Act (CIPA) a very helpful ruling. In Blaker v. NetScout Systems, Inc., Case No. 25STCV31283 (May 27, 2026), the plaintiff claimed that NetScout violated California’s trap-and-trace law by using a software development kit (SDK) on its website that allegedly captured visitor communications without notice or consent. The court rejected that theory, finding that CIPA’s pen register and trap-and-trace provisions apply to telephone communications only, not ordinary software on a commercial website.  That distinction matters because many recent CIPA claims try to take laws originally aimed at telephone surveillance and apply them to common website technologies, including SDKs, pixels, analytics tools, and other tracking tools. The court looked closely at the statute and found that the broader words plaintiffs often rely on, such as “addressing” and “signaling information,” have to be read alongside the statute’s more telephone-focused terms, like “originating number,” “dialing,” and “routing.” The court also pointed to related provisions that refer specifically to the “telephone line” where a pen register or trap-and-trace device would be attached, which made it hard to square the plaintiff’s website theory with the statute as a whole. Additionally, since the internet was already widely used when these provisions were enacted in 2015, the court said lawmakers could have said the law applied to commercial websites if that is what they intended.  For businesses, this is a big decision because it gives defendants a clear, common-sense response to one of the main theories behind these CIPA website tracking cases: a website tool is not automatically the same thing as a telephone trap-and-trace device. The ruling is also notable because the court sustained NetScout’s demurrer without leave to amend, meaning the plaintiff was not given another chance to rework the complaint. This does not mean every CIPA website tracking case goes away, but it gives companies a strong new argument to push back when plaintiffs try to stretch telephone surveillance laws to cover routine website technology.

Visit Blog

A Strong Defense Ruling for Companies Facing CIPA Website Tracking Claims

A recent Third Circuit decision gives companies another strong defense point in the wave of website tracking and session replay litigation, including claims brought under the California Invasion of Privacy Act (CIPA). In Smidga v. Spirit Airlines, the plaintiffs alleged that Spirit used session replay code to record website visitors’ interactions, including text entries, clicks, and geolocation, and one plaintiff asserted a CIPA claim based on that alleged tracking. The Third Circuit affirmed dismissal because the plaintiffs failed to show a concrete privacy injury sufficient for Article III standing, relying heavily on its recent Cook v. GameStop decision involving similar session replay allegations.  The decision is especially useful for companies because the court rejected the idea that an alleged statutory privacy violation alone automatically creates federal standing. The court emphasized that plaintiffs still must plead concrete harm, not just point to a privacy statute, and distinguished earlier data privacy cases involving allegations of deceptive tracking or disclosure of non-anonymous personal information. The court also found no close relationship to traditional privacy torts where two plaintiffs did not allege collection of personal information, the third did not allege embarrassment or humiliation, the allegedly intercepted information was anonymized, and users voluntarily entered information on the website.  For companies defending CIPA and similar session replay cases, the decision reinforces several practical arguments: plaintiffs need more than boilerplate claims about “recording” website activity, anonymized or non-user-specific data may undercut concrete injury, and the absence of a specific privacy promise can matter. It also highlights the value of factual assertions at the jurisdictional stage, since Spirit submitted evidence that the software functions capable of collecting personal information had never been enabled and that collected data was not traceable to a specific website user. While the opinion is non-precedential, it is still a helpful signal that courts are scrutinizing standing in website tracking cases and are not treating CIPA-style allegations as an automatic ticket into federal court.

Visit Blog

Colorado Rewrites Its AI Law Before It Takes Effect

Colorado has now significantly revised its AI governance framework before the law ever takes effect. SB 26-189, approved by Governor Jared Polis on May 14, 2026, repeals and reenacts key portions of the Colorado Artificial Intelligence Act (CAIA) and reframes the law around “automated decision-making technology” (ADMT) used to materially influence consequential decisions in areas such as employment, housing, financial and lending services, insurance, health care, education, and essential government services.  The revised law is narrower and more operational than the original version. Rather than treating every AI-adjacent business tool as a high-risk system, SB 26-189 focuses on covered ADMTs that process personal data and generate outputs such as predictions, recommendations, classifications, rankings, or scores that materially influence consequential decisions. It also excludes several low-risk or routine uses, including certain administrative, cybersecurity, fraud prevention, anti-money laundering, sanctions compliance, advertising, marketing, search, content moderation, and customer-service functions that do not materially influence covered decisions.  For companies, the practical takeaway is that Colorado has not abandoned AI regulation, but it has moved toward a more targeted compliance model. Deployers must provide clear notice before using covered ADMTs in consequential decisions, provide post-adverse outcome information within 30 days, maintain compliance records for at least three years, and offer correction and meaningful human review rights in certain circumstances. While the original law was set to take effect next month, the amended law now takes effect on January 1, 2027, and applies to consequential decisions made on or after that date, gives the Colorado Attorney General exclusive enforcement authority, includes a conditional 60-day cure period, and confirms that the statute does not create a new private right of action. To review the amended law, click here

Visit Blog

Texas Sues Netflix Over Alleged Data Privacy and Children’s Safety Practices

The Texas Attorney General has filed a new consumer-protection lawsuit against Netflix, alleging that the company misled Texans by marketing itself as an ad-free, kid-friendly alternative to Big Tech while allegedly building a large-scale system for collecting and monetizing user data. The complaint claims that Netflix repeatedly assured consumers that its paid subscription model separated it from advertising-driven platforms, including statements that Netflix did not sell ads, did not sell data, and operated as a “safe respite” from companies that exploit users through advertising. According to the complaint, Netflix later reversed course by launching and expanding an advertising business that allegedly relies on behavioral data, identity matching, third-party data partners, and ad-tech platforms.  The lawsuit also focuses heavily on children’s use of Netflix, alleging that the company encouraged parents to create kids’ profiles by describing them as kid-friendly spaces while failing to clearly disclose the extent to which Netflix allegedly collects and analyzes children’s behavioral interactions. Texas claims Netflix’s assurances that kids’ profiles are not used for behavioral advertising created a misleading impression because, according to the complaint, Netflix still collects granular data about what children watch, rewatch, abandon, search, and how they interact with the platform. The complaint further alleges that Netflix uses design features such as autoplay to extend viewing sessions, including on kids’ profiles, thereby increasing both screen time and the amount of behavioral data generated.  Texas brings the action under the state’s Deceptive Trade Practices Act and seeks civil penalties, attorneys’ fees, disgorgement, and temporary and permanent injunctive relief. Among other remedies, the complaint seeks to require Netflix to purge what is alleged to be deceptively- collected Texans’ data; obtain express and informed consent before using Texans’ data for targeted advertising; stop collecting children’s behavioral data without parental consent; turn autoplay off by default for kids profiles; and restrict clean-room data collaboration involving Texas consumers without adequate disclosure. To read the full petition click here.

Visit Blog

Why AI Risk Needs Its Own Insurance Conversation

Many insurers, and the businesses they cover, are still treating artificial intelligence (AI) risk as if it were cyber risk cloaked in a costume. That instinct is understandable since AI systems process data, rely on vendors, create operational dependencies, and sit inside digital infrastructures. However, early litigation is showing why that framing is likely incomplete. The claims are not only arising from security hacks, ransomware, or data exfiltration, but from ordinary business activity: a customer call, a chatbot exchange, a healthcare consultation, a meeting transcript, or a vendor system setting that was enabled by default long before anyone examined its legal effect. The real exposure sits in the gap between what the business thinks it is doing with AI and what its AI-enabled systems are actually doing. A notice saying “this call may be recorded” may not answer whether the call is being transcribed in real time, analyzed for content, retained by a third party, or used to improve a vendor’s model. A procurement approval may not show whether customer content was opted into training. A vendor contract may not explain whether the vendor is merely supplying a tool or independently receiving, enriching, and using the data flowing through it. That distinction can affect consent, privacy obligations, regulatory exposure, and even which insurance coverage applies. The companies that get ahead of these issues will be the ones that stop asking whether AI is secure and start asking how AI changes the legal scope of their relationships with customers, patients, employees, vendors, and regulators. They will document what users were told, what settings were active, what vendor terms applied, and what data was used for which purpose. AI risk is not just a cyber control problem, it’s a governance, consent, procurement, evidence, and business conduct problem. The market correction will favor organizations that understand that difference before the claims start arriving.

Visit Blog

California’s GM Settlement Reveals a New Era for Connected Car Privacy

California regulators have announced a major privacy settlement with General Motors (GM) over allegations that the company unlawfully sold the location and driving data of hundreds of thousands of Californians to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The settlement, subject to court approval, requires GM to pay $12.75 million in civil penalties and imposes significant restrictions on how the company may use, retain, and share consumer driving data. According to the complaint, GM collected the data through OnStar and allegedly failed to provide adequate notice to consumers, despite statements suggesting that driving and location data would not be sold or would only be disclosed for insurance purposes at the consumer’s direction. The settlement highlights the growing privacy risks associated with connected vehicles. As San Francisco District Attorney Brooke Jenkins stated, “Modern cars are rolling data collection machines.” Location data can reveal highly sensitive details about a person’s daily life, including where they live, work, worship, receive medical care, or take their children to school. California officials alleged that GM retained driving and location data longer than necessary and then sold it to data brokers that intended to use it for driver-rating products marketed to auto insurers. Although investigators determined that California drivers were likely not subject to increased premiums because California law restricts the use of driving data for insurance rates, the alleged conduct still raised serious concerns under the California Consumer Privacy Act (CCPA) and California’s Unfair Competition Law. The settlement is especially notable because it is the California Department of Justice’s first enforcement action focused on the CCPA’s data minimization principle. Under the settlement terms, GM must stop selling driving data to consumer reporting agencies for five years, delete retained driving data within 180 days except for limited internal uses or where consumers provide affirmative, express consent, request deletion from LexisNexis and Verisk, and maintain a robust privacy compliance program. For companies collecting connected device data, the message is clear: collect only what is needed, explain data practices clearly, honor consumer rights, and do not repurpose sensitive data without proper notice and consent. To read the full settlement click here.

Visit Blog

When an AI Chatbot Calls Itself a Doctor

Pennsylvania’s lawsuit against Character Technologies, Inc., is a notable early test of how professional licensing laws may apply to consumer-facing AI chatbots. The Commonwealth, acting through the Department of State and State Board of Medicine, filed a Petition for Review in the Commonwealth Court of Pennsylvania seeking to restrain what it alleges is the unlawful practice of medicine under the state’s Medical Practice Act. The case centers on Character.AI, a website and mobile application that allows users to interact with customizable AI characters powered by a large language model (LLM). According to the complaint, Character.AI is widely available, has more than 20 million monthly active users worldwide, and hosts more than 18 million unique chatbot characters created by users. The Commonwealth alleges that some of those characters purport to be health care professionals, including a chatbot named “Emilie,” described on the platform as “Doctor of psychiatry. You are her patient.” As of April 17, 2026, “Emilie” allegedly had approximately 45,500 user interactions on the Character.AI platform. According to the investigation description in the complaint, a Pennsylvania professional conduct investigator created a free Character.AI account while located in Harrisburg, searched the platform for “psychiatry,” and selected “Emilie.” When the investigator said he felt sad, empty, tired, and unmotivated, “Emilie” mentioned depression and asked whether he wanted to book an assessment. The chatbot allegedly said an assessment was within her remit “as a Doctor,” claimed medical training and psychiatric licensure in the United Kingdom, represented that she was licensed in Pennsylvania, and provided a Pennsylvania license number that the complaint says was not valid. The broader issue is not simply whether a chatbot gave bad advice, but whether an AI character can cross the line from roleplay into conduct regulated as medicine. Pennsylvania argues that Character Technologies engaged in unauthorized practice because the AI system held itself out as a licensed medical doctor and used the title of psychiatrist without a valid Pennsylvania license. If the court accepts that theory, the case could become an important warning to AI platforms: disclaimers may not be enough where a product allows bots to claim professional credentials, offer assessments, or present fake license numbers to users seeking health-related guidance. To read the complaint click here.

Visit Blog

From Future Requirement to Present Risk: California Privacy Audit Readiness

California companies may have less time than they think to prepare for privacy audits. The California Privacy Protection Agency’s (CPPA) new Audits Division, created in February 2026, is expected to begin assessing companies’ compliance with the California Consumer Privacy Act (CCPA) this year, according to Executive Director Tom Kemp. This is a notable remark because—while the formal deadline to submit cybersecurity audit certifications does not begin until 2028 for some businesses—the CPPA expects companies to already be building and maintaining real audit-ready compliance programs. So, what will these audits likely look at? The CPPA has not laid out a full roadmap, but recent comments suggest the CPPA may focus on practical problem areas that have already drawn enforcement attention. That includes whether consumers can actually exercise their rights to access, correct, delete, and opt out, whether privacy policies are accurate and complete, and how businesses handle newer risk areas like chatbots, large language models, surveillance pricing, and sensitive data. Auditors may also review a company’s cybersecurity program, internal governance, systems, and vendor relationships. If they find serious gaps, those issues could be referred for enforcement, where penalties have already reached six and seven figures. The messaging is clear: if your organization does business in California or operates nationally, it’s time to stop treating audit obligations as a future paperwork exercise and start treating them as a present compliance priority. Companies should assess whether the rules apply to them, test whether their cybersecurity program is properly documented and owned by qualified personnel, and align their audit readiness work with California’s separate risk assessment requirements. These audits may be new, but the expectation to be prepared is already here.

Visit Blog

Privacy Trends Fashion, Beauty, and Wearable Tech Brands Need to Watch

Fashion, beauty, and wearable technology brands are heading into 2026 with a lot more to think about concerning data privacy. What used to feel like a back-end legal issue is now shaping how companies design products, personalize experiences, and build trust with customers. With new state privacy laws taking effect in Indiana, Kentucky, and Rhode Island, updates to California’s rules, and more changes expected across the country, brands can no longer afford to treat privacy as a simple compliance exercise. For companies, being open and thoughtful about data practices can actually become a real point of differentiation. The biggest pressure points are clear: biometric data, consumer health and wellness data, children’s privacy, and AI are all facing increased scrutiny this year. For brands using virtual try-on tools, skin analysis, body scanning, wearables, or AI-powered personalization, the compliance stakes are especially high because many of these tools rely on sensitive personal information. At the same time, regulators are paying closer attention to targeted advertising, cookies, and tracking technologies, while class-action lawsuits tied to tools like pixels and similar technologies continue to rise. That means companies need to think carefully not just about what data they collect, but why they collect it, how they disclose it, and whether users are given real, meaningful choices. The good news is that strong privacy practices can do more than reduce legal risk. They can strengthen brand reputation and deepen consumer loyalty. Companies that invest in privacy by design, clear consent flows, transparent notices, thoughtful AI governance, and stronger controls around children’s and health-related data will be better positioned to keep up with fast-moving laws and consumer expectations. Privacy is not just about compliance; it’s about earning trust in a way customers can see and value. For brands operating in California, that also means ensuring their privacy programs align with the California Consumer Privacy Act’s requirements around notice, consumer rights, and meaningful choices about how personal information is collected, used, and shared.

Visit Blog

CCPA Employee Data Rulemaking Could Reshape Employer Privacy Compliance in California

The California Consumer Privacy Act (CCPA) continues to stand apart as the only comprehensive state privacy law in the U.S. that applies to personal information relating to employees, job applicants, and independent contractors. Since that coverage expanded in January 2023, many employers have had to navigate the difficult task of applying a consumer privacy framework to workforce data. That has created practical challenges, particularly in areas such as privacy notices, internal data practices, and responses to requests from workers seeking to exercise their privacy rights. On April 20, 2026, the California Privacy Protection Agency (CPPA) began preliminary rulemaking focused on employee data and related privacy notice and disclosure requirements under the CCPA. The CPPA is exploring whether separate or more tailored regulations are needed to clarify how the law should apply to personal information collected in the employment context. Its request for input suggests that regulators recognize the uncertainty businesses and workers have faced. Among other issues, the CPPA is asking what difficulties employers encounter when giving job applicants and employees the ability to exercise privacy rights, and how regulations could better address those concerns. Although it is still too early to predict the substance of any final rules, this process could have significant consequences for employers subject to the CCPA. New regulations could better align compliance obligations with the realities of human resources and workforce data management. At the same time, such regulations may introduce additional notice, disclosure, or operational requirements that increase regulatory burden. For now, the rulemaking remains in a pre-proposal stage, with preliminary comments due by May 20, 2026. If the CPPA moves forward with formal rulemaking, proposed regulations and another round of public comment would follow, with any final requirements unlikely to take effect before 2027.

Visit Blog

What Legal AI Is Really Changing in Law Firm Economics

Legal commentary on artificial intelligence in law practice often focuses on speed: drafts that once took days can now be produced in hours, and research that once took hours can now be narrowed in minutes. Those gains are real, but they do not resolve the more important operational questions. Many firms still don’t know whether faster tools are producing better realization or improved profitability. In practice, time saved in drafting often reappears in verification, supervision, and coordination. A draft may be generated quickly, but lawyers still need to test it against matter history, client objectives, procedural posture, and jurisdiction-specific requirements. The better question is not whether AI speeds up a single task, but whether it improves matter economics overall. Firms often measure adoption through access, query volume, or document counts, yet those metrics do not show business value. More meaningful measures include time to completion, write-offs, staffing efficiency, turnaround time, and client satisfaction. From that perspective, the real constraint may be information architecture rather than drafting speed. When lawyers have to reconstruct context before trusting the AI output, the review becomes the new bottleneck. When financial data, prior work product, client instructions, and workflow are connected, that same output can be reviewed and used much more efficiently. For law firms, the next step is not simply broader adoption, but disciplined implementation. Firms will need to determine where AI genuinely improves matter economics, build workflows that reduce rather than relocate friction, and establish clear strategies and governance around when and how these tools are used. That governance should address supervision, verification, confidentiality, accountability, and consistency of use across matters. The firms that stand out will likely be those that can show not just faster output, but controlled, measurable, and trusted use of AI in service of better outcomes.

Visit Blog