A putative class action filed in December 2025 in the U.S. District Court for the Central District of Illinois offers a reminder that AI meeting assistant and transcription tools potentially carry significant legal exposure when organizations deploy them without appropriate governance guardrails in place. It also serves as a reminder to apply strong governance principles when evaluating and deploying these and similar technologies.

What the Fireflies.AI Complaint Alleges

The plaintiff in Cruz v. Fireflies.AI Corp., No. 3:25-cv-03399 (C.D. Ill.), alleges that she participated in a virtual meeting hosted by an Illinois nonprofit organization that had enabled Fireflies.ai — a popular AI meeting assistant that automatically joins Zoom, Microsoft Teams, and Google Meet sessions to record, transcribe, and analyze conversations. She alleges she never created a Fireflies account, never agreed to its Terms of Service, and never provided any written consent authorizing the collection of her biometric data.

Several states, most notably Illinois (under its Biometric Information Privacy Act (“BIPA”), regulate the collection and processing of biometric identifiers and information, creating significant compliance and litigation risk. Check out our summary of that regulation

The crux of the BIPA claims is straightforward: Fireflies’ “Speaker Recognition” feature, marketed as able to identify different speakers in meetings and audio files, necessarily generates voiceprints — biometric identifiers expressly covered by BIPA. The complaint alleges Fireflies violated BIPA in three distinct respects:

  1. failing to maintain and publicly publish a retention schedule and destruction policy for biometric data;
  2. failing to inform participants in writing that voiceprints were being collected, or of the purpose and duration of that collection; and
  3. collecting voiceprints without obtaining a written release from participants — including non-account holders who were simply present in recorded meetings.

The plaintiff seeks statutory damages of $1,000 per negligent violation and $5,000 per reckless or intentional violation, plus attorneys’ fees and injunctive relief.

Why This Matters For and Well Beyond the Fireflies Litigation

In the case of AI meeting and transcription tools, consider the following use cases along with the potential legal and other risks if, in fact, the tools are capturing biometric information:

  • Trainings. When multiple employees use the same workstation or conference room to join trainings using an AI transcription tool, voiceprints of each participant may be captured. Unless each individual has provided written consent, exposure compounds with each meeting and each attendee.
  • Witness and investigation interviews. HR professionals and corporate investigators increasingly use AI transcription tools to document and summarize interviews.
  • Applicant interviews. Talent acquisition teams using AI notetakers during candidate interviews may be capturing the voiceprints of applicants who are unlikely to have been informed their biometric data is being processed.
  • Patient and client encounters. Healthcare providers and other licensed medical professionals using AI transcription in clinical or counseling settings face layered risk — HIPAA, state privacy laws, and where applicable, biometric information protections.

Even beyond meeting assistant and transcription tools, as similar technologies are embedded into a myriad of devices and applications, questions about the collection of biometric information arise. Examples include performance management platforms and AI glasses, both of which can capture and record audio and video.

Clearly, the allegations in Cruz highlight a risk that extends far beyond any one technology, one use case, or the law in one state. AI meeting and transcription tools, like many emerging technologies, potentially can provide substantial productivity and other benefits to an organization. Compelling evidence of this is the rapid implementation and deployment for a wide range of use cases. Whether biometric identifiers or information are collected by Fireflies.AI remains to be seen. What we do know is rolling out technology without appropriate due diligence can expose an organization to significant compliance and litigation risk.

Governance Takeaways

  1. Adopt a team approach to due diligence. The data privacy and security challenges presented by complex and easily adaptable technologies cannot be solved by the IT department alone. Technology safeguards are critical, but they do not replace strong administrative, physical, and organizational controls, nor do they address the nuances certain applications bring. Organization executives, legal counsel, HR professionals, risk, and other key stakeholders should be at the table to ensure the right questions are being asked.
  2. Know your legal and contractual limitations, and the various ways they could apply. An organization’s compliance team need not and should not be comprised solely of lawyers. But it should maintain a keen awareness of the various legal and contractual limitations on the use of certain technologies, and their potential use cases.  
  3. Change management. It is increasingly common to vet and deploy a technology for one application, only to discover that it can easily address a number of other unrelated problems. Or, the vendor developing the technology significantly expands its functionality, which could be very beneficial to the organization beyond its current use. Will those pursuing the additional use cases or functionalities reopen the due diligence analysis? They should.
  4. Write it down. Even if the organization is checking off items 1-3 above, building some structure around the process can help to ensure it is ongoing and consistent.

On March 20, 2026, Oklahoma’s Governor signed Senate Bill (SB) 546, which establishes a consumer data privacy law for the state. Oklahoma’s law takes effect January 1, 2027.

To whom does the law apply?

The law applies to controllers (or processors) operating in the state and handling data for:

  • at least 100,000 consumers; or,
  • at least 25,000 consumers, while earning over half of their revenue from selling personal data.

There are certain exemptions for state agencies and their service providers, financial institutions covered by the Gramm-Leach-Bliley Act, entities covered by HIPAA/HITECH, non-profit organizations, and institutions of higher education.

Who is protected by the law?

A consumer protected under the legislation is defined as an individual who is a resident of Oklahoma, acting only in an individual or household capacity. A consumer does not include a person acting in a commercial or employment context.

What data is protected by the law?

The law protects “personal data,” which means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual.

“Sensitive data” is given additional protection and includes the following:

  • Personal data revealing racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data for uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • To confirm whether a controller is processing their personal data
  • To correct inaccurate personal data
  • To delete personal data maintained by the controller
  • For data available in a digital format, to obtain a copy of their personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance
  • To opt out of the processing of personal data for targeted advertising, sale, or certain profiling

Controllers must respond within 45 days to consumers’ requests under the law, with one additional 45-day extension when reasonably necessary. If declining to act, the controller must explain why and provide appeal instructions.

What obligations do controllers have?

Similar to other state comprehensive privacy laws that have been enacted over the last several years, controllers in Oklahoma must, among other things:

  • Comply with data minimization principles, including limiting the collection of personal data to what is adequate, relevant, and reasonably necessary;
  • Perform data protection assessments relating to certain data processing activities, including processing sensitive data;
  • Provide a reasonably accessible and clear privacy notice to consumers;
  • Include certain provisions in agreements with processors concerning personal data;
  • Maintain reasonable administrative, technical, and physical security practices
  • Avoid processing for incompatible purposes without consent
  • Avoid unlawful discrimination and discriminating against consumers for exercising their rights
  • Obtain consent before processing sensitive data and comply with COPPA for known children

How is the law enforced?

The Attorney General has exclusive authority to enforce violations of the legislation. Violators of the law may incur a fine of up to $7,500 per violation. The law makes clear that it shall not be construed as providing a basis for a private right of action for a violation of this law.

If you have questions about Oklahoma’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

U.S. organizations have long focused on federal requirements governing international data transfers. But a growing wave of state enforcement—particularly in Florida and Texas—signals that regulators are increasingly scrutinizing how companies move sensitive data outside the United States, especially when foreign adversaries may be involved. Recent developments suggest organizations should reassess their data flows, vendor relationships, and ownership structures to understand where sensitive information may ultimately land.

Federal Rule Raises the Stakes on Cross-Border Data Transfers

The Department of Justice (DOJ) took a significant step in 2024 when it began implementing regulations restricting certain outbound transfers of sensitive U.S. personal data to entities linked to “countries of concern,” including China, Iran, and North Korea. The rule targets transfers of large volumes of sensitive data—such as precise location data, biometric identifiers, genomic data, and other categories—where access by foreign adversaries could pose national security risks.

As discussed in our earlier analysis of the rule, the framework focuses on transactions involving “covered data” and “covered persons,” and in some cases prohibits transfers outright or requires companies to implement security controls, diligence processes, and recordkeeping obligations. Organizations subject to the rule must examine their vendor relationships, data brokerage arrangements, and service provider agreements to determine whether the transfers fall within the regulation’s scope.

Yet while the DOJ rule represents a significant federal development, enforcement activity suggests that federal regulators are only part of the story.

States Filling the Enforcement Gap

States are increasingly stepping into what some see as a federal enforcement gap. According to recent reports, states have launched more than a dozen investigations or lawsuits related to U.S. consumer data transfers to China or other foreign actors. These actions have targeted companies across multiple sectors—not just traditional data brokers, but also firms handling consumer electronics, genetic data, and online marketplaces.

State regulators often lack explicit authority over national security concerns. As a result, they are using other tools, including consumer protection laws, unfair or deceptive practices statutes, and state privacy statutes, to investigate companies whose data practices may expose Americans’ information to foreign entities.

Texas has been among the most aggressive jurisdictions, filing actions against several companies, illustrating how states may combine allegations related to privacy practices with broader consumer protection claims. Florida, meanwhile, is emerging as another focal point for state enforcement.

Florida Launches Dedicated Unit Targeting Foreign Data Risks

In February 2026, Florida Attorney General James Uthmeier announced the creation of a new enforcement team dedicated to investigating foreign access to Americans’ data. The initiative—called the Consumer Harm from International and Nefarious Actors (CHINA) unit—will pursue both civil and criminal investigations involving foreign corporations’ data practices.

The new unit plans to focus heavily on companies that collect sensitive personal information, including biometric and demographic data. Health care organizations, in particular, may face heightened scrutiny given the sensitivity of the information they handle.

According to the attorney general’s office, the unit will ramp up subpoenas, investigations, and lawsuits under Florida consumer protection laws. The effort is designed not only to address potential risks within Florida but also to serve as a model for other states considering similar initiatives.

Florida’s Investigation Into Lorex Signals Broader Scrutiny

Florida has already begun investigating companies suspected of exposing consumer data to foreign surveillance risks. One notable example is Lorex Corp., a surveillance camera manufacturer that has faced investigations and litigation in several states over alleged connections to Chinese ownership.

As part of Florida’s inquiry, authorities reportedly compelled the company to produce extensive information about its corporate structure, contracts, and software architecture. The investigation highlights a growing focus on how foreign ownership structures or technological dependencies could create pathways for sensitive data to leave the United States.

For organizations, the Lorex matter underscores a key compliance issue: regulators are looking beyond privacy notices and security practices to evaluate who ultimately has access to data—including corporate affiliates, overseas vendors, and parent companies.

Florida’s Offshore Data Law Adds Another Layer

Florida has also enacted legislation restricting certain transfers of health data outside the United States, sometimes referred to as the state’s “Offshore Data” restrictions. The law prohibits the storage of personal health information by healthcare providers using certified electronic health record technology (CEHRT) outside the United States, its territories, or Canada.

When combined with the DOJ rule and the state’s new enforcement unit, these laws create a regulatory environment in which organizations operating in Florida—or handling data about Florida residents—may face multiple overlapping compliance obligations.

Practical Takeaways for Organizations

These developments highlight a critical shift in how regulators view cross-border data transfers. Organizations should consider taking several steps:

  • Map data flows. Companies should understand where sensitive data is stored, processed, and transmitted—including by vendors and subcontractors.
  • Assess vendor and ownership risks. Regulators are paying closer attention to foreign ownership interests, corporate affiliations, and data access rights.
  • Review contracts and technical controls. Agreements with service providers should address cross-border data transfers and incorporate appropriate safeguards.
  • Monitor state developments. State enforcement efforts are expanding rapidly and may reach companies that previously focused primarily on federal requirements.

The combined pressure from federal regulators and an increasingly active group of state attorneys general suggests that scrutiny of foreign data transfers is likely to intensify. As states continue to explore creative ways to regulate cross-border data flows, organizations may find that compliance requires not only understanding where their data goes—but also who ultimately controls it.

In May 2023, Florida enacted a significant change to its health data laws. Senate Bill 264 amended the Florida Electronic Health Records Exchange Act restricting where certain patient data can be stored and accessed. Codified at Section 408.051(3) of the Florida Electronic Health Records Exchange Act, the change mandates that:

In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada. This subsection applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.

In other words, the law requires healthcare providers using certified electronic health record technology (CEHRT) to ensure that patient information stored outside their facilities—whether in a physical data center, virtual environment, or cloud service—is maintained only in the continental United States, its territories, or Canada.

Note this compliance requirement also comes with a statutory obligation (Section 408.810(14)) for any license under Chapter 408 of the Florida Public Health Law to sign an affidavit of compliance upon initial application and future renewals:  

The licensee must sign an affidavit at the time of his or her initial application for a license and on any renewal applications thereafter that attests under penalty of perjury that he or she is in compliance with s. 408.051(3). The licensee must remain in compliance with s. 408.051(3) or the licensee shall be subject to disciplinary action by the agency.

Emphasis added.

This amendment makes clear its intent that the new rule go beyond the requirements in the well-known federal privacy and security regulations for healthcare providers, the Health Insurance Portability and Accountability Act (HIPAA). HIPAA generally does not impose geographic restrictions on where protected health information (PHI) may be processed or stored, so long as appropriate safeguards and agreements are in place. Likely considered a more stringent protection for PHI, the Florida amendment would appear to survive HIPAA preemption.  

The law applies broadly across the healthcare sector, including hospitals, clinics, ambulatory surgical centers, home health agencies, hospices, nursing homes, labs, pharmacies, and many individual licensed practitioners—from physicians and nurses to therapists and pharmacists.

And, this restriction does not stop with covered providers. It extends to vendors and subcontractors that support healthcare operations. Managed service providers, IT vendors, scheduling support services, and other contractors that store or access patient information must also ensure that the data remains within the permitted geographic boundaries.

The requirements in the law also are not limited to certain types of patient information, such as diagnoses or mental health status. The rule extends to all patient information.

For many covered entities, the operational challenge is real. Disaster recovery environments, backup systems, and globally distributed cloud infrastructure often rely on servers outside the United States. Architectures designed for redundancy or resilience may now create compliance issues under Florida’s law.

Example: Healthcare providers often rely on vendors when handling investigations, such as for security incidents, and responding to data breaches. In some cases, providers may need to perform substantial data mining efforts to identify patients impacted by a breach. Third party data mining vendors often offer substantial discounts when that work is performed outside the U.S. Incident response plans of Florida covered providers should serve as a reminder of where patient information need to be stored.

Practically speaking, that means covered healthcare providers should be, at a minimum:

  • auditing where patient data is actually stored
  • reviewing vendor and subcontractor arrangements
  • updating contracts, BAAs, and data processing agreements to reflect storage restrictions
  • performing diligence on data location when onboarding new vendors

Florida’s move is also part of a larger trend. Regulators and policymakers are increasingly focused on data sovereignty and foreign access to sensitive health information. This amendment is an indicator of where state and federal regulation appears to be headed.

Some years ago, I listened to Richard Susskind speak about the “Future of Professions” and, in his view, how systems like AI might replace them. Indeed, the disruption he predicted largely has materialized in recent years, as many assess what impact AI will have on certain professional services, knowledge-based occupations, such as attorneys, accountants, healthcare professionals, etc. The jury is still out, but while most believe professions will not be eliminated entirely, there most certainly will be some impact, driving the need for adaptation to market realities.

Artificial intelligence chatbots are increasingly being deployed across industries — from healthcare portals to legal tech platforms to financial services. As these tools take on more substantive roles, lawmakers are beginning to push back. New York Senate Bill S7263, introduced last year by Sen. Gonzalez, would impose meaningful liability on businesses that allow chatbots to stray into licensed professional territory.

What the Bill Would Do

S7263 would add a new section to New York’s General Business Law targeting “proprietors” — defined as any person, business, organization, institution, or government entity that owns, operates, or deploys a chatbot to interact with users. Notably, third-party developers who merely license their chatbot technology to a proprietor are explicitly excluded from this definition, though that distinction carries its own implications (more on that below).

The bill draws a hard line around two categories of regulated conduct:

Licensed professions. The bill lists a broad set of professional fields governed under New York’s Education Law — including medicine, dentistry, optometry, psychology, chiropractic, pharmacy, nursing, physical therapy, and others. A chatbot that provides substantive responses, information, or advice that would constitute unlicensed practice of any of these professions could expose its deployer to civil liability.

Legal practice. Chatbots would also be prohibited from providing responses that would amount to practicing law without admission to the New York bar — a significant concern given the explosive growth of AI-powered legal research and document tools.

The Disclosure Requirement

Beyond limiting what chatbots can say, S7263 would impose an affirmative disclosure obligation on all proprietors: users must receive clear, conspicuous, and explicit notice that they are interacting with an AI chatbot. The notice must appear in the same language the chatbot is using and in a font no smaller than the largest text elsewhere on the page. In other words, burying a disclosure in fine print or a terms-of-service page won’t cut it.

Liability and Enforcement

The bill would create a private right of action, allowing individuals to sue directly for actual damages. If a court finds the violation was willful, the proprietor faces actual damages plus attorneys’ fees and court costs — a provision that significantly raises the stakes for deliberate non-compliance.

Critically, the bill explicitly states that a disclaimer alone is not a defense. Simply telling users they are talking to a bot does not shield a proprietor from liability if that bot is providing advice that crosses into licensed professional practice.

What Steps Would Deployers Need to Consider

If S7263 becomes law, organizations deploying customer-facing AI tools in New York should take several steps:

  • Audit chatbot scope. Review what questions your chatbot answers and whether any responses could be characterized as medical, legal, dental, psychological, or other licensed-professional advice. Restrict or redirect sensitive queries accordingly.
  • Implement robust disclosures. Design chatbot interfaces with prominent, plain-language notices that satisfy the font and language requirements in the bill.
  • Review vendor contracts. Even though third-party developers are excluded from the definition of “proprietor,” deployers should ensure their vendor agreements clearly address responsibility for chatbot behavior and include indemnification provisions.
  • Establish escalation paths. Build in clear handoffs to licensed professionals when users raise topics that fall within the bill’s restricted categories.

What Developers Should Consider

While S7263 would not directly impose liability on technology vendors and developers who license their systems to others, the bill creates downstream pressure that developers cannot ignore. Deployers will increasingly demand contractual assurances — and may seek to shift liability — when chatbot behavior triggers a claim. Developers should consider building configurable guardrails into their products that allow deployers to restrict professional-domain responses, and they should be transparent about the limitations of their systems in licensing documentation and product design.

The Bottom Line

If enacted, the law would establish that deploying AI in contexts involving regulated professional advice carries real legal risk — regardless of disclaimers. However, this and other measures like it signal an effort by professions to push back on technology that is changing the landscape for access to such services. Where this will end up remains unclear.

On Friday, March 6, 2026, the White House issued a sweeping Executive Order (EO) titled, “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens.” The EO reflects what most organizations already know all too well: cybercrime is no longer an episodic threat. It is a relentless, organized enterprise that is inflicting devastating financial, operational, and human harm across the globe and, in particular, in the United States.

The Trump Administration also published in March a Cyber Strategy for America, laying out six pillars underpinning the cyber strategy: Shape Adversary Behavior, Promote Common Sense Regulation, Modernize and Security Federal Government Networks, Secure Critical Infrastructure, Sustain Superiority in Critical Technologies, and Build Talent and Capacity.

At the center of the EO is a whole-of-government strategy to disrupt transnational criminal organizations (TCOs) responsible for ransomware attacks, business email compromise (BEC), online fraud schemes, and other predatory cyber activity. It directs federal agencies to coordinate more effectively, prioritize enforcement, strengthen international pressure, and explore ways to return seized funds to victims.

According to the EO:

It is the policy of the United States to protect Americans from, and harden our financial and digital systems against, these threats.  The United States shall counter attacks on Americans with a commensurate response that includes law enforcement, diplomacy, and potential offensive actions.  It is further the policy of the United States to provide support to victims of these crimes, expand public alerts, and prioritize protection for those most at risk to end the exploitation and victimization of Americans.

The Cyber Strategy for America goes a bit further, promising:

American citizens, companies, and our allies should not have to fend off sophisticated military, intelligence, and criminal adversaries in cyberspace alone. We will deploy the full suite of U.S. government defensive and offensive cyber operations.

The Devastating Impact of Ransomware

Ransomware remains one of the most destructive forms of cybercrime. A single successful intrusion can paralyze operations overnight—shutting down hospitals, manufacturing lines, school systems, and critical infrastructure. Beyond the ransom demand itself, organizations face business interruption losses, regulatory scrutiny, litigation exposure, forensic costs, notification obligations, and reputational damage that can linger for years.

For smaller organizations in particular, a ransomware attack can be existential. Even when backups exist, recovery is time-consuming and expensive. Sensitive data may be exfiltrated and later weaponized in extortion campaigns. The operational disruption alone can undermine client trust and strain workforce morale.

The EO acknowledges that ransomware campaigns are frequently coordinated by sophisticated TCOs operating with relative impunity abroad. By focusing federal resources on identifying, disrupting, and dismantling these networks, the Administration aims to attack the problem at its source—not merely respond after the damage is done.

Business Email Compromise and Financial Fraud

Another common type of attack, “business email compromise” or “BEC,” continues to quietly generate billions in losses annually. See, e.g., FBI Internet Crime Report 2024. Unlike ransomware, BEC often does not involve malicious code or dramatic system outages. Instead, threat actors gain access to email account largely through phishing campaigns and exploit trust—impersonating executives, vendors, or clients to redirect payments or manipulate financial transactions.

The harm can be immediate and severe. Funds wired in response to fraudulent instructions are often moved quickly through multiple accounts, making recovery difficult. Organizations must then manage internal investigations, insurance claims, regulatory notifications, and strained business relationships.

These schemes are not random acts by lone actors. They are frequently part of organized criminal enterprises that specialize in reconnaissance, social engineering, and rapid monetization. The EO’s emphasis on prioritizing prosecution of cyber-enabled fraud and strengthening interagency coordination may improve the speed and effectiveness of disruption efforts—particularly where international cooperation is required.

Organizations as Targets—Not Just Defendants

One of the most important themes underlying both the EO and the Cyber Strategy is the recognition that U.S. organizations are often victims in these matters, along with persons, critical infrastructure, and public services. The EO seeks recommendations for a “Victim Restoration Program” designed to provide restoration to cyber crime victims from funds clawed back, forfeited, or seized from the TCOs that perpetrate such schemes.

Certainly, organizations can and should do more to protect their information systems, although security gaps will remain and human error will persist. No system is perfect. But it is critical to understand the broader context: most organizations today are inundated with constant attack attempts. Automated scanning, credential stuffing, phishing campaigns, and brute-force login attempts occur around the clock. Threat actors leverage artificial intelligence, exploit kits, and dark web marketplaces to scale their operations.

Even well-resourced companies with mature cybersecurity programs face a daily barrage of intrusion attempts. For mid-sized and smaller entities, the challenge can be even greater even with a smaller attack surface. The cybersecurity battlefield is asymmetric. Defenders must secure every entry point; attackers need only one.

We Have Heard This Before

Prior administrations have made similar announcements and taken some steps to address this ongoing concern. Yes, cyber risks continue to be paramount for many organizations. So, it remains to be seen whether the efforts outlined in the EO and the Cyber Strategy will be successful. We hope they will.

No executive action or published strategy will eliminate ransomware or fraud overnight. But a coordinated effort that integrates law enforcement, intelligence, diplomacy, and victim support represents an important step forward. In the meantime, for U.S. organizations, the fight against cybercrime remains ongoing. Continued investment in cybersecurity governance, employee training, incident response readiness, and third-party risk management is essential.

As Data Privacy Day 2026 approaches, organizations face an inflection point in privacy, artificial intelligence, and cybersecurity compliance. The pace of technological adoption, in particular AI tools, continues to outstrip legal, governance, and risk frameworks. At the same time, regulators, plaintiffs, and businesses are increasingly focused on how data is collected, used, monitored, and safeguarded.

Below are our Top 10 Privacy, AI, and Cybersecurity Issues for 2026.

1. AI Governance Becomes Operational and Enforceable

AI governance in 2026 will be judged less by aspirational principles and more by documented processes, controls, and accountability. Organizations using AI for recruiting, managing performance, improving efficiency and security, and creating content, among a myriad of other use cases, will be expected to demonstrate how AI systems are developed, deployed, and governed, considering a global patchwork of existing and emerging laws and regulations affecting AI and related technologies.

Action items for 2026:

  • Maintain an enterprise AI inventory, including shadow or embedded AI features.
  • Classify AI systems by risk and use case (HR, monitoring, security, consumer-facing)
  • Establish cross-functional AI governance (legal, privacy/infosec, HR, marketing, finance, operations)
  • Implement documentation and review processes for high-risk AI systems.

Learn More:

2. AI-Driven Workplace Monitoring Under Scrutiny

AI-enabled monitoring tools (dashcams, performance management solutions, wearables, etc.) are increasingly used to track productivity, behavior, communications, and engagement. These tools raise heightened concerns around employee privacy, fairness, transparency, and proportionality, especially when AI generates insights or scores that influence employment decisions.

Regulators and plaintiffs are paying closer attention to whether monitoring is over-collection by design, and whether AI outputs are explainable and defensible.

Action items for 2026:

  • Audit existing monitoring and productivity tools for AI functionality.
  • Assess whether monitoring practices align with data minimization principles.
  • Update employee notices and policies to clearly explain AI-driven monitoring.
  • Ensure human review and appeal mechanisms for AI-influenced decisions.

Learn More:

3. Biometrics Expand and So Does Legal Exposure

Biometric data collection continues to expand beyond fingerprints and facial recognition to include voiceprints, behavioral identifiers, and AI-derived biometric inferences. Litigation under Illinois’ Biometric Information Privacy Act (BIPA) remains active, but risk is spreading through broader definitions of sensitive data in state privacy laws.

Action items for 2026:

  • Identify all biometric and biometric-adjacent data collected directly or indirectly.
  • Review vendor tools to ensure compliance.
  • Update biometric notices, consent processes, and retention schedules.
  • Align biometric compliance efforts with broader privacy programs.

Learn More:

4. CIPA Litigation and Website Tracking Technologies Continue to Evolve

California Invasion of Privacy Act (CIPA) litigation related to session replay tools, chat features, analytics platforms, and tracking pixels remains a major risk area, even as legal theories evolve. AI-enhanced tracking tools that capture richer interactions only heighten exposure. Organizations often underestimate the privacy implications of seemingly routine website and chatbot technologies.

Action items for 2026:

  • Conduct a comprehensive audit of website and app tracking technologies.
  • Reassess consent banners, disclosures, and opt-out mechanisms.
  • Evaluate AI-enabled chatbots and analytics for interception risks.
  • Monitor litigation trends and adjust risk tolerance accordingly.

Learn More:

5. State Comprehensive Privacy Laws Enter an Implementation and Enforcement Phase

Organizations are no longer preparing for state privacy laws, but they are living under them. The California Consumer Privacy Act (CCPA), along with other state laws, imposes increasing operational obligations.

California’s risk assessment requirements, cybersecurity audit mandates, and automated decision-making technology (ADMT) regulations represent a significant shift toward proactive compliance.

Action items for 2026:

  • Comply with annual review and update requirements.
  • Conduct CCPA-mandated risk assessments for high-risk processing.
  • Prepare for cybersecurity audit obligations and documentation expectations.
  • Inventory and assess ADMT used in employment, monitoring, and consumer contexts.

Learn More:

6. Data Minimization Becomes One of the Most Challenging Compliance Obligations

Data minimization has moved from an abstract compliance principle to a central operational challenge. Modern AI systems, monitoring tools, and security platforms are frequently architected to collect and retain expansive datasets by default, even when narrower data sets would suffice. This design approach increasingly conflicts with legal obligations that require organizations to limit data collection to what is necessary, proportionate, and purpose-specific, not only in terms of retention, but at the point of collection itself. As regulatory scrutiny intensifies, organizations must be prepared to explain why specific categories of data were collected, how those decisions align with defined business purposes, and whether less intrusive alternatives were reasonably available.

Action items for 2026:

  • Reassess data collection across AI, HR, and security systems.
  • Implement retention limits and transfer restrictions tied to business necessity and legal risk.
  • Challenge “collect now, justify later” deployments that rely on large-scale or continuous data exports.
  • Integrate data minimization and Bulk Data Transfer rule analysis into AI governance and system design reviews.

Learn More:

7. Importance of the DOJ Bulk Transfer Rule

In 2026, bulk sensitive data transfers are no longer a background compliance issue but a regulated risk category in their own right. Under the Department of Justice’s Bulk Data Transfer Rule, which took effect in 2025, organizations must closely assess whether large-scale transfers or access to U.S. sensitive personal or government-related data involve countries of concern or covered persons. The rule reaches a wide range of transactions, including vendor, employment, and service arrangements, and imposes affirmative obligations around due diligence, access controls, and ongoing monitoring.

Action items for 2026:

  • Update data mapping activities to include sensitive data collection and data storage.
  • Catalog where bulk data transfers occur, including transfers between internal systems, vendors, and cross-border environments. Develop a compliance program that includes due diligence steps, vendor agreement language, and internal access controls.
  • Evaluate the purpose of each bulk transfer.

Learn More:

8. UK and EU Data Protection Laws Reforms

Recent and proposed amendments to UK and EU data protection laws are designed to clarify or simplify compliance obligations for organizations, regardless of sector. Changes will impact both commercial and workplace data handling practices.   

UK: Data Use and Access Act (DUAA)

The UK has enacted the Data Use and Access Act, which amends key provisions of the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR). These reforms relate to subject access requests and complaints, automated processing, the lawful basis to process, cookies, direct marketing, and cross-border transfers, among others. Implementation is occurring in stages, with changes relating to subject access requests, complaints, and automated decision-making taking effect over the next few months.

EU: Digital Omnibus Regulation

The European Commission has proposed a Digital Omnibus Regulation, which introduces amendments to the EU General Data Protection Regulation. Proposed changes include redefining “personal data”, simplifying the personal data breach notification process, clarifying the data subject access process, and managing cookies.

Action items for 2026:

  • Review forthcoming guidance from the UK Information Commissioner’s Office.
    • Implement a data subject complaint process.
    • Review existing lawful bases and purposes for processing.
    • Prepare any necessary updates for employee training.
  • Monitor the progress of the proposed Digital Omnibus Regulation.
    • Review data inventories in the event the definition of personal data is revised.
    • Update data subject access response processes.
    • Review the use and nature of any cookies deployed on the organization’s website.

Learn More:

9. Vendor and Third-Party AI Risk Management Intensifies

Most organizations buy rather than build AI technologies. They buy from vendors such as recruiting platforms, notetaking tools, monitoring applications, cybersecurity providers, and analytics services—whose systems depend on large-scale data ingestion. From procurement to MSA negotiation to record retention obligations, novel and challenging issues as organizations seek to minimize third-party and fourth-party service provider risk. Importantly, vendor contracts have not kept pace with the nature of AI models or how to allocate risk.

Action items for 2026:

  • Update vendor diligence to include privacy, security, and AI-specific risk assessments.
  • Revise contracts to address AI training data, secondary use, audit rights, and allocation of liability.
  • Monitor downstream data sharing, model updates, and cross-border or large-scale data movements.

Learn More:

10. Privacy, AI, and Cybersecurity Fully Converge

In 2026, the lines between privacy, cybersecurity, and AI will continue to blur, leaving organizations that silo these disciplines to face increasing regulatory, litigation, and operational risk.

Action items for 2026:

  • Integrate privacy, AI governance, and cybersecurity leadership.
  • Harmonize risk assessments and reporting structures.
  • Align training and compliance messaging across functions.
  • Treating privacy and AI governance as enterprise risk issues.

Learn More:

As Data Privacy Day 2026 highlights, the challenge is no longer identifying emerging risks, but it is managing them at scale, across systems, and in real time. AI, biometrics, monitoring technologies, and expanding privacy laws demand a more mature, integrated approach to compliance and governance.

A blend of evolving judicial interpretation, aggressive plaintiffs’ counsel, and decades-old statutory language has brought new life to the Florida Security of Communications Act (FSCA) as a vehicle for challenging commonplace website technologies.

At its core, the FSCA was enactedto protect privacy by prohibiting the unauthorized interception of wire, oral, or electronic communications — with far stricter requirements than federal law. Unlike the federal Wiretap Act (which allows one-party consent), Florida typically requires all-party consent before recording or intercepting electronic communications. The FSCA also generally prohibits the interception of any wire, oral, or electronic communications, as well as the use and disclosure of unlawfully intercepted communications “knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication.”

The New Wave of FSCA Claims

For plaintiffs, an attractive provision of the FSCA is that actual damages need not be established to recover for violations. Under the FSCA, a plaintiff can recover liquidated damages of at least $1,000 for violations without a showing of actual harm, as well as punitive damages and attorneys’ fees. One need only examine the explosion of litigation under other laws with similar damages provisions (e.g., the California Invasion of Privacy Act (CIPA), Telephone Consumer Protection Act (TCPA), Illinois Biometric Information Privacy Act (BIPA), the Illinois Genetic Information Privacy Act (GIPA)) to see this model in action.

For years, courts were reluctant to apply the FSCA to digital technologies like website trackers or analytics tools. Courts routinely dismissed early FSCA lawsuits targeting session-replay software and cookies—finding that these tools didn’t intercept the “contents” of communications in a manner the statute was meant to reach. See Jacome v. Spirit Airlines, Inc., No. 2021-000947-CA-01 (Fla. 11th Cir. Ct. June 17, 2021). This view may be shifting.

Recent cases suggest courts may be more open to digital wiretapping-type claims brought in Florida that previously indicated.

  • A nationwide class action pending in the Southern District of Florida, Cobbs v. PetMed Express, Inc.,  alleges that PedMed Express,  an online veterinary pharmacy, used embedded tracking technologies that enabled third-party companies to capture information about consumers’ prescription-related browsing and purchase activity  on its website.   The tracking tools allegedly intercepted URLs, search queries, and personally identifiable information such as email addresses and phone numbers.   This case highlights the growing litigation risks associated with embedded website tracking technologies – particularly when sensitive data such as prescription or health-related information is involved.
  • In Magenheim v. Nike, Inc., filed in December 2025  in the Southern District of Florida, the plaintiffs allege that Nike triggered undisclosed tracking technologies on visitors’ web browsers immediately upon visiting the website – before users could review privacy disclosures or provide consent – and even when users enabled Global Privacy Control (GPC) signals or selected do not share my data on the site.   This lawsuit seeks class certification to include all Florida visitors to Nike’s website over the past two years.  This case underscores the increasing litigation risk surrounding online privacy expectations and the handling of browser-based tracking data.
  • In a lawsuit filed against a large health system in Florida and pending before the U.S. District Court for the Middle District of Florida, the plaintiff, a patient of that health system, alleges that the hospital system embedded tracking technologies within its website and patient portal.   As plead in the putative class action,  the tracking tools allegedly intercepted patients’ online queries regarding symptoms, treatments and other health related content.   The FSCA claims and the federal Wiretap Act survived a motion to dismiss, inline with the growing trend of courts scrutinizing the use of tracking technologies – particularly in the health care context.

What Courts Are Grappling With

At the heart of these disputes are questions that courts nationwide are wrestling with:

  • What constitutes an “interception” under an analog-era statute when applied to digital data?
  • Do URLs, clicks, form inputs, and other web interactions qualify as the “contents” of communications protected by wiretapping laws?
  • When (and whether) consent provided via privacy notices or cookie banners is sufficient to defeat a statutory wiretapping claim?

Courts have reached different answers, leaving Florida business in limbo with the uncertainty driving increasing claims from plaintiffs.

What This Means for Your Business

Whether you operate a website, mobile app, or digital marketing campaign, the Florida FSCA litigation trend shows no signs of slowing. To mitigate risks and avoid becoming a target of wiretapping claims, consider the following practical steps:

1. Audit All Tracking Technologies

Inventory all third-party pixels, session-replay tools, analytics scripts, and email tracking. Understand what data they capture, when it’s transmitted, and what third parties receive it.

2. Reevaluate Your Consent Mechanisms

Passive privacy disclosures may not be enough. Use clear, affirmative consent mechanisms (e.g., click-to-accept banners) that disclose what is collected and how it is used before any tracking occurs.

3. Limit Data to What’s Necessary – Minimization

Where possible, restrict the capture of high-risk data (e.g., URLs revealing sensitive information or form content) and weigh whether aggressive tracking is essential for business purposes.

4. Update Privacy Policies and Terms

Make your data collection and sharing practices transparent and easily accessible. Regularly update legal disclosures to mirror how tools actually function.

5. Tighten Vendor Contracts

Ensure contracts with analytics, marketing, and tracking vendors allocate compliance responsibility and include indemnification clauses where appropriate.

6. Monitor Legal Developments

Florida’s legal landscape is shifting rapidly. Maintain awareness of new decisions and legislative changes that may clarify or expand FSCA applicability.

Conclusion

The surge of digital wiretapping claims under the Florida Security of Communications Act illustrates how old statutes can take on new life in an era of ubiquitous data collection. What once was a niche privacy theory now threatens to expose businesses — large and small — to class action exposure and costly litigation.

By understanding the evolving legal landscape and implementing proactive compliance strategies, companies can better safeguard their digital practices and reduce the risk of costly FSCA claims.

We’re pleased to announce the publication of a comprehensive resource on the Jackson Lewis website:

Navigating the California Consumer Privacy Act: 30+ Essential FAQs for Covered Businesses, Including Clarifying Regulations Effective 1.1.26.

With California’s updated CCPA regulations now in effect as of January 1, 2026, businesses face expanded compliance requirements in several critical areas. The FAQs summarize key provisions in the statute and regulations, providing straightforward analysis for some of the most pressing questions.

Specifically, the FAQs cover a range of issues from fundamental questions about which businesses are covered and what personal information is protected, to detailed explanations of the new requirements around automated decision-making technology (ADMT), risk assessments, and cybersecurity audits. Readers will find practical guidance on meeting their notice obligations, responding to consumer requests, and implementing the technical and organizational safeguards needed to protect personal information.

Whether you’re assessing your organization’s compliance status for the first time or updating your program to reflect the latest regulatory changes, these FAQs offer actionable insights to help navigate this complex landscape.

As we have discussed in prior posts, AI-enabled smart glasses are rapidly evolving from niche wearables into powerful tools with broad workplace appeal — but their innovative capabilities bring equally significant legal and privacy concerns.

  • In Part 1, we addressed compliance issues that arise when these wearables collect biometric information.
  • In Part 2, we covered all-party consent requirements and AI notetaking technologies.
  • In Part 3, we considered broader privacy and surveillance issues, including from a labor law perspective.

In this Part 4, we consider the potentially vast amount of personal and other confidential data that may be collected, visually and audibly, through everyday use of this technology. Cybersecurity and data security risk more broadly pose another major and often underestimated exposure from this technology.

The Risk

AI smart glasses collect, analyze, and transmit enormous volumes of sensitive data—often continuously, and typically transmitting it to cloud-based servers operated by third parties. This creates a perfect storm of cybersecurity risk, regulatory exposure, and breach notification obligations under laws in all 50 states, as well as the CCPA, GDPR, and numerous sector-specific regulations, such as HIPAA for the healthcare industry.

Unlike traditional cameras or recording devices, AI glasses are designed to collect and process data in real time. Even when users believe they are not “recording,” the devices may still be capturing visual, audio, and contextual information for AI analysis, transcription, translation, or object recognition. That data is frequently transmitted to third-party AI providers with unclear security controls, retention practices, and secondary-use restrictions.

Many AI glasses explicitly rely on third-party AI services. For example, Brilliant Labs’ Frame glasses use ChatGPT to power their AI assistant, Noa, and disclose that multiple large language models may be involved in processing. In practice, this means sensitive business conversations, images, and metadata may leave the organization entirely—often without IT, security, or legal teams fully understanding where the data goes or how it is protected.

Use Cases at Risk

  • Hospital workers going on rounds with their team equipped with AI glasses that access, capture, view, and record patients, charts, wounds, family members, in electronic format, triggering the HIPAA Security Rule and state law obligations
  • Financial services employees wearing AI glasses that capture customer financial data, account numbers, or investment information
  • Any workplace use involving personally identifiable information (PII), such as Social Security numbers, credit card data, or medical information, as well as confidential business of the company and/or its customers
  • Attorneys and legal professionals using AI glasses during privileged communications, potentially risking waiver of attorney-client privilege
  • Employees connecting AI glasses to unsecured or public Wi-Fi networks, creating man-in-the-middle attack risks
  • Lost or stolen AI glasses that store unencrypted audio, video, or contextual data

Why It Matters

Data breaches involving biometric data, health information, or financial data carry outsized legal and financial consequences. With AI glasses, as a practical matter, an entity generally is less likely to face a large-scale data breach affecting hundreds of thousands or millions of people. However, a breach and exposure of sensitive patient images, discussions, or other data captured with AI glasses could be just as, if not more, harmful to the reputation of a health system, for example, than an attack by a criminal threat actor. Beyond reputational harm, incident response costs, litigation, and regulatory penalties also remain a significant risk factor.

Shadow AI (the unauthorized use of artificial intelligence tools by employees in the workplace) also poses a potential data security, breach, and third-party risks. Many devices sync automatically to consumer cloud accounts with security practices that employers neither control nor audit. When an employee uses personal AI glasses for work, fundamental questions often go unanswered: Where is the data stored? Is it encrypted? Who has access? How long is it retained? Is it used to train AI models?

Finally, the use of AI glasses can diminish the effects of a powerful data security tool – data minimization. Businesses will need to grapple with the question whether the constant, ambient data collection and recording aligns with the principles of data minimization, a principle that is woven into data privacy laws, such as the California Consumer Privacy Act.

Practical Compliance Considerations

  • Implement clear policies: Be deliberate about whether to permit these wearables in the workplace. And, if so, establish policies limiting when and where they may be used, and what recording features can be activated and under what circumstances.
  • Perform an assessment: Conduct security and privacy assessments of specific AI glasses models before deployment
  • Understand third-party service provider risks: Review security documentation, including encryption practices, access controls, and incident response commitments
  • Understand obligations to customers: Review services agreements concerning the collection, processing, and security obligations for handling customer personal and confidential business information
  • Update incident response plans: Factor in wearable device compromises
  • For HIPAA Covered Entities and Business Associates: Confirm that AI glasses meet HIPAA requirements
  • Evaluate cyber insurance coverage: Assess whether your policy (assuming you have a cyber policy!) covers breaches involving wearable technology and AI-related risks

Conclusion

AI smart glasses may feel futuristic and convenient, but from a data security and compliance perspective, they dramatically expand an organization’s attack surface. Without careful controls, these devices can quietly introduce breach risks, third-party data sharing, and regulatory exposure that outweigh their perceived benefits.

The key is to approach the deployment of AI glasses (and deployment of similar technologies) with eyes wide open—understanding both the capabilities of the technology and the complex legal frameworks that govern their use. With thoughtful policies, robust technical controls, ongoing compliance monitoring, and respect for privacy rights, organizations can harness the benefits of AI glasses while managing the risks.