Artificial intelligence has quickly become part of the modern lawyer’s toolkit. Attorneys are using generative AI platforms to assist with legal research, drafting, editing, and document review. While these technologies can improve efficiency, a growing number of court filings across the country demonstrate a significant risk: AI-generated hallucinations, including fabricated case citations, nonexistent authorities, and inaccurate quotations.

Recent sanctions decisions from federal and state courts have highlighted the problem. Judges have encountered briefs containing cases that do not exist, citations that do not support the propositions for which they are offered, and legal analyses generated by AI systems without adequate attorney verification. These incidents have reinforced a fundamental principle of legal practice: lawyers—not software—remain responsible for the accuracy of every filing submitted to a court.

Recognizing these concerns, the Florida Supreme Court has amended Florida Rule of General Practice and Judicial Administration 2.515 to establish a clear statewide standard governing representations made when documents are filed in Florida courts.

Florida’s New Rule

Effective June 15, 2026, Rule 2.515(d)(2) requires every signer of a court filing to represent that:

“the legal authorities identified exist and are accurately cited.”

The amendment applies not only to attorneys but also to self-represented litigants.

The Court’s action reflects growing concern about the use of generative AI tools that may produce authoritative-sounding but inaccurate information. In its per curiam opinion, the Court expressly noted that generative AI systems “can generate content that appears plausible but is in fact inaccurate, including fabricated or ‘hallucinated’ authorities.”

A Statewide Response to a Growing Problem

Florida is not alone in confronting AI-related filing issues. Courts throughout the United States have issued sanctions, show-cause orders, and standing orders addressing AI-generated errors in briefs and motions. Some judges have required certifications regarding AI use, while others have focused on counsel’s duty to verify all citations and legal authorities before filing.

Rather than adopting a patchwork of local requirements, the Florida Supreme Court chose a statewide approach. According to the Court’s commentary, the amendments were adopted

“principally to create a statewide, uniform replacement for varied circuit court administrative orders imposing disclosure and certification requirements about the use of artificial intelligence in filings.”

New Sanctions Authority

The amended rule also expressly authorizes courts to impose sanctions when a filing is inconsistent with the signer’s certification. The rule provides that sanctions may be imposed after notice and an opportunity to be heard and may include:

  • Reprimand;
  • Contempt;
  • Striking the document;
  • Dismissal of proceedings;
  • Costs;
  • Attorneys’ fees; or
  • Other appropriate sanctions.

Although courts already possessed various sanctioning powers, the Florida Supreme Court made clear that the new provision is intended to eliminate uncertainty regarding courts’ authority to address inaccurate filings in the AI context.

What This Means for Lawyers

The amendment does not prohibit the use of AI. Nor does it require attorneys to disclose every instance in which AI assisted with drafting or research. Instead, it reinforces a basic professional obligation that predates artificial intelligence: lawyers must independently verify the accuracy of the legal authorities cited in their filings.

As generative AI becomes more sophisticated and more widely used, attorneys should consider implementing safeguards such as:

  1. Independently reviewing every citation generated by AI tools.
  2. Confirming that all cited authorities actually exist.
  3. Reading the underlying cases rather than relying on AI-generated summaries.
  4. Verifying quotations, pinpoint citations, and procedural histories.
  5. Establishing firm policies governing AI-assisted drafting and legal research.
  6. Training lawyers and staff regarding the risks of AI hallucinations and citation errors.

The Continuing Duty of Professional Judgment

The Florida Supreme Court’s amendment serves as a reminder that technological innovation does not alter a lawyer’s fundamental duties of competence, diligence, and candor to the tribunal. AI may assist in the drafting process, but it cannot replace the attorney’s obligation to ensure that every legal authority presented to a court is real, accurate, and properly cited.

As courts continue to encounter AI-related filing errors, Florida’s approach may provide a model for other jurisdictions seeking to balance innovation with the integrity of the judicial process. The message is straightforward: use AI if you choose, but verify before you file!

Key Takeaways

  • Outlines key considerations for businesses using productivity management and monitoring platforms – such as, Teramind, ActivTrak, and Insightful – and whether their use may require a CCPA risk assessment.
  • Identifies the specific CCPA risk assessment triggers most relevant to such productivity technologies.

Productivity management and monitoring platforms have become a fixture of the modern workplace—particularly for remote and hybrid workforces. These tools can track application usage, keystrokes, website visits, active and idle time, and even capture periodic screenshots of employee screens. Some platforms go further, using artificial intelligence to generate productivity scores, assess engagement levels, and flag behavioral anomalies. Businesses subject to the California Consumer Privacy Act (CCPA) and deploying this type of technology, should carefully consider whether a risk assessment is required before or during that use.

The first question is always whether the CCPA applies to the business at all. If the business has not yet made that determination, our comprehensive CCPA FAQs is a helpful starting point. Assuming the CCPA applies, the next question is whether the specific processing activity at issue presents a “significant risk” to consumer privacy—the standard that triggers the assessment obligation.

Our earlier posts on CCPA risk assessment basics discuss when the CCPA risk assessment requirement applies and the general requirements for conducting and reporting a risk assessment. This post focuses specifically on productivity management and monitoring platforms.

What Do Productivity Management and Monitoring Platforms Do?

Modern productivity platforms vary considerably in their capabilities and configurations. At a minimum, many log which applications an employee uses and for how long. More sophisticated deployments capture screenshots at regular intervals, record keystrokes, monitor email and messaging communications, and track time spent on specific websites or documents. AI-enhanced platforms layer on behavioral analytics, producing output that can characterize an employee’s work patterns, predict disengagement, or rank individuals against their peers.

The breadth of data collected—and the degree to which it is processed automatically to draw inferences about individual employees—is precisely what makes these platforms significant from a CCPA risk assessment perspective.

Which CCPA Risk Assessment Triggers Apply?

The updated CCPA regulations, which became effective in 2026, identify specific processing activities that require a risk assessment. Businesses using productivity management and monitoring platforms should evaluate at least three of them:

First, the regulations require a risk assessment when a business profiles a consumer (which includes employees and contractors) through “systematic observation.” The term “systematic observation” is defined broadly to include “methodical and regular or continuous observation,” and expressly covers “video or audio recording or live-streaming” and “technologies that enable physical or biological identification or profiling.” Periodic screenshots, continuous application logging, and keystroke capture may fall within this definition. “Profiling” itself is defined to include “any form of automated processing of personal information to evaluate certain personal aspects… relating to a natural person,” specifically including analysis of “performance at work,” “reliability,” “predispositions,” and “behavior.” A platform that generates productivity scores or behavioral profiles may fall within this definition.

Second, to the extent a productivity monitoring platform uses automated decision-making technology (ADMT) to make or meaningfully contribute to significant decisions about employees—such as decisions about compensation, employment opportunities, or similar matters—a risk assessment may be independently required on that basis. Businesses should carefully examine whether the platform’s output is used in any formal or informal employment decision-making process.

Third, if the platform processes any “sensitive personal information” as defined under the CCPA—such as health information (e.g., inferences about mental health from behavioral data), or biometric data (e.g., keystroke dynamics used for identity verification)—that processing could independently trigger a risk assessment requirement. The regulations include a narrow exception for certain human resources functions such as payroll and benefits administration, but businesses should not assume that exception is broad enough to cover behavioral analytics or performance profiling. Also, remember that the CCPA excludes certain categories of personal information including protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and medical information under the California Confidentiality of Medical Information Act (CMIA). Importantly, however, not all health and medical information is covered under these laws, and could be covered by the CCPA.

Other Federal and State Laws to Consider

The CCPA is not the only federal or state law to consider when deploying performance management and monitoring platforms. To fully address compliance, the business needs to take into account, among other things, the regulatory environment of the business, the data collected by the platform, and the features of the platform. By way of example, the platform could trigger laws regulating biometric data, the recording of conversations, and the safeguarding of health information.

What Should Businesses Do?

Businesses that have deployed—or are considering deploying—productivity management and monitoring platforms should begin with a thorough inventory of what data the platform collects, how that data is processed or analyzed, and what outputs or decisions flow from that processing. Where the platform involves systematic behavioral observation, AI-generated productivity profiles, or ADMT that contributes to employment decisions, a CCPA risk assessment should be considered.

For the procedural requirements of completing a risk assessment—including the required contents of the risk assessment report and the certification obligation to the CPPA—Part 2 of our risk assessment series provides relevant information.  

A recent federal court decision offers important lessons for businesses that use cookies, pixels, and other tracking technologies on consumer-facing websites. Although the court dismissed one federal wiretap claim with leave to amend, it allowed other privacy claims to proceed, including claims under California’s pen register statute and common law intrusion upon seclusion.

The case involved allegations that a company’s website began collecting visitor data immediately upon a user landing on the site, before the user had a meaningful opportunity to reject non-essential cookies via a consent banner. The plaintiff alleged that, despite selecting “reject,” certain information had already been collected and transmitted to third parties, including browsing activity, website interactions, device information, session data, user identifiers, and geolocation data.

The court found that these allegations were sufficient, at the pleading stage, to establish a concrete privacy injury for damages. Importantly, the court emphasized that privacy harms may depend on the sensitivity and nature of the information collected. Browsing history, user interactions, identifiers, and location-related information may, in some instances, be enough to support standing when allegedly collected without consent.

The decision also highlights that a plaintiff’s status as a privacy “tester” does not automatically defeat standing. While courts may scrutinize whether a tester genuinely expected privacy and indeed have declined standing when a tester’s expectations that their information would be accessed, recorded, and disclosed are met, this court accepted the allegation that the user had expressly rejected non-essential tracking, which supported a reasonable expectation that tracking would not occur.

For businesses, the most practical lesson is that cookie consent tools must work as promised. A banner that allows users to reject non-essential cookies may create risk if tracking begins before a user has an opportunity to review the banner or make a selection, or if third-party technologies continue to operate despite a rejection. Businesses should not assume that having a banner alone is enough; they should test whether it is operating as intended or represented.

The decision also underscores the need to understand what data third-party tools collect. Courts are increasingly willing to consider whether website tracking technologies may fall within older privacy statutes, including laws originally written for telephone-era tracking devices. That means businesses should carefully evaluate pixels, analytics tags, advertising scripts, session replay tools, and related technologies.

If you have questions about web tracking and privacy issues for your business, contact a Jackson Lewis attorney to discuss.

Key Takeaways

  • Analyzes whether recording customer service and sales calls triggers the CCPA’s new risk assessment requirements.
  • Identifies the specific CCPA triggers most relevant to call recording, particularly when AI analytics are applied to recordings.
  • Notes related obligations under state wiretapping laws and other state privacy frameworks.

Recording customer calls is among the most common data collection practices in business. Contact centers, healthcare providers, financial services firms, and countless other industries record customer interactions for quality assurance, training, compliance, and dispute resolution. The familiar “this call may be recorded for quality and training purposes” disclosure has become almost reflexive. But with the CCPA’s new risk assessment requirements now in effect, businesses subject to the CCPA should revisit this practice—particularly where call recordings are analyzed using AI or used in ways that go beyond simple storage and retrieval.

Our earlier posts on CCPA risk assessment basics discuss when the CCPA risk assessment requirement applies and the general requirements for conducting and reporting a risk assessment. This post focuses specifically on the call recording context.

How Businesses Use Customer Call Recordings

At its most basic level, call recording captures audio of a conversation between a customer service representative and a customer, stores that recording, and makes it available for later playback. Many businesses, however, now use AI-powered speech analytics tools to extract additional value from those recordings. These tools can transcribe calls, identify topics discussed, detect customer sentiment and emotion, flag compliance concerns, score agent performance, and generate profiles of individual customers based on their communication patterns, expressed preferences, or emotional responses across multiple interactions.

It is this AI-enhanced use of call recordings—rather than simple storage—that raises the most significant, but not the only CCPA risk assessment questions.

CCPA Risk Assessment Triggers for Call Recording Programs

Businesses should evaluate at least the following potential risk assessment triggers in connection with their call recording programs:

Sensitive Personal Information. Call recordings frequently capture sensitive personal information. Under the CCPA, sensitive personal information means personal information that reveals information about a consumer, such as: SSN, driver’s license number, passport number, precise geolocation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership, genetic data, biometric information for the purpose of uniquely identifying a consumer, and information about a consumer’s sex life or sexual orientation. This is not an exhaustive list, but no doubt information that could be captured on a recorded line.

Customers who call healthcare providers, pharmacies, or health insurance companies for example, routinely disclose such information. But remember, the CCPA excludes certain categories of personal information including protected health information covered under the Health Insurance Portability and Accountability Act and medical information under the California Confidentiality of Medical Information Act. Importantly, not all health and medical information is covered under these laws, and could be covered by CCPA!

If a business uses voice biometrics—either to verify a caller’s identity or as part of a speaker analytics program that analyzes vocal patterns to identify individuals—it is processing biometric information, which is sensitive personal information under the CCPA. Even a speech analytics platform that generates a persistent voice profile of a customer may implicate this category. A risk assessment may be required for processing of that kind.

Systematic Observation. The CCPA risk assessment regulations require an assessment when businesses profile consumers through systematic observation. Automated processing of information obtained from call recordings could be used to infer or extrapolate a consumer’s intelligence, aptitude, performance at work, economic situation, behavior, location, etc. based upon systematic observation. When this occurs in connection with a consumer acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business, a risk assessment may be needed.

Automated Decision-Making. Where call recording analytics feed into automated systems that make significant decisions about consumers—such as creditworthiness determinations, insurance coverage decisions, or healthcare recommendations—the ADMT risk assessment trigger may be engaged.

State Wiretapping and Consent Laws

Separate from the CCPA risk assessment requirements, businesses recording customer calls must comply with state wiretapping and call recording consent laws. California’s Invasion of Privacy Act (CIPA) requires all-party consent for recording telephone calls. Several other states—including Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington—also require all-party consent. Businesses that record calls involving customers in those states without proper consent face significant litigation exposure. The wiretapping consent requirement and the CCPA risk assessment obligation are independent—satisfying one does not satisfy the other.

What Businesses Should Do

Businesses that record customer calls should document the full lifecycle of those recordings: what is captured, where it is stored, how long it is retained, who can access it, and whether any AI or analytics tools are applied to the recordings. Where recordings capture sensitive personal information or are analyzed by AI to generate profiles or inform significant decisions about customers, a CCPA risk assessment should be considered by businesses covered under the CCPA.

For the procedural requirements of completing a risk assessment—including the required contents of the risk assessment report and the certification obligation to the CPPA—Part 2 of our risk assessment series provides the relevant guidance.

Employers are increasingly using artificial intelligence and other algorithmic tools to support workplace decisions, including recruiting, screening, interviewing, promotion, workforce planning, and performance management. These tools can improve efficiency and consistency, but they also introduce important compliance, reputational, and employee-relations considerations. Two concepts that often arise in AI governance are bias audits and validation testing. Although related, they serve different purposes.

A bias audit generally evaluates whether the use of a tool is associated with materially different outcomes across protected or demographic groups. Depending on the jurisdiction and the tool at issue, a bias audit may be legally required before use. For example, New York City’s automated employment decision tool law requires certain employers and employment agencies to obtain a bias audit within one year before using covered tools and to provide related notices and disclosures. And other states have laws that affect the need for bias testing or are considering such requirements. Even where no specific audit law applies, employers may decide that an audit is appropriate as part of responsible AI governance, particularly when a tool affects access to job opportunities or advancement.

Validation testing, by contrast, focuses on whether a selection procedure is job-related and appropriately measures what it is intended to measure. This concept is not new. The Uniform Guidelines on Employee Selection Procedures provide a long-standing framework for evaluating employment tests and other selection procedures used in employment decisions in compliance with Title VII of the Civil Rights Act. In the AI context, a validation study may be especially important where an algorithm ranks, scores, recommends, or screens individuals based on characteristics that are intended to predict job success. If an employer’s use of an AI tool is challenged, a validation study may be critically important to the employer’s defense.

As a general governance matter, employers should consider bias audits and/or validation testing before deploying an AI tool that materially influences employment decisions. They should also consider reassessment when the tool is modified, used for a new role or population, applied in a new jurisdiction, or when the employer’s own workforce or applicant data materially changes. Ongoing monitoring is critical because a tool that performs acceptably at one point in time may produce different results as business practices, labor markets, or applicant pools evolve.

The need for testing should be assessed early in the procurement process. Employers should ask vendors what the tool does, what data it uses, whether it has been audited or validated, what assumptions underlie the model, and what documentation is available. Employers should also avoid assuming that a vendor’s general statements about fairness, accuracy, or compliance are sufficient for the employer’s particular use case.

A practical AI governance program typically includes an inventory of AI-enabled employment tools, a risk-based review before deployment, appropriate legal and human resources oversight, documentation of decision-making, and periodic reevaluation.

If you have questions about AI governance for your business, contact a Jackson Lewis attorney to discuss.

State breach-notification laws continue to evolve, and legislatures are using 2026 sessions to tighten consumer protections and shift the civil liability landscape that often follows a cyber event.

For businesses, the practical takeaway is that incident response planning increasingly needs to account not only for “whether notice is required,” but also for hard timelines, regulator-facing deliverables, and the cost of consumer support services.

Several state laws have died without passing out of the legislature, including bills in Connecticut, Hawaii, and Oklahoma. However, we continue to watch two pending state laws on the East Coast.

New Jersey – Assembly Bill 1852

New Jersey’s pending proposal is more about standardizing notice practices and ensuring ongoing consumer access to credit reporting.

As introduced, the bill narrows permissible notice methods to written notice or electronic notice. It removes the existing substitute-notice pathway that many companies rely on when notice costs are high or when contact information is incomplete.

The proposal is also more prescriptive about content. It requires breach notices to include contact information, including a toll-free telephone number, of a customer representative of the business or public entity who shall be available to give the customer information on:

  • What information has been compromised, and potential consequences of the breach of security
  • How the company or public entity is addressing the breach
  • What steps the customer may take to safeguard their information, and
  • Notification that the customer has access to free credit reports

The toll-free telephone number would be a larger lift than most state breach notice requirements.

Beyond disclosure, the bill would impose a substantive consumer-support obligation: for six months after notification, the business or public entity must provide access to independent credit reports from a consumer reporting agency and pay the associated fees for the access cadence described in the bill.

Finally, the bill includes a cost-allocation provision under which a third party maintaining records on behalf of another entity would be responsible for reimbursing the principal for notification and credit-report access costs, which will be significant for businesses that outsource data processing.

New York – Senate Bill 3078

New York’s proposal is comparatively targeted, but it could have meaningful cost implications after incidents, especially for consumer-facing organizations. The bill would require that, when the notifying person or business was the source of the breach, the notice must include an offer of appropriate identity theft prevention and mitigation services at no cost for at least 12 months, along with the information necessary for the individual to accept the offer. If passed, New York would join several other states, including California, Connecticut, Delaware, Maryland, Pennsylvania, and the District of Columbia, that require such services.

In practice, businesses should expect that determining whether they were “the source” may require careful factual analysis in multi-party ecosystems, including vendor-hosted environments and shared platforms, and should consider establishing internal criteria for that determination.

Jackson Lewis will continue to track these and other pending legislation related to cybersecurity and data breaches. If you have questions about developing an incident response plan or related issues, contact a Jackson Lewis attorney to discuss.

Takeaways

Educational Institutions use Software as a Service platforms to facilitate operations, but doing so carries significant risk that needs to be carefully managed. Strong vendor oversight, tight contracts, and incident response planning are critical to protecting personal data down the chain.

Related links

Five Privacy Issues Higher Education Institutions Should Consider Monitoring

FAQs for Schools and Persons Affected By the PowerSchool Data Breach

An EdTech vendor whose platform is used by thousands of educational institutions recently experienced a significant cybersecurity incident impacting millions of students.  The incident left customers of the platform legally and reputationally exposed—and answering difficult questions in their local communities.  This incident is not unique and highlights the importance of vendor management to effective data protection programs.

  1. The Education Technology Sector Is a High-Value Target

Lesson: Educational institutions possess a wide range of data and have become trendy targets for attack.

Educational institutions maintain large volumes of personal data related to their students and their families, as well as their teachers and other employees. These troves of data—which may be subject to federal laws like The Family Educational Rights and Privacy Act (FERPA), as well as state reasonable safeguard and breach notification laws—have made educational institutions attractive marks for cyber attackers.  So too has their reputation for underinvesting in their data security programs.  

  1. Third‑Party Contractor≠ Reduced Liability

Lesson: Educational institutions remain legally and reputationally exposed even when their vendor stores data on their behalf.

While engaging a vendor can, in some ways, simplify the process of protecting data—because the vendor handles the logistics and incurs the costs of maintaining administrative, physical, and technical safeguards to secure that data—this is not a set it and forget it situation.  Even if the vendor stores all of the data at issue, the educational institution will be the party statutorily obligated to notify and report in the event of a breach and will likely be a defendant or subject of ensuing litigation or regulatory investigation. In other words, educational institutions can outsource the function of handling their data but cannot outsource the consequences if it’s handled improperly.

  1. The Scope of Data Covered by Data Protection Laws Is Broad

Lesson: Even breaches of less “sensitive” data create meaningful risk.

Reports indicate that the data accessed in the recent breach included names, email addresses, student IDs, and messages.  Although these data elements are less “sensitive” than SSNs, financial account information, or medical information, their breach may still trigger notification and reporting obligations under state data protection laws, like New York Education Law § 2-d.  Thus, educational institutions cannot safely assume that the disclosure of “lower risk” data eliminates legal or operational exposure.  Instead, they must conduct a thorough analysis of the incident and carefully assess resulting obligations.

  1. Operational Resilience is Necessary to Avoid Operational Disruption

Lesson: Operational disruption is a key privacy risk multiplier.

The breach occurred around final examinations for many educational institutions, disrupting students and educators alike.  It also forced operational staffs to rapidly navigate technological, availability, and continuity challenges. Operational resilience, like data backups and well-crafted and -rehearsed incident response plans, are essential to minimizing the harm caused by these incidents.

  1. Strong Risk Management Requires Continuous Vendor Monitoring

Lesson: Constant diligence is required.

Vetting vendors prior to engaging them is critical to an effective management program.  So too is carefully reviewing vendor agreements to ensure they include key data protection provisions.  But vendor management doesn’t end at the time of engagement.  Instead, it’s an ongoing process that should include, among other things, exercise of audit rights, monitoring of vendor subcontractors, and periodic revisiting of vendor agreements.  Use of vendors is unavoidable, as are vendor breaches.  Where educational institutions have control, though, and can mitigate risk, is through diligent oversight of those vendors.

***

For additional information about managing the vendors that manage your data, please contact Jackson Lewis’ Privacy, AI & Cybersecurity team.

The governor of Alabama recently signed House Bill 351, which establishes a consumer data privacy law for the state. The law takes effect May 1, 2027.

To whom does the law apply?

The law applies to controllers that conduct business in Alabama or produce products or services targeted to Alabama residents, if they either:

(1) control or process the personal data of more than 25,000 consumers, excluding data processed solely to complete a payment transaction, or

(2) derive more than 25 percent of gross revenue from the sale of personal data. 

The Act does not apply to various entities, including political subdivisions and certain public bodies, institutions of higher education, certain securities associations, certain financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, certain small businesses with fewer than 500 employees that do not sell personal data, certain nonprofits with fewer than 100 employees that do not sell personal data, certain regulated entities under specified Alabama statutes, certain political organizations and data sellers serving them, and certain electric providers. 

Who is protected by the law?

The law protects “consumers,” defined as individuals who are residents of Alabama. It excludes individuals acting in a commercial or employment context.

The law also specifically allows a parent or legal guardian to exercise rights on behalf of a known child, and a guardian or conservator to exercise rights on behalf of a consumer. 

What data is protected by the law?

The law protects “personal data,” defined as information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data and publicly available information. 

The defines “sensitive data” to include: data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for uniquely identifying an individual; personal data collected from a known child; and precise geolocation data. 

What are the rights of consumers?

Under the law, consumers may require a controller to do the following:

  • Confirm whether the controller, processor, or third party acting on the controller’s behalf is processing the consumer’s personal data and access that data;
  • Correct inaccuracies;
  • Delete personal data;
  • Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
  • Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions. 

A controller must respond to a consumer request within 45 days, subject to a possible 45-day extension when reasonably necessary and must explain if it declines to act. 

Controllers must allow opt-out requests through a clear and conspicuous link on the controller’s website to a webpage that enables the consumer directly to opt out of targeted advertising or the sale of personal data, or to provide up-to-date contact information for submitting the opt-out request. 

What obligations do controllers have?

Controllers must:

  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. 

Controllers may not process personal data for purposes that are not reasonably necessary to or compatible with disclosed purposes, process sensitive data without consent (or, for known children, outside COPPA-compliant processing), process data in violation of discrimination laws, or process personal data for targeted advertising or sell personal data without consent where the controller has actual knowledge that the consumer is at least 13 and younger than 16. 

Controllers may not deny goods or services, charge different prices or rates, or provide a different level of quality because a consumer opted out, although the law allows certain loyalty and reward programs. 

Controllers must establish and describe in the privacy notice one or more secure and reliable means for consumers to submit requests to exercise their rights and may not require consumers to create a new account to do so, though they may require the use of an existing account. 

Controllers also have obligations regarding deidentified and pseudonymous data, including taking measures to ensure deidentified data cannot reasonably be associated with an individual, refraining from reidentifying deidentified data, contractually obligating recipients of deidentified data to comply with the statutory requirements, and exercising reasonable oversight over disclosures of pseudonymous or deidentified data.

How is the law enforced?

The Alabama Attorney General may enforce violations of the Act. 

Before initiating an action, the Attorney General must issue a notice of violation to the controller. If the controller fails to correct the violation within 45 days after receipt of the notice, the Attorney General may bring an action for an injunction.

If the court finds a violation and failure to cure, it may assess a civil penalty of up to $15,000 per violation. If the controller cures within the 45-day period and provides an express written statement that the violations have been corrected and will not recur, no action may be initiated. 

If you have questions about Alabama’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Key Takeaways

  • Examines how AI-driven hiring and applicant screening tools interact with the CCPA’s new risk assessment requirements.
  • Identifies the CCPA risk assessment triggers most likely to apply—including automated decision-making and systematic observation of applicants.

Artificial intelligence has made significant inroads into the hiring process. Employers increasingly rely on AI-driven tools to screen resumes, analyze video interviews, administer automated assessments, and score candidates against job-fit models. These tools promise greater efficiency and, in theory, more consistent evaluation. They also collect and generate a substantial amount of personal information about job applicants—information that, under the CCPA’s updated regulations, may require a formal risk assessment before or during use.

If your organization is a “business” under the CCPA and is using AI-powered hiring or applicant screening technology, the following analysis will help you evaluate whether a risk assessment is required. If you have not yet confirmed that the CCPA applies to your organization, check out our CCPA FAQs which address this and other provisions of the CCPA.

What AI Hiring Tools Typically Do

AI-powered hiring tools span a wide range of functions. Resume parsing and ranking tools use machine learning to score applications against predefined criteria. Video interview platforms analyze candidates’ facial expressions, word choice, and vocal patterns to generate personality or culture-fit assessments. Automated chatbots conduct initial screening interviews and assess responses. Skills assessment platforms measure cognitive ability, personality traits, and job-relevant competencies through adaptive tests scored by AI. Across all of these tools, the common thread is that personal information about applicants is being processed automatically to evaluate them and, directly or indirectly, to inform hiring decisions.

CCPA Risk Assessment Triggers for Hiring AI

The updated CCPA regulations identify several processing activities that require a risk assessment. Employers using AI hiring tools should evaluate whether any of the following apply:

Automated Decision-Making Technology (ADMT). A risk assessment is required when a business uses ADMT to make or contribute substantially to “significant decisions” about consumers. The regulations expressly identify employment opportunities and compensation among the categories of significant decisions. Accordingly, an AI tool that ranks, scores, advances, or eliminates applicants may be using ADMT to contribute to significant employment decisions—a straightforward risk assessment trigger. Employers should not assume that a human reviewer at the end of the process eliminates this obligation; the regulations focus on meaningful contribution to the decision, not exclusive AI control.

Systematic Observation of Applicants. The regulations also require a risk assessment when a business profiles a consumer through systematic observation when the individual is acting in the capacity of a “job applicant.” Systematic observation expressly includes “video or audio recording or live-streaming” and “technologies that enable physical or biological identification or profiling.” The more popular AI notetaking tools, or even AI video interviewing platforms that records candidates and/or analyzes their facial expressions and speech patterns may satisfy these elements.

Sensitive Personal Information. To the extent a hiring tool processes biometric information—such as voice patterns or facial geometry—as part of its analysis, that processing independently triggers a risk assessment as processing of “sensitive personal information.” Biometric information is expressly included in the CCPA’s definition of sensitive personal information, and employers should not assume the human resources exception is broad enough to cover biometric processing in the hiring context.

Training AI on Applicant Data. A risk assessment is also required when personal information is processed to train ADMT for significant decisions, or to train facial recognition or biometric technology. Employers that allow their hiring platform vendors to use applicant data to train or refine their models should evaluate whether this use independently triggers an assessment obligation.

Other State Law Considerations

Several states have enacted laws specifically targeting AI in hiring. Illinois’s Artificial Intelligence Video Interview Act imposes consent and anti-discrimination requirements for video interview AI. New York City’s Local Law 144 requires, among other things, bias audits for automated employment decision tools used by covered employers. Maryland prohibits facial recognition in pre-employment interviews without consent. Colorado recently replaced its AI law which includes obligations to provide consumers (including job applicants) notice prior to using automated decision making technology that will materially influence a consequential decision. To help manage and comply with this growing patchwork of AI regulation, businesses using AI hiring tools should map their tools against each of these requirements, which may operate independently of the CCPA.

Next Steps for Employers

Employers should catalog each AI hiring tool in their technology stack, document the personal information each collects and processes, and assess the functionalities of these tools, such as whether they are making or contributing to significant employment decisions, conducting systematic observation of applicants, or processing biometric or other sensitive personal information. Where any of those conditions are met, a CCPA risk assessment may be required.

Part 2 of our post on CCPA risk assessments details the procedural requirements for completing the assessment, including what the risk assessment report must contain and the obligation to certify the assessment to the CPPA. The assessment must weigh the risks to consumer privacy against the benefits of the processing—a genuine balancing exercise, not a formality.

Service providers often receive or access a customer’s personal information when performing contracted services. In the employment context, service providers may include payroll processors, Human Resource Information System (HRIS) or Applicant Tracking System (ATS) platforms, outsourced IT support, data storage, AI tool providers, or security services.

Under the EU and UK General Data Protection Regulations (GDPR), an employer (data controller) is required to execute a written data processing agreement (DPA) with a service provider (data processor) who will receive or access employee personal data. The DPA is intended to protect the rights of employees and ensure that service providers process their personal data in a compliant manner.

A GDPR DPA must contain a meaningful description of the processing activities (i.e., the subject matter and duration, nature and purpose, categories of personal data, and data subjects) and specific non-negotiable provisions. These mandated provisions include, for example:

  • processing solely on the data controller’s documented instructions,
  • data breach notification obligations,
  • restrictions on sub-processor engagement,
  • processor reasonable safeguards,
  • authorization for onward transfers of data,
  • assistance with data processing impact assessments and data subject access requests,
  • deletion or return of data, and
  • audit rights.

In addition, if an employer transfers employee personal data from the EU or UK to a service provider in a third country that lacks an “adequacy decision” (e.g., the U.S.) or permits the service provider to access employee personal data in the EU or UK from a third country, the parties must use an appropriate “transfer mechanism”. This may require appending the EU Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreement (IDTA) to the DPA and completing a documented Transfer Impact Assessment.

While a GDPR DPA requires specific provisions, the employer may incorporate additional terms tailored to its interests. Common additions include indemnification provisions and limitations on liability for data-specific risks such as the processor’s material breach of the DPA, violation of applicable data protection law, or a personal data breach. The parties may negotiate the implementation terms for certain mandated provisions, such as the window for breach notification; the scope, frequency, and cost allocation of an audit; the manner for approving sub-processors; or whether personal data will be returned or deleted upon completion of the services. Although the DPA terms must require a processor to implement appropriate security measures to safeguard personal data, the GDPR is not prescriptive about specific measures. As a result, the employer should specify the required technical safeguards, as appropriate to the sensitivity of the employee’s personal data and the processing activity.

Despite containing required provisions, every DPA should be tailored to the specific processing activity, the nature and sensitivity of the personal data, and the employer’s risk exposure. Without this tailoring, a GDPR DPA may be non-compliant or create unnecessary risk for the employer and its personal data. To help manage this risk and prevent delays in the contracting process, employers can prepare and maintain a DPA template that reflects their interests and specific requirements and can be tailored to the processing activity.

If you have questions about drafting, reviewing, or negotiating a DPA – under the GDPR or another data protection framework – please feel free to contact the Jackson Lewis Privacy, AI & Cybersecurity team.