Vermont has passed Senate Bill 71, a comprehensive privacy law that will regulate how covered entities collect, use, disclose, sell, and protect personal data.

The law is scheduled to take effect on January 1, 2028.

To whom does the law apply?

The law applies to people who conduct business in Vermont or produce products or services targeted at Vermont residents and meet one of several thresholds during the preceding calendar year. A business may be covered if:

  • It controls or processes the personal data of at least 35,000 consumers (not counting personal data controlled or processed solely to complete a payment transaction);
  • It controls or processes the sensitive data of at least 3,000 consumers (not counting personal data controlled or processed solely to complete a payment transaction); or
  • It offers for sale the personal data of at least 3,000 consumers.

The Act also contains specific provisions for consumer health data, which seem to be in line with efforts in other states to fill perceived gaps in the protection of health data left by HIPAA. Those provisions apply more broadly to people conducting business in Vermont or producing products or services targeted at Vermont residents.

The law includes numerous exemptions, including for certain government entities, certain HIPAA-regulated entities and data, financial institutions and data subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act activities, and other regulated or limited categories.

Who is protected by the law?

The Act protects “consumers,” defined generally as Vermont residents.

However, the definition excludes individuals acting in a commercial or employment context, including employees, owners, directors, officers, contractors, or representatives of an organization when their communications or transactions occur solely within that role.

The law also includes heightened protections for children and minors, such as restricting targeted advertising and the sale of personal data.

What data is protected by the law?

The Act protects “personal data,” defined broadly to include information that is linked or reasonably linkable to an identified or identifiable individual or to a device associated with such an individual. This includes derived data and unique identifiers but excludes deidentified data and publicly available information.

The law provides heightened protections for “sensitive data.” Sensitive data includes data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, nonbinary or transgender status, citizenship or immigration status, health conditions, disability, or treatment. It also includes consumer health data, genetic or biometric data, children’s data, precise geolocation data, neural data, certain financial account credentials, and government-issued identification numbers.

What are the rights of consumers?

Under the law, consumers may require a controller to do the following:

  • Confirm whether the controller is processing the consumer’s personal data and access that data;
  • Correct inaccuracies;
  • Delete personal data;
  • Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer;
  • Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions; and
  • Provide a list of third parties to whom the controller has sold personal information.

What obligations do controllers have?

Controllers have several duties, including:

  • Controllers must limit the collection of personal data to what is reasonably necessary and proportionate to the disclosed purposes. Remember: data minimization.
  • They may not process personal data for a materially new purpose (other than what is reasonably necessary and proportionate in relation to the purposes for which the data are processed, as disclosed to the consumer) unless they obtain consent.
  • They also must maintain reasonable administrative, technical, and physical safeguards appropriate to the volume and nature of the personal data. For sensitive data, controllers generally must obtain consent before processing or selling the data.
  • They must provide an effective mechanism for consumers to revoke consent and stop processing within 15 days after receiving the revocation request.
  • Controllers also must avoid unlawful discrimination and refrain from discriminating against consumers for exercising privacy rights.
  • Controllers must maintain certain contractual terms with processors.
  • Controllers must provide clear, accessible privacy notices (e.g., via the website homepage or an app settings menu). Those notices must disclose, among other things, the categories of data processed, processing purposes, consumer rights, the categories of personal data sold to third parties and the categories of those third parties, “clear and conspicuous” disclosures concerning targeted advertising, contact information, whether personal data is used to train large language models, and the date of the latest update.

Controllers must also provide secure methods for consumers to exercise their rights, honor qualifying opt-out preference signals, and conduct data protection assessments for certain high-risk processing activities, including targeted advertising, sales of personal data, sensitive data processing, and certain profiling.

How is the law enforced?

The Vermont Attorney General enforces the Act. The law does not create a private right of action, meaning consumers generally may not sue directly for violations under the Act.

The Attorney General must provide guidance to controllers and processors and submit annual reports to the General Assembly regarding enforcement activity. During the period from January 1, 2028, through June 30, 2029, the Attorney General must provide notice and a 60-day opportunity to cure when the Attorney General determines that a cure is possible before initiating an enforcement action.

If you have questions about Vermont’s new privacy law or related issues, please reach out to a member of our Privacy, AI, and Cybersecurity practice group to discuss.

With the Governor of Louisiana’s signature on Senate Bill 386, Louisiana becomes one of the latest states to enact a comprehensive consumer privacy law, joining more than twenty states that have adopted similar frameworks in recent years. Like laws in Texas, Virginia, Colorado, and other states, the Louisiana Data Privacy Act (LDPA) adopts a controller/processor framework, grants consumers rights over their personal data, and authorizes enforcement by the state attorney general rather than private litigants. The Act takes effect January 1, 2027.

To whom does the law apply?

The law applies to a person or entity that does business in the state and meets at least one of these thresholds:

  • Annual gross revenues over $25 million;
  • Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more consumers, households, or devices; or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

Notably, Louisiana’s applicability thresholds differ from many recent state privacy laws that focus primarily on the volume of consumer data processed. Instead, the LDPA incorporates revenue-based thresholds similar to those found in California’s privacy framework, applying to businesses with annual gross revenues exceeding $25 million regardless of the amount of personal data processed.

The law does not apply to various categories, including state agencies, certain financial institutions, and GLBA-regulated data, HIPAA-covered entities and business associates, nonprofits, and institutions of higher education.

Who is protected by the law?

The law protects consumers, defined as Louisiana residents acting only in an individual or household context. The law expressly excludes individuals acting in a commercial or employment context.

Under the law, a child’s parent or legal guardian may exercise the child’s consumer rights on the child’s behalf.

What data is protected by the law?

The law protects personal data, which is information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data or publicly available information.

Under the law, “sensitive data” is protected and includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data used to uniquely identify an individual, personal data collected from a known child, and precise geolocation data. Businesses should pay particular attention to the law’s treatment of sensitive data. Like many recently enacted state privacy laws, Louisiana generally requires consumer consent before processing sensitive data.

What rights do consumers have?

Under the law, consumers may require a controller to do the following:

  • Confirm whether the controller is processing the consumer’s personal data and access that data;
  • Correct inaccuracies;
  • Delete personal data;
  • Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
  • Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions.

Controllers generally must respond to such requests within 45 calendar days, with one additional 45-day extension available when reasonably necessary.

What obligations do controllers have?

Under the law, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose and must maintain reasonable administrative, technical, and physical security practices appropriate to the data.

Controllers must provide a reasonably accessible and clear privacy notice describing categories of personal data processed, processing purposes, how consumers may exercise rights and appeal decisions, categories of personal data sold, categories of third parties to whom data is sold, and request submission methods.

If a controller sells sensitive data or biometric data, it must have a specific notice to that effect.

A contract between a controller and a processor must address the processor’s data processing procedures with respect to processing performed on behalf of the controller. Similar to other state privacy laws, the LDPA requires such contracts to include certain provisions, such as:

  • clear instructions for processing data;
  • the type of data subject to processing;
  • the duration of processing; and
  • a requirement that the processor make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of the LDPA.

Controllers must also conduct and document data protection assessments for targeted advertising, the sale of personal data, certain risky profiling, the processing of sensitive data, and other activities. Controllers that already maintain privacy impact assessments under other state laws may be able to leverage existing compliance processes.

How is the law enforced?

The state attorney general may enforce the law. Violations constitute an unfair and deceptive trade practice under the Unfair Trade Practices and Consumer Protection Law, but the LDPA does not create a private right of action. Note, however, that the LDPA provides a 30-day cure period that sunsets on July 31, 2027, giving organizations a limited opportunity to address alleged violations during the law’s early implementation period.

Although the LDPA largely follows the increasingly familiar state privacy law framework, businesses should not assume existing compliance programs automatically satisfy Louisiana’s requirements. Organizations with multi-state privacy compliance programs should review their privacy notices, consumer rights request procedures, consent mechanisms for sensitive data, and data protection assessment processes before the law takes effect on January 1, 2027.

If you have questions about Louisiana’s new privacy law or related issues, please reach out to a member of our Privacy, AI, and Cybersecurity practice group to discuss.

Artificial intelligence has quickly become part of the modern lawyer’s toolkit. Attorneys are using generative AI platforms to assist with legal research, drafting, editing, and document review. While these technologies can improve efficiency, a growing number of court filings across the country demonstrate a significant risk: AI-generated hallucinations, including fabricated case citations, nonexistent authorities, and inaccurate quotations.

Recent sanctions decisions from federal and state courts have highlighted the problem. Judges have encountered briefs containing cases that do not exist, citations that do not support the propositions for which they are offered, and legal analyses generated by AI systems without adequate attorney verification. These incidents have reinforced a fundamental principle of legal practice: lawyers—not software—remain responsible for the accuracy of every filing submitted to a court.

Recognizing these concerns, the Florida Supreme Court has amended Florida Rule of General Practice and Judicial Administration 2.515 to establish a clear statewide standard governing representations made when documents are filed in Florida courts.

Florida’s New Rule

Effective June 15, 2026, Rule 2.515(d)(2) requires every signer of a court filing to represent that:

“the legal authorities identified exist and are accurately cited.”

The amendment applies not only to attorneys but also to self-represented litigants.

The Court’s action reflects growing concern about the use of generative AI tools that may produce authoritative-sounding but inaccurate information. In its per curiam opinion, the Court expressly noted that generative AI systems “can generate content that appears plausible but is in fact inaccurate, including fabricated or ‘hallucinated’ authorities.”

A Statewide Response to a Growing Problem

Florida is not alone in confronting AI-related filing issues. Courts throughout the United States have issued sanctions, show-cause orders, and standing orders addressing AI-generated errors in briefs and motions. Some judges have required certifications regarding AI use, while others have focused on counsel’s duty to verify all citations and legal authorities before filing.

Rather than adopting a patchwork of local requirements, the Florida Supreme Court chose a statewide approach. According to the Court’s commentary, the amendments were adopted

“principally to create a statewide, uniform replacement for varied circuit court administrative orders imposing disclosure and certification requirements about the use of artificial intelligence in filings.”

New Sanctions Authority

The amended rule also expressly authorizes courts to impose sanctions when a filing is inconsistent with the signer’s certification. The rule provides that sanctions may be imposed after notice and an opportunity to be heard and may include:

  • Reprimand;
  • Contempt;
  • Striking the document;
  • Dismissal of proceedings;
  • Costs;
  • Attorneys’ fees; or
  • Other appropriate sanctions.

Although courts already possessed various sanctioning powers, the Florida Supreme Court made clear that the new provision is intended to eliminate uncertainty regarding courts’ authority to address inaccurate filings in the AI context.

What This Means for Lawyers

The amendment does not prohibit the use of AI. Nor does it require attorneys to disclose every instance in which AI assisted with drafting or research. Instead, it reinforces a basic professional obligation that predates artificial intelligence: lawyers must independently verify the accuracy of the legal authorities cited in their filings.

As generative AI becomes more sophisticated and more widely used, attorneys should consider implementing safeguards such as:

  1. Independently reviewing every citation generated by AI tools.
  2. Confirming that all cited authorities actually exist.
  3. Reading the underlying cases rather than relying on AI-generated summaries.
  4. Verifying quotations, pinpoint citations, and procedural histories.
  5. Establishing firm policies governing AI-assisted drafting and legal research.
  6. Training lawyers and staff regarding the risks of AI hallucinations and citation errors.

The Continuing Duty of Professional Judgment

The Florida Supreme Court’s amendment serves as a reminder that technological innovation does not alter a lawyer’s fundamental duties of competence, diligence, and candor to the tribunal. AI may assist in the drafting process, but it cannot replace the attorney’s obligation to ensure that every legal authority presented to a court is real, accurate, and properly cited.

As courts continue to encounter AI-related filing errors, Florida’s approach may provide a model for other jurisdictions seeking to balance innovation with the integrity of the judicial process. The message is straightforward: use AI if you choose, but verify before you file!

Key Takeaways

  • Outlines key considerations for businesses using productivity management and monitoring platforms – such as Teramind, ActivTrak, and Insightful – and whether their use may require a CCPA risk assessment.
  • Identifies the specific CCPA risk assessment triggers most relevant to such productivity technologies.

Productivity management and monitoring platforms have become a fixture of the modern workplace—particularly for remote and hybrid workforces. These tools can track application usage, keystrokes, website visits, active and idle time, and even capture periodic screenshots of employee screens. Some platforms go further, using artificial intelligence to generate productivity scores, assess engagement levels, and flag behavioral anomalies. Businesses subject to the California Consumer Privacy Act (CCPA) that deploy this type of technology should carefully consider whether a risk assessment is required before or during that use.

The first question is always whether the CCPA applies to the business at all. If the business has not yet made that determination, our comprehensive CCPA FAQs are a helpful starting point. Assuming the CCPA applies, the next question is whether the specific processing activity at issue presents a “significant risk” to consumer privacy—the standard that triggers the assessment obligation.

Our earlier posts on CCPA risk assessment basics discuss when the CCPA risk assessment requirement applies and the general requirements for conducting and reporting a risk assessment. This post focuses specifically on productivity management and monitoring platforms.

What Do Productivity Management and Monitoring Platforms Do?

Modern productivity platforms vary considerably in their capabilities and configurations. At a minimum, many log which applications an employee uses and for how long. More sophisticated deployments capture screenshots at regular intervals, record keystrokes, monitor email and messaging communications, and track time spent on specific websites or documents. AI-enhanced platforms layer on behavioral analytics, producing output that can characterize an employee’s work patterns, predict disengagement, or rank individuals against their peers.

The breadth of data collected—and the degree to which it is processed automatically to draw inferences about individual employees—is precisely what makes these platforms significant from a CCPA risk assessment perspective.

Which CCPA Risk Assessment Triggers Apply?

The updated CCPA regulations, which became effective in 2026, identify specific processing activities that require a risk assessment. Businesses using productivity management and monitoring platforms should evaluate at least three of them:

First, the regulations require a risk assessment when a business profiles a consumer (which includes employees and contractors) through “systematic observation.” The term “systematic observation” is defined broadly to include “methodical and regular or continuous observation,” and expressly covers “video or audio recording or live-streaming” and “technologies that enable physical or biological identification or profiling.” Periodic screenshots, continuous application logging, and keystroke capture may fall within this definition. “Profiling” itself is defined to include “any form of automated processing of personal information to evaluate certain personal aspects… relating to a natural person,” specifically including analysis of “performance at work,” “reliability,” “predispositions,” and “behavior.” A platform that generates productivity scores or behavioral profiles may fall within this definition.

Second, to the extent a productivity monitoring platform uses automated decision-making technology (ADMT) to make or meaningfully contribute to significant decisions about employees—such as decisions about compensation, employment opportunities, or similar matters—a risk assessment may be independently required on that basis. Businesses should carefully examine whether the platform’s output is used in any formal or informal employment decision-making process.

Third, if the platform processes any “sensitive personal information” as defined under the CCPA—such as health information (e.g., inferences about mental health from behavioral data) or biometric data (e.g., keystroke dynamics used for identity verification)—that processing could independently trigger a risk assessment requirement. The regulations include a narrow exception for certain human resources functions such as payroll and benefits administration, but businesses should not assume that exception is broad enough to cover behavioral analytics or performance profiling. Also, remember that the CCPA excludes certain categories of personal information, including protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and medical information under the California Confidentiality of Medical Information Act (CMIA). Importantly, however, not all health and medical information is covered under those laws, and information that is not may be covered by the CCPA.

Other Federal and State Laws to Consider

The CCPA is not the only federal or state law to consider when deploying performance management and monitoring platforms. To fully address compliance, the business needs to take into account, among other things, the regulatory environment of the business, the data collected by the platform, and the features of the platform. By way of example, the platform could trigger laws regulating biometric data, the recording of conversations, and the safeguarding of health information.

What Should Businesses Do?

Businesses that have deployed—or are considering deploying—productivity management and monitoring platforms should begin with a thorough inventory of what data the platform collects, how that data is processed or analyzed, and what outputs or decisions flow from that processing. Where the platform involves systematic behavioral observation, AI-generated productivity profiles, or ADMT that contributes to employment decisions, a CCPA risk assessment should be considered.

For the procedural requirements of completing a risk assessment—including the required contents of the risk assessment report and the certification obligation to the CPPA—Part 2 of our risk assessment series provides relevant information.

A recent federal court decision offers important lessons for businesses that use cookies, pixels, and other tracking technologies on consumer-facing websites. Although the court dismissed one federal wiretap claim with leave to amend, it allowed other privacy claims to proceed, including claims under California’s pen register statute and common law intrusion upon seclusion.

The case involved allegations that a company’s website began collecting visitor data immediately upon a user landing on the site, before the user had a meaningful opportunity to reject non-essential cookies via a consent banner. The plaintiff alleged that, despite selecting “reject,” certain information had already been collected and transmitted to third parties, including browsing activity, website interactions, device information, session data, user identifiers, and geolocation data.

The court found that these allegations were sufficient, at the pleading stage, to establish a concrete privacy injury for damages. Importantly, the court emphasized that privacy harms may depend on the sensitivity and nature of the information collected. Browsing history, user interactions, identifiers, and location-related information may, in some instances, be enough to support standing when allegedly collected without consent.

The decision also highlights that a plaintiff’s status as a privacy “tester” does not automatically defeat standing. Courts may scrutinize whether a tester genuinely expected privacy, and some have declined to find standing where the tester expected that their information would be accessed, recorded, and disclosed and that expectation was met. Here, however, the court accepted the allegation that the user had expressly rejected non-essential tracking, which supported a reasonable expectation that tracking would not occur.

For businesses, the most practical lesson is that cookie consent tools must work as promised. A banner that allows users to reject non-essential cookies may create risk if tracking begins before a user has an opportunity to review the banner or make a selection, or if third-party technologies continue to operate despite a rejection. Businesses should not assume that having a banner alone is enough; they should test whether it is operating as intended or represented.

The decision also underscores the need to understand what data third-party tools collect. Courts are increasingly willing to consider whether website tracking technologies may fall within older privacy statutes, including laws originally written for telephone-era tracking devices. That means businesses should carefully evaluate pixels, analytics tags, advertising scripts, session replay tools, and related technologies.

If you have questions about web tracking and privacy issues for your business, contact a Jackson Lewis attorney to discuss.

Key Takeaways

  • Analyzes whether recording customer service and sales calls triggers the CCPA’s new risk assessment requirements.
  • Identifies the specific CCPA triggers most relevant to call recording, particularly when AI analytics are applied to recordings.
  • Notes related obligations under state wiretapping laws and other state privacy frameworks.

Recording customer calls is among the most common data collection practices in business. Contact centers, healthcare providers, financial services firms, and countless other industries record customer interactions for quality assurance, training, compliance, and dispute resolution. The familiar “this call may be recorded for quality and training purposes” disclosure has become almost reflexive. But with the CCPA’s new risk assessment requirements now in effect, businesses subject to the CCPA should revisit this practice—particularly where call recordings are analyzed using AI or used in ways that go beyond simple storage and retrieval.

Our earlier posts on CCPA risk assessment basics discuss when the CCPA risk assessment requirement applies and the general requirements for conducting and reporting a risk assessment. This post focuses specifically on the call recording context.

How Businesses Use Customer Call Recordings

At its most basic level, call recording captures audio of a conversation between a customer service representative and a customer, stores that recording, and makes it available for later playback. Many businesses, however, now use AI-powered speech analytics tools to extract additional value from those recordings. These tools can transcribe calls, identify topics discussed, detect customer sentiment and emotion, flag compliance concerns, score agent performance, and generate profiles of individual customers based on their communication patterns, expressed preferences, or emotional responses across multiple interactions.

It is this AI-enhanced use of call recordings—rather than simple storage—that raises the most significant, but not the only, CCPA risk assessment questions.

CCPA Risk Assessment Triggers for Call Recording Programs

Businesses should evaluate at least the following potential risk assessment triggers in connection with their call recording programs:

Sensitive Personal Information. Call recordings frequently capture sensitive personal information. Under the CCPA, sensitive personal information means personal information that reveals information about a consumer, such as: SSN, driver’s license number, passport number, precise geolocation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership, genetic data, biometric information for the purpose of uniquely identifying a consumer, and information about a consumer’s sex life or sexual orientation. This is not an exhaustive list, but it is no doubt information that could be captured on a recorded line.

Customers who call healthcare providers, pharmacies, or health insurance companies, for example, routinely disclose such information. But remember, the CCPA excludes certain categories of personal information, including protected health information covered under the Health Insurance Portability and Accountability Act and medical information under the California Confidentiality of Medical Information Act. Importantly, not all health and medical information is covered under those laws, and information that is not may be covered by the CCPA!

If a business uses voice biometrics—either to verify a caller’s identity or as part of a speaker analytics program that analyzes vocal patterns to identify individuals—it is processing biometric information, which is sensitive personal information under the CCPA. Even a speech analytics platform that generates a persistent voice profile of a customer may implicate this category. A risk assessment may be required for processing of that kind.

Systematic Observation. The CCPA risk assessment regulations require an assessment when businesses profile consumers through systematic observation. Automated processing of information obtained from call recordings could be used to infer or extrapolate a consumer’s intelligence, aptitude, performance at work, economic situation, behavior, location, etc. based upon systematic observation. When this occurs in connection with a consumer acting in their capacity as an educational program applicant, job applicant, student, employee, or independent contractor for the business, a risk assessment may be needed.

Automated Decision-Making. Where call recording analytics feed into automated systems that make significant decisions about consumers—such as creditworthiness determinations, insurance coverage decisions, or healthcare recommendations—the ADMT risk assessment trigger may be engaged.

State Wiretapping and Consent Laws

Separate from the CCPA risk assessment requirements, businesses recording customer calls must comply with state wiretapping and call recording consent laws. California’s Invasion of Privacy Act (CIPA) requires all-party consent for recording telephone calls. Several other states—including Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington—also require all-party consent. Businesses that record calls involving customers in those states without proper consent face significant litigation exposure. The wiretapping consent requirement and the CCPA risk assessment obligation are independent—satisfying one does not satisfy the other.

What Businesses Should Do

Businesses that record customer calls should document the full lifecycle of those recordings: what is captured, where it is stored, how long it is retained, who can access it, and whether any AI or analytics tools are applied to the recordings. Where recordings capture sensitive personal information or are analyzed by AI to generate profiles or inform significant decisions about customers, a CCPA risk assessment should be considered by businesses covered under the CCPA.

For the procedural requirements of completing a risk assessment—including the required contents of the risk assessment report and the certification obligation to the CPPA—Part 2 of our risk assessment series provides the relevant guidance.

Employers are increasingly using artificial intelligence and other algorithmic tools to support workplace decisions, including recruiting, screening, interviewing, promotion, workforce planning, and performance management. These tools can improve efficiency and consistency, but they also introduce important compliance, reputational, and employee-relations considerations. Two concepts that often arise in AI governance are bias audits and validation testing. Although related, they serve different purposes.

A bias audit generally evaluates whether the use of a tool is associated with materially different outcomes across protected or demographic groups. Depending on the jurisdiction and the tool at issue, a bias audit may be legally required before use. For example, New York City’s automated employment decision tool law requires certain employers and employment agencies to obtain a bias audit within one year before using covered tools and to provide related notices and disclosures. Other states have laws that affect the need for bias testing or are considering such requirements. Even where no specific audit law applies, employers may decide that an audit is appropriate as part of responsible AI governance, particularly when a tool affects access to job opportunities or advancement.

Validation testing, by contrast, focuses on whether a selection procedure is job-related and appropriately measures what it is intended to measure. This concept is not new. The Uniform Guidelines on Employee Selection Procedures provide a long-standing framework for evaluating employment tests and other selection procedures used in employment decisions in compliance with Title VII of the Civil Rights Act. In the AI context, a validation study may be especially important where an algorithm ranks, scores, recommends, or screens individuals based on characteristics that are intended to predict job success. If an employer’s use of an AI tool is challenged, a validation study may be critically important to the employer’s defense.

As a general governance matter, employers should consider bias audits and/or validation testing before deploying an AI tool that materially influences employment decisions. They should also consider reassessment when the tool is modified, used for a new role or population, applied in a new jurisdiction, or when the employer’s own workforce or applicant data materially changes. Ongoing monitoring is critical because a tool that performs acceptably at one point in time may produce different results as business practices, labor markets, or applicant pools evolve.

The need for testing should be assessed early in the procurement process. Employers should ask vendors what the tool does, what data it uses, whether it has been audited or validated, what assumptions underlie the model, and what documentation is available. Employers should also avoid assuming that a vendor’s general statements about fairness, accuracy, or compliance are sufficient for the employer’s particular use case.

A practical AI governance program typically includes an inventory of AI-enabled employment tools, a risk-based review before deployment, appropriate legal and human resources oversight, documentation of decision-making, and periodic reevaluation.

If you have questions about AI governance for your business, contact a Jackson Lewis attorney to discuss.

State breach-notification laws continue to evolve, and legislatures are using 2026 sessions to tighten consumer protections and shift the civil liability landscape that often follows a cyber event.

For businesses, the practical takeaway is that incident response planning increasingly needs to account not only for “whether notice is required,” but also for hard timelines, regulator-facing deliverables, and the cost of consumer support services.

Several state bills have died without passing out of the legislature, including bills in Connecticut, Hawaii, and Oklahoma. However, we continue to watch two pending bills on the East Coast.

New Jersey – Assembly Bill 1852

New Jersey’s pending proposal is more about standardizing notice practices and ensuring ongoing consumer access to credit reporting.

As introduced, the bill narrows permissible notice methods to written notice or electronic notice. It removes the existing substitute-notice pathway that many companies rely on when notice costs are high or when contact information is incomplete.

The proposal is also more prescriptive about content. It requires breach notices to include contact information, including a toll-free telephone number, of a customer representative of the business or public entity who shall be available to give the customer information on:

  • What information has been compromised, and potential consequences of the breach of security
  • How the company or public entity is addressing the breach
  • What steps the customer may take to safeguard their information, and
  • Notification that the customer has access to free credit reports

The toll-free telephone number requirement would be a larger lift than most state breach notice laws impose.

Beyond disclosure, the bill would impose a substantive consumer-support obligation: for six months after notification, the business or public entity must provide access to independent credit reports from a consumer reporting agency and pay the associated fees for the access cadence described in the bill.

Finally, the bill includes a cost-allocation provision under which a third party maintaining records on behalf of another entity would be responsible for reimbursing the principal for notification and credit-report access costs, which will be significant for businesses that outsource data processing.

New York – Senate Bill 3078

New York’s proposal is comparatively targeted, but it could have meaningful cost implications after incidents, especially for consumer-facing organizations. The bill would require that, when the notifying person or business was the source of the breach, the notice must include an offer of appropriate identity theft prevention and mitigation services at no cost for at least 12 months, along with the information necessary for the individual to accept the offer. If passed, New York would join several other states, including California, Connecticut, Delaware, Maryland, Pennsylvania, and the District of Columbia, that require such services.

In practice, businesses should expect that determining whether they were “the source” may require careful factual analysis in multi-party ecosystems, including vendor-hosted environments and shared platforms, and should consider establishing internal criteria for that determination.

Jackson Lewis will continue to track these and other pending legislation related to cybersecurity and data breaches. If you have questions about developing an incident response plan or related issues, contact a Jackson Lewis attorney to discuss.

Takeaways

Educational institutions use Software-as-a-Service (SaaS) platforms to facilitate operations, but doing so carries significant risk that needs to be carefully managed. Strong vendor oversight, tight contracts, and incident response planning are critical to protecting personal data down the chain.

Related links

Five Privacy Issues Higher Education Institutions Should Consider Monitoring

FAQs for Schools and Persons Affected By the PowerSchool Data Breach

An EdTech vendor whose platform is used by thousands of educational institutions recently experienced a significant cybersecurity incident impacting millions of students. The incident left customers of the platform legally and reputationally exposed, and answering difficult questions in their local communities. This incident is not unique and highlights the importance of vendor management to effective data protection programs.

  1. The Education Technology Sector Is a High-Value Target

Lesson: Educational institutions possess a wide range of data and have become attractive targets for attack.

Educational institutions maintain large volumes of personal data related to their students and their families, as well as their teachers and other employees. These troves of data, which may be subject to federal laws like the Family Educational Rights and Privacy Act (FERPA) as well as state reasonable-safeguard and breach notification laws, have made educational institutions attractive marks for cyber attackers. So too has their reputation for underinvesting in their data security programs.

  2. Third-Party Contractor ≠ Reduced Liability

Lesson: Educational institutions remain legally and reputationally exposed even when their vendor stores data on their behalf.

While engaging a vendor can, in some ways, simplify the process of protecting data, because the vendor handles the logistics and incurs the costs of maintaining administrative, physical, and technical safeguards to secure that data, this is not a set-it-and-forget-it situation. Even if the vendor stores all of the data at issue, the educational institution will be the party statutorily obligated to notify and report in the event of a breach and will likely be a defendant or subject of ensuing litigation or regulatory investigation. In other words, educational institutions can outsource the function of handling their data but cannot outsource the consequences if it is handled improperly.

  3. The Scope of Data Covered by Data Protection Laws Is Broad

Lesson: Even breaches of less “sensitive” data create meaningful risk.

Reports indicate that the data accessed in the recent breach included names, email addresses, student IDs, and messages. Although these data elements are less “sensitive” than SSNs, financial account information, or medical information, their breach may still trigger notification and reporting obligations under state data protection laws, like New York Education Law § 2-d. Thus, educational institutions cannot safely assume that the disclosure of “lower risk” data eliminates legal or operational exposure. Instead, they must conduct a thorough analysis of the incident and carefully assess resulting obligations.

  4. Operational Resilience Is Necessary to Avoid Operational Disruption

Lesson: Operational disruption is a key privacy risk multiplier.

The breach occurred around final examinations for many educational institutions, disrupting students and educators alike. It also forced operational staff to rapidly navigate technological, availability, and continuity challenges. Operational resilience, including data backups and well-crafted and well-rehearsed incident response plans, is essential to minimizing the harm caused by these incidents.

  5. Strong Risk Management Requires Continuous Vendor Monitoring

Lesson: Constant diligence is required.

Vetting vendors prior to engaging them is critical to an effective vendor management program. So too is carefully reviewing vendor agreements to ensure they include key data protection provisions. But vendor management does not end at the time of engagement. Instead, it is an ongoing process that should include, among other things, exercise of audit rights, monitoring of vendor subcontractors, and periodic revisiting of vendor agreements. Use of vendors is unavoidable, as are vendor breaches. Where educational institutions do have control, though, and can mitigate risk, is through diligent oversight of those vendors.

***

For additional information about managing the vendors that manage your data, please contact Jackson Lewis’ Privacy, AI & Cybersecurity team.

The governor of Alabama recently signed House Bill 351, which establishes a consumer data privacy law for the state. The law takes effect May 1, 2027.

To whom does the law apply?

The law applies to controllers that conduct business in Alabama or produce products or services targeted to Alabama residents, if they either:

(1) control or process the personal data of more than 25,000 consumers, excluding data processed solely to complete a payment transaction, or

(2) derive more than 25 percent of gross revenue from the sale of personal data. 

The Act does not apply to various entities, including political subdivisions and certain public bodies, institutions of higher education, certain securities associations, certain financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, certain small businesses with fewer than 500 employees that do not sell personal data, certain nonprofits with fewer than 100 employees that do not sell personal data, certain regulated entities under specified Alabama statutes, certain political organizations and data sellers serving them, and certain electric providers. 

Who is protected by the law?

The law protects “consumers,” defined as individuals who are residents of Alabama. It excludes individuals acting in a commercial or employment context.

The law also specifically allows a parent or legal guardian to exercise rights on behalf of a known child, and a guardian or conservator to exercise rights on behalf of a consumer. 

What data is protected by the law?

The law protects “personal data,” defined as information that is linked or reasonably linkable to an identified or identifiable individual. It excludes deidentified data and publicly available information. 

The law defines “sensitive data” to include: data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual’s sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.

What are the rights of consumers?

Under the law, consumers may require a controller to do the following:

  • Confirm whether the controller, processor, or third party acting on the controller’s behalf is processing the consumer’s personal data and access that data;
  • Correct inaccuracies;
  • Delete personal data;
  • Provide a portable and, where technically feasible, readily usable copy of personal data previously provided by the consumer; and
  • Allow the consumer to opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of solely automated significant decisions. 

A controller must respond to a consumer request within 45 days, subject to a possible 45-day extension when reasonably necessary, and must explain its reasons if it declines to act.

Controllers must allow opt-out requests through a clear and conspicuous link on the controller’s website to a webpage that enables the consumer directly to opt out of targeted advertising or the sale of personal data, or to provide up-to-date contact information for submitting the opt-out request. 

What obligations do controllers have?

Controllers must:

  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. 

Controllers may not: process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes; process sensitive data without consent (or, for known children, outside COPPA-compliant processing); process data in violation of discrimination laws; or process personal data for targeted advertising, or sell personal data, without consent where the controller has actual knowledge that the consumer is at least 13 and younger than 16.

Controllers may not deny goods or services, charge different prices or rates, or provide a different level of quality because a consumer opted out, although the law allows certain loyalty and reward programs. 

Controllers must establish and describe in the privacy notice one or more secure and reliable means for consumers to submit requests to exercise their rights and may not require consumers to create a new account to do so, though they may require the use of an existing account. 

Controllers also have obligations regarding deidentified and pseudonymous data, including taking measures to ensure deidentified data cannot reasonably be associated with an individual, refraining from reidentifying deidentified data, contractually obligating recipients of deidentified data to comply with the statutory requirements, and exercising reasonable oversight over disclosures of pseudonymous or deidentified data.

How is the law enforced?

The Alabama Attorney General may enforce violations of the Act. 

Before initiating an action, the Attorney General must issue a notice of violation to the controller. If the controller fails to correct the violation within 45 days after receipt of the notice, the Attorney General may bring an action for an injunction.

If the court finds a violation and failure to cure, it may assess a civil penalty of up to $15,000 per violation. If the controller cures within the 45-day period and provides an express written statement that the violations have been corrected and will not recur, no action may be initiated. 

If you have questions about Alabama’s new privacy law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.