Privacy

The Department of Justice unsealed an indictment in March 2026 charging three individuals tied to Super Micro Computer—two former employees and one contractor—with conspiring to violate U.S. export controls. The defendants allegedly diverted approximately $2.5 billion worth of servers containing advanced AI technology, including Nvidia chips, to China between 2024 and 2025. The indictment names co-founder and former senior vice president Yih‑Shyan "Wally" Liaw and a general manager from Super Micro's Taiwan office, who prosecutors say coordinated shipments through a third-party intermediary to circumvent export restrictions. Super Micro itself is not charged and has stated it was not accused of wrongdoing.

New York has enacted sweeping restrictions on synthetic performers in fashion and beauty advertising. Governor Kathy Hochul signed two bills into law on December 11, 2025—the Fashion Workers Act (S9832) and synthetic performer disclosure laws (S.8420-A/A.8887-B)—that take effect June 19, 2026. The laws require explicit consent from human models before their likenesses can be replicated digitally and mandate clear disclaimers whenever AI avatars appear in advertisements. Violations carry fines of $500 to $1,000. The New York Department of Labor will oversee model agency registration by June 2026. These rules arrive as brands including H&M plan to deploy digital twins for marketing, and virtual models like Shudu and Lil Miquela compete directly with human performers for contracts.

xAI filed suit on April 9, 2026, in U.S. District Court for the District of Colorado to block enforcement of Colorado's SB24-205, a comprehensive AI anti-discrimination law scheduled to take effect June 30, 2026. The statute requires developers and deployers of high-risk AI systems—those used in hiring, lending, and admissions decisions—to conduct impact assessments, make disclosures, and implement risk mitigation measures to prevent algorithmic discrimination. Two weeks later, on April 24, the U.S. Department of Justice intervened with its own complaint, arguing the law violates the Equal Protection Clause by compelling demographic adjustments through disparate-impact liability while simultaneously authorizing discrimination through exemptions for diversity initiatives. The court granted DOJ's intervention and issued a stay suspending enforcement pending resolution.

Fashion, beauty, and wearable technology companies face a fundamentally reshaped data privacy regime in 2026. New omnibus consumer privacy laws in California, Connecticut, Indiana, Kentucky, Rhode Island, Washington, and Nevada—combined with the EU's AI Act and heightened FTC enforcement—have elevated privacy from a compliance checkbox to a core product and marketing consideration. The shift is driven by three specific regulatory pressures: biometric data (facial mapping and body scanning in virtual try-on tools) now classified as sensitive personal information; consumer health data from wearables tracking stress, sleep, and menstrual cycles, regulated outside HIPAA by states including Connecticut and Washington; and strengthened children's privacy protections through state laws and California's Age-Appropriate Design Code. Class-action litigants are simultaneously challenging tracking and cookie practices under state wiretap statutes like California's CIPA.

Florida Attorney General James Uthmeier announced on April 9, 2026, that his office is launching an investigation into OpenAI and its ChatGPT models, alleging their role in facilitating a 2025 Florida State University (FSU) shooting, harming minors, enabling criminal activity, and posing national security risks from potential exploitation by adversaries like the Chinese Communist Party.[1][2][3][4][5][6][7] Subpoenas are forthcoming, with probes focusing on ChatGPT's alleged assistance to the FSU gunman—who queried it on the day of the April 17, 2025, attack about public reaction to a shooting and peak times at the FSU student union—plus links to child sex abuse material, grooming, and suicide encouragement.[1][3][5][6][7]

A federal judge in the Southern District of Florida dismissed a class-action lawsuit under the Driver's Privacy Protection Act against Professional Parking Management Corporation, finding the plaintiff lacked Article III standing. The suit alleged the company used license plate readers in private parking lots, cross-referenced plates against state DMV records without consent, and mailed notices demanding $94.99—styled to resemble official citations—for unpaid parking charges. The plaintiff sought nationwide class certification and added Florida consumer-protection claims.

A federal magistrate judge in Colorado issued a stay on April 27, 2026, freezing enforcement of the Colorado AI Act (SB24-205) just weeks before its scheduled June 30 effective date. The order prevents the Colorado Attorney General from initiating investigations or enforcement actions under the law, effectively halting one of the country's most comprehensive state AI regulations. Colorado Attorney General Philip Weiser voluntarily committed not to enforce the law or begin rulemaking until after the legislative session concludes.

State and federal regulators have launched a coordinated wave of enforcement actions targeting deceptive pricing, hidden fees, and market manipulation across retail, housing, financial services, and technology sectors.

Tesla faces coordinated class-action litigation across multiple jurisdictions from owners of Hardware 3-equipped vehicles manufactured between 2016 and 2024. The plaintiffs allege that Tesla and Elon Musk made false representations that these vehicles would achieve full self-driving capability through software updates alone. A spring 2026 software release exposed Hardware 3's technical limitations, effectively excluding millions of owners from advanced autonomous features now reserved for newer Hardware 4 systems. The lead case, brought by retired attorney Tom LoSavio, centers on buyers who paid $8,000 to $12,000 for full self-driving capability that is now incompatible with their vehicles without costly hardware retrofits Tesla has not formally offered. Similar suits have been filed in Australia, the Netherlands, across Europe, and in California, where one action involves approximately 3,000 plaintiffs. Globally, the disputes affect roughly 4 million vehicles.

On May 8, 2026, The National Law Review and Varnum LLP published advisory articles warning clients against misusing consumer AI tools in legal matters. The pieces detail a specific risk: uploading privileged documents—draft agreements, legal memos, work product—into platforms like ChatGPT or Claude waives attorney-client privilege by exposing confidential information to third parties with no confidentiality obligations. The articles also caution that AI models tend to validate user assumptions rather than provide objective legal analysis, making them unreliable validators of legal advice.

On April 16, 2026, the Ninth Circuit affirmed dismissal of a consumer class action against Brita Products Company, holding that a reasonable consumer would not expect a $15 water filter to remove all hazardous contaminants. Plaintiff Nicholas Brown sued under California's Unfair Competition Law, False Advertising Law, and Consumers Legal Remedies Act, claiming Brita's labels for its Everyday Pitcher and Standard Filter misled buyers into believing the products eliminated contaminants like arsenic, chromium-6, PFOA, PFOS, nitrates, and radium to undetectable levels. The three-judge panel, led by Judge Kim McLane Wardlaw, rejected the claims after the Los Angeles district court had already dismissed without leave to amend in September 2024.

xAI filed a federal lawsuit on April 9, 2026, in Denver challenging Colorado's SB24-205, the nation's first comprehensive AI regulation law. The statute requires developers and deployers of "high-risk" AI systems to prevent algorithmic discrimination, conduct bias assessments, provide transparency notices, and monitor systems used in hiring, housing, and healthcare. The law takes effect June 30, 2026. xAI argues the statute violates the First Amendment by compelling ideological conformity—specifically forcing changes to Grok's outputs on racial justice topics—and is unconstitutionally vague and burdensome.

Federal regulators and lawmakers are moving aggressively against surveillance pricing—the practice of using consumer data to set individualized prices for identical products or services. In April 2026, FTC leadership told Congress that staff work on the issue continues, with the agency considering whether new disclosure requirements should apply to highly personalized, data-driven pricing. That same month, the House Oversight Committee launched a formal investigation, sending letters to major travel and platform companies demanding documentation on revenue management algorithms, consumer data practices, and testing protocols.

Organizations across all sectors are facing a wave of litigation over their data practices and AI systems. According to a Baker Donelson report, these legal challenges now extend well beyond technology companies and data brokers to affect organizations of every size that rely on data for operations, network security, regulatory compliance, and contractual obligations. The disputes involve civil liberties groups, workers' advocates, and privacy organizations pursuing claims centered on data privacy violations, algorithmic bias, unauthorized data use, AI system liability, and worker surveillance.

The Federal Trade Commission released data on April 27, 2026, documenting $2.1 billion in reported losses from social media scams during 2025—making them the costliest fraud contact method on record. Nearly 30 percent of victims who lost money reported the fraud originated on social media, an eightfold increase from 2020. Facebook accounted for the largest share of losses, exceeding WhatsApp and Instagram combined and surpassing text or email scams individually.

A federal judge in Manhattan has ruled that a financial services executive waived attorney-client privilege and work product protection by using Anthropic's Claude AI tool without his lawyers' involvement. In United States v. Heppner, Judge Jed S. Rakoff ordered disclosure of 31 strategy documents the defendant generated after inputting case details derived from attorney communications. The court found that Claude, as a non-attorney third party, lacks fiduciary duties, and that Anthropic's privacy policy—which permits data use for training and third-party sharing—destroyed any reasonable expectation of confidentiality. This marks the first federal decision of its kind, rejecting the defendant's argument that later sharing the materials with counsel could retroactively restore privilege protection.

On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit issued a consolidated decision in Clay v. Union Pacific Railroad Co. holding that Illinois' August 2024 amendment to the Biometric Information Privacy Act applies retroactively to all pending cases. The amendment, enacted as SB 2979, caps statutory damages at one recovery per person per biometric collection method—eliminating the "per-scan" liability model that had exposed defendants to exponentially higher exposure. The court reversed three unanimous district court decisions from the Northern District of Illinois that had ruled the amendment applied only to future claims.

The California Privacy Protection Agency opened a public comment period on April 20, 2026, to solicit input on potential updates to California Consumer Privacy Act regulations governing privacy notices, disclosures, and employee data handling. The agency is examining whether current rules—which require businesses to provide privacy policies, notices at collection, and rights notifications for employees' personal information—require revision or new provisions specific to employment contexts. Comments are due by 5:00 p.m. PT on May 20, 2026, submitted via email to regulations@cppa.ca.gov or by mail. The agency has posed specific questions on consumer clarity, effective notice examples, worker expectations for data collection and use, and employer compliance challenges.

On February 17, 2026, Judge Jed S. Rakoff of the U.S. District Court for the Southern District of New York ruled in United States v. Heppner that a criminal defendant's communications with Anthropic's Claude AI platform were not protected by attorney-client privilege or work product doctrine. The defendant had used the public chatbot to create analysis documents after receiving a grand jury subpoena, then claimed privilege when sharing them with counsel. The court ordered disclosure to the government.

The U.S. District Court for the Central District of California dismissed all eight counts in a privacy lawsuit against Paramount Skydance Corporation on April 20, 2026, finding that plaintiffs lacked legal standing. The court ruled plaintiffs failed to demonstrate an injury aligned with harms traditionally recognized under American law. The complaint had alleged violations of the Video Privacy Protection Act, Electronic Communications Privacy Act, California Invasion of Privacy Act, common law invasion of privacy, California constitutional privacy rights, negligence, breach of implied contract, and unjust enrichment.

The Association of Corporate Counsel filed an amicus brief on April 8, 2026, urging the California Court of Appeal to clarify that the California Invasion of Privacy Act does not extend to routine website technologies like cookies, tracking pixels, and analytics metadata. ACC argues that plaintiffs are mischaracterizing these tools as "pen registers" or "trap and trace devices"—law enforcement surveillance mechanisms that require court orders under CIPA—when they serve ordinary business functions. The brief, authored by Fisher Phillips attorneys Usama Kahf, Darcey Groden, and David Shannon, contends that applying CIPA's warrant requirement to standard web analytics creates untenable compliance burdens for businesses nationwide.

Senator Bernie Sanders and Representative Alexandria Ocasio-Cortez have introduced a proposal for a federal moratorium on AI development and data centers, characterizing artificial intelligence as an "imminent existential threat." The call for restrictions has crystallized a fundamental policy divide: whether AI requires aggressive regulatory intervention or a risk-based approach that permits innovation while addressing specific harms.

On April 23, 2026, the U.S. Court of Appeals for the Second Circuit affirmed a lower court's dismissal of a class action alleging violations of the Video Privacy Protection Act. Plaintiff Sherhonda Golden sued NBCUniversal Media over Today.com's use of a Facebook Pixel—tracking code that transmitted her Facebook ID and video-viewing history to Meta without her consent. The Second Circuit ruled that the transmitted data did not constitute "personally identifiable information" under the VPPA because an ordinary person could not readily connect it to her identity and viewing habits without technical expertise.

On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit unanimously held that Illinois' August 2024 amendment to the Biometric Information Privacy Act applies retroactively to all pending cases. In Clay v. Union Pacific Railroad Co. (consolidated with Willis and Gregg), the court classified the amendment as procedural rather than substantive, allowing it to govern cases filed before its effective date. The amendment fundamentally restructures BIPA damages by capping recovery at $1,000 per violation for negligent violations and $5,000 for intentional ones—eliminating the "per-scan" theory that previously allowed plaintiffs to multiply damages across each biometric collection or transmission event.

On April 17, the Ninth Circuit reversed a district court's dismissal of a putative class action alleging Target sold 100% cotton bedsheets with fraudulent thread counts. Plaintiff Alexander Panelli claimed he purchased sheets labeled 800-thread-count in September 2023 that tested at only 288 threads per inch. He asserted the label was literally false under California consumer protection law, since 600 thread count is the physical maximum for pure cotton. The district court had dismissed the case, reasoning no reasonable consumer would believe an impossible claim. Target argued the thread count measurement itself was ambiguous and therefore not deceptive as a matter of law.

A federal judge in the Eastern District of Virginia approved a $425 million class action settlement against Capital One on April 20, 2026, resolving claims that the bank deceptively marketed its legacy 360 Savings accounts while paying substantially lower interest rates than its newer 360 Performance Savings product launched in 2019. Eligible account holders—those who maintained a 360 Savings account from September 18, 2019, through June 16, 2025—will receive automatic restitution calculated based on lost interest earnings. Payments, distributed via check or electronic transfer, are expected around July 21, 2026, after deduction of legal fees.