On June 4, 2026, House Representatives Jay Obernolte (R-Calif.) and Lori Trahan (D-Mass.) released a 269-page bipartisan discussion draft called the “Great American AI Act” in an attempt to seek feedback from experts, stakeholders, and the public before formally introducing the bill. The Great American AI Act would establish a national standard for governing artificial intelligence and would preempt state regulations targeting AI development for a period of three years.  The framework aims to create uniform federal rules for AI, establish worker protections for whistleblowers, bolster U.S. AI research and development, and codify a Center for AI Standards and Innovation within the Commerce Department that would be tasked with developing voluntary guidelines, best practices, and standards for AI security.  The draft proposal also requires safety testing and independent auditing requirements and introduces transparency reporting obligations for certain AI companies.

On the Senate side, Marsha Blackburn (R-Tenn.) released a draft proposal in March 2026 called the “TRUMP AMERICA AI Act.” That proposal preempts state laws, rules, or regulations only to the extent it conflicts with a provision of the Act. Among other things, the proposal requires a provider of a “high-risk artificial intelligence system” to undergo audits regarding viewpoint or political affiliation discrimination. The proposal also incorporates two bipartisan bills: the “Kids Online Safety Act,” which would require covered online platforms to implement tools and safeguards to protect users under the age of 17 against online harm, and the “NO FAKES Act,” which would hold AI companies liable for unauthorized use of a creator’s voice or visual likeness. 

Taken together, the House and Senate proposals signal that momentum is building in Congress to act on federal AI legislation. However, significant hurdles remain regarding reaching a consensus on federal preemption and how aggressively to regulate AI development. Whether lawmakers can bridge the gap between the industry’s desire for regulatory clarity and the demand for meaningful accountability will determine if or when Congress finally passes a comprehensive AI framework.

vermont-flag-large

Vermont recently passed a major update to its data broker law (HB 211), joining California and Texas as one of the few states with privacy laws targeting businesses that collect and sell consumer data. Here’s what businesses that collect consumer information and share it with third parties need to know:

  • Broader definitions – The law now captures more types of consumer data and narrows when a direct relationship with a consumer actually exists. Translation: more businesses may qualify as data brokers than before.
  • Affiliate exception – Sharing data with affiliates is now excluded from the definition of a sale, aligning Vermont with Texas. California remains the only data broker state without this carve-out.
  • Higher registration fees and steeper penalties – Vermont’s annual registration fee is now $900 (the highest among data broker states), and daily penalties for failing to register jump from $50 to $200 per day.
  • New consumer deletion rights – Businesses must now maintain a webpage where consumers can request deletion of their data, and those requests must be honored within 30 days.

The amendment is currently awaiting the governor’s signature. Once signed, it will significantly raise the stakes for businesses that qualify as a data broker under Vermont law.

Bottom line: If your company buys, sells, or shares consumer data, now is the time to assess your obligations under Vermont’s law (and similar laws in California and Texas).

A bipartisan coalition of 44 state attorneys general has formally objected to the House version of the Kids Internet and Digital Safety Act (H.R. 7757), urging congressional leaders to reject the legislation in favor of its Senate counterpart. The coalition sent a letter to key lawmakers arguing that the House bill undermines state enforcement authority and shields technology companies from meaningful accountability for harms to minors.

While H.R. 7757 is intended to strengthen protections for children and teenagers online, the coalition contends that the bill does the opposite. In their letter, the 44 attorneys general claim that the legislation would broadly preempt state consumer protection and privacy laws across multiple policy areas, while simultaneously permitting federal intervention in a way that could curtail states’ ability to enforce their own, often more stringent, regulatory frameworks.

The coalition also identified substantive gaps in the proposed legislation. Among other deficiencies, the attorneys general cited the absence of a comprehensive duty-of-care requirement that would obligate platforms to proactively mitigate risks to minors. They further noted that the bill offers insufficient protections related to age assurance mechanisms and fails to adequately address emerging technologies, including artificial intelligence tools, that could be exploited to target (and profit off of) children.

Alternatively, the coalition expressed its support for the Senate version of the legislation, the Kids Online Safety Act (S.B. 1748), of which the attorneys general preferred the superior approach because it strikes the appropriate balance of holding technology companies accountable without displacing existing state laws that may provide stronger consumer protections. The Senate version of the bill supported by the coalition preserves state enforcement authority, allowing attorneys general to continue pursuing actions against platforms that harm minors.

This opposition comes amid ongoing investigations by numerous state attorneys general into popular social media platforms accused of targeting and harming minors. The 44 signatories represent a geographically and politically diverse cross-section of the country, spanning states and territories from California and New York to Tennessee, South Carolina, and Wyoming, as well as the District of Columbia, American Samoa, and the U.S. Virgin Islands.

For technology companies operating platforms used by minors, the coalition’s position signals continued and potentially intensifying state-level regulatory and enforcement activity. This letter also underscores the importance of monitoring legislation and its interaction with existing obligations under the state privacy law patchwork.

Instagram now allows creators to tag products directly in Reels (short-form, vertical videos) using affiliate links and earn commissions on resulting purchases, marking parent company Meta’s most significant push into native social commerce to date. While this native affiliate tool presents a compelling commercial opportunity, it also introduces meaningful legal exposure across advertising compliance, intellectual property, and data privacy. Retailers that move quickly to establish robust compliance frameworks and updated contractual protections will be best positioned to capitalize on this shift while mitigating regulatory risk.

The Upshot

  • Retailers can now leverage creators as a performance-driven sales channel with outcome-based compensation tied to actual transactions.
  • The Federal Trade Commission’s (FTC) Endorsement Guides impose clear disclosure obligations on both creators and brands, and platform-provided labels like “Paid Partnership” do not satisfy those obligations on their own.
  • Companies must update influencer and affiliate agreements to address FTC compliance, indemnification, content monitoring, and intellectual property protections.
  • Data privacy considerations arise from Meta’s expanded visibility into consumer purchasing behavior linked to creator content and the retailer’s SKUs.

As retailers are no doubt seeing in their creator pipelines, Instagram has rolled out native affiliate links that let creators tag products directly in Reels and earn commissions on resulting sales. This marks Instagram’s second attempt at an affiliate program after sunsetting its previous experiment in 2022. The move is part of Meta’s broader strategy to capitalize on the social commerce market by embedding affiliate commerce directly into the content creation flow and keeping transactions and data within its ecosystem. Creators can tag up to 30 products per Reel using the new “Add Products” option, with tagged content appearing in Meta’s Partnership Ads Hub. When users tap on a tagged product, they are redirected to complete the purchase via the retailer’s app or mobile site. The feature is live in the United States, Brazil, India, Indonesia, and Thailand, with plans to expand to Instagram’s wider network of commerce markets.

Why This Matters for Retailers

Instagram’s native affiliate tools allow retailers to work directly within Meta’s ecosystem rather than negotiating with multiple third-party affiliate platforms. The platform effectively transforms the creator ecosystem into a decentralized, performance-driven sales force, aligning retailer marketing spend with actual sales rather than potential reach. This model threatens to displace third-party “link-in-bio” platforms like ShopMy and LTK. Retailers should anticipate a surge in shoppable creator content tied to their Stock Keeping Units (SKUs), which will require more rigorous compliance oversight and clearer internal approval gates.

Key Legal Considerations

  1. FTC Endorsement and Disclosure Requirements: The FTC’s Endorsement Guides, revised in June 2023, require that any “material connection” between an endorser and a marketer, including affiliate commissions, be disclosed clearly and conspicuously. The FTC expects disclosures in plain language (such as “ad” or “sponsored”), placed where they are hard to miss, and not buried in hashtags or behind “see more” buttons. Platform-provided tools like Instagram’s “Paid Partnership” label do not necessarily satisfy the creator’s independent disclosure obligation. Retailers bear significant responsibility here. The FTC has stated that companies cannot avoid liability by relying on affiliate marketers instead of conducting marketing in-house, and must have reasonable programs to train and monitor the creators they engage. Retailers should consider creating (or refreshing) a documented creator compliance program, including written disclosure guidelines, periodic training, sampling-based content audits, and a remediation playbook for non-compliant posts.
  2. Contractual Protections: As affiliate relationships become more decentralized, retailers should refresh their form influencer and affiliate agreements (and any creator-platform terms incorporated by reference) to address FTC disclosure compliance, truthful product representation, indemnification for violations of consumer protection laws, content monitoring and preapproval workflows, audit and takedown rights, termination for compliance failures, and scope limitations on product claims for regulated categories (e.g., health, beauty, financial services, children’s products). Retailers should also evaluate whether existing master services agreements with agencies and creator networks need to be amended to flow these obligations down to individual creators.
  3. Intellectual Property Considerations: Instagram’s earlier “Shop the Look” feature drew criticism for adding shopping links to creator content without permission, sometimes linking to cheap lookalike products rather than the actual items featured. Retailers should ensure their commerce catalogs are accurate and up to date, as tagged products must be registered as individual items in the verified commerce catalog to maintain correct pricing and availability. If that registration has not been completed, creators cannot tag a retailer’s products in their Reels regardless of their affiliate status. Retailers should also confirm that their trademark, copyright, and image-use licenses extend to creator-generated content surfaced through the affiliate tool, and that brand guidelines are reflected in creator onboarding materials.
  4. Data Privacy: Meta’s integration of affiliate commerce gives the platform unprecedented visibility into consumer purchasing behavior linked to creator content and retailer SKUs. Retailers should review Meta’s data-sharing practices and update their privacy notices, consent mechanisms, and vendor data-processing terms to address data flowing through affiliate transactions, with attention to state privacy laws such as the California Consumer Privacy Act (and the broader patchwork of state comprehensive privacy laws), the FTC’s evolving views on dark patterns and sensitive data, and international frameworks like the General Data Protection Regulation (GDPR) where the retailer operates abroad. Retailers should also assess whether affiliate-driven traffic triggers any new data subject rights workflows or Data Protection Impact Assessment (DPIA) obligations.

Conclusion

Instagram’s native affiliate tools are accelerating the shift of creator marketing from a brand-awareness exercise into a measurable, transaction-driven sales channel—with retailers sitting at the center of the resulting legal exposure. The retailers that come out ahead will be the ones that pair the commercial upside with disciplined contracting, a documented disclosure and monitoring program, accurate commerce catalogs, and a privacy posture that anticipates Meta’s expanding visibility into purchase behavior. Getting the legal foundation in place now, before enforcement activity and consumer claims catch up to the technology, will allow retailers to scale their creator programs with confidence rather than retrofit compliance under pressure.

Our Firm’s Capabilities

Ballard Spahr regularly counsels retailers on FTC advertising compliance, intellectual property protection, data privacy, and the structuring of commercial agreements for creator and affiliate programs. We are well-positioned to help retailers navigate this evolving landscape and have experience drafting compliant affiliate agreements and disclosure policies, refreshing form contracts, and conducting risk assessments of social commerce strategies. We welcome the opportunity to discuss how Instagram’s new affiliate tools may affect your company’s program.

After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, on May 9, 2026, the Colorado legislature passed SB 26-189. It now awaits the governor’s signature and is expected to be signed into law, which will go into effect January 1, 2027.

SB 26-189 replaces the original law’s broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data used to “materially influence” a “consequential decision.” The bill also shifts compliance obligations away from broad governance and impact assessments and toward targeted consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.

However, whereas the original AI Act contained conditional exemptions for some federally regulated entities, the new version has eliminated those exemptions—thereby bringing into scope many additional entities that have thus far avoided state regulation of ADMT.

A Long and Tortured History

Signed in May 2024, SB 24-205 was the nation’s first comprehensive state AI law. It imposed obligations on developers and deployers of “high-risk artificial intelligence systems” used in “consequential decisions”—including employment, housing, health care, insurance, education, lending, legal services, and essential government services. Key features included reasonable care requirements to avoid algorithmic discrimination, mandatory implementation of risk-management programs, impact assessments, consumer notices, correction and appeal rights, and enforcement by the Attorney General under the Colorado Consumer Protection Act. While there was no private right of action, many feared that there would be attempts to exploit alleged ambiguities for private litigation.

When Governor Polis signed the AI Act into law in 2024, he did so with reservations, asking the legislature to revisit the law during the 2025 session before it was scheduled to go into effect in February 2026. The legislature could not come to an agreement during the general 2025 session, and, during the 2025 special session, it could agree only to extend the law’s effective date to June 2026. 

In an effort to break the logjam, a working group consisting of lawmakers, the Governor’s office, the Attorney General’s office, and other stakeholders convened in fall of 2025, prior to the 2026 legislative session. The working group released its proposal on March 17, 2026, but even its members stated that the proposal needed further work. However, that proposal gave the legislature a new framework from which it could negotiate a consensus bill.

On May 1—with the close of the legislative session nearing—SB 26-189 was released. It moved quickly after introduction, advancing through the Senate Business, Labor, and Technology Committee, Senate Appropriations, the full Senate, House Judiciary, and House Appropriations, before the House passed it on third reading on May 9, 2026.

Key Updates  and SB 26-189

For most businesses that operate as deployers of AI, SB 26-189 is meaningfully narrower than SB 24-205. Key differences include:

  • Scope of covered technology. SB 24-205 regulated “high-risk artificial intelligence systems,” while SB 26-189 focuses on “covered ADMT” that process personal data used to materially influence consequential decisions in sectors including employment, housing, lending, insurance, health care, education, and essential government services.
  • Eliminated Exemptions. Whereas the original AI Act had limited and conditional exemptions for various federally regulated entities, the new bill does not.
  • Governance obligations. SB 24-205 required broader reasonable-care, risk-management, impact-assessment, annual-review, and public-summary obligations for deployers. SB 26-189 shifts deployers’ obligations toward targeted disclosure, explanation, correction, and the right to request human-review, although it still maintains the three-year record-retention obligations.
  • Litigation and enforcement risk. SB 26-189 makes clear that the Colorado AI Act does not create a private right of action, and it closes alleged ambiguities that some argued existed in the prior law. Nonetheless, companies can still be held liable for discrimination under existing laws.
  • Three-Year Cure Period. A 60-day right-to-cure provision allows developers and deployers to remedy violations before enforcement action—but this provision expires January 1, 2030.
  • AG Rulemaking. Unlike the original AI Act where rulemaking was permissive, rulemaking under the new bill is mandatory. Further, rulemaking must be completed by January 1, 2027.

What Businesses Can Do Now

Even though we will see AG rulemaking, companies developing or deploying decision-support tools in Colorado should reassess their compliance roadmaps now. Mapping covered ADMTs and developing the general framework for compliance do not need to wait, and operational changes to implement consumer rights may take several months to execute. Further, based on the Attorney General’s approach to the Colorado Privacy Act rulemaking, we can expect that the rules will clarify, rather than change, the scope of the AI law

In other words, while we have waited for years for the changes, we now have a sprint for the finish line.

On April 22, 2026, the House Energy & Commerce Committee released the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act seeks to establish a comprehensive federal framework for consumer privacy rights and the protection of personal data. Subject to certain exemptions, the SECURE Data Act applies to businesses subject to the FTC Act or common carriers subject to title II of the Communications Act of 1934 that either (a) collect and process personal data of more than 200,000 consumers annually and have an annual gross revenue of $25 million or more, or (b) collect and process personal data of 100,000 consumers annually and “derive[] 25 percent or more of the[ir] annual gross revenue . . . from the sale of such personal data.” The SECURE Data Act’s framework will require operational changes for many businesses, including those already complying with state privacy laws.  Below is an overview of several material provisions of the SECURE Data Act.

Consumer Privacy Rights

Section 2 of the SECURE Data Act grants consumers the right to access, correct, delete, and obtain a copy of their personal data. It further grants consumers the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, and “[r]eliance on profiling to make a decision that had a legal or similarly significant effect on the consumer.” Controllers must establish and disclose in a privacy notice the means by which a consumer may submit a request to exercise these rights. 

Further, the SECURE Data Act prohibits controllers from processing sensitive data of a consumer without first obtaining the consumer’s consent.

Controller Data Use and Minimization Obligations

Section 3 of the SECURE Data Act requires controllers to provide a privacy notice to consumers that identifies, among other things, “[e]ach category of personal data processed by the controller,” “[e]ach purpose for processing personal data,” and “[e]ach category of personal data the controller shares with any other controller or any governmental entity.” Controllers also are required to disclose to consumers the sale of their personal data.

Section 3 further requires controllers to limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” in relation to the controller’s disclosed data processing purposes. The SECURE Data Act also restricts the processing of personal data for purposes beyond those originally disclosed unless the controller first obtains the consumer’s consent.

State Preemption

The SECURE Data Act preempts all state laws that “relate[] to the provisions of this Act.” The SECURE Data Act, however, permits state attorneys general to bring civil actions on behalf of their residents in federal court to enjoin violations of the act, enforce compliance with the act, and seek damages and equitable relief.

Key Takeaways

The SECURE Data Act, if enacted, would represent a significant shift in the U.S. data privacy landscape by establishing a single federal standard that preempts the current patchwork of state privacy laws. If enacted, businesses that have already invested in compliance with state frameworks such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act, should evaluate whether their existing programs satisfy the SECURE Data Act’s requirements, particularly with respect to data broker registration requirement, data use and minimization obligations, and the consumer rights provisions.

The SECURE Data Act was introduced alongside proposed updates to financial privacy laws in the GUARD Financial Data Act – an effort to update the Gramm-Leach-Bliley Act’s longstanding notice-and-opt-out regime applicable to financial institutions’ handling of consumer financial data. See an article from Ballard Spahr’s Consumer Finance Monitor for more details: GLBA Modernization Legislation: Key Implications for Financial Institutions’ Data Practices.

A recent decision from the Northern District of California reminds corporate defendants in Internet tracking cases that strategies to defeat class certification based on individualized issues can be just as critical as merit-based defenses.

In In re Meta Pixel Tax Filing Cases, No. 22-cv-07557-PCP (N.D. Cal. Mar. 30, 2026), a group of plaintiffs sought to certify classes of individuals who visited tax-preparation websites where the Meta Pixel was deployed, alleging that user data—including URLs, browsing behavior, and potentially sensitive financial information—was transmitted to Meta in violation of the California Invasion of Privacy Act (CIPA), among other statutes. Plaintiffs’ original complaint defined the class to include individuals whose “tax filing information” was collected. But in their certification motion, plaintiffs sought to define the class as anyone whose data from visiting the websites appeared in Meta’s internal data tables—a significantly broader group.

The court held that by broadening the class, plaintiffs swept in putative class members whose claims were likely barred by CIPA’s one-year statute of limitations. Under American Pipe, class action filings toll the statute of limitations only for individuals who fall within the original class definition. Because the expanded classes included individuals from whom no tax-filing data was allegedly collected, those individuals were not entitled to tolling and their claims could be time-barred. Critically, resolving whether each class member fell within the original definition would require individualized inquiries—potentially a line-by-line review of terabytes of data—that would overwhelm common questions and defeat predominance under Rule 23(b)(3).

For companies facing internet tracking litigation, this decision underscores the importance of using discovery not only to support technical defenses but also to highlight individualized issues that might defeat class certification. Pay close attention to how plaintiffs define their proposed classes—particularly when definitions shift from the complaint to the certification stage. Expansions may create tolling gaps and undercut commonality arguments. Class certification is not a foregone conclusion in tracking technology cases, and rigorous attention to procedural requirements can yield significant results for defendants.

On April 7, 2026, the Alabama legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act, sending it to Governor Kay Ivey for approval. The bill cleared the Alabama House 104-0 and the Alabama Senate 34-0, and if Governor Ivey signs the bill, Alabama will join the growing list of states that have enacted a comprehensive consumer privacy statute. If enacted, the law would take effect on May 1, 2027.

On its surface, the bill largely follows Virginia-model framework and lays out core consumer rights, AG-exclusive enforcement, no private right of action, and a 45-day cure period. However, the Alabama bill differs in a number of key aspects.

1. Low Applicability Threshold

    The Act sets out one of the lowest data threshold in the country. Specifically, the law applies to entities that control or process data of more than 25,000 Alabama consumers. Separately, the law applies if a business earns at least 25% of its revenue from selling personal data regardless of consumer count.

    2. Definition of “Sale”

        The Act defines a “sale” as the exchange of personal data for monetary or other valuable consideration where the controller receives a material benefit and the third party is unrestricted in its use.  This definition is narrower than the CCPA but broader than monetary-only states like Virginia and Iowa.  More importantly, the Act carves out two exceptions for data transfers that are found in no other state law: disclosures for “providing analytics services” and for “providing marketing services solely to the controller.” 

        First, if a business shares consumer data with a third-party analytics provider, that transfer is not considered a “sale,” even if the analytics company keeps and uses the data.  Second, if a business shares consumer data with a third party that provides marketing services back to that business, such as a firm running targeted ad campaigns on the business’s behalf, that transfer is also excluded. The result is that a large volume of data sharing that would give consumers opt-out rights in states like California, Colorado, or Connecticut falls entirely outside the scope of Alabama’s Personal Data Protection Act.

        3. Exemptions

        Entity Exemptions: Businesses with fewer than 500 employees and nonprofits with fewer than 100 employees are exempt, provided they do not engage in the sale of personal data.  The Act also exempts defined political organizations, a complication that has derailed privacy legislation in other states like Maine.

        Data Exemptions:  The Act exempts data already governed by federal law, as well as HR and B2B data. Specifically, the following federal-law data is carved out:

        • HIPAA-regulated health data
        • FCRA-covered consumer reports
        • DPPA-protected motor vehicle records
        • FERPA-covered education records
        • Farm Credit Act data
        • Airline Deregulation Act data

        Children’s Data:  Alabama sets the “known child” threshold at under 13 and treats COPPA compliance as sufficient for parental consent obligations under the Act. Consent is required for targeted advertising or sale of data for consumers ages 13 to 15, but, unlike Colorado, Connecticut, and Virginia, which have added heightened protections for minors beyond the COPPA baseline, the Alabama Act stops there.

        4. Enforcement Framework

        The Act sets out a lighter compliance burden and does not require data protection impact assessments, universal opt-out signal mandate, or a permanent cure period.  Under Alabama’s law, there will always be a chance to fix violations before facing enforcement.  

        The Act also does not require opt-outs when targeted ads are based on pseudonymous data—such as alphanumeric mobile device identifiers—as long as that data is stored separately from identifiable information. Most state privacy laws require opt-outs for behavioral targeting regardless of pseudonymity; Alabama joins only Kentucky, Iowa, and Tennessee in creating this gap. For the ad-tech industry, this is a welcome carveout; for consumer advocates, it is one of the bill’s biggest loopholes.

        Lastly, civil penalties are also capped at $15,000 per violation, making this one of the softest enforcement postures in the state privacy landscape.

        5. Industry and Advocacy Response

        Consumer Reports has urged Governor Ivey to veto the bill, calling it a “lowest-common-denominator approach to privacy” riddled with loopholes, including but not limited to, the weak “sale” and “targeted advertising” definitions, the lack of universal opt-out or authorized agent provisions, and the pseudonymous data gap. On the other hand, the bill’s sponsor, Representative Mike Shaw, has framed it as a practical approach shaped by two years of collaboration with the attorney general’s office.

        6. What Businesses Should Do Now

        Companies that assumed they were too small for state privacy law should take a closer look. The 25,000-consumer threshold is one of the lowest in the country, and businesses with any meaningful contact with Alabama residents may well be covered. The separate 25%-of-revenue trigger could also sweep in niche data brokers with relatively few Alabama contacts. Before May 1, 2027, companies that touch consumer data should evaluate whether they cross the 25,000-consumer line, whether their data-sharing arrangements genuinely fit within the analytics and marketing carveouts rather than relying on loopholes that may not hold up under AG scrutiny, and whether their pseudonymous data practices are truly pseudonymous enough to qualify for the targeted-advertising gap. The Act’s enforcement posture is lighter than most states, but $15,000-per-violation penalties still accumulate quickly.

        When the CCPA was first enacted, it was seemingly clear that its right to private action would be limited to traditional data breaches. Over the past two years, however, some courts have called this interpretation into question by expanding the CCPA’s private right of action clause beyond the traditional breach scenario—and instead into alleged privacy violations. A recent holding from the Northern District of California could signal that more of those claims could be tacked onto the wiretap cases that are already flooding dockets.

        In many ways, Allison v. PHH Mortgage is a fairly standard website tracking case predicated on allegations that tracking devices on a business’s website disclosed users’ personal information without their knowledge or consent. However, in addition to CIPA, ECPA, and the usual accompanying claims, the plaintiffs also brought a claim under the CCPA. On March 27, 2026, the Northern District of California denied PHH Mortgage’s motion to dismiss the CCPA claim, finding that the express language of the statute does not limit private rights of action to traditional data breaches. The court held that “[n]othing in the plain language of the provision limits its application to data breaches by third parties.” Instead, the court held that the CCPA’s private right of action covers unauthorized disclosure of personal information regardless of whether the disclosure was intentional or negligent, and regardless of whether it was made by a third party or the business’s own agents.

        Although earlier cases such as Shah v. Capital One Financial Corp. and M.G. v. Therapymatch Inc. came to similar outcomes, the Allison holding shows that courts continue to consider broadening the scope of the CCPA’s private right of action and that they will do so with more reasoned opinions. Businesses with an online presence should take time to audit their use of third-party tracking technologies and privacy disclosures now to help ensure privacy compliance and make conscious decisions regarding risk moving forward.

        On March 20, 2026, the White House released its National Policy Framework for Artificial Intelligence. This Framework contains a sweeping set of legislative recommendations intended to establish a coherent, nationally unified approach to AI governance. While the Framework does not itself create binding legal obligations, it is likely to shape federal AI legislation in the months and years ahead. This post summarizes the Framework’s key areas of focus and considers what its influence could mean for the current state regulatory landscape.

        1. Protecting Children and Empowering Parents

        The Framework recommends that Congress establish privacy protections and age-verification requirements for AI services likely to be accessed by children, including providing parents with tools to manage their children’s privacy settings, screen time, and content exposure. The Framework also urges Congress to require AI platforms to implement features that reduce the risks of sexual exploitation and self-harm to minors and to continue enforcing prohibitions on nonconsensual disclosures of intimate depictions. Notably, the Framework recommends that any federal legislation should not preempt states from enforcing their own generally applicable laws protecting children, such as prohibitions on child sexual abuse material. It also contemplates strengthening existing state-level restrictions on the use of children’s data for training AI models and targeted advertising.

        1. Safeguarding and Strengthening American Communities

        The Framework’s second goal focuses on enabling continued growth of AI infrastructure while protecting communities from associated harms. It recommends streamlining federal permitting for the construction and operation of AI facilities and supports AI developers’ ability to develop on-site power generation, while protecting residential ratepayers from increased energy costs related to AI data centers, providing AI resources to small businesses, and augmenting law enforcement tools to combat AI-enabled impersonation scams and fraud.

        1. Respecting Intellectual Property Rights and Supporting Creators

        The Framework recommends that Congress provide protections for individuals affected by the unauthorized distribution or commercial use of AI-generated digital replicas of their voice, likeness, or other identifiable attributes, while exempting parody, satire, news reporting, and other expressive works protected by the First Amendment. The Framework also recommends that Congress consider enabling collective licensing frameworks that would allow rights holders to negotiate compensation from AI providers.

        1. Preventing Censorship and Protecting Free Speech

        The Framework recommends that Congress take action to prevent the federal government from coercing AI providers to suppress or alter content based on partisan or ideological agendas and establish mechanisms for seeking redress where federal agencies attempt to censor expression on AI platforms.

        1. Enabling Innovation and Ensuring American AI Dominance

        The Administration recommends establishing regulatory sandboxes to support AI development and deployment, including making federal datasets accessible in AI-ready formats for use in model training. Significantly, the Framework expressly recommends against creating any new federal rulemaking body to regulate AI, calling instead for AI to be governed through existing regulatory agencies with subject-matter expertise and industry-led standards.

        1. Educating Americans and Developing an AI-Ready Workforce

        The Framework recommends that Congress incorporate AI training into existing education and workforce development programs, expand federal efforts to study trends in AI, and bolster capabilities at land-grant institutions to provide technical assistance, launch demonstration projects, and develop youth-centered AI programs.

        1. Establishing a Federal Policy Framework and Preempting State AI Laws

        The Framework’s most consequential section for the current regulatory landscape is its recommendation for federal preemption of state AI laws. The Administration recommends that Congress preempt state AI laws that “impose undue burdens,” with the stated goal of establishing a single, minimally burdensome national standard rather than fifty discordant ones.

        The Framework does, however, carve out several categories of state law from preemption. States would retain their powers to enforce generally applicable laws against AI developers and users, exercise zoning authority, and regulate states’ own uses of AI for law enforcement or other public services. Outside of these limited carve-outs, the Framework recommends that states not be permitted to regulate AI development, penalize AI developers for third-party unlawful conduct involving their models, or burden the use of AI for activities that would be lawful if performed without AI.

        Several states have already taken action to regulate AI development and deployment. Examples include Colorado’s AI Act, which is set to take effect later in 2026, and California’s amendments to the California Consumer Privacy Act regulating automated decision-making technologies. The Framework’s interaction with these laws will depend heavily on how Congress translates the Administration’s recommendations into legislation and how broadly any preemption provision is drawn. If broad preemption language is adopted to prohibit state regulation of “AI development,” these and similar statutes could be rendered unenforceable.

        Though the Framework provides insight into the Administration’s priorities and indicates a clear direction for future AI legislation, businesses should continue to closely monitor both state and federal legislative developments moving forward.