Takeaways

  • Use in commerce: AI-generated outputs containing third-party marks may constitute use in commerce even when the reproduction is unintentional, particularly where the AI tool competes with the trademark owner’s products. The Court left this novel question open while signaling that accidental reproduction of a mark may not automatically shield AI developers from trademark liability.
  • Likelihood of confusion: Distorted or modified marks appearing on competing AI-generated outputs can support a likelihood of confusion claim at the pleading stage, even without evidence of actual confusion.
  • Passing off vs. reverse passing off: Dastar does not bar “passing off” claims where AI outputs bear another’s mark; instead, it bars “reverse passing off” claims where a defendant distributes plaintiff’s work without attribution.
  • Famous marks: Trademark dilution claims can survive at the pleading stage where the plaintiff pleads specific facts supporting household-name status, including search volume, customer counts, and presence in major publications.
  • Training data risks: Training AI models on watermarked or trademarked content may expose them to trademark liability beyond copyright concerns to the extent models reproduce those marks in their outputs.
  • Post-knowledge inaction: Awareness of trademark reproduction in AI outputs without adequate remediation may strengthen a plaintiff’s case for infringement.
Continue Reading Northern District of California Allows Trademark Claims Against AI To Proceed

Takeaways

  • The enactments of Alabama’s and Oklahoma’s comprehensive privacy legislation are not remarkable in and of themselves. However, the passage of these business-friendly statutes, in contrast with the defeat of Maine’s more aggressive privacy law, points to a trend of deregulatory pressureoccurring at both the U.S. state and federal levels.
  • With sectorial regulation remaining robust, the U.S. is fully engrossed in its third era of privacy regulation, focusing on high-risk processing instead of generalized comprehensive regulation.
Continue Reading Activity in Oklahoma, Alabama, and Maine Signals a Privacy Deregulatory Trend

On March 20, 2026, the Trump Administration released its National AI Legislative Framework, a seven-section policy document covering children’s safety, energy infrastructure, intellectual property, censorship, innovation, workforce development, and federal preemption of state laws. Guided by a vision of “permissionless innovation” and “minimally burdensome” regulation, the framework’s most consequential provision is in Section III, where the White House states its belief that AI training on copyrighted material does not violate copyright law, but explicitly declines to ask Congress to codify that position, instead deferring the question to the courts and directing Congress not to take any action that would impact the judiciary’s resolution of the issue.

Continue Reading The White House AI Framework for Fair Use and Why the Courts May Get There First

One of the most valuable AI companies in the world may have just accidentally given away one of its crown jewels and immediately turned to copyright law to limit the damage. On March 31, 2026, Anthropic accidentally exposed the source code for Claude Code, one of its most valuable AI products. The company issued Digital Millennium Copyright Act (DMCA) takedown requests that removed over 8,000 copies of the leaked code from GitHub. However, within hours of the leak, and before those takedown requests could be processed, a developer used AI to translate the entire codebase into a new Python repository that became the fastest-growing in GitHub history. This all comes at a time when AI companies are relying heavily on fair use as a defense in their mounting copyright infringement lawsuits over their use of copyrighted works to train their models, and as courts have made it clear that copyright law does not recognize AI as an author. This article examines how copyright law applies to AI-generated works and what the AI Code leak reveals about the tensions at the heart of AI and intellectual property.

Continue Reading AI Code Leak Exposes the Fault Lines of Copyright

A status check on the state of artificial intelligence regulation in the U.S.

Takeaways

  • Executive Order 14365 has so far not brought any clarity or consistency to U.S. artificial intelligence (AI) regulations.
  • No U.S. state AI laws have been challenged or overturned (yet).
  • Businesses should be careful about not overcorrecting to early federal pressure on AI regulations. Even if they are overturned, organizations would still have consumer protection, anti-bias, and anti-discrimination obligations that state regulators and Attorneys General will enforce in the AI context through other mechanisms.

OpenAI released GPT-4 in March 2023. By then, it was already the fastest-growing software application in the history of the human race. Artificial intelligence had already been deployed across many businesses, but the rapid proliferation of large language models into everyday life transformed AI regulation from a niche concern into the top priority of legislative sessions nationwide. There was a scramble to regulate and then understand (in that order) this new technology, resulting in over-drafted measures followed by industry pushback and a subsequent contraction due to the chilling effect that reactionary regulation can have on business investment.[1]

Continue Reading The Curious Case of Executive Order 14365’s Impact on AI Regulation

Takeaways

  • The CCPA Dives Into Internal Governance. The new amendments introduce three major regulatory pillars: new requirements for Automated Decision-Making Technology (ADMT), mandatory annual cybersecurity audits, and a requirement for businesses to conduct pre-processing data protection risk assessments.
  • ADMT. The CCPA has adopted pre-notice, risk assessment, consumer opt-out, and access obligations, as have been found in more recent privacy laws, with regard to automated decision-making and profiling.
  • Mandatory Executive Oversight. Members of a business’s executive management team are now directly responsible for overseeing the new mandatory cybersecurity audits and risk assessments and are responsible for making the necessary related certifications to the California Privacy Protection Agency (CPPA).
  • Phased Compliance Deadlines. The new regulations will likely be effective within the next four months and have compliance deadlines extending from 2027 through 2030.

Summary

After a tortured process taking years, the California Privacy Protection Agency has finalized the long-awaited amendments to the CCPA Regulations. The final package of regulations, now spanning more than 100 pages, is pending final review by the California Office for Administrative Law (OAL). If the OAL files the regulations by August 31, 2025, they will take effect on October 1, 2025. If the filing occurs between September 1 and November 30, the regulations will take effect on January 1, 2026.

Continue Reading New CCPA Regulations: Culture Change and the Rise of the ex ante Framework

Key Takeaways:

  • The Minnesota Consumer Data Privacy Act (the “Act”) follows established trends regarding transparency, data minimization, and required assessments, but represents the next evolution in consumer rights under U.S. state-by-state privacy legislation.
  • The Act provides consumers with special rights related to profiling, that is, automated processing of personal data to evaluate, analyze, or predict personal aspects of an individual, including through AI, not found in other state laws.
  • The Act requires covered organizations to adapt and expand their existing compliance programs in order to respond to these new consumer rights.

Summary:

Starting July 31, Minnesota will join the growing list of U.S. states with its own comprehensive consumer data privacy law, but with a key difference. Signed into law in 2024, the Minnesota Consumer Data Privacy Act follows the broader national trend toward stronger data protection and use standards. Like other U.S. state privacy laws, the Act requires covered organizations to:

Continue Reading The Minnesota Consumer Data Privacy Act Is the Next Evolution in Consumer Privacy Rights

Takeaways

  • Increased federal deregulation and related actions are further destabilizing the already tenuous foundation of the Data Privacy Framework (DPF). European privacy regulators have been issuing guidance indicating that they expect a European pull-back from the DPF.
  • Businesses that rely on the DPF should maintain their certification, but should move now to prepare to activate alternative data transfer mechanisms, such as the standard contractual clauses, and update lapsed transfer and data privacy impact assessments.
  • Review current cloud-storage arrangements and consider regionalizing European data storage to avoid EU-to-U.S. data transfers, especially if your cloud provider is relying on DPF certification to legitimize GDPR data transfers.

After years of litigation, false starts, and invalidated frameworks, the U.S. had finally achieved a simplified path for GDPR compliant transfers of personal data from Europe. However, European reaction to the recent changes on the U.S. side of the pond indicates a wavering in the support of the EU-U.S. Data Privacy Framework (DPF) and threatens to send the U.S. back into the data transfer dark ages.

Continue Reading Status Check: Support Is Quickly Eroding for the EU-U.S. Data Privacy Framework

We’re not playing horseshoes here, folks. It’s time to review your consumer privacy rights forms and mechanisms.

Key Takeaways

  • The fields relating to requests to opt-out of sale/sharing and requests to limit should only solicit the information strictly necessary to complete the request, which is likely less than the other more substantive requests (like access and delete). This applies to authorized agent opt-out requests as well.
  • For the more substantive requests (like access and delete), re-evaluate how much information is actually necessary for you to fulfill the consumer’s request. Ensure your form is not asking for anything extraneous.
  • Review your cookie consent toggles to ensure that the exact number of steps are involved in opting-out of certain cookies as they are for opting-in.
  • Ensure you have CCPA-compliant contracts with your advertising technology providers saved in your files.
Continue Reading Close Enough Is Not Good Enough When It Comes to Consumers’ Privacy Rights

Takeaways

  • Conflicting court rulings regarding the retroactivity of the BIPA Amendment create significant legal ambiguity for businesses facing pending lawsuits.
  • It is crucial for businesses to stay informed about ongoing BIPA litigation developments, as outcomes could have substantial financial implications.

While enacted in 2008, the Illinois Biometric Information Privacy Act (“BIPA”) did not emerge as a significant source of litigation until nearly 10 years later. From 2015 to 2023, there was nearly a 7,000% increase in BIPA claims. Although this snowball effect can be partially attributed to the rapid evolution of biometric technologies, a series of Plaintiff-friendly decisions also spurred BIPA filings. With recent developments on the legislative front and in the courtroom, has BIPA litigation finally reached its peak?

Continue Reading Interpretation of BIPA Amendment Splits the Courts: Implications for Businesses