In cybersecurity, typically, laws and regulations lag market and industry standards and customer expectations. I say typically because some laws and regulations are forward-thinking, usually in terms of their flexibility, and less often, in their specificity. Case in point is Massachusetts’ 201 CMR chapter 17.00: Standards for the protection of personal information of residents of the Commonwealth, available at: https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth. These regulations went into effect on March 1, 2010, and borrowed from the GLBA Safeguards Rule (effective May 23, 2003) and the HIPAA Security Rule (effective April 21, 2005). The regulations required a comprehensive written information security program and contained somewhat prescriptive technical requirements, in considerable contrast to the requirement to implement and maintain commercially reasonable protective measures found in most data breach notification statutes. Put otherwise, if someone was drafting an information security policy in 2010, the Massachusetts regulations were as good a place as any to start.  

Fast forward to March 2026. The world seems to be a far less hospitable place. Trust is in even shorter supply. Verification is paramount. Enter the California Consumer Privacy Act Regulations (the “CCPA Regulations”), effective January 1, 2026: https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf.

Pursuant to the CCPA Regulations, cybersecurity audits must be performed by a business that either (a) derives at least 50 percent of its annual revenues from selling or sharing consumers’ personal information (in effect, a data broker) or (b) (i) satisfies the annual revenue threshold (currently, $26.25 million) and (ii) processed the personal information of at least 250,000 consumers or households or processed the sensitive personal information of at least 50,000 consumers, in each case in the preceding calendar year.

The audit must be performed by an audit professional using audit industry-accepted procedures and standards, such as ISO. If a business does not have a suitable auditor yet, it should consider engaging one as soon as possible.

The first batch of cybersecurity audit reports under the CCPA Regulations are due in just over two years, on April 1, 2028. This deadline applies to businesses with calendar year 2027 gross revenue greater than $100 million and covers January 1, 2027 to January 1, 2028. The next batches are due on the first of April 2029 (gross revenue between $50 million and $100 million) and April 2030 (gross revenue less than $50 million). For the first batch, two years may seem long, but given that the audit year starts in just over nine months, it is just around the corner. The audit requirements are sprawling, but not unexpected. Components to be assessed during the audit include: encryption of personal information, at rest and in transit; strong passwords; audit log management; account management and access control; employee cyber training; patch management; inventory management; log management; segmentation; internal and external vulnerability scans, penetration testing, and vulnerability disclosure and reporting (e.g., bug bounty and ethical hacking programs); secure development and coding practices; and incident response management. The audit must assess a business’s cybersecurity program, and specifically whether said program is “appropriate to the business’s size and complexity and the nature and scope of its processing activities, taking into account the state of the art and cost of implementing the components of a cybersecurity program.” CCPA § 7123(b)(1). For those in the field, if this is bringing back memories of 2010 (201 CMR ch. 17.00) or 2003 (GLBA Safeguards Rule), you are not alone. The assessment is supposed to be context specific; for example, if the business operates exclusively online, restricting and monitoring physical access will be a null set. The requirements are general; compliance with specific standards, e.g., NIST SP 800-88 for secure document destruction, is not mandated. That said, a seasoned auditor will probe into the technical sufficiency and reasonableness of the protective technological measures. The report mandates a gap analysis and a plan, including a timeframe, to address the gaps. A business may leverage other cybersecurity assessments and audit reports, so long as alone or as supplemented they address the same requirements as the CCPA Regulations.

In preparing for the audit, now is as good a time as any to create a “punch list” of the components to be assessed and to map against current policies and practices. If there has not been a penetration test (not to be confused with website vulnerability scanning) in some time, or ever, now is the time to engage a reputable vendor. If there is a process but no documentation, now is the time to prepare such documentation. If there is a documented process, but it has not been pressure tested, now is the time to do so. An auditor will ask. Plus, even as the CCPA Regulations may not apply to a broad swath of businesses for some time, if there is a cybersecurity incident, rest assured that a state regulator can and will ask about the cybersecurity measures at and after the time of the incident, as will counterparties. Further, cybersecurity (and privacy) laws and regulations are living documents, especially in California, and the trend is for them to become more, not less, stringent. Case in point: the CCPA, which has been amended (and strengthened) many times. In the same vein, an amendment in the next few years to require businesses tasked with performing a risk assessment (triggered, e.g., by a sale or sharing of personal information) to also perform a cybersecurity audit is not farfetched. Last, but not least, concepts (e.g., the accessible deletion mechanism, for data brokers) first enacted in California tend to spread to other states (with similar bills, e.g., in Rhode Island and Vermont), meaning that other states may soon follow with cybersecurity audit requirements.

Where to start? The written information security program, or course.

The critical difference is agency. Generative AI is reactive; agentic AI is proactive. When an AI system can autonomously trigger actions—such as sending emails, modifying records, executing transactions, or orchestrating other systems—it effectively becomes a non-human actor and potential insider threat.

Before deploying agentic AI in a business context, ask:

• What authority will this agent have? Can it only read data, or can it modify systems, move funds, or initiate communications?
• What decisions can it make without human approval? Where are the guardrails, and how are they enforced?
• What systems can it interact with? Each integration expands the blast radius of a system failure or compromise. How safe is it?
• How will its behavior be audited and monitored? Can auditors observe what the agent is doing, why it is doing it, and the input used?
• What is the failure mode? How do you stop it if it becomes a threat?

After all these questions have been answered, complete a risk assessment that aligns with the National Institute of Standards and Technology’s AI Risk Management Framework. Individually assess all elements of the agentic AI solution, as well as the sum of all parts, prior to deployment and regularly thereafter.

Identification, Authentication, and Authorization

Agentic AI will have a unique risk profile in your Identify and Access Management (“IAM”) system. At minimum, address these three elements:

• An agent must have a unique, persistent identity distinct from developers, users, or service accounts. Avoid shared or embedded credentials, as they magnify risk in agentic deployments.
• Agents should authenticate using strong, non-interactive mechanisms (e.g., short-lived tokens), with no static passwords or keys baked into prompts or code.
• Least privilege is essential. Constrain agents with fine-grained, task-specific permissions, not broad system access. Granting excessive permissions leads to systemic risk. An agent should never have more authority than the narrow task it is performing at that moment.

Security Risks and Mitigations

While the full scope of systemic risk is too broad for this blog post, here are five high-level risks that must be mitigated when considering an agentic AI rollout:

1. Excessive autonomy enables agents to take unintended actions with real-world impact. Enforce human-in-the-loop controls for high-risk actions.

2. Prompt injection and manipulation can allow external bad actors to force agents to override safeguards. Adopt a secure development framework such as the Open Worldwide Application Security Project’s and perform vulnerability testing at regular intervals.

3. Data leakage and oversharing risks allowing agents to exfiltrate sensitive data during task execution. Limit access only to appropriately classified data and filter output.

4. Lack of accountability will result in systemic issues and untrustworthy AI. Require immutable logging, decision traceability, and clear ownership for each deployed agent.

5. Unmanaged supply chains risk allowing the use of unapproved tools, vulnerable plugins, undocumented APIs, or unfit or hackable models. Review all system dependencies on a regular cadence and restrict interactions to vetted and managed tools and vendors.

Contracting Agentic AI

As expected, technological advancements are outpacing contracting and the law. Best-in-class contractual provisions today may be obsolete in 12-24 months, if not sooner, and even if not, at least for the near term, it will take a village to operationalize and enforce the contractual mandates. Further, most contracts are filed away, never to be seen again unless a dispute develops or the parties are reviewing contract termination logistics. Not revisiting on a regular cadence the security (and other) terms in an agentic AI contract creates substantial risk. Below are a few mitigation options.

While specificity is usually preferable, for the time being it may be worthwhile to leverage more general language, such as compliance with laws (which will, of course, evolve over time and move somewhat in lockstep with the technology). Specific protections outlined above complement the general “compliance with laws” language and serve as the foundation to a mutual operational understanding.

In the near term, consider spending more time negotiating independent third-party audit clauses, for both the developer and the deployer, to help ensure that both parties are receiving the bargained-for protections. An audit in 2031 may look quite different than one in 2026, but at least you will have established the foundation and expectation for confirming mutual compliance.

Most importantly, best-in-class contractual provisions for agentic AI may, given the nature of the technology, and in particular the need to actively monitor and manage it, create a Potemkin village issue. In particular, the contracting party ostensibly benefiting from the robust language may be lulled into a false sense of security. Put otherwise, best-in-class language without the requisite security and operational resources to monitor and manage the salient aspects of the agentic AI solution could be a recipe for disaster. The deployer will need to, among other things:

• Constantly communicate with the developer,
• Learn about model updates and any other changes implemented by the developer that could impact the performance and behavior of the agentic AI solution,
• Validate all integrations,
• Know how to disable the agent if it crosses certain lines,
• Request appropriate documentation from the developer to perform legally mandated risk assessments, and
• Ensure that the logs provided by the deployer are timely, sufficiently granular, and actionable.

The contract should include “hooks” for these activities that require the developer to reasonably comply. In addition, the contract should permit both the developer and deployer to shut an agent down immediately if it presents a safety risk or on short notice if it crosses certain thresholds or operates outside preset guardrails. Deployments will need to factor “kill switch” scenarios into operational continuity, and deployers will need to work closely with developers, at least until expectations harden and the engagement becomes more routine. Conversely, the developer will need to dedicate considerable resources in order to minimize failure risk and help ensure successful deployments. Lastly, the developer and deployer will want to regularly (at least annually) review the AI contract to help ensure that it is meeting their needs and addressing emergent risks.

Investigations from regulators follow as well. The beginning of the year is as good a time as any to review the Written Information Security Program (WISP) and to confirm appropriate implementation of the systems and measures that flow from the WISP. Likewise, it is as good a time as any to review and (if appropriate) update website privacy notices, ensure that website consent managers and opt-out mechanisms function as intended, and conduct privacy and cybersecurity training. What’s old is new, at least each January. 

The California Privacy Protection Agency continues to focus on data brokers and with the availability of the Delete Request and Opt-Out Platform (DROP) will likely step up enforcement in 2026. Implementation of DROP may not be entirely straightforward, so a detailed project plan and punchlist are recommended.

The updated California Consumer Privacy Act of 2018 (CCPA) regulations became operative on January 1, 2026. These regulations now mandate, among other items, annual cybersecurity audits, data privacy risk assessments, and pre-use notice and other requirements for automated decision-making technologies, generally with staggered start dates depending on the size of the business.

The California legislature reconvened on January 5, 2026. As we are in the second year of the 2025-2026 Biennium, legislators may introduce new bills and/or try to progress bills, introduced during the first year, that had not made it to the Governor’s desk. For example, a few bills stalled in the Assembly Privacy and Consumer Protection Committee, after having been approved by the Senate: SB 690 (an act to amend Sections 631, 632, 632.7, 637.2, and 638.50 of the Penal Code, relating to crime) aimed to de-conflict CIPA and the CCPA and in so doing legislatively closed the floodgates on CIPA litigation; SB 420 would have required developers of high-risk automated decision systems to conduct impact assessments before making the system publicly available. The current legislative session ends on August 31, 2026.

The following AI and data privacy laws went into effect on January 1, 2026.

1. AB 316 (Artificial intelligence: defenses)
2. AB 566 (CCPA: opt-out preference signal)
3. AB 853 (California AI Transparency Act)
4. SB 53 (Artificial intelligence models: large developers)
5. SB 243 (Companion chatbots)
6. SB 361 (Data broker registration: data collection)
7. SB 446 (An act to amend Section 1798.82 of the Civil Code, relating to personal information and data breach notification)

AB 566 (the California Opt Me Out Act) requires web browsers to include a clear, one-step setting allowing users to send an opt-out preference signal. AB 853 imposes new transparency and disclosure obligations on GenAI systems, amending the existing California AI Transparency Act. On an even larger scale, SB 53 requires large AI developers to publish risk-management frameworks and report catastrophic safety incidents to the State.

SB 446 mandates data breach notification to impacted California residents within 30 calendar days of discovery or notification of the data breach, with customary exceptions. A breach notification report must be submitted to the California Attorney General within 15 calendar days of notifying the affected individuals.

A number of new AI and privacy bills have been introduced.

SB 300, SB 867, and AB 1609 are new chatbot bills. AB 1064 (Leading Ethical AI Development (LEAD) for Kids Act) was vetoed by Governor Newsom last Fall. A new ballot measure, Parents & Kids Safe AI Act, has been introduced, and signatures are now being sought to put the measure on the ballot in November 2026. It’s possible that the California legislature may introduce, and Governor Newsom may sign, new legislation on this topic, following the course of the CCPA, which was originally a proposed ballot measure.

AB 1542 (an act to amend Sections 1798.100 and 1798.121 of the Civil Code relating to privacy) would, under the CCPA, prohibit a business, service provider, or contractor from selling or sharing sensitive personal information to a third party. Current law allows the consumer to opt out of the selling or sharing of personal information and to limit the use and disclosure of sensitive personal information to certain uses as set out in the statute. AB 1542 may be heard in committee on February 5, 2026.

Stay tuned. 2026 promises to be another interesting year in California.

Privacy Policy Review: Carving Out Time for Compliance

Once you satisfy the Black Friday itch, consider carving out some time to reflect – on food, family, festivities of the season, and of course, federal (and state!) privacy requirements. Whether you’re in healthcare, tech, finance, retail or otherwise, your privacy policies should reflect the current reality of business operations, and importantly, confirm that an annual review was performed. A “last revised: 2020” date on your privacy policy is a red flag for regulators – just like those leftovers on the counter, it’s time for a refresh.

If the types of personal information you collect, your target marketing audience, actual customer numbers, or how you process personal information, and especially health-related data (e.g., protected health information), has changed this year, it might be time for a policy update. Pay attention to vendor practices too – with rapid adoption of AI, vendors and business associates alike may be changing their capabilities and data processing practices, and the (tur-)key is to know how those changes might impact your data and business operations, and update policies accordingly.

Dark Meat… Dark Patterns: When Digital Design Goes Bad

Just as you might be wary of overcooked dark meat at your Thanksgiving table, businesses should be equally cautious about the “dark patterns” in their digital interfaces. Dark patterns are deceptive tools or designs used to impair user privacy choices or manipulate user behavior – like that second serving of pumpkin pie.

These digital design techniques are deemed a dark pattern if they have the effect of substantially subverting or impairing user autonomy, decision-making, or choice – a business’s intent is not determinative of whether the user interface is a dark pattern, but a factor that is considered.

Dark patterns can take many forms. A common example is a cookie banner with a bright, oversized “ACCEPT ALL COOKIES,” with an adjacent, neutral “manage preferences” button. This presents a visual cue to a user to click the conspicuous button, while not providing an equivalent button to reject – neither in language nor in the steps taken to effectuate the request. Dark patterns may also be disguised ads, difficult to cancel subscriptions, buried terms, tricks to obtain personal information, and more. Many state privacy laws prohibit the use of dark patterns, and the FTC continues to actively enforce regulations against them. Regulators emphasize that the use of dark patterns invalidates consumer consent. Because these practices can manipulate choices through deception or coercion, they undermine informed decision-making, rendering any consent neither voluntary nor fully informed.

Cookies and Tracking Technologies: Save Room (and Attention!) for Dessert

Some things to consider about your cookie policy while digesting your turkey and watching football: A cookie policy explains what cookies are, how they track your activity, and how you can control them.

Is your website using any new third-party software that may receive personally identifiable information or collect data for the software vendor’s own purposes? Tracking technology may be included in software developer kits (SDKs), plug-ins, or other features or functions on your website or application.

Is your consent manager accurately facilitating consent and consumer-friendly opt-out preferences before dishing out cookies? The California privacy regulatory body has held that website owners, not consent management platforms are responsible for the proper configuration of consent mechanisms (i.e., cookie banner).

Is your cookie policy compliant with different jurisdictional requirements? Obligations may vary based on location.

Whether you need a simple temperature check, or a more in-depth review, the privacy team at Stoel Rives is here to help cross annual compliance updates (and lots of other tasks) off of your long holiday to-do list.

We’ve written about three areas companies should keep in mind when working with data:

• Creating datasets: Privacy and ethics should guide collection. Small details can reveal personal identities, and biased or incomplete data can undermine entire AI systems.
• Licensing third-party data: Pay close attention to ownership, scope, warranties, and liability in agreements.
• Using public data: Public availability does not equal unrestricted use. Licensing terms, privacy laws, and governance protocols still apply.

Data is a powerful driver of innovation and a potential source of significant legal exposure. Proactive governance, thoughtful contracting, and attention to ethics and privacy can help businesses unlock the value of data while minimizing the risks.

Read the full article on stoel.com for practical guidance on building a responsible approach to data.

On July 23, 2025, the Executive Office of the President released “Winning the Race – America’s AI Action Plan,” available here: https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf. Conveniently, or perhaps not exactly so, I was scheduled to present AI legislative developments at a conference that morning. I was able to skim the plan before the presentation and promised the attendees that I would provide a more nuanced assessment during my evening panel on global AI policy and compliance.

The plan is wide-ranging and provides under the heading “Remove Red Tape and Onerous Regulation”: “The Federal government should not allow AI-related Federal funding to be directed toward states with burdensome AI regulations that waste these funds, but should also not interfere with states’ rights to pass prudent laws that are not unduly restrictive to innovation.” Policy recommendations include: “Led by OMB, work with Federal agencies that have AI-related discretionary funding programs to ensure, consistent with applicable law, that they consider a state’s AI regulatory climate when making funding decisions and limit funding if the state’s AI regulatory regimes may hinder the effectiveness of that funding or award.” If, when, and how this will be implemented remain to be seen. Another policy recommendation is to “[r]eview all Federal Trade Commission (FTC) investigations commenced under the previous administration to ensure that they do not advance theories of liability that unduly burden AI innovation. Furthermore, review all FTC final orders, consent decrees, and injunctions, and, where appropriate, seek to modify or set aside any that unduly burden AI innovation.” Practically, this may be a relatively short list, if not a null set. The relatively recent Workado and Intellivision complaints and associated settlements both address alleged false and unsubstantiated claims about the efficacy of AI solutions. The Rite-Aid consent decree may be within scope as well, as artificial intelligence technologies undergird many biometric systems. The commissioners who voted in favor of the decree, in December 2023, are now gone.

Congress is in recess until early September. It’s possible that the 10-year (or a shorter duration) moratorium may be reintroduced as a separate bill.

In the meantime, the states forge ahead, although only a handful of them, including California (AB 410, AB 412, AB 853, and SB 53, as examples) and New York (A06578, S06954, and S00934, to list a few bills), remain in legislative session. Texas Governor Greg Abbott signed into law HB 149 (Texas Responsible Artificial Intelligence Governance Act), which takes a considerably narrower approach than the Colorado AI Act, which, after the failure of SB 25-318, still goes into effect on February 1, 2026, and Virginia HB 2094, which was vetoed by Governor Glenn Youngkin earlier this year.

Put simply, fragmentation continues and should be expected, at least for the near future. Couple this with extra-national concepts such as Sovereign AI, and other geopolitical factors and considerations, and we can all agree that we live in interesting times.

Of course, AI is not the only item on the radar. For example, earlier this month, with limited exception, U.S. DOJ Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, codified at https://www.ecfr.gov/current/title-28/chapter-I/part-202, are now fully enforceable. The rules address prohibited transactions and restricted transactions with a country of concern or covered person and introduce considerable compliance obligations.

Thus, while July typically might be a month to put away the laptop for a bit, it seems that this July was very much an exception. Let’s see what August brings.

In February, I wrote about the 24-Hour AI News Cycle: https://www.stoelprivacyblog.com/2025/02/articles/ai/the-24-hour-ai-news-cycle-keeping-up-with-legal-and-regulatory-developments/. February is ancient history, and the AI news cycle has become even further compressed since then.

Now, at the end of June, we stand at a crossroads. H.R. 1 (“One Big Beautiful Bill Act”), passed by the House on May 22, 2025, contains a 10-year moratorium on the enforcement by a state or any of its political subdivisions of any laws “limiting, restricting, or otherwise regulating artificial intelligence models, artificial intelligence systems, or automated decision systems entered into interstate commerce.”[1] State attorney generals from both sides of the aisle have pushed back on the AI moratorium.[2] The Senate Committee on Commerce, Science, and Transportation reconciliation text includes in one subsection (q) the moratorium and in the immediately preceding subsection (p), a statement that none of the $500MM in BEAD (Broadband, Equity, Access, and Deployment) funds “to construct and deploy infrastructure for the provision of artificial intelligence models, artificial intelligence systems, or automated decision systems” may be made available to an eligible (any) state or any political subdivision that does not comply with the moratorium.[3] Read together, this would seem to suggest that the moratorium could affect any state, and states that do not comply with the moratorium will not receive BEAD funding.  

Some, including certain U.S. Chamber of Commerce members, support the moratorium, as reflected in a letter dated June 9, 2025 to Senate Majority Leader Thune and Senate Minority Leader Schumer.[4] Others, including Senators Cantwell (D-WA) and Blackburn (R-TN), and the attorney generals for their respective states, oppose it.[5] The bill would still need to be approved by the full Senate, which could remove the moratorium via amendment, and the House would have one more bite at the apple.   

The tax and spending bill may be presented to President Trump as early as next week. If a bill with the moratorium is signed into law, while laws such as the Colorado AI Act[6] and others squarely focused on AI will be within scope, it is an open question as to whether general consumer protections laws and privacy laws or regulations, with a nexus to AI, will be impacted. At the end of 2024 and the beginning of 2025, the Attorney Generals of Oregon and California provided guidance on the application or Oregon[7] and California[8] law to AI.

Meanwhile, AI bills continue to progress through state legislatures and in some cases, such as the Texas Responsible AI Governance Act (HB 149)[9], get signed.    

As intimated, the situation is fluid.

I am still tracking AI bills, and there are many, including not only in California, but the moratorium cannot but enter into the analysis.

If you are apt, or trying, to take the long view, consider reading Nexus: A Brief History of Information Systems from the Stone Age to AI (Yuval Noah Harari). Harari is a trained historian, and if you have read any of his articles or books, you would not be surprised to find Nexus intellectually sprawling.

As an aside, I first ran across Harari in an article in The Atlantic, published in late 2018, while preparing to teach Technology Transactions Law to second and third year law students. The article, Why Technology Loves Tyranny, focused on the need to continuously reskill and upskill, and stressed the importance of critical thinking, in the new age of AI. This was roughly four years before the launch of ChatGPT, and likely some time before the term “cognitive offloading” entered the popular lexicon. I shared the teachings with my students, but the future predicted by Harari seemed quite distant. 

Nexus tackles different issues. There, Harari writes: “My goal in this book is to provide a more accurate historical perspective on the AI revolution. This revolution is still in its infancy, and it is notoriously difficult to understand momentous developments in real time.” (398)  Harari stresses the importance of self-correcting mechanisms, especially when and as the network becomes more powerful. This may be especially the case with respect to AI.  More broadly, accountability is key, but it must be operationalized thoughtfully, pragmatically, and with sufficient lead time for effective enforcement, at least based on the recent (failed) attempt to amend the Colorado AI Act, which goes into effect on February 1, 2026.[10]    

As some know, an article on agentic AI is still in the works. Stay tuned.

[1] https://legiscan.com/US/bill/HB1/2025

[2] https://coag.gov/press-releases/attorney-general-phil-weiser-bipartisan-ag-letter-congress-artificial-intelligence-regulations-5-16-25/

[3] https://www.commerce.senate.gov/services/files/AD3D04CF-52B4-411F-854B-44C55ABBADDA

[4] https://www.uschamber.com/technology/artificial-intelligence/coalition-letter-to-the-senate-supporting-the-moratorium-on-ai-regulation-enforcement

[5] https://www.commerce.senate.gov/2025/6/state-attorneys-general-tell-congress-ai-moratorium-will-leave-consumers-citizens-vulnerable-to-ai-fraud-theft-other-harms

[6] https://leg.colorado.gov/sites/default/files/2024a_205_signed.pdf

[7] https://www.doj.state.or.us/wp-content/uploads/2024/12/AI-Guidance-12-24-24.pdf

[8] https://oag.ca.gov/system/files/attachments/press-docs/Legal%20Advisory%20-%20Application%20of%20Existing%20CA%20Laws%20to%20Artificial%20Intelligence.pdf; https://oag.ca.gov/system/files/attachments/press-docs/Final%20Legal%20Advisory%20-%20Application%20of%20Existing%20CA%20Laws%20to%20Artificial%20Intelligence%20in%20Healthcare.pdf

[9] https://legiscan.com/TX/text/HB149/id/3249139/Texas-2025-HB149-Enrolled.html

[10] https://coag.gov/blog-post/attorney-general-phil-weiser-testimony-on-senate-bill-25-318-5-5-25/

This updated guidance provides a clearer roadmap for what the Division expects in an effective antitrust compliance program. It also signals that the DOJ’s civil teams will be applying similar scrutiny when evaluating compliance in civil enforcement actions—raising the stakes for companies seeking to mitigate liability across the board.

Key Takeaways

• AI Risk Now Front and Center: The DOJ expects companies to assess and address antitrust risks arising from AI, algorithmic pricing tools, and other emerging technologies.
• Compliance Must Keep Pace with Technology: Compliance teams should understand the technologies in use, be involved in deployment decisions, and ensure policies are updated to reflect current legal and market developments.
• Ephemeral Messaging in the Spotlight: Companies must identify and evaluate the use of non-company communication tools (like Signal or WhatsApp), establish clear policies, and define preservation requirements.
• Mid-Level Managers Matter: Compliance leadership must go beyond the C-suite—DOJ wants to see “tone from the middle” with managers modeling ethical behavior across the organization.
• Data Analytics and Monitoring Expectations Are Rising: The DOJ encourages the use of data tools to detect antitrust risks and asks whether compliance teams have timely access to relevant data sources.
• Application to Civil Enforcement: Civil antitrust teams will now assess compliance programs using many of the same factors as criminal prosecutors—underscoring the need for strong programs even outside of criminal investigations.

Read the full article to explore what these updates mean for your company’s antitrust compliance efforts and how to align your policies with DOJ expectations.

Under the Act, app store providers must request age information during account creation and link minor accounts to verified parent accounts. Developers must confirm age categories and seek parental consent before app use or in-app transactions, particularly when implementing a “significant change” to the app’s content or data practices. Personal age verification data must be encrypted and used solely for purposes outlined in the legislation.

Violations may be enforced as deceptive trade practices by the Utah Attorney General, and starting December 31, 2026, parents may bring private actions for non-compliance—potentially recovering the greater of $1,000 per violation or actual damages, plus attorneys’ fees. Developers acting in good faith on app store-provided data may be shielded from liability.

As similar bills are being considered in states such as California, Kentucky, and West Virginia, app developers may need to prepare for a patchwork of state-specific requirements. Until federal standards are adopted, many may choose to align with the most stringent laws to manage compliance risk.

Read the full article here.

With over two decades in insurance litigation, Seth notes that no other technology has introduced such a wide and unpredictable range of risks. And the response from insurers? It’s a mix of new exclusions, cautious underwriting, and emerging coverage options designed to tackle this frontier.

Key Takeaways

• AI-Driven Claims Are Already Here: Real-world lawsuits allege harms ranging from AI chatbots encouraging self-harm to discriminatory hiring bots and copyright misuse.
• Coverage Varies Widely: Claims are being made under general liability, D&O, E&O, media liability, and cyber-risk policies—sometimes successfully, sometimes not.
• Exclusions Are on the Rise: New policy language is carving out AI-related exposures, including broadly worded exclusions for generative AI content and AI-assisted decision-making.
• Some Insurers Are Leaning In: Select carriers are offering AI-specific E&O endorsements, including coverage for data misuse and “data poisoning” in machine learning.
• Risk Management Must Be Proactive: Companies should integrate legal and risk teams early, audit contracts with AI vendors, and stay informed on evolving governance frameworks like NIST and NYC’s Local Law 144.

Read the full article to better understand the shifting contours of insurance coverage in the age of AI—and what your company can do to manage these emerging risks.