Federal & State Regulatory

On January 1, 2020, the Artificial Intelligence Video Interview Act went into effect in Illinois.  This is the first state law regulating the use of AI for employee interviews.

Illinois’ law reflects increasing scrutiny in the United States and globally of biometrics practices. The law is consistent with U.S. policymakers’ focus on addressing significant concrete

IN FASHION 2020: Kelley Drye’s 6th Annual Fashion and Retail Law Summit
On January 16, 2020, Kelley Drye will host the sixth annual IN FASHION: Fashion and Retail Law Summit for executives and in-house counsel. Kelley Drye lawyers and thought leaders from some of the world’s top fashion and retail companies will convene for a

The January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) has come and gone, but questions about how to comply with the law show no hint of disappearing.  As companies move past their efforts to comply with the law’s most visible requirement – providing notice at the point of collection and explaining data practices in a full privacy policy – the focus is sharpening on a broad array of operational and implementation questions.

While Attorney General Xavier Becerra has indicated his office will prioritize enforcement relating to the sale of minors’ personal information, will direct enforcement efforts at companies that are not showing a willingness to comply, and will not make major changes before finalizing the proposed regulations, the Attorney General has not fielded specific questions about how to implement the law.  This state of affairs has left companies scrambling to benchmark their compliance practices against competitors and the industry at large.

In this post, we provide some insights on common questions we are hearing about how to comply with the CCPA in the absence of clear guidance or precedent.  Of course, every company is different and companies should always consult with a privacy attorney before deciding on the best way to comply with the CCPA.

Why are so many companies posting a “Do Not Sell My Info” (DNSMI) button on their website if they do not sell personal information in exchange for money?

Companies that post a DNSMI button but do not sell personal information for money likely have determined that their provision of personal information to ad tech companies in connection with interest-based advertising is a “sale.”  Accordingly, they post the DNSMI button to enable consumers to opt out of these “sales.”

The question of whether, and under what circumstances, the use of third-party cookies, pixels, tags, etc. constitutes a “sale” and how to provide DNSMI choices is a flashpoint in the debate over how to interpret the CCPA (as discussed here, here, and here).  There is a growing consensus that only a lawsuit or a government enforcement action will resolve this matter.

For now, two ways of analyzing this question are emerging.  One position concludes that data collected via a third-party cookie, tag, or pixel may be a potential “sale” because the company adding that cookie, tag, or pixel to its website sends, makes available, or otherwise shares personal information to an ad tech provider in exchange for services, and, critically, where that provider does not restrict its use or sharing of that personal information for the provider’s or other entities’ commercial benefit (other than for a limited number of exempted purposes).

The other position is that the third party directly collects personal information via the cookie, tag, or pixel placed on a publisher’s website, and the publisher is not selling that personal information to the third party responsible for the tracker.

Each business, however, will need to evaluate, on a case-by-case basis, whether its interest-based advertising, analytics, and other forms of tracking may constitute a sale under the CCPA.  Often this starts with categorizing  the types of vendors and partners (i.e. ad tech, analytics, or other services); identifying each specific vendor or partner responsible for the tracker on the business’s site(s); and reviewing the vendor or provider’s publicly posted terms, privacy policy, and contract with the business, if there is one, to determine if the transfer of personal information to the vendor could reasonably qualify as a transfer for a business purpose to a service provider, or other exemption, or whether the transfer is likely a “sale.”

When can a business claim that its ad tech partner and purchased ad tech services are exempt from the “sale” provisions of the CCPA?

The CCPA provides an exemption from the definition of a “sale” when a business uses or shares with a “service provider” personal information of a consumer that is necessary and proportionate to perform a “business purpose.”  As a result, companies may want to determine (1) whether an ad tech vendor is a “service provider” and (2) whether that vendor performs its ad tech service for a “business purpose.”  Examining specific arrangements with each advertising partner is the best way to address this question and for each of the relevant services provided by the vendor.

Some of the major players in online advertising have laid down public markers that can be helpful in classifying interest-based advertising activities.  Examples include:
Continue Reading

In the 2010s, Kelley Drye’s Ad Law Access blog posted approximately 1500 entries. Below are the most popular by year. To give you a sense of beginning to end, the first post came one month after Apple announced the iPad and the last just days before the first all-female spacewalk by astronauts Christina Koch and

In 2019, Ad Law Access published 124 stories on a wide range of topics. However, two topics stood out above the others:

  • California Consumer Privacy Act (CCPA)
    CCPA was far and away the most popular topic of 2019 and, as mentioned in one of our last posts of the year, “businesses and privacy professionals

“Made in the USA” claims have taken on an even greater importance as American manufacturing has captivated the political discussion. Recently FTC Commissioner Chopra released a statement calling for more stringent enforcement of the agency’s “Made in USA” advertising policies.

Kristi Wolff discusses how to substantiate “Made in USA” claims on the latest episode of

On a new episode of the Ad Law Access PodcastAlex Schneider discusses the recently approved (four) bills to amend the California Consumer Privacy Act (CCPA) and the Nevada and Maine Legislatures legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data.

For additional information see the Ad

Kelley Drye & Warren LLP announced the launch of the Ad Law Access podcast – a new podcast from its advertising law and privacy law groups.  Hosted by Kelley Drye attorneys, including Christie Grymes Thompson, Alysa Hutnik, John Villafranco, Gonzalo Mon, and Kristi Wolff, the podcast provides updates on advertising and policy law trends, issues,

The current and future definition of what qualifies as an automatic telephone dialing system (ATDS or autodialer) remains a hotly debated and evaluated issue for every company placing calls and texts, or designing dialer technology, as well as the litigants and jurists already mired in litigation under the Telephone Consumer Protection Act (TCPA).  Last year, the D.C. Circuit struck down the FCC’s ATDS definition in ACA International v. FCC, Case No. 15-1211 (D.C. Cir. 2019).  Courts since have diverged in approaches on interpreting the ATDS term.  See, e.g., prior discussions of Marks and Dominguez.  All eyes thus remain fixed on the FCC for clarification.

In this post, we revisit the relevant details of the Court’s decision in ACA International, and prior statements of FCC Chairman Ajit Pai concerning the ATDS definition to assess how history may be a guide to how the FCC approaches this issue.


Continue Reading

With the Illinois Supreme Court’s recent decision in Rosenbach v. Six Flags Entertainment Corp., the floodgates have opened for class actions in Illinois against businesses that collect biometric information from employees or customers.  In Rosenbach, the Illinois Supreme Court decided that alleged procedural violations of Illinois’s Biometric Information Privacy Act (“BIPA”) are enough,