Blog

Join the Engelberg Center on Innovation Law and Policy, the Information Law Institute, and S.T.O.P. (the Surveillance Technology Oversight Project) for the US launch of Albert Fox Cahn’s new book “Move Slow and Upgrade”. Albert will be discussing the book, co-authored by Evan Selinger of the Rochester Institute of Technology, which takes a deep dive into some of the most disastrous innovations of recent years while highlighting some of the unsung upgraders pushing real progress each day. The event will take place on Wednesday March 4, 2026 at NYU School of Law. Book discussion begins at 7:30; reception follows at 8:15. Register here. 

The UK has proposed legislation to mandate age verification for VPN use. 

The French offices of Elon Musk’s X have been raided by the Paris prosecutor’s cyber-crime unit, as part of an investigation into suspected offences including unlawful data extraction and complicity in the possession of child sexual abuse material (CSAM).

Amazon ran a Super Bowl ad promoting its AI-driven Search Party feature. The ad was met with backlash that extended beyond traditional privacy supporters. 

Steve Yegge took a dive into Anthropic’s organizational and AI development philosophy. Relatedly, the New Yorker published an in-depth piece detailing the limits of Anthropic’s LLM – Claude.

The New Yorker published an in-depth report detailing the limits ofIn-depth reporting explores the epistemic limits of large language models like Claude and the attendant legal/policy questions about transparency, explainability, and regulation of autonomous systems.

U.S. Immigration and Customs Enforcement (ICE) uses facial recognition and AI-driven surveillance systems—often integrated with contractors like Palantir— to identify and harass peaceful protestors in Minneapolis.

Discord updated their terms of service to require biometric user identification – often by providing an ID. This follows a data-breach where thousands of ID images were leaked from their servers. 

(compiled by Anthony Perrins)

As ICE has continued to use the facial recognition app Mobile Fortify, the Illinois AG has sued in order to prevent its use and to prevent other invasions of privacy.

The Wall Street Journal interviewed a lawyer representing a client alleging that xAI/Grok had made non-consensual deepfakes of her. The interview features a discussion of what pathways are available legally for such clients.

Child safety cases continue to percolate up through the courts, with quite a few states passing statutes constraining what ages kids can get on social media, and corresponding litigation from the companies.

Events coming up:

NYU’s LPE, ACS, Energy Law Society, and Rights Over Tech  is hosting “Under the Hood of AI,” a discussion into the infrastructure—and financing—undergirding the AI craze. The event will be at 1pm on February 9th. RSVP here

Profs. Michal Shur-Ofry & Katherine Strandburg are teaching innovation policy colloquium this semester at NYU, on Law and Complex Systems. The colloquium will be on Thurs 4:45-6:45; reach out to Prof. Strandburg for more information. On Feburary 5, the colloquium will host Prof. Albert-László Barabási, a professor of network science.

Welcome back!

Opinion editors at Scientific American argue that AI deepfakes pose escalating risks to democracy and personal privacy, and point to Denmark’s proposed law granting people rights over their face and voice as a potential model for the US to follow. 

A new analysis from Georgetown Law’s Institute for Technology Law & Policy explains how existing U.S. consumer protection and privacy laws already apply to AI chatbots designed for kids and teens.

Bloomberg Law reports that California is finalizing a privacy-law specialization for attorneys. The proposed standards include continuing education requirements (45 hours to qualify for initial certification and 36 hours for recertification), proof of significant engagement in privacy matters, and options to qualify without a written exam if certain thresholds are met. 

On November 19, the European Commission proposed major reforms to Europe’s GDPR, AI Act, ePrivacy Directive and the Data Act, aiming to simplify digital regulations and encourage AI development. The changes would delay implementation of key parts of the AI Act, and would allow AI companies to use personal data for model training without user consent if in compliance with other GDPR requirements.

(compiled by Karinna Gerhardt)

Privacy Research Group News Roundup 11/12/25

The New York Algorithmic Pricing Disclosure Act took effect on November 10, 2025, requiring businesses to display a clear disclosure near prices stating that the price was set by an algorithm using personal customer data.

New research from the European Broadcasting Union and the BBC has found that four leading chatbots routinely generate flawed summaries of news stories.

At the 2025 Joint Mathematics Meetings, Meta’s AI Chief Yann LeCun said that even “a house cat has better intelligence than our most advanced AI systems.” He explained the Moravec paradox – “the observation that tasks difficult for humans are relatively easy for computers, while tasks that seem effortless to humans remain extraordinarily challenging for AI.” LeCun reportedly plans to leave Meta to build his own startup.

The European Commission is expected to unveil the “Digital Omnibus” reform package on November 19, which could roll back the General Data Protection Regulation, the AI Act, and many other privacy-related regulations.

A new opinion piece in The New York Times discusses whether chatbot conversations should be entitled to legal protections.

Several journalists offer think pieces on how New York City mayor-elect Zohran Mamdani might reform the surveillance state enforced by the New York Police Department, given his commitment to working with current Police Commissioner Jessica Tisch and his plan to divert some resources into creating a $1B Department of Community Safety.

(Compiled by Sarah Wang).

Florida’s novel lawsuit against Roku under its privacy law has been noticed by lawyers and industry insiders.

A new preprint suggests that AIs are trained to hallucinate through their training that rewards confidence and conversely disincentivizes “I don’t know” responses.

A new paper discusses a layer in AI industry that’s frequently not talked about: the human labor that goes into “collect[ing] and annotat[ing] data, monitor[ing] and maintain[ing] algorithmic systems, keep[ing] data centers running, and min[ing] rare earth minerals—not to mention the artists, translators, writers, and actors whose work fuels so-called generative AI”

A recent audit found that the continuing budget and staffing cuts at the CFPB has left major data security risks.

A network of global privacy regulators announced an enforcement sweep into digital services’ use of underage users’ data.

The Fifth Circuit heard a case, Computer & Comm. Ind. Ass’n v. Paxton, regarding Texas’ law that would require content filtering for minors, although it seemed wary of deciding it directly instead of remanding to the District Court.

A new bill introduced in the senate, the GUARD Act, would regulate the use of chatbots by minors.

The FCC will vote later this month to reverse a Biden-era policy that added cybersecurity requirements.

OpenAI has updated its terms of service to say its models cannot be used to provide legal or medical advice. OpenAI disclaimed this as “not a new change to our terms.”

More than a dozen states have filed a motion to submit an amicus brief in Huiskamp v. ZoomInfo Tech. LLC, arguing that selling peoples’ phone numbers should be treated as commercial speech.

(compiled by Tobit Glenhaber)

Meta’s new “smart glasses” raise similar issues to Google glass, with questions on whether privacy law is equipped to deal with the higher level of private surveillance they allow.

The Guardian and +972 report that Israel’s contracts with Amazon and Google provide for “unorthodox ‘controls’” in the deal. It creates a “winking mechanism” that requires the companies to secretly divulge the identity of foreign countries whose law enforcement has asked for Israeli data through coded payments. The contract also limits the ability for the companies to revoke Israel’s access to the cloud platforms even if they find Israel’s use of the technology violates their terms of service or non-Israeli law.

Reddit sued Perplexity for data scraping of its website. This follows a lawsuit filed against Anthropic earlier this year.

DHS has published a final rule providing for photographing all non-citizens at all border entries.

ICE and CPB have been using facial recognition technology in their enforcement raids.

Character AI has modified their terms of service to bar minors from using its chatbots.

Contact Clay Venetis, cvenetis@cspi.org, if you are interested in diving into the MTA’s alcohol ad policy change.

(Compiled by Tobit Glenhaber)

Representatives in the Michigan state legislature have proposed a ban on VPNs as a part of a larger bill that aims to ban online pornography in the state. 

Mother Jones recently published an article detailing how a secretive surveillance firm called First Wap exploits telecom network loopholes to track, intercept, and surveil phones worldwide—including those of public figures, politicians, and dissidents—often without legal oversight. Lighthouse Reports has also published an investigatory report on First Wap’s activities.

The U.S. Privacy Consortium, a bipartisan collective of U.S. regulators that collaborates on the implementation and enforcement of their states’ data privacy regimes, recently welcomed the attorneys general of Minnesota and New Hampshire as the group’s newest members.

CA Governor Gavin Newsom signed a bill that requires social media companies to make canceling an account straightforward and clear, ensures that cancellation triggers full deletion of the user’s personal data, and provides additional data protections for Californians.

Scouting America, formerly known as the Boy Scouts, announced two new badges that scouts can earn: one in artificial intelligence, and another in cybersecurity.

Federal law enforcement has arrested a suspect in connection with starting what became the Palisades blaze that killed 12 people in early 2025. Among the evidence cited is an AI image of a burning city that the suspect allegedly generated with ChatGPT.

(Compiled by Audrey Kim)

Meta has announced it will incorporate data from user interactions with its AI products to sell targeted ads starting December 16th. More than a billion users engage with Meta AI each month, and the company hopes to monetize this data to better refine its advertisements across a user’s accounts. This includes data gathered from Meta’s Ray-Ban smart glasses and its AI-video programs. Users may not opt out, but company officials say AI conversations involving controversial topics will not be incorporated into a user’s ad feed. 

The 2025 Esports World Cup brought in hundreds of millions of viewers, highlighting the surging popularity of this once-niche hobby. As the field expands, Esports participants must increasingly comply with local consumer privacy laws, especially as they advertise to viewers and collect their data. Competitors themselves must obtain affirmative consent from users and companies must avoid falling afoul of unfair competition or deceptive business practice regulations.. Stakeholders throughout the industry must conduct extensive due diligence to avoid liability, whether it be event organizers, team managers, players, or sponsors, a burden which will only grow as the sport continues its meteoric growth.

The Supreme Court recently upheld Texas HB 1181, narrowly approving age verification for sexual content online in apparent contravention of online privacy. The need to submit ID exposes adult users to data breaches, to say nothing of intentional sale or surveillance. Recent data breaches at major companies and their partners indicates these fears may be warranted.

The Supreme Court also allowed President Trump to fire a commissioner of the FTC, which enforces consumer protection and antitrust laws. This decision signals a willingness to overturn Humphrey’s Executor v. US, a 1935 decision restricting the President’s power to remove the leaders of independent regulatory agencies. By extension, this would threaten the ability of the FTC and similar agencies to regulate data usage and privacy in the US.

While the US tries to maintain a lead in the AI space, a black market in GPUs increasingly brings these high-demand products to China despite American regulations. The American government rarely approves exports of these goods, but unofficial channels salvage GPUs and clandestinely smuggle them from Taiwan and the US to Chinese companies. In the meantime, the US government has been working with semiconductor companies NVIDIA and AMD to compensate them for any revenue lost due to restrictions on exports to China.

(Compiled by David Gonzalez)

Brazil has passed a new child protection law – the ECA Digital. The law requires online services likely to be used by children to build in protections for privacy, safety, and children’s best interests by default, including banning profiling and behavioral advertising targeting kids. It takes effect in March 2026 and includes penalties for non-compliance, such as fines (up to 50 million reais or 10% of revenue in Brazil), suspension or bans, and is being enforced by Brazil’s data protection authority.

Tech Policy published a piece arguing that recent Supreme Court rulings erode longstanding protections by allowing states to impose age-verification mandates online, thereby undermining users’ First Amendment rights and privacy. The piece claims that requiring individuals to submit personal identifiers to access content risks surveillance, data exposure, and chilling effects on online speech for both minors and adults.

The United Kingdom rolled out their proposal for a digital ID. The plans faced criticism from across the political spectrum. The proposal has been pushed by the Tony Blair Institute, who is funded almost exclusively by Oracle. 

Recently, the U.S. Supreme Court granted a stay allowing President Trump’s removal of FTC Commissioner Rebecca Kelly Slaughter and agreed to review the FTC’s structure under the separation-of-powers doctrine. Slaughter, dismissed in March 2025 along with Commissioner Alvaro Bedoya, had been reinstated by the D.C. Circuit based on Humphrey’s Executor v. United States (1935), which upheld “for-cause” protections for FTC commissioners.

The Supreme Court’s stay blocks her return while it considers whether those protections are constitutional and whether Humphrey’s Executor should be overruled.The outcome could significantly alter the FTC’s independence and its role in privacy and consumer protection enforcement. A ruling narrowing removal protections would weaken the agency’s autonomy, while affirming them would preserve its authority. For privacy law, the decision introduces major uncertainty for ongoing and future FTC enforcement actions

(Compiled by Anthony Perrins)

Sen. Cruz introduced a new bill that would provide for a “regulatory sandbox” for AI companies.

A new product, “friend,” raises some privacy concerns.

In a follow-up to the DOGE data access litigation from the spring, it appears that there was a data breach with the DOGE access to social security information.

An ex-meta employee has filed a whistleblower lawsuit against Meta over “systematic cybercecurity failures.” The suit alleges that the whistleblower alerted Meta to security failures, but was rebuffed and retaliated against.

A California law attempting to limit minors’ exposure to “addicting algorithms” was upheld against a First Amendment challenge in the Ninth Circuit. (opinion here)

Anthropic has settled its class action complaint brought against it by a group of authors for $1.5 billion.

Warner Bros has jumped on the bandwagon of suing Midjourney AI for alleged copyright infringement.

The MTA is updating its advertising guidelines.

A growing amount of states are attempting to protect neural data as PII

Apologies for the delayed post this week; was still trying to figure out wordpress