Photo of Danny Riley

Danny Riley

Subscribe to Danny Riley's Posts
Contact:Read more about Danny Riley
google-deepmind-LIlsk-UFVxk-unsplash

When Colorado enacted the first comprehensive state AI law in 2024, it imported the conceptual architecture of the EU AI Act: a risk-based regime built on duties of care, risk management programs, and impact assessments. Two years later, and within a matter of weeks, the state has dismantled that legislation. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals SB 24-205 and replaces it with a disclosure-and-rights framework focused on automated decision-making technology (“ADMT”). The new framework takes effect January 1, 2027.

The substance of the rewrite has been well-covered already. Less examined is how Colorado got here, and what the speed and direction of the pivot signal for the rest of the state AI regulatory landscape. The new bill was introduced and signed within two weeks of its introduction. The Governor’s AI Policy Working Group did the heavy lift in advance: roughly six months of stakeholder consultation produced the draft framework released on March 17, 2026. But the final two-week sprint reflects pressure to land the rewrite before the original AI Act’s June 30, 2026 effective date and amid escalating federal headwinds.

The Federal Backdrop

On December 11, 2025, the White House issued an executive order (“EO”) titled, “Ensuring a National Policy Framework for Artificial Intelligence.” The EO directs federal agencies to challenge conflicting state AI laws through litigation and coordinated federal action, and urges development of a preemptive national framework. It specifically named Colorado’s AI Act as an example of a state law that, in the administration’s view, would compel AI systems to “produce false results in order to avoid a ‘differential treatment or impact’ on protected groups.”

Continue Reading Colorado’s AI Reset: Two Weeks, a White House Callout, and a Pivot Away from the EU Model
brianpenny-ai-generated-8540917

Legal500 featured an article by Seyfarth partners Kathleen McConnell and Lauren Gregory Leipold, and associate Daniel Riley“AI Governance In (and Beyond) Privacy: Regulatory Tensions in Automated Decision‑Making, the Digital Authenticity Crisis, and Restrictions on Professional Use.

The piece, published as a part of the Legal500 Country Comparative Guides, examines the rapidly

akshat-sharma-mrTVz_fosMY-unsplash

Now in its sixth year, Seyfarth’s Commercial Litigation Outlook provides a clear view into the forces reshaping business disputes in 2026. This year’s analysis highlights a risk landscape defined by accelerating technological change, an increasingly fragmented regulatory environment, and growing economic pressures across multiple industries.

According to the Outlook, artificial intelligence is creating new categories of legal risk, from the challenges of authenticating AI‑generated content to navigating the use of algorithmic tools while courts and regulators rapidly reset expectations around emerging technology. At the same time, state‑level regulation continues to expand, particularly around non‑competes, privacy, and biometrics, creating a compliance patchwork that requires businesses to adapt strategies by jurisdiction. Coupled with elevated interest rates, rising debt, and post‑pandemic strain, especially in real estate, health care, and franchise sectors, the commercial litigation environment remains fluid, fast‑moving, and resistant to neat predictions. Against this backdrop, eDiscovery, information governance, and cybersecurity response functions play increasingly central roles in managing litigation risk and staying ahead of shifting expectations.

Authored by Jay Carle, Matthew Christoff, and Danny Riley, this year’s eDiscovery & Innovation article spotlights one of the most significant and fast‑moving risks in the discovery landscape: the rise of AI‑enabled notetaking and meeting‑summarization tools. As generative AI capabilities become embedded directly into videoconferencing platforms, these tools now routinely record meetings, create transcripts with speaker attribution, and auto‑generate summaries—often by default. The result is a sudden proliferation of new, unvetted records that can capture sensitive, strategic, or privileged conversations. The article warns that these tools exponentially increase the risk of inadvertent disclosure, while also creating evidentiary challenges when transcripts or summaries are later used to establish what was said, by whom, and with what intent.

The article also highlights that litigation risk is expanding beyond the developers of these tools to the organizations deploying them. AI notetakers raise overlapping consent, privacy, wiretap, and biometric concerns, and courts will increasingly scrutinize whether companies can demonstrate how meeting data was captured, stored, and controlled. As with prior waves of privacy litigation, the differentiator will be operational discipline: organizations that implement clear governance around meeting recording, restrict distribution of AI‑generated outputs, and define authoritative versions of records will be far better positioned to defend against disclosure missteps, authenticity disputes, and statutory claims.

Click here to download the 2026 Commercial Litigation Outlook.

Continue Reading The Changing Discovery Landscape: Takeaways from Seyfarth’s 2026 Commercial Litigation Outlook
zeng-yili-QWKAv65uhQs-unsplash

When Judge Jed Rakoff ruled in United States v. Heppner (S.D.N.Y. Feb. 17, 2026)  that documents a criminal defendant created through exchanges with Anthropic’s Claude platform weren’t protected by attorney-client privilege or the work product doctrine, the decision generated significant attention across the legal community. Many practitioners read that ruling as a sweeping statement: using

thomas-lefebvre-gp8BLyaTaA0-unsplash

On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations for the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. These cover Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications for the CCPA’s applicability to Insurance Companies. The package will move into its final review stage before formal enactment, once filed with the California Office of Administrative Law.

CCPA Steering Toward Operational Compliance

This is a clear signal that privacy compliance expectations in California are trending toward a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially when automated decision-making and high-risk data processing is involved. For companies, this is more than just a theoretical update – it’s a clarion call to ensure these requirements are built into day-to-day governance, technology and process design, and vendor management practices.

Continue Reading California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know
kevin-ku-w7ZyuGYNpRQ-unsplash (2)

The California Privacy Protection Agency (“CPPA”) has made it abundantly clear: privacy compliance isn’t just about publishing the right disclosures – it’s about whether your systems actually work. On May 6, the agency fined Todd Snyder, Inc. $345,178 for failures that highlight a growing regulatory focus on execution of California Consumer Privacy Act (“CCPA”) compliance. The action sends a powerful message: even well-resourced companies are not insulated from enforcement if they don’t actively test and manage how privacy rights are honored in practice.

Not Just Tools – Working Tools

The action against Todd Snyder was rooted in executional failure. The company had a portal in place for consumer rights requests, but it wasn’t processing opt-out submissions – a failure that lasted for roughly 40 days, according to the CPPA. The cookie banner that should have enabled consumers to opt out of cookie tracking would disappear prematurely, preventing users from completing their requests.

The company further required users to verify their identity before opting out and requested sensitive personal information, such as a photograph of their driver’s license. The CPPA determined this was not only unnecessary, but a violation in itself. The allegations around improper verification reflect concerns raised in a CPPA Enforcement Advisory issued last year, which cautioned businesses against collecting excessive information from consumers asserting their privacy rights.

Continue Reading CPPA Underscores That Businesses Own CCPA Compliance – Even When Privacy Management Tools Fail
kaffeebart-KrPulSdUetk-unsplash (1)

On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, titled “Cybersecurity Guidance Update.” The updated guidance clarifies that the DOL cybersecurity guidance applies to all ERISA-covered plans, and not just retirement plans, but also health and welfare plans. Also, as a direct response to service providers’

rodion-kutsaiev-0VGG7cqTwCo-unsplash (3)

Seyfarth Synopsis: In a significant decision for website operators, the Massachusetts Supreme Judicial Court clarified that tracking users’ web activity does not constitute illegal wiretapping under the state’s Wiretap Act. The court found that person-to-website interactions fall outside the Act’s scope, which focuses on person-to-person communications. However, the court emphasized that other privacy laws could

rob-king-Au6eR7Yg9CY-unsplash (1)

Corporations face unprecedented challenges in safeguarding sensitive data and mitigating privacy risks in an era marked by the rapid proliferation of Internet of Things, or IoT, devices.

Recent developments, including federal and state regulators’ heightened focus on privacy enforcement, highlight the importance of proactive risk management, compliance and data governance. As IoT and smart devices continue to hit the marketplace, heightened scrutiny for businesses’ data governance practices follows.

The Federal Trade Commission’s recent technology blog, “Cars & Consumer Data: On Unlawful Collection & Use”[1] underscores the agency’s commitment to enforcing consumer protection laws. Despite their blog’s focus on the car industry, the FTC’s message extends to all businesses, emphasizing its vigilance against illegal — or “unfair and deceptive” — collection, use and disclosure of personal data.

Recent enforcement actions are a stark reminder of the FTC’s proactive stance in safeguarding consumer privacy.

Geolocation data is a prime example of sensitive information subject to enhanced protections under the Federal Trade Commission Act. Much like mobile phones, cars can reveal consumers’ persistent, precise locations, making them susceptible to privacy infringements.

Continue Reading Careful Data Governance Is a Must Amid Enforcement Focus

The European Union (EU)’s government organizations are just like any another entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way