It has been a busy spring for data privacy in the Southeast. On April 17, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351). Weeks later, on May 11, 2026, Governor Kemp signed Georgia’s SB 111. There is an important caveat there: although the Senate-passed version of SB 111 carried the title “Georgia Consumer Privacy Protection Act,” the House substituted the bill’s entire text with unrelated amendments to the rural hospital tax credit. The Senate agreed to the substitute on April 2, and the version Kemp ultimately signed has nothing to do with consumer privacy. Legislative tracking services continue to display the original title, which has caused understandable confusion, but Georgia did not enact a comprehensive privacy law this session.

That leaves the Southeast with three states currently operating under a comprehensive privacy statute: Florida (in effect since 2024), Tennessee (in effect since 2025), and Alabama (taking effect in 2027). Georgia remains a state to watch, with sponsors expected to introduce a successor measure when the new General Assembly convenes in 2027. And in keeping with the national trend, each state’s “omnibus” law (or proposed law) takes a slightly different approach with qualifying thresholds and defined terms. This article provides a short summary of what businesses operating in the region need to know and what they should be working on today.

Who Is Covered: Three Enacted Laws and Three Thresholds (and a Note on Georgia)

The biggest difference among the three enacted statutes is the way each defines businesses that must comply.

Florida’s Digital Bill of Rights (FDBR), which took effect on July 1, 2024, has the narrowest scope by a wide margin. The FDBR imposes obligations on controllers with annual global revenue of more than $1 billion that also meet one of three additional criteria: derive 50% or more of annual revenue from selling online ads, operate a consumer smart speaker with an integrated virtual assistant, or operate an app store with at least 250,000 applications. By design, the majority of the FDBR’s controller obligations apply only to the largest tech and platform companies. As a practical matter, most Southern businesses will never need to worry about Florida’s controller obligations, though enforcement has now begun. The Florida AG’s October 2025 action against Roku is a useful reminder that the FDBR is no longer dormant for the companies that do qualify.

Continue Reading Southeastern Privacy Laws Taking Shape: Current and Upcoming Omnibus Laws for Alabama, Georgia, Florida, and Tennessee

When Colorado enacted the first comprehensive state AI law in 2024, it imported the conceptual architecture of the EU AI Act: a risk-based regime built on duties of care, risk management programs, and impact assessments. Two years later, and within a matter of weeks, the state has dismantled that legislation. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals SB 24-205 and replaces it with a disclosure-and-rights framework focused on automated decision-making technology (“ADMT”). The new framework takes effect January 1, 2027.

The substance of the rewrite has been well-covered already. Less examined is how Colorado got here, and what the speed and direction of the pivot signal for the rest of the state AI regulatory landscape. The new bill was signed within two weeks of its introduction. The Governor’s AI Policy Working Group did the heavy lift in advance: roughly six months of stakeholder consultation produced the draft framework released on March 17, 2026. But the final two-week sprint reflects pressure to land the rewrite before the original AI Act’s June 30, 2026 effective date and amid escalating federal headwinds.

The Federal Backdrop

On December 11, 2025, the White House issued an executive order (“EO”) titled, “Ensuring a National Policy Framework for Artificial Intelligence.” The EO directs federal agencies to challenge conflicting state AI laws through litigation and coordinated federal action, and urges development of a preemptive national framework. It specifically named Colorado’s AI Act as an example of a state law that, in the administration’s view, would compel AI systems to “produce false results in order to avoid a ‘differential treatment or impact’ on protected groups.”

Continue Reading Colorado’s AI Reset: Two Weeks, a White House Callout, and a Pivot Away from the EU Model

The lesson from the PocketOS database deletion is not that agentic AI is dangerous. It’s about governance and controls.

You have probably seen some version of the headline by now: “AI Agent Deletes Company’s Entire Database in 9 Seconds.” It is a compelling story. But the headline, while technically accurate, obscures the far more important lesson buried in the details.

So what actually happened? PocketOS, a small SaaS company that makes software for car rental businesses, was using a popular AI-powered code editor running on Anthropic’s Claude Opus 4.6 model. The AI agent was tasked with resolving a routine issue in a staging environment. When it hit a credential mismatch, the agent decided on its own initiative to “fix” the problem by deleting a volume on Railway, the company’s cloud hosting provider. The agent found a password in an unrelated file and used it to execute a deletion command. Because of the permissions made available to the agent and the way access to the infrastructure was configured, that single command, using a password that was valid across all systems, wiped both the production database and all associated backups.

The agent, when asked to explain itself, produced what multiple outlets described as a “confession,” acknowledging it had violated its own safety instructions. The story has gone viral. The framing in most coverage puts the AI squarely at the center of the narrative: the agent “went rogue,” it “confessed,” it acted autonomously and destroyed a business. But the reports are not entirely accurate and usually miss the point.

Continue Reading The AI Didn’t Go Rogue. Guardrails Were Never There.

When Judge Jed Rakoff ruled in United States v. Heppner (S.D.N.Y. Feb. 17, 2026) that documents a criminal defendant created through exchanges with Anthropic’s Claude platform weren’t protected by attorney-client privilege or the work product doctrine, the decision generated significant attention across the legal community. Many practitioners read that ruling as a sweeping statement: using

Seyfarth Shaw is proud to sponsor the 2025 Masters Conference, a premier boutique legal event hosted in cities across the U.S., as well as in Toronto and London. The conference will be held on Tuesday, May 20, 2025, at Seyfarth’s Chicago office and will feature keynote presentations, panel discussions, workshops, and networking opportunities.

Topics will include eDiscovery, Artificial Intelligence, Information and Data Governance, Legal Project Management, Forensics and Investigations, Knowledge Management, and Cybersecurity.

Seyfarth partners Jay Carle, Matthew Christoff, and Jason Priebe will share their insights as featured panelists throughout the day. Additional information about their panel topics is outlined below.

For more information and to register, click here.

Continue Reading Seyfarth to Sponsor and Present at 2025 Masters Conference

On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, titled “Cybersecurity Guidance Update.” The updated guidance clarifies that the DOL cybersecurity guidance applies to all ERISA-covered plans: not just retirement plans, but also health and welfare plans. Also, as a direct response to service providers’

Corporations face unprecedented challenges in safeguarding sensitive data and mitigating privacy risks in an era marked by the rapid proliferation of Internet of Things, or IoT, devices.

Recent developments, including federal and state regulators’ heightened focus on privacy enforcement, highlight the importance of proactive risk management, compliance and data governance. As IoT and smart devices continue to hit the marketplace, heightened scrutiny of businesses’ data governance practices follows.

The Federal Trade Commission’s recent technology blog, “Cars & Consumer Data: On Unlawful Collection & Use”[1] underscores the agency’s commitment to enforcing consumer protection laws. Despite the blog’s focus on the car industry, the FTC’s message extends to all businesses, emphasizing its vigilance against illegal — or “unfair and deceptive” — collection, use and disclosure of personal data.

Recent enforcement actions are a stark reminder of the FTC’s proactive stance in safeguarding consumer privacy.

Geolocation data is a prime example of sensitive information subject to enhanced protections under the Federal Trade Commission Act. Much like mobile phones, cars can reveal consumers’ persistent, precise locations, making them susceptible to privacy infringements.

Continue Reading Careful Data Governance Is a Must Amid Enforcement Focus

On August 2, 2024, Illinois Governor J. B. Pritzker signed legislation reforming Illinois’ Biometric Information Privacy Act (BIPA). Senate Bill 2979 immediately amends BIPA to limit a private entity’s potential liability for collecting or sharing biometric data without consent.

The BIPA amendment followed a call for action directed at the legislature from the Illinois courts.

The European Union (EU)’s government organizations are just like any other entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way

This post was originally published to Seyfarth’s Global Privacy Watch blog.

On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe-based commerce, hoping it will help businesses streamline cross-Atlantic data transfers, and by