Privacy & Information Security Law Blog

On January 13, 2025, Texas Attorney General Ken Paxton announced lawsuits against Allstate and its subsidiary, Arity (together, “Allstate”), for the unlawful collection, use and sale of precise geolocation data collected through Allstate’s mobile apps, in violation of Texas’s comprehensive data privacy law. The AG’s office alleges that Allstate then used this covertly obtained data to justify raising insurance rates.

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

In December 2024, the Centre for Information Policy Leadership at Hunton Andrews Kurth published a discussion paper titled, “Applying Data Protection Principles to Generative AI: Practical Approaches for Organizations and Regulators.”

On November 8, 2024, the California Privacy Protection Agency Board hosted its public bimonthly meeting, during which it adopted new regulations applicable to data brokers and initiated the formal rulemaking process for proposed regulations for risk assessments, cybersecurity audits, automated decisionmaking technologies and AI, and insurance.

On October 31, 2024, the UK Information Commissioner’s Office published its response to the draft Data (Use and Access) Bill.

On July 16, 2024, the California Privacy Protection Agency Board held a public meeting and discussed next steps regarding its upcoming Formal Rulemaking for Automated Decisionmaking Technology, Risk Assessments, Cybersecurity Audits, Insurance, and Updates to Existing Regulations.