And then there were six!
On March 28, 2023, Gov. Reynolds of Iowa signed into law SF 262, a bill for an act relating to consumer data protection. By signing the bill into law, Gov. Reynolds established Iowa as the sixth state to establish a comprehensive data protection framework. “In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Gov. Reynolds. “That’s exactly what this bill does,...
The EU’s Digital Markets Act: Who it regulates, how to comply, and next steps
On October 12, 2022, the Digital Markets Act (DMA) was published in the Official Journal of the EU, thereby creating a new framework for regulating the European Union’s digital market.[1] The DMA seeks to prohibit certain unfair business practices by establishing rules and obligations for entities known as “gatekeepers,” which are large online platforms whose services have a significant impact on the EU internal market.[2] The DMA works in conjunction with its sibling law, the Digital Services...
Metaverse Law’s Lily Li to guest star on Threat Watch podcast to discuss risks of ChatGPT, generative AI, and LLMs
Near the end of 2022, generative AI models became something of a sensation. Art-based models like Midjourney, DALL-E, and Stable Diffusion threw the art world into a panic, prompting companies to ban AI-generated art.[1] Models like ChatGPT—and its underlying GPT-3.5 and GPT-4 LLMs—seemingly invaded every social sphere, from academia[2] to big tech,[3] and prompted many to start asking, “Will AI replace us?”[4] Given all this buzz around generative AI and LLMs, it’s only natural to consider the...
The Digital Services Act: EU’s new gold standard for regulating online services and search engines
On October 19, 2022, the Digital Services Act (DSA) was published in the Official Journal of the European Union, thereby triggering its entry into force.[1] The DSA creates a first-of-its-kind regulatory framework that, like the General Data Protection Regulation (GDPR), could set an international benchmark for regulating intermediary services such as search engines, e-commerce platforms, hosting services, and more. [2] To achieve these regulatory goals, the DSA creates a pyramid-like, category...
Creating trustworthy AI and reducing liability with NIST’s AI Risk Management Framework
On January 26, 2023, the National Institute of Standards and Technology (NIST) released the first version of the Artificial Intelligence Risk Management Framework (AI RMF).[1] The AI RMF is a voluntary resource meant to help organizations “manage the many risks of AI and promote trustworthy and responsible development and use of AI systems.”[2] To support the goal of the AI RMF, NIST supplemented its release with a companion NIST AI RMF Playbook,[3] AI RMF Explainer Video,[4] an AI RMF Roadmap,...
What the EU’s Artificial Intelligence Act will mean for the global AI industry
On April 21, 2021, the European Commission proposed the Artificial Intelligence Act (AIA), a regulatory and legal framework for artificial intelligence systems.[1] On December 5, 2022, the Council of the European Union adopted its general approach to the AIA, which incorporated changes to the regulation.[2][3] Germany announced support for the AIA, but “sees some need for improvements.”[4] In similar fashion, the Federal Trade Commission (FTC) published an article on April 19, 2021, calling for...
Guidance on Artificial Intelligence and Data Protection
[Updated: March 7, 2024] For many of us, Artificial Intelligence (“AI”) represents innovation, opportunities, and potential value to society. For data protection professionals, however, AI also represents a range of risks involved in the use of technologies that shift processing of personal data to complex computer systems with often opaque processes and algorithms. Data protection and information security authorities as well as governmental agencies around the world have been issuing guideli...
hiQ v. LinkedIn: User Agreements in the Age of Data Scraping
On November 4, 2022, LinkedIn announced a “significant win” for the platform and its members against “personal data scraping.” The win resulted from a 6-year legal battle that asked, in part, whether LinkedIn must allow hiQ Labs to scrape data from the public profiles of LinkedIn members. Last Friday, the U.S. District Court for the Northern District of California answered that question by ruling that LinkedIn’s User Agreement “unambiguously prohibits hiQ’s scraping and unauthorized use of the...






