Deepfakes: A New Form of Workplace Sexual Harassment

In recent years, there has been an uptick in workplace harassment claims arising from images generated or edited by artificial intelligence. Regardless of whether the conduct at issue occurred on the job or off duty, courts have shown a willingness to hold employers liable, leaving employers exposed to significant costs from employee misconduct.

Current Cases

Employer liability arising from AI-generated content may stem from actionable workplace harassment claims. The content at issue may include falsified videos, audio and images containing sexually explicit material that depicts a real person without their consent.

Current and pending litigation involving these types of claims includes:  

  • Carranza v. City of Los Angeles (Cal. Ct. App. 2025). The California Court of Appeal affirmed a $4 million award to a female police captain after a deepfake photo depicting her topless circulated in the workplace. The dissemination of the image in the workplace was held to be actionable workplace harassment.
  • Pearson v. State of Washington (Wash. Super. Ct. 2025). Washington State Patrol trooper Collin Pearson alleges coworkers circulated an AI-generated kissing video that created a hostile work environment based on sexual orientation.
  • Friedrichs v. Scripps Media, Inc. (M.D. Tenn. 2025). Former Nashville meteorologist Bree Smith Friedrichs alleges her employer failed to address sexually explicit deepfake images and retaliation tied to workplace sexism claims. 

What about other federal statutes? 

Workplace harassment claims often interact with Title VII of the Civil Rights Act of 1964, which prohibits discrimination on the basis of sex. Additionally, Section 230 of the Communications Decency Act limits liability for platforms where harmful content is posted. This means that if, for example, an employee distributes an AI-generated non-consensual image on a workplace messaging system (e.g., Slack, Microsoft Teams chat, etc.), the employer, as opposed to the platform, may still be held liable. Additional claims at play may include:

  • Title VII of the Civil Rights Act of 1964. The primary federal employment law used in deepfake cases. It supports hostile work environment, sexual harassment, sex discrimination, and retaliation claims. Employers face liability if they knew of the conduct and failed to investigate or stop it.
  • TAKE IT DOWN Act. The first major federal deepfake-specific law. It criminalizes knowingly publishing nonconsensual intimate imagery, including AI-generated “digital forgeries.” Requires covered platforms to remove reported content rapidly.

Are state laws involved? 

State laws cover three categories of harm—nonconsensual intimate deepfakes, election deepfakes, and identity impersonation. Additionally, nonconsensual intimate imagery and revenge porn statutes now often explicitly include AI-generated content, prohibiting the distribution of intimate images without consent and adding an additional legal framework supportive of employee claims against employers. 

In California, there are a handful of specific laws addressing this type of AI use, which may include: 

  • AB 602 creates a civil cause of action against anyone who creates and intentionally discloses, or who intentionally discloses, digitized sexually explicit material without the depicted person's consent, providing broad protection against deepfake pornography. Claims arising under this statute are supplemented by strong privacy torts, publicity rights, and CA FEHA for workplace claims.
  • SB 926 explicitly adds AI-generated depictions to CA’s existing revenge porn law. 
  • SB 1381 and AB 1831 extend CA’s protections to include AI-generated content depicting minors. 

Additional laws have been enacted in Connecticut, Michigan, New Jersey, and New York, among other states. Additionally, state and common law claims for defamation may be relevant when deepfakes create false representations that create reputational harm. Deepfake audio and video may be considered evidence of injury. 

What are my potential responsibilities as an employer? 

Although the issue is narrow, addressing it may require comprehensive action in order to preempt potential liability. Employers may consider the following actions:

    • Updating Policies: Ensure that workplace policies clearly prohibit dissemination of sexually explicit material, real or doctored. Draft or update a standalone AI Acceptable Use Policy that names prohibited conduct (creating, possessing, distributing deepfakes targeting coworkers) and specifies that violations are grounds for discipline up to and including termination. 
    • Incorporating Training: Equip HR, legal, and IT teams to recognize and respond to deepfake incidents effectively.
    • Refreshing Investigation and Response Protocols: Encourage prompt investigations, which may include forensic analysis, verification of metadata, and ensuring fairness in credibility assessments for both alleged victims and accused parties. 
    • Reviewing Insurance: Review employment practices liability insurance coverage to confirm whether deepfake-related harassment claims and related cyber incidents are covered. Many existing EPL policies predate generative AI and may contain gaps.

What’s next? 

This is a rapidly evolving area of employment litigation. How state deepfake and AI-related statutes apply to workplace harassment claims is likely to turn on pending federal agency actions and court decisions, which will ultimately determine the limits of employer liability for employees' potentially harassing conduct. Concerned employers may consider monitoring this landscape closely and adjusting compliance programs as litigation continues to shape this area of law.

Overview of the Texas Responsible AI Governance Act

In June 2025, Texas Governor Abbott signed HB 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA, or the Act), into law; it goes into effect on January 1, 2026. With this law, Texas joins California, Colorado and Utah in enacting AI-specific state laws. While TRAIGA as originally introduced provided a comprehensive AI framework, the final version has been significantly pared down. With narrow substantive provisions, TRAIGA focuses on harms caused by AI, and the Act regulates, or completely bans, certain uses of these systems. Businesses that develop or deploy AI systems in Texas should consider measures for compliance with the Act. This may include reviewing system uses and updating the system's documentation with the details the Texas Attorney General (AG) may need to investigate a complaint.

Scope & Applicability

TRAIGA applies broadly to private sector companies that provide AI-generated content or services to Texas residents, even if they are located outside the state of Texas. Additionally, government agencies interacting with the public fall squarely within the scope of the Act.

Substantive Provisions

  • Prohibited Uses for all AI. TRAIGA prohibits certain uses of AI systems for both the public and private sector, including intentionally inciting self-harm, violence or crime; infringing on an individual’s rights; or unlawfully discriminating. The Act also prohibits deploying AI systems that intentionally generate illegal content, as well as child sexual abuse material or sexually explicit chat systems that impersonate children.

Notably, accidental or disparate impact alone is most likely not enough to violate TRAIGA; a purposeful intent to discriminate using the AI system is most likely required.

  • Public Sector: While the scope of TRAIGA includes both public and private entities, there are additional requirements for Texas governmental agencies.
    • Prohibited Uses: Prohibited uses include, among other things, social scoring and uniquely identifying an individual using biometric data, with limited exceptions.
    • Transparency Requirements: Governmental agencies must, among other things, provide conspicuous notice to consumers that are interacting with the AI system – even if this would be obvious to the user; and are prohibited from gathering biometric data without the individual’s informed consent if doing so would infringe that individual’s rights.
Enforcement

With no private right of action, TRAIGA can only be enforced by the Texas AG. The Act requires the attorney general to create an "online mechanism" on the AG's website where consumers can submit complaints of potential violations. If the AG investigates a complaint, developers and deployers of the AI systems may be required to provide information including, but not limited to, a description of the:
  • purpose, intended use, deployment context, and associated benefits of the AI system;
  • categories of data used as inputs and of the outputs produced by the system;
  • types of data used to train the system;
  • evaluation criteria of the performance of the system;
  • known limitations of the system; and
  • post-deployment and user safeguards (e.g., oversight, use and learning processes established to address issues).
If the AG determines a violation has occurred, there is a 60-day cure period. If the violation continues after this period, the AG may bring a claim for, among other things:
  • an injunction;
  • a civil penalty for curable breaches between $10,000 and $12,000;
  • a civil penalty for uncurable breaches between $80,000 and $200,000; and
  • a civil penalty for each day of continued violation between $2,000 and $40,000.
Safe Harbor

Notably, TRAIGA states that a defendant may not be found liable for violations if the defendant substantially complies with the most recent version of the Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (AI RMF Framework) published by the National Institute of Standards and Technology (NIST) or another recognized risk management framework for AI systems.

Sandbox Program

Under TRAIGA, the Texas Department of Information Resources is required to establish a sandbox program. This program would enable developers and deployers of AI systems to obtain legal protection and limited market access. The AG may not file or pursue charges against a program participant for violations of TRAIGA that occur during the testing period.

Effective Date

The Act goes into effect on January 1, 2026.

Overview of New York’s Child Data Protection Act

In June 2024, New York Governor Kathy Hochul signed the New York Child Data Protection Act (Act) into law, which will go into effect on June 20, 2025. Per the Act's justification, "[c]hildren now live much of their lives online," including learning, socializing and shopping. They also "make mistakes online, and they discover who they are online," and, accordingly, they should be able to do so without the "concern of omnipresent monitoring and recording." The Act enables this through two major provisions:
  1. if a digital service knows a user is a minor (or if the service is primarily directed to minors), it will “default to only being able to use that child’s data in a way that is strictly necessary to provide the service;” and
  2. digital services using third-party service providers must “contractually restrict those third parties from using the personal data of minors except for specified purposes” and include additional safeguards to help ensure compliance.
The Office of the New York State Attorney General has also released Implementation Guidance to clarify key questions raised in the rulemaking process.

Scope & Applicability

This Act applies only to conduct occurring in the state of New York. This means that commercial conduct that takes place outside of New York is not covered by the Act if: 1) the user was outside of the state or 2) no data collected while the user was in the state was used.
  • Covered Users. The Act imposes restrictions on processing information of “covered users.” This includes users of websites, online services, or connected devices (the “Websites”) who are: 1) actually known by the operator to be a minor (under 18), or 2) who are using Websites primarily directed to minors.
  • Operator. An operator is defined as any person who offers Websites, who alone – or jointly with others – controls the purposes and means of processing personal data. Notably, one who acts as both a controller and processor shall comply with obligations for both roles, depending on the purposes and means of processing personal data.
  • Personal data. This definition includes any data that identifies or could be reasonably linked, directly or indirectly, with a specific natural person or device.

Substantive Provisions

Processing Restrictions. The Act provides that, among other things, an operator shall not process the personal data of a covered user collected through the Websites, unless one of the following applies:
  1. the user is 12 or younger, and processing is permitted under COPPA;
  2. the user is 13 or older and the processing is “strictly necessary”; or
  3. the user is 13 or older and the processor has received informed consent.
Strictly Necessary Processing. The term “strictly necessary” includes, among other things, processing that is required to:
  • Provide or maintain a specific product or service requested by the covered user;
  • Conduct the operator's internal business operations (excluding those that relate to marketing, advertising, research and development, providing products or services to third parties, or prompting covered users to use the Websites when they are not in use); and
  • Identify and repair technical errors that impair functionality.
According to the Implementation Guidance, whether processing is "strictly necessary" to provide a product or service requested by a covered user depends on the "expectations of a reasonable covered user," similar to the guidance provided under the CCPA regulations. The Guidance also clarifies that business operations "shall not include any activities relating to marketing, advertising, research and development, [or] providing products or services to third parties."

Informed Consent. If the processing is not "strictly necessary," the operator will need informed consent, obtained through either: 1) a device communication or signal, or 2) an informed consent request. A request for informed consent should, among other things:
  1. be made separately from any part of the transaction;
  2. clearly and conspicuously state that the processing is not strictly necessary, and that consent is not mandatory to continue using the Websites; and
  3. clearly present the option to refuse consent as the most prominent option.
Additionally, the user should be able to revoke consent at any time as easily as they provided it.

Enforcement

The New York Attorney General may bring an action or special proceeding to enjoin any violation of this Act, and to obtain civil penalties of up to $5,000 per violation. Further, the Act gives the New York Attorney General authority to issue rules and regulations as necessary, and according to the Implementation Guidance, the Office of the Attorney General intends to issue these rules. The Implementation Guidance also states that, until such rules are finalized, the Office of the Attorney General will exercise discretion in pursuing enforcement actions, taking good-faith compliance efforts of covered businesses into account.

Effective Date

The Act goes into effect on June 20, 2025.
DOJ Issues Final Rule on US Bulk Sensitive Data

The International Emergency Economic Powers Act (IEEPA) vests the President with authority to deal with extraordinary threats to national security and foreign policy that have their source in part or in whole outside of the United States. Acting pursuant to the IEEPA, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data By Countries of Concern” (the EO). The EO directed the Department of Justice (DOJ or Department) to establish and implement regulations addressing threats from certain countries of concern attempting to access and exploit bulk amounts of US sensitive data, including personal and government data. On December 27, 2024, the DOJ issued the Final Rule, which went into effect on April 8, 2025. Additional compliance provisions for certain transactions take effect on October 6, 2025. The Final Rule prohibits or restricts a range of transactions involving categories of bulk sensitive personal data or government-related data between the US and countries of concern or covered persons. In assisting businesses to adapt to this comprehensive update, the DOJ provided a Fact Sheet, a Compliance Guide, and over 100 FAQs on the Final Rule, along with an Implementation and Enforcement Policy. Below are five main takeaways that US entities may want to consider in light of these regulations.
  1. Enforcement May Be More Lenient Until July 8, 2025 
The DOJ’s Implementation and Enforcement Policy, states that the Department will “target its enforcement efforts during the first 90 days to allow US persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the [Final Rule].” The Department’s civil enforcement actions for violations of the Final Rule will not be a priority “so long as the person is engaging in good faith efforts to comply with or come into compliance with the [Final Rule] during that time.” However, the Department makes clear that it will “pursue penalties and other enforcement actions as appropriate for egregious, willful violations” during the delayed enforcement period.
  2. DOJ Will Consider Good Faith Efforts to Comply
While the Implementation and Enforcement Policy reflects that civil actions for violations of the Final Rule will not be a priority, this depends on the entity’s good faith effort to comply. According to this Policy, examples of evidence of good faith efforts may include, but are not limited to:
  • Conducting internal reviews of access to sensitive data.
  • Conducting internal reviews to determine whether transactions involving access to such data flows constitute data brokerage.
  • Reviewing internal datasets and datatypes to determine if they are subject to the Final Rule.
  • Conducting due diligence on potential new vendors.
  • Renegotiating vendor agreements or negotiating contracts with or transferring products or services to new vendors.
  • Adjusting employee work locations, roles or responsibilities.
  • Evaluating investments from countries of concern or covered persons.
  • Implementing the CISA Security Requirements.
  3. “Good Faith” May Include Satisfying CISA Security Requirements
A good-faith effort to comply may be demonstrated, in part, by implementing the CISA Security Requirements, which were developed concurrently with the Final Rule pursuant to the EO. The security requirements are intended to address the threats that arise when conducting restricted transactions. They are divided into two sections: i) organizational- and covered system-level requirements; and ii) data-level requirements.
  4. Before October 6, 2025, Determine if Your Company is Conducting Restricted Transactions
US entities engaged in restricted transactions under the Final Rule have affirmative data compliance program and audit obligations, among other obligations. In addition, the Final Rule provides that data brokerage transactions with any foreign entity are prohibited unless the US person contractually prohibits the foreign entity from engaging in subsequent transactions involving that data with a country of concern or covered person. US persons must also report any known or suspected violation of this contractual requirement.
  5. An Iterative Review Plan May be Needed for Covered Transactions
With the Final Rule coming into effect and enforcement nearing, US companies that engage in certain data transactions or share information with third parties that may be covered persons or countries of concern should evaluate their transactions and data practices. After a thorough review of the types of information collected, who that information is shared with, and who is involved in the processing of that data, it may be helpful to adopt a compliance policy to ensure transactions are being handled appropriately in light of the Final Rule.
The Do’s and Don’ts of DSARs: A Practical Guide for Responding to Data Subject Access Requests

Handling data subject access requests (DSARs) isn’t as easy as ticking a compliance checkbox. It can be a test of an entity’s data organization, internal communication, and understanding of legal requirements. Between navigating jurisdictional nuances and meeting strict deadlines, the DSAR response process can quickly unravel without a clear plan. In this guide, we suggest best practices for handling and responding to DSARs, along with tips and common pitfalls to avoid when planning effective responses.

1.    Understand the Individual’s Ask

Under data privacy laws around the world, including those in the US and EU, individuals may have rights over the personal data collected about them by covered entities. Individuals generally exercise those rights through DSARs submitted to the relevant entities. These rights can include, but are not limited to:
  • Accessing Data: Individuals may request access to all or specific categories of their personal data.
  • Ceasing Data Processing: Individuals may request the entity stop processing their personal data.
  • Data Correction or Deletion: Individuals may request rectification of inaccurate or outdated personal data or even request the deletion of their personal data.
  • Processing Information: Individuals may request what their personal data is used for and why.
  • Portability: Individuals may request to receive a copy of their personal data in a portable format.
When an individual makes a request to exercise one of these rights, the entity must then respond to the request within a set time frame determined by the applicable law. These time frames differ between applicable laws, so the first step is ensuring you know the appropriate time frame to apply.

Who can submit a DSAR?

DSARs may be submitted by individuals whose data is processed by entities under the scope of laws like the GDPR and US state privacy laws. Depending on the jurisdiction, DSARs may also be submitted by employees of the covered entity or by agents appointed by the individual and authorized to submit DSARs on the individual's behalf.

Why are DSARs important?

DSARs allow individuals to determine what information a covered entity holds about them, how it's being used, and why it is being processed. In short, they empower individuals to understand and exert some control over their personal data. Additionally, DSARs serve as a tool to confirm that covered entities are upholding their promises: by using these requests, individuals can check whether entities are adhering to both privacy laws and customer privacy notices. This allows individuals to better hold entities accountable for lawful data processing.

2.    Build A Response Team

Given the complexity of modern data systems, internal collaboration is essential when handling DSARs. Clear communication helps ensure DSARs are handled effectively, especially for more comprehensive requests, like deleting or accessing an individual's data. To build your response team, start by identifying key players. Privacy officers can help oversee legal and regulatory compliance, data experts can help retrieve and process data securely, and communication teams can help draft clear responses to requests and questions. While the specific structure of each team will vary based on the covered entity's size and complexity, every member of the team should understand the DSAR requirements and their specific responsibilities, and get proper training based on their role.

Do: Train Your Team

Training is critical to help every member of the team understand the importance of DSARs and their role in maintaining compliance. This isn't about knowing the legal jargon: each team member should be able to recognize these requests (even if worded in a vague or informal way) and know how to execute the steps required to meet deadlines. Since each DSAR is unique, teams should also have a clear point of contact for guidance and next steps if there is any confusion.

Don't: Delay Decisions

Effective responses generally take effective planning. Because of the tight DSAR response deadlines imposed by applicable laws, covered entities should plan for these requests before they arrive. By defining clear rules, covered entities can avoid last-minute confusion and chaos when responding to DSARs.

3.    Prepare A Playbook

The regulatory landscape governing DSARs is far from uniform. Because each law may have its own requirements and response timeline, it is essential to understand jurisdiction-specific obligations. A playbook is a simple way to address these obligations in one place and guide the response team through a step-by-step process. To create a playbook, consider:
  • Legal scope: Identify applicable laws based on where the entity operates and whose personal data they process.
  • Verification requirements: Confirm the verification requirements, if any, under each law to determine what steps are needed to confirm the identity of the individual submitting the DSAR.
  • Data retrieval methods: Determine what tools and workflows are needed to locate and compile data efficiently, and how this information may be transmitted to the individual, if necessary.
  • Template responses: Draft standardized responses for anticipated outcomes, like fulfillment or denial of requests, or requests for additional information.
  • Escalation plans: Provide guidance for handling complex requests.
Playbooks should be regularly reviewed to reflect changes in regulations or operational processes.

Do: Note the Nuances of Each Law

Laws that provide individuals with rights over their personal data commonly include exemptions, such as for data that is covered by other laws. Double-check and note these requirements for each jurisdiction and ensure that the playbook is annotated in a way that users can easily understand.

Don't: Forget to Customize

Using the same strategy for every DSAR risks a misstep in responses. Privacy laws are often unique, and failing to adapt to these nuances can lead to delays, incomplete responses, or even regulatory penalties. By making your playbook specific to both your entity's needs and the requirements of each jurisdiction, you are better preparing your team to handle DSARs.

4.    Respond Effectively

Most data privacy laws require a response within a certain time frame from when the request was received. In other words, once a DSAR is received, a clock usually starts ticking. We suggest the following steps as a starting place for a well-executed response, but your steps should be tailored to the applicable legal requirements:
  1. Acknowledge the Request: Confirm the request and provide a clear timeline for how the request will be handled.
  2. Verify the Identity (as needed): Ensure the individual's identity is confirmed, if required by the relevant laws.
  3. Locate and Collect Data: Collaborate across departments as needed to gather the relevant information.
  4. Review Data for Exceptions: Identify data that may be exempt from disclosures or require redaction, like data that pertains to another individual.
  5. Respond Clearly: Deliver the response in a clear, accessible format with an explanation of how that response was arrived at.
  6. Record and Learn: Maintain detailed records for accountability and review the process regularly.
Do: Build a Feedback Loop

The best way to learn is by doing. After developing your playbook, perform a trial exercise to ensure your communication is streamlined and a test request is handled as expected. Then, talk to your team to review what went well and what improvements are needed. By viewing this process as iterative, with modifications and refinements made along the way, the DSAR response team can effectively grow and shift with the volume of requests or any regulatory changes.

Don't: Overlook Redaction and Exemptions

Redaction and exemptions can easily be overlooked, but neglecting these steps can lead to non-compliance, or even a breach. Always double-check any information before it is disclosed and verify that all information is accounted for and handled appropriately.

While typically seen as a compliance obligation, DSARs can also present an opportunity for entities to demonstrate data privacy and transparency. Each DSAR is a chance to refine operations, and with a capable response team and a detailed playbook, entities can approach the process with a better understanding of compliance.