Data Protection

Fifth Circuit Order Reverts HSR Filings to Old Form

On March 19, 2026, the U.S. Court of Appeals for the Fifth Circuit denied the Federal Trade Commission’s (“FTC”) motion for a stay pending appeal in the ongoing litigation challenging the recent February 2025 expansion of pre-merger reporting requirements under the Hart-Scott-Rodino (“HSR”) Antitrust Improvements Act of 1976. Previously, in a February 12, 2026 Order, a Texas federal court ruled that the expanded requirements “exceed[] the FTC’s statutory authority because the agency has not shown that the rule’s claimed benefits will ‘reasonably outweigh’ its significant and widespread costs.” Shortly thereafter, the FTC filed an appeal with the Fifth Circuit and sought an emergency stay of the District Court’s Order pending the outcome of their appeal. On February 19, 2026, the Fifth Circuit granted an administrative stay “until further order of [the] court” while it reviewed but ultimately decided in its most recent Order that the stay should not be maintained pending a final outcome of the appeal. As a consequence of this decision, the expanded requirements that were imposed by the updated HSR form have been vacated, although there is a chance that they could be reinstated if the FTC is successful on appeal. In accordance with the Order, the FTC has announced that it will begin accepting HSR filings on the prior, pre-February 2025 HSR Form although it will continue to accept filings submitted on the new HSR form on a voluntary basis. Parties preparing to submit HSR filings should consult with counsel to assess the best approach in light of this new HSR filing framework. The Lewis Rice HSR team is available to advise and will continue to monitor developments as the FTC’s appeal proceeds.

Kyle M. Binns Selected for Membership in American College of Real Estate Lawyers

Lewis Rice Obtains $532,226 in Compensation for Landowners in Dutchess and Putnam Counties

Effective February 23, 2026: Changes in the Minimum Standard Detail Requirements for ALTA/NSPS Land Title Surveys

Effective February 23, 2026, the American Land Title Association^® (ALTA^®) and the National Society of Professional Surveyors, Inc. (NSPS) adopted certain changes to the "Minimum Standard Detail Requirements for ALTA^®/NSPS Land Title Surveys," including the Table A optional survey responsibilities and specifications, replacing the prior 2021 standards. Click here to view the redline changes between the prior 2021 and the new 2026 standards. We have summarized below the more notable changes for the consideration of property owners, prospective purchasers, investors and lenders: Surveyors must note on the face of the plat or map any verbal statements by interested landowners or occupants as to title or boundary issues related to the surveyed property. (Section 6(D)(ii)(l)) New Table A Item 20: Surveyors must summarize the following conditions and potential encroachments in a table on the face of the plat or map, which conditions must be readily located on the face of the plat or map. Potential encroachments onto and from an adjoining property Potential encroachments into rights of way and easements Potential encroachments into setbacks (provided setback requirements are provided to the surveyor) Physical access between adjoining parcels where there is no easement for such access Use of adjoining parcel by surveyed property without the benefit of an easement for such use [Practical Tip: Because this requirement was added to Table A, it is optional, not standard, and clients must specifically elect for such information to be shown on the face of the plat or map.] Surveyors are required to observe evidence of possession for occupation by adjoining properties regardless of proximity to perimeter boundary lines. (Section 5(C)) Fieldwork must include evidence of pipeline markers, utility locate markings, manholes, valves, meters, transformers, pedestals, clean outs, overhead lines, and guy wires limited to within 5 feet of the surveyed property (utility poles to be located within 10 feet of surveyed property). (Section 5(E)) If you have any questions regarding the 2026 changes to the Minimum Standard Detail Requirements for ALTA^®/NSPS Land Title Surveys or how such changes may affect you, please contact a member of our Real Estate Practice Group.

AI Transcription Tools Give Rise to BIPA Claims

Litigation under the Illinois Biometric Information Privacy Act (“BIPA”) is increasingly and very recently focused on one category of biometric data that many organizations may overlook: voiceprints. Recent lawsuits have focused on AI-powered transcription, speaker recognition, and voice analytics tools as an unlawful use of participants’ voiceprints without proper consent. Voiceprints Are Expressly Covered by BIPA BIPA defines “biometric identifiers” to include voiceprints. Unlike general audio recordings, a voiceprint involves the analysis of unique vocal characteristics to identify or distinguish a speaker. Plaintiffs are alleging that software creates biometric identifiers subject to the statute when it attributes speech to specific individuals using speaker recognition technology. To comply with BIPA, a company collecting voiceprints must: Provide written notice that biometric data is being collected or stored; Inform the individual in writing of the purpose and duration of collection; and Obtain a written release before collection. The collecting company must also publish a publicly available written retention and destruction policy. As discussed in our recent client alert, statutory damages are significant: $1,000 per negligent violation and $5,000 per reckless or intentional violation with potential accrual on a per-scan basis under Cothron v. White Castle System, Inc. AI Meeting Assistants and Speaker Recognition: Ambient Listening a part of the allegations in recent lawsuits. In Cruz v. Fireflies.AI Corp., filed on December 18, 2025 in Illinois District Court, the plaintiff alleges that an AI meeting assistant violated BIPA by recording virtual meetings and using speaker recognition technology to distinguish between participants. According to the complaint, the software automatically joins meetings when enabled by a host, records and transcribes conversations, identifies and labels individual speakers, and stores the resulting data. The plaintiff alleges that these functions necessarily involve creating voice-derived identifiers and that meeting participants, who never created accounts and never signed any written release, were not provided BIPA-compliant notice or consent. The case, which has just began litigation, reflects a growing theory of liability: even where a company does not market its product as “biometric,” functionality that distinguishes speakers based on vocal characteristics may qualify as voiceprint collection under Illinois law. Voiceprint-related risk is not limited just to AI transcription vendors. Employers and organizations may face exposure where they deploy tools such as voice authentication systems, call center voice analytics tools, meeting transcription software, productivity monitoring software, or security systems using vocal identification. Out-of-state technology providers may also face jurisdictional exposure if their tools are used by Illinois entities or affect Illinois residents. Similar to the allegations in Fireflis.AI Corp, in Basich et al. v. Microsoft Corp., plaintiffs allege that consent from one user (such as a meeting host) is insufficient for other participants whose voiceprints are captured during an AI live transcription feature in Microsoft’s Teams product while the participants are physically located in Illinois. The complaint focuses on a specific background process known as “diarization” which creates real-time meeting transcripts by distinguishing who is speaking using unique vocal characteristics, which plaintiffs contend is a collection of a “voiceprint”. Key Takeaways Recent filings confirm that voice-enabled AI tools are a developing frontier of BIPA litigation. Organizations operating in Illinois, or interacting with Illinois residents, should carefully evaluate whether any technology they deploy analyzes or distinguishes speakers based on vocal characteristics (i.e., create “voiceprints”). If voiceprints are implicated, strict compliance with BIPA’s notice, written release, and retention policy requirements is essential to avoid potentially significant statutory exposure. For questions regarding voiceprint-related compliance, AI deployment, or BIPA risk assessment, please contact one of our Data Privacy & Cybersecurity attorneys.

Securing a Legislative Victory for the American Car Rental Association

Lewis Rice member David W. Sweeney represented the American Car Rental Association (ACRA) in its effort to shape legislation governing the operations of Turo, an online car-sharing platform, at St. Louis Lambert International Airport. The initial bill would have permitted Turo to operate in airport garages within walking distance of passenger terminals, a proposal opposed by members of the St. Louis Airport Commission due to competitive concerns. David engaged with stakeholders to negotiate a revised agreement that addressed these objections while protecting the interests of ACRA. The final legislation limits Turo’s operations to three designated parking areas west of Terminal 1. The measure was opposed by the St Louis Airport Director but  approved unanimously by the St. Louis Board of Aldermen, marking a significant milestone in the legislative process. This outcome preserved competitive balance in the airport rental market and aligned with ACRA’s policy objectives. The case demonstrates how strategic advocacy and effective negotiation can deliver tangible results for industry associations facing complex regulatory challenges.

Supreme Court Clarifies Contributory Liability Standard in Copyright Infringement

In a decision with broad implications for internet service providers and generative AI, on March 25, 2026, the United States Supreme Court unanimously held in the Cox Communications, Inc. v. Sony Music Entertainment that an internet service provider is not contributorily liable for copyright infringement solely on a provider’s knowledge of infringement and failure to take sufficient action to prevent infringement. Rather, liability arises only where the provider intended that its service be used to facilitate infringement. What Happened? Cox Communications is an internet service provider serving six million subscribers. Sony Music is a major music copyright owner. Sony sent Cox over 163,000 notices identifying IP addresses of Cox subscribers associated with infringing activity. Sony then sued Cox in federal district court, advancing claims of secondary copyright liability. The jury originally found in favor of Sony Music on both theories and awarded $1 billion in statutory damages. The Fourth Circuit affirmed, reasoning that knowledge that the recipient of the service will use the service to infringe copyrights is sufficient for contributory infringement. The Supreme Court reversed that decision. The Supreme Court’s Decision The Court held Cox was not contributorily liable for the individual users’ infringement because Cox did not intend that its internet service be used for infringement. Such intent can be shown only if the service provider induced the infringement or provided a service that is tailored to infringement. The Court further held that inducement can only be shown through specific acts, such as promoting or marketing the service as a tool to infringe, and that a service is tailored to infringement only if it is not capable of a substantial or commercially significant non-infringing use. Importantly, the Court held that a service provider’s failure to take affirmative steps to prevent infringement by users, even though it was aware of and profiting from that activity, is not sufficient for secondary liability. The opinion emphasized that it may be difficult for a service provider to determine that its services were used for infringement. For example, many internet service subscribers provide connections to multiple different people (e.g., a household, coffee shop, or college dormitory), and network traffic from all such users will ordinarily originate from a single internet address. The Court reasoned that it would be extremely difficult, in many cases impossible, for a service provider to determine which individual was infringing. The Court also noted that a service provider cannot directly control how subscribers use their services. Thus, without evidence of express promotion, marketing, or intent to promote infringement, a service provider’s mere knowledge that infringement was occurring through its services was insufficient to hold the service provider contributorily liable for it. Justice Sotomayor, joined by Justice Jackson, concurred in judgment only, holding the majority unnecessarily limited secondary liability even though common-law theories, such as aiding and abetting, could be applicable to copyright cases, and that the majority dismantled the statutory incentive structure created in the Digital Millennium Copyright Act (“DMCA”). Why it Matters This decision limits the scope of contributory copyright liability for internet service providers in key respects. By requiring evidence of express promotion, marketing, or intent to promote infringement, rather mere knowledge of it and the failure to stop infringing activity, the decision shifts much of the burden of policing the internet for copyright infringement from service providers to copyright holders. Major commercial service providers are unlikely to meet the newly articulated standard for liability. Copyright owners have noted for some time that the DMCA’s balance is tilted too far in favor of service providers. This decision will tilt the scales further. Copyright owners thus will be increasingly dependent on their own policing efforts in pursuing individual infringers directly, which is logistically difficult for similar reasons to those noted by the Court. Once infringing content is removed, on-line infringers can simply re-post it with the push of a button, requiring copyright owners to send repeated takedowns, and the service providers have little legal incentive to disable such accounts. This may result in greater emphasis on enforcement strategies that leverage technical limitations, rather than legal remedies, which could make copyrighted material more difficult to obtain and use electronically.  It should be recognized that the DMCA safe harbor framework, including notice and takedown obligations, remains in place. Thus, service providers still must comply with the DMCA’s notice-and-takedown procedures to enjoy the benefits of the so-called “safe harbor” provisions, which immunize service providers from contribution infringement claims in certain circumstances. Further, the quantity of takedown requests may increase due to this ruling.  If you have questions about copyright infringement or secondary liability in light of this decision, please contact a member of our Intellectual Property team to discuss how these developments may affect your business, compliance obligations, and enforcement strategies going forward.

David W. Sweeney Secures Legislative Victory for American Car Rental Association at St. Louis Lambert International Airport

Lewis Rice attorney David W. Sweeney represented the American Car Rental Association (ACRA) in negotiations over legislation governing the operations of online car-sharing company Turo at St. Louis Lambert International Airport. An initial proposal would have allowed Turo to operate from airport garages within walking distance of passenger terminals. After opposition from members of the St. Louis Airport Commission, David worked with stakeholders to secure a revised agreement limiting Turo to three designated parking areas west of Terminal 1. This outcome represents a significant victory for ACRA, which had requested the bill to ensure fair competition in the car rental industry. The measure was opposed by the St. Louis Airport Director but  approved unanimously by the St. Louis Board of Aldermen, marking a significant milestone in the legislative process. To read more about the agreement, click under "Resources" below. David focuses on lobbying, governmental and finance matters; municipal and public law; government affairs; zoning, land use, tax increment financing, community improvement districts, and other development incentives. His experience ranges from drafting and overseeing implementation of legislation regarding tax increment financing, community improvement districts, special business districts, transportation development districts, and property tax abatements to representation of governmental entities in a variety of real estate development and finance matters.

Oklahoma and Alabama Get the Ball Rolling Again, Enact Comprehensive Privacy Laws

Thus far in 2026, two states, Oklahoma and Alabama, have enacted state comprehensive data privacy laws, continuing the national trend of State-by-State privacy regulation in the absence of federal law. The Oklahoma Consumer Data Privacy Act (“OCDPA”) goes into effect on January 1, 2027. The Alabama Personal Data Protection Act (“APDPA”) goes into effect on May 1, 2027. While these laws largely follow other state comprehensive privacy laws, businesses that operate in or target products or services to residents in these states must comply with distinct features of these laws. Applicability OCDPA: The OCDPA applies to persons conducting business in Oklahoma or producing products or services targeted to Oklahoma residents and that during a calendar year either:  control or process personal data of at least 100,000 Oklahoma residents; or  control or process data of at least 25,000 Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data. APDPA: The APDPA applies to persons conducting business in Alabama or producing products or services targeted to Alabama residents and either:  control or process the personal data of more than 25,000 Alabama residents (excluding personal data processed solely for completing a payment transaction); or  derive over 25% of gross revenue from the sale of personal data, regardless of the number of residents. Exemptions Both the OCDPA and APDPA exempt financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, institutions of higher education, and nonprofits (though the APDPA limits this exclusion to nonprofits with less than 100 employees that do not sell personal data). Notably, the APDPA also includes a small-business exemption for businesses with fewer than 500 employees that do not sell personal data. The OCDPA does not include a small business exemption. Both laws also include data-level exemptions for protected health information under HIPAA, personal data processed by consumer reporting agencies under the Fair Credit Reporting Act, data regulated by the Family Educational Rights and Privacy Act, and data regulated by the Farm Credit Act. Key Definitions Consumer: Both laws narrowly define “consumer” to mean an individual resident of the respective state acting only in an individual or household context. Both laws exclude individuals acting in a commercial or employment context, meaning employee personal data and business-to-business personal data are outside the scope of both the OCDPA and APDPA. Sensitive Data: In line with other state comprehensive data privacy laws, both laws provide for a special category of personal data known as “sensitive data,” which both laws define similarly to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Both laws require controllers to obtain consent prior to processing sensitive data. Additionally, if the controller has actual knowledge a consumer is between ages 13 and 16, the APDPA requires affirmative consent in order to sell the consumer’s personal data or using it for targeted advertising purposes. Personal Data: This is a key area of divergence between the two laws. The OCDPA defines “sale” of personal data narrowly to mean only the exchange of personal data for monetary consideration by the controller to a third party. In contrast, the APDPA defines “sale” of personal data more broadly to cover exchanges for monetary consideration or for “other valuable consideration,” and adds a novel requirement that the “controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” Businesses that engage in data sharing arrangements involving non-monetary benefits should carefully assess whether those arrangements trigger the APDPA’s requirements even if they would not under the OCDPA. Both laws include similar broad exceptions to the definition of “sale” for ordinary business disclosures, including transfers to processors, affiliates, and disclosures made to fulfill a consumer’s product or service request. Compliance Both the OCDPA and APDPA contain compliance obligations substantially similar to those found in other state comprehensive data privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into data processing contracts with processors. However, the two laws differ with respect to data protection assessments. The OCDPA requires controllers to conduct and document data protection assessments for processing activities involving targeted advertising, the sale of personal data, the processing of sensitive data, profiling in certain instances, or processing that presents a “heightened risk of harm” to consumers. The APDPA does not require data protection assessments at all. Additionally, under the APDPA if a consumer sends an opt-out preference signal (such as browser-based global opt-out signals), controllers may notify consumers of conflicting signals and provide the consumer an opportunity to confirm controller-specific privacy settings or participation in loyalty programs. Consumer Rights and Requests Both the OCDPA and the APDPA grant residents substantially the same set of consumer rights, which are consistent with the rights found in other state comprehensive data privacy laws. Those consumer rights include the following: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for purposes of targeted advertising. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, health care, education, employment opportunities, criminal justice, or access to basic necessities such as food and water. Both the OCDPA and APDPA require controllers to respond to consumer requests within 45 days, with the ability to extend by an additional 45 days when reasonably necessary. While the OCDPA provides consumers the right to appeal, the APDPA does not. The OCDPA allows a consumer to appeal if a controller declines to act on a consumer’s request. Controllers must respond to appeals within 60 days and, if the appeal is denied, must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism. Enforcement and Rulemaking Authority Like most other state comprehensive privacy laws, neither the OCDPA nor the APDPA include a private right of action. The Oklahoma Attorney General has the exclusive authority to enforce the OCDPA, and the Alabama Attorney General has the exclusive authority to enforce the APDPA. The OCDPA provides for a 30-day cure period prior to initiating an enforcement action, while the APDPA provides for a 45-day cure period. Unlike some other state comprehensive data privacy laws, neither of these cure periods sunset, meaning that they will always be available, as opposed to having a limited duration. Each violation of the OCDPA can result in a civil penalty up to $7,500, while each violation of the APDPA can result in a civil penalty up to $15,000. Conclusion The enactment of the OCDPA and the APDPA represents the continued trend of states enacting comprehensive data privacy laws across the United States in the absence of federal legislation. While neither law is novel, there are meaningful differences that businesses operating in, or targeting residents of, these states must consider and comply with. Businesses should act promptly to assess their obligations under both laws and ensure compliance programs are updated accordingly before the effective dates. Entities already compliant with other state privacy laws will find much of the required groundwork already in place, but the unique features of each law warrant careful review. If you would like assistance with, or have any questions about, complying with the OCDPA, the APDPA, or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

Bridget Hoy Named 2026 Wonder Woman by Small Business Monthly