Portrait of Joseph E. Martineau

Client Alert

Supreme Court Clarifies When Government Officials’ Social Media Posts are "State Action"

March 18, 2024

Joseph E. Martineau, John M. Hessel, Jacqueline K. Graves, Sarah L. White, Kolten C. Ellis

share this page:

State and local governments, and many government officials, increasingly rely on social media to communicate quickly and effectively with their constituents. Many government officials also use personal social media accounts to connect with friends and family and to speak in their private capacities on a wide range of issues. But when can a government official’s activity on his or her personal social media page be attributed to his or her public employer? With the rise of social media and the expediency it allows for communication of personal and public matters, often commingled on one social media site, the question has confounded the courts, public officials, and lawyers for the last decade.

In Lindke v. Freed, a unanimous opinion issued on March 15, 2024, the United States Supreme Court provided critical guidance to clarify the line between private and government activities conducted on social media. The Court held that posting, deleting comments, and blocking viewers or commenters—even on a government official’s personal social media page—can be considered government action when the official (1) has authority to speak on behalf of the government entity about the subject of the post, and (2) purports to exercise that authority through his or her social media activities. This new test supersedes the approaches previously adopted by the U.S. Courts of Appeals for the Second, Third, and Ninth Circuits.

Lindke involved the City Manager of Port Huron, Michigan, who had long maintained a personal Facebook page that predated his employment with the city. The City Manager used his Facebook page both for personal social media activities, such as posting family photographs, and to make public announcements about the city’s events and policies. When the COVID-19 pandemic began, the City Manager used his Facebook page to inform city residents about pandemic safety measures the city had adopted. One Port Huron resident made several comments criticizing the city’s COVID-19 policies, and the City Manager eventually deleted those comments and “blocked” the resident from posting further comments on his page.

The resident then sued the City Manager under 42 U.S.C. § 1983, which allows state officials to be held liable for official actions that violate a person’s rights under the U.S. Constitution or other federal law. The resident claimed the City Manager violated the First Amendment by deleting the resident’s comments based on the views he expressed and by blocking him from making further comments on the City Manager’s Facebook page. 

The key question under section 1983 was whether the City Manager’s deletions and blocking were “state action”—acts that could be ascribed to his capacity as a City Manager rather than to his individual status as a father, husband, and citizen. To answer this question, the Supreme Court announced a two-part test.

First, a government official’s social media posts can only be “state actions” if the official has authority (under written law or “longstanding custom”) to make official statements about the subject of the post. A school board president may have customary authority to speak for the school district when announcing a districtwide snow day, but a municipal sanitation worker likely cannot speak for the city when discussing a new ordinance about parking fees that the sanitation department does not enforce or apply.

Second, state action exists only where an official purports to exercise his or her authority when speaking or posting on social media. Department or organizational accounts, accounts run jointly by officials and other city staff, and posts on an official’s private page that announce new policies or livestream official government meetings are all likely to be state action. Because this third category is most likely to arise where public officials start to use their private pages to communicate government business, the Supreme Court admonished that the risk of liability increases for an official who does not “keep personal posts in a clearly designated personal account.” And while an official can reduce the appearance of speaking on behalf of the government by posting a disclaimer that a page or post represents only private opinions, the Supreme Court warned that a disclaimer cannot categorically shield a clearly official statement from qualifying as state action. So, while disclaimers might be good practice, they should not be seen as a panacea.

Finally, the Supreme Court noted that whether deleting a comment or blocking a commenter counts as state action may depend on how a specific social media platform functions. A state or local official who deletes an insulting comment about a picture of her cat is likely performing only a private action. But “blocking” the rude commenter may be a state action if, on the specific social media platform in question, the blocked commenter can no longer see or comment on posts by the official that do speak on behalf of the official’s department.

Lindke represents a large first step in adapting the state action doctrine to the online world of social media, and the Supreme Court emphasized that each case must be handled under a fact-specific basis that considers the authority of the government official, the type of action taken, and the reach that action has on the relevant platform. Concrete applications of Lindke’s holding will take time to develop and build in future litigation.

If you need assistance in crafting a social media policy for public employees to avoid Section 1983 liability for their activities on personal social media profiles, if you are facing litigation that arises from a social media post by a government agency or employee, or if you have any questions about the possible impacts of Lindke on your operations, please contact one of the authors above.

Firm Highlights

  • Case Study

    Securing a Legislative Victory for the American Car Rental Association

    Lewis Rice member David W. Sweeney represented the American Car Rental Association (ACRA) in its effort to shape legislation governing the operations of Turo, an online car-sharing platform, at St. Louis Lambert International Airport. The initial bill would have permitted Turo to operate in airport garages within walking distance of passenger terminals, a proposal opposed by members of the St. Louis Airport Commission due to competitive concerns. David engaged with stakeholders to negotiate a revised agreement that addressed these objections while protecting the interests of ACRA. The final legislation limits Turo’s operations to three designated parking areas west of Terminal 1. The measure was opposed by the St Louis Airport Director but  approved unanimously by the St. Louis Board of Aldermen, marking a significant milestone in the legislative process. This outcome preserved competitive balance in the airport rental market and aligned with ACRA’s policy objectives. The case demonstrates how strategic advocacy and effective negotiation can deliver tangible results for industry associations facing complex regulatory challenges.

  • Firm News

    Emily K. Bardon Named Chairperson of Saint Louis Fashion Fund

  • Publication

    Supreme Court Clarifies Contributory Liability Standard in Copyright Infringement

    In a decision with broad implications for internet service providers and generative AI, on March 25, 2026, the United States Supreme Court unanimously held in the Cox Communications, Inc. v. Sony Music Entertainment that an internet service provider is not contributorily liable for copyright infringement solely on a provider’s knowledge of infringement and failure to take sufficient action to prevent infringement. Rather, liability arises only where the provider intended that its service be used to facilitate infringement. What Happened? Cox Communications is an internet service provider serving six million subscribers. Sony Music is a major music copyright owner. Sony sent Cox over 163,000 notices identifying IP addresses of Cox subscribers associated with infringing activity. Sony then sued Cox in federal district court, advancing claims of secondary copyright liability. The jury originally found in favor of Sony Music on both theories and awarded $1 billion in statutory damages. The Fourth Circuit affirmed, reasoning that knowledge that the recipient of the service will use the service to infringe copyrights is sufficient for contributory infringement. The Supreme Court reversed that decision. The Supreme Court’s Decision The Court held Cox was not contributorily liable for the individual users’ infringement because Cox did not intend that its internet service be used for infringement. Such intent can be shown only if the service provider induced the infringement or provided a service that is tailored to infringement. The Court further held that inducement can only be shown through specific acts, such as promoting or marketing the service as a tool to infringe, and that a service is tailored to infringement only if it is not capable of a substantial or commercially significant non-infringing use. Importantly, the Court held that a service provider’s failure to take affirmative steps to prevent infringement by users, even though it was aware of and profiting from that activity, is not sufficient for secondary liability. The opinion emphasized that it may be difficult for a service provider to determine that its services were used for infringement. For example, many internet service subscribers provide connections to multiple different people (e.g., a household, coffee shop, or college dormitory), and network traffic from all such users will ordinarily originate from a single internet address. The Court reasoned that it would be extremely difficult, in many cases impossible, for a service provider to determine which individual was infringing. The Court also noted that a service provider cannot directly control how subscribers use their services. Thus, without evidence of express promotion, marketing, or intent to promote infringement, a service provider’s mere knowledge that infringement was occurring through its services was insufficient to hold the service provider contributorily liable for it. Justice Sotomayor, joined by Justice Jackson, concurred in judgment only, holding the majority unnecessarily limited secondary liability even though common-law theories, such as aiding and abetting, could be applicable to copyright cases, and that the majority dismantled the statutory incentive structure created in the Digital Millennium Copyright Act (“DMCA”). Why it Matters This decision limits the scope of contributory copyright liability for internet service providers in key respects. By requiring evidence of express promotion, marketing, or intent to promote infringement, rather mere knowledge of it and the failure to stop infringing activity, the decision shifts much of the burden of policing the internet for copyright infringement from service providers to copyright holders. Major commercial service providers are unlikely to meet the newly articulated standard for liability. Copyright owners have noted for some time that the DMCA’s balance is tilted too far in favor of service providers. This decision will tilt the scales further. Copyright owners thus will be increasingly dependent on their own policing efforts in pursuing individual infringers directly, which is logistically difficult for similar reasons to those noted by the Court. Once infringing content is removed, on-line infringers can simply re-post it with the push of a button, requiring copyright owners to send repeated takedowns, and the service providers have little legal incentive to disable such accounts. This may result in greater emphasis on enforcement strategies that leverage technical limitations, rather than legal remedies, which could make copyrighted material more difficult to obtain and use electronically.  It should be recognized that the DMCA safe harbor framework, including notice and takedown obligations, remains in place. Thus, service providers still must comply with the DMCA’s notice-and-takedown procedures to enjoy the benefits of the so-called “safe harbor” provisions, which immunize service providers from contribution infringement claims in certain circumstances. Further, the quantity of takedown requests may increase due to this ruling.  If you have questions about copyright infringement or secondary liability in light of this decision, please contact a member of our Intellectual Property team to discuss how these developments may affect your business, compliance obligations, and enforcement strategies going forward.

  • Firm News

    Lewis Rice and its Attorneys Recognized in Chambers USA 2026 Guide

  • Publication

    Louisiana Joins the Club: What Businesses Need to Know About the Louisiana Data Privacy Act

    On May 29, 2026, Louisiana’s Governor signed the Louisiana Data Privacy Act (“LDPA”) into law, making Louisiana the 22nd state, and the third in 2026, to enact a comprehensive state privacy law. The LDPA goes into effect on January 1, 2027. While businesses familiar with the Texas Data Privacy and Security Act (“TDPSA,” discussed in our prior alert here) will recognize much of the LDPA’s structure, several distinctive features warrant careful attention for businesses subject to the LDPA. Applicability The LDPA applies to any person or entity that does business in Louisiana and satisfies at least one of the following thresholds:  Has annual gross revenues in excess of $25 million;  Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more Louisiana residents, households, or devices; or  Derives 50% or more of annual revenues from selling Louisiana residents’ personal information. This structure is similar to the California Consumer Privacy Act (“CCPA”) and represents a significant departure from the thresholds used in most other comprehensive state privacy laws. Most notably, the revenue-based threshold may capture businesses, including those with few business-to-consumer sales, that would not be covered based on the processing of personal data or the volume thereof. Exemptions The LDPA exempts several types of entities, including financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofits, institutions of higher education, and electric public utilities. Data-level exemptions under the LDPA are broader than those found in most other comprehensive state privacy laws and encompass seventeen categories. Beyond the standard exemptions for protected health information under HIPAA, Fair Credit Reporting Act data, Family Educational Rights and Privacy Act and Driver’s Privacy Protection Act data, Farm Credit Act data, and employee and contractor data processed in the context of that relationship, the LDPA also exempts the following, among others: health records; certain patient identifying information; identifiable private information used in human subjects research under certain federal frameworks; Health Care Quality Improvement Act information; patient safety work product; and information collected solely for public health activities authorized under HIPAA. Key Definitions Consumer: The LDPA defines “consumer” to mean an individual who is a Louisiana resident acting only in an individual or household context. Individuals acting in a commercial or employment context are excluded, meaning employee personal data and business-to-business personal data fall outside the LDPA’s scope. Sensitive Data: Controllers must obtain affirmative consent before processing a consumer’s sensitive data. Consistent with other comprehensive state privacy laws, the LDPA defines “sensitive data” to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child (under 13); and precise geolocation data. Sale of Personal Data: The LDPA defines “sale of personal data” as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Businesses engaged in data-sharing arrangements that involve non-monetary benefits should assess whether those arrangements constitute a “sale” under the LDPA. Standard exemptions from the definition of “sale” apply for disclosures to processors or affiliates, consumer-directed disclosures, and transfers in connection with mergers and acquisitions. Compliance Controllers subject to the LDPA must provide consumers with a reasonably accessible and clear privacy notice disclosing the categories of personal data processed, the purposes of processing, and the process by which consumers may exercise their rights. The LDPA imposes two prescriptive notice requirements found in the TDPSA, but not in most other comprehensive state privacy laws: (1) if a controller sells sensitive personal data, it must post the notice “NOTICE: We may sell your sensitive personal data.” in the same manner as its general privacy notice; and (2) if a controller sells biometric personal data, it must similarly post “NOTICE: We may sell your biometric personal data.” The LDPA requires controllers to conduct and document data protection assessments for higher-risk processing activities, including targeted advertising, the sale of personal data, processing sensitive data, profiling that presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of or unlawful disparate impact on consumers; (ii) financial, physical, or reputational injury to consumers; (iii) an intrusion on the solitude or seclusion, or the private affairs, of consumers that would be offensive to a reasonable person; or (iv) other substantial injury to consumers; and any other processing presenting a “heightened risk of harm.” Assessments are confidential but the Attorney General may request them through a civil investigative demand. Controllers must also recognize universal opt-out preference signals, such as browser or device-level signals, through which consumers may opt out of targeted advertising and the sale of personal data. Importantly, the LDPA specifies that qualifying opt-out signals may not rely on a default setting; they must reflect an affirmative, freely given, and unambiguous choice by the consumer to opt out. Consumer Rights and Requests The LDPA grants Louisiana residents the following rights, consistent with the rights established under other comprehensive state privacy laws: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: If available in a digital format, consumers may obtain a copy of personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data, including through a designated authorized agent or a qualifying opt-out signal. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for targeted advertising purposes. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, healthcare, education enrollment, employment opportunities, criminal justice, or access to basic necessities such as food and water. Controllers must respond to requests within 45 days of receipt, with the ability to extend by an additional 45 days when reasonably necessary. Controllers must establish a conspicuously available appeal mechanism and respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer with access to the Attorney General’s online complaint mechanism. Enforcement The LDPA does not include a private right of action. The Louisiana Attorney General has exclusive enforcement authority and may pursue violations as unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law (“UTPCL”). The LDPA expressly excludes private rights of action otherwise available under the UTPCL. From January 1, 2027 through July 31, 2027, the Attorney General must provide written notice at least 30 days before initiating an investigation, identifying the specific provisions alleged to be violated. The Attorney General may not proceed with the investigation if the business cures the alleged violation within the 30-day period. This cure period sunsets, meaning it will no longer be available, after July 31, 2027. This stands in contrast to the permanent cure periods available under some of the other comprehensive state privacy laws, such as those recently enacted in Oklahoma and Alabama. Conclusion The enactment of the LDPA represents the continued expansion of state-level data privacy regulation across the United States. While much of the LDPA will be familiar to businesses already operating under other comprehensive state privacy laws, its applicability thresholds, broad definition of “sale,” prescriptive sensitive and biometric data notices, and sunsetting cure period are features that require specific attention. Businesses should assess their compliance programs promptly and ensure they are updated before January 1, 2027 and fully mature before the cure period sunsets on July 31, 2027. If you would like assistance with, or have any questions about, complying with the LDPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

  • Firm News

    Lewis Rice Secures $1.95 Million in Compensation for Rock Island Trail Landowners

  • Firm News

    David W. Brown Earns Band 1 Ranking in Chambers USA 2026

  • Publication

    Next Up: The Vermont Data Privacy and Online Surveillance Act

    On June 16, 2026, Vermont’s Governor signed the Vermont Data Privacy and Online Surveillance Act (the “VDPOSA”) into law, making Vermont the most recent state to enact a comprehensive state privacy law. The VDPOSA takes effect January 1, 2028. Vermont’s law departs from the standard playbook for comprehensive state privacy laws in several meaningful ways, including a standalone sensitive data applicability trigger, expanded definitions of sensitive data and publicly available information, novel consumer health data obligations that apply without any minimum processing threshold, and enhanced rights and assessments relating to profiling. Applicability The VDPOSA applies to any person or entity that conducts business in Vermont or produces products or services targeted to Vermont residents and that, during the preceding calendar year, satisfied at least one of the following thresholds:  Controlled or processed the personal data of not fewer than 35,000 Vermont residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction;  Controlled or processed the sensitive data of not fewer than 3,000 Vermont residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or  Offered for sale in trade or commerce the personal data of not fewer than 3,000 Vermont residents. Vermont is only the second state, after Connecticut, to include a standalone sensitive data threshold that is independent of any revenue or general processing threshold (Connecticut’s sensitive data threshold takes effect July 1, 2026). The practical effect is that businesses handling even limited quantities of sensitive data, such as health, biometric, or precise geolocation information, may be subject to the VDPOSA even if they would otherwise fall below the 35,000-person threshold. Further, with respect to the VDPOSA’s provisions concerning consumer health data, the above applicability thresholds do not apply. Rather, the VDPOSA’s consumer health data provisions apply to any person or entity that does business in Vermont or targets products or services to Vermont residents without any data processing, revenue, or similar thresholds. Exemptions The VDPOSA’s exemptions depart from many other comprehensive state privacy laws in notable ways. For example, while the VDPOSA provides entity-level exemptions for HIPAA covered entities and business associates, and data-level exemptions for protected health information and other federally regulated data categories, it does not include a blanket nonprofit exemption or any exemption for institutions of higher education. Nonprofit organizations benefit only from narrow carve-outs for those established to detect and prevent insurance fraud, those providing enrollment data reporting services for postsecondary institutions for limited purposes, and the noncommercial activities of certain enumerated media entities. The VDPOSA’s treatment of financial institutions similarly diverges from most peer laws. The law provides only a data-level GLBA exemption. The entity-level financial institution exemption is limited to state and federally chartered banks, credit unions, and certain affiliates principally engaged in financial activities, which is a narrower carve-out than the entity-level GLBA exemptions found in many other comprehensive state privacy laws. Certain financial institutions must therefore analyze which personal data they collect and process qualifies for the data-level exemption. As with other comprehensive state privacy laws, personal data processed in an employment or contractor context falls outside the VDPOSA’s scope. Key Definitions Consumer: The VDPOSA defines “consumer” to mean an individual who is a Vermont resident acting only in an individual or household context. Individuals acting in an employment or contractor context are excluded, meaning employee personal data and business-to-business personal data fall outside the VDPOSA’s scope. Sensitive Data: Controllers must obtain affirmative consent before processing sensitive data. Separately, controllers must also obtain affirmative consent before selling sensitive data. The VDPOSA uniquely and broadly defines “sensitive data” to include: personal data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as nonbinary or transgender, citizenship or immigration status, mental or physical health conditions, diagnosis, disability, or treatment; consumer health data; genetic or biometric data or information derived therefrom; precise geolocation data; personal data collected from a known child; neural data; a consumer’s financial account number, financial account login credentials, or credit or debit card number that, in combination with any required access or security code, password, or credential, would allow access to a consumer’s financial account; and government-issued identification numbers, including Social Security numbers, passport numbers, state identification card numbers, and driver’s license numbers, that applicable law does not require to be publicly displayed. Sale of Personal Data: The VDPOSA defines “sale of personal data” as the exchange of personal data for monetary or other valuable consideration by a controller to a third party. Standard exemptions apply for disclosures to processors or affiliates, consumer-directed disclosures, and transfers in connection with mergers and acquisitions. Publicly Available Information: The VDPOSA’s definition of “publicly available information” is significantly narrower than in many other comprehensive state privacy laws. Importantly, information that is collated and combined into a consumer profile that is made available to users of a publicly available website, whether for payment or free of charge, loses its publicly available classification under the VDPOSA, as do inferences derived from such profiles. The law also excludes from the definition genetic data, biometric data collected without a consumer’s knowledge, personal data created by combining personal data with publicly available information, information shared with a restricted audience, and nonconsensual intimate images. This narrowed definition has particular significance for data brokers and information aggregators. Compliance Controllers subject to the VDPOSA must provide consumers with a reasonably accessible privacy notice disclosing the categories of personal data processed, the purposes of processing, the categories of personal data shared with third parties, and the process by which consumers may exercise their rights. The VDPOSA adds a disclosure requirement found in recent amendments to Connecticut’s law, namely that the privacy notice must include whether a controller collects, uses, or sells personal data for the purpose of training large language models. Like Connecticut’s law, the VDPOSA does not specify what qualifies as “training large language models,” creating ambiguity that controllers will need to navigate carefully. The VDPOSA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling activities that present a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical, or reputational injury, intrusion upon seclusion, or other substantial injury. Assessment obligations apply prospectively to processing activities created or generated after January 1, 2028. Further, the VDPOSA requires a separate impact assessment when a controller engages in profiling for making decisions with legal or similarly significant effects on consumers. This impact assessment carries prescribed content requirements, including purpose disclosure, risk analysis, categories of data used, performance metrics, transparency measures, and post-deployment monitoring. All assessments are confidential but may be requested by the Vermont Attorney General. Consumer Rights and Requests The VDPOSA grants Vermont residents the following rights: Right to Access: Consumers may confirm whether a controller is processing their personal data, access that data, and access inferences derived from their personal data. Consumers may also confirm whether a controller is processing their personal data for profiling purposes in furtherance of a decision with a legal or similarly significant effect. Facilitating this right may prove difficult for controllers. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: Consumers may obtain a copy of personal data they previously provided in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data and may request a list of the specific third parties to whom their personal data was sold, or, if the controller does not maintain such a list, a list of all third parties to whom the controller has sold personal data. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for targeted advertising purposes. Right to Opt Out of Profiling and Enhanced Profiling Rights: Consumers may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Where a controller uses profiling to produce such a decision, consumers may also question the result, be informed of the reasons for the decision, and review the personal data processed for such decision. For profiling decisions concerning housing specifically, consumers have the additional right to correct inaccurate personal data and to have the profiling decision reevaluated on the basis of corrected data. Controllers must respond to requests within 45 days of receipt, with the ability to extend by an additional 45 days when reasonably necessary. Controllers must establish a conspicuously available appeal mechanism and respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer with information enabling them to contact the Vermont Attorney General to submit a complaint. Consumer Health Data As noted above, the VDPOSA’s consumer health data provisions apply more broadly than the general law. The VDPOSA defines “consumer health data” expansively as any personal data that a controller uses to identify a consumer’s physical or mental health condition, diagnosis, or status, including gender-affirming health data and reproductive or sexual health data. This definition may capture data not traditionally associated with health, including fitness application data, inferred health conditions, and advertising segments tied to health interests. Notably, the consumer health data obligations do not apply to HIPAA covered entities processing personal data for purposes covered by HIPAA. Among other obligations, the VDPOSA prohibits any person or entity subject to the consumer health data provisions from: Granting any employee or contractor access to consumer health data without a contractual or statutory duty of confidentiality; Granting any processor access to consumer health data without a compliant data processing agreement; Using geofencing technology to establish a virtual boundary within 1,850 feet of any healthcare facility, including any mental health facility or reproductive or sexual health facility, for the purpose of identifying, tracking, collecting data from, or sending notifications to consumers regarding their consumer health data; and Selling or offering to sell consumer health data without first obtaining the consumer’s affirmative consent. Enforcement The VDPOSA does not include a private right of action. The Vermont Attorney General has exclusive enforcement authority. A violation of the VDPOSA constitutes a violation of the Vermont Consumer Protection Act, with civil penalties up to $10,000 per violation. Notably, the law states that the Vermont General Assembly may add a private right of action in the future if adequate enforcement resources are not appropriated to the Attorney General’s office. From January 1, 2028 through June 30, 2029, the Attorney General must give violators 60 days to cure before initiating any enforcement action, but only if a cure is possible. This cure period will not be available after June 30, 2029. Conclusion The enactment of the VDPOSA continues the national trend of state-level data privacy regulation and introduces several provisions that set Vermont apart from many of its peers. Businesses should pay particular attention to the VDPOSA’s unique requirements. Businesses should assess their compliance programs promptly and ensure they are updated before the VDPOSA takes effect on January 1, 2028, and fully mature before the cure period sunsets on June 30, 2029. If you would like assistance with, or have any questions about, complying with the VDPOSA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

  • Publication

    Oklahoma and Alabama Get the Ball Rolling Again, Enact Comprehensive Privacy Laws

    Thus far in 2026, two states, Oklahoma and Alabama, have enacted state comprehensive data privacy laws, continuing the national trend of State-by-State privacy regulation in the absence of federal law. The Oklahoma Consumer Data Privacy Act (“OCDPA”) goes into effect on January 1, 2027. The Alabama Personal Data Protection Act (“APDPA”) goes into effect on May 1, 2027. While these laws largely follow other state comprehensive privacy laws, businesses that operate in or target products or services to residents in these states must comply with distinct features of these laws. Applicability OCDPA: The OCDPA applies to persons conducting business in Oklahoma or producing products or services targeted to Oklahoma residents and that during a calendar year either:  control or process personal data of at least 100,000 Oklahoma residents; or  control or process data of at least 25,000 Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data. APDPA: The APDPA applies to persons conducting business in Alabama or producing products or services targeted to Alabama residents and either:  control or process the personal data of more than 25,000 Alabama residents (excluding personal data processed solely for completing a payment transaction); or  derive over 25% of gross revenue from the sale of personal data, regardless of the number of residents. Exemptions Both the OCDPA and APDPA exempt financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, institutions of higher education, and nonprofits (though the APDPA limits this exclusion to nonprofits with less than 100 employees that do not sell personal data). Notably, the APDPA also includes a small-business exemption for businesses with fewer than 500 employees that do not sell personal data. The OCDPA does not include a small business exemption. Both laws also include data-level exemptions for protected health information under HIPAA, personal data processed by consumer reporting agencies under the Fair Credit Reporting Act, data regulated by the Family Educational Rights and Privacy Act, and data regulated by the Farm Credit Act. Key Definitions Consumer: Both laws narrowly define “consumer” to mean an individual resident of the respective state acting only in an individual or household context. Both laws exclude individuals acting in a commercial or employment context, meaning employee personal data and business-to-business personal data are outside the scope of both the OCDPA and APDPA. Sensitive Data: In line with other state comprehensive data privacy laws, both laws provide for a special category of personal data known as “sensitive data,” which both laws define similarly to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Both laws require controllers to obtain consent prior to processing sensitive data. Additionally, if the controller has actual knowledge a consumer is between ages 13 and 16, the APDPA requires affirmative consent in order to sell the consumer’s personal data or using it for targeted advertising purposes. Personal Data: This is a key area of divergence between the two laws. The OCDPA defines “sale” of personal data narrowly to mean only the exchange of personal data for monetary consideration by the controller to a third party. In contrast, the APDPA defines “sale” of personal data more broadly to cover exchanges for monetary consideration or for “other valuable consideration,” and adds a novel requirement that the “controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” Businesses that engage in data sharing arrangements involving non-monetary benefits should carefully assess whether those arrangements trigger the APDPA’s requirements even if they would not under the OCDPA. Both laws include similar broad exceptions to the definition of “sale” for ordinary business disclosures, including transfers to processors, affiliates, and disclosures made to fulfill a consumer’s product or service request. Compliance Both the OCDPA and APDPA contain compliance obligations substantially similar to those found in other state comprehensive data privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into data processing contracts with processors. However, the two laws differ with respect to data protection assessments. The OCDPA requires controllers to conduct and document data protection assessments for processing activities involving targeted advertising, the sale of personal data, the processing of sensitive data, profiling in certain instances, or processing that presents a “heightened risk of harm” to consumers. The APDPA does not require data protection assessments at all. Additionally, under the APDPA if a consumer sends an opt-out preference signal (such as browser-based global opt-out signals), controllers may notify consumers of conflicting signals and provide the consumer an opportunity to confirm controller-specific privacy settings or participation in loyalty programs. Consumer Rights and Requests Both the OCDPA and the APDPA grant residents substantially the same set of consumer rights, which are consistent with the rights found in other state comprehensive data privacy laws. Those consumer rights include the following: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for purposes of targeted advertising. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, health care, education, employment opportunities, criminal justice, or access to basic necessities such as food and water. Both the OCDPA and APDPA require controllers to respond to consumer requests within 45 days, with the ability to extend by an additional 45 days when reasonably necessary. While the OCDPA provides consumers the right to appeal, the APDPA does not. The OCDPA allows a consumer to appeal if a controller declines to act on a consumer’s request. Controllers must respond to appeals within 60 days and, if the appeal is denied, must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism. Enforcement and Rulemaking Authority Like most other state comprehensive privacy laws, neither the OCDPA nor the APDPA include a private right of action. The Oklahoma Attorney General has the exclusive authority to enforce the OCDPA, and the Alabama Attorney General has the exclusive authority to enforce the APDPA. The OCDPA provides for a 30-day cure period prior to initiating an enforcement action, while the APDPA provides for a 45-day cure period. Unlike some other state comprehensive data privacy laws, neither of these cure periods sunset, meaning that they will always be available, as opposed to having a limited duration. Each violation of the OCDPA can result in a civil penalty up to $7,500, while each violation of the APDPA can result in a civil penalty up to $15,000. Conclusion The enactment of the OCDPA and the APDPA represents the continued trend of states enacting comprehensive data privacy laws across the United States in the absence of federal legislation. While neither law is novel, there are meaningful differences that businesses operating in, or targeting residents of, these states must consider and comply with. Businesses should act promptly to assess their obligations under both laws and ensure compliance programs are updated accordingly before the effective dates. Entities already compliant with other state privacy laws will find much of the required groundwork already in place, but the unique features of each law warrant careful review. If you would like assistance with, or have any questions about, complying with the OCDPA, the APDPA, or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

  • Publication

    SEC Proposed Amendments to Permit Optional Semiannual Reporting

    On May 5, 2026, the Securities and Exchange Commission ("SEC") proposed amendments to existing rules to provide reporting companies the option to file interim reports on a semiannual basis rather than quarterly. The idea underlying the proposed changes is that, freed from the need to prepare quarterly reports, companies may experience reduced compliance costs and regulatory burden and be able to provide more attention to company strategy and focus more resources on business growth. Furthermore, according to the SEC, a reduction in costs and regulatory burden may incentivize more private companies to enter the public markets. The 279-page proposal would make both substantive and technical amendments to the existing rules to account for the semiannual option. The technical amendments would amend existing rules and forms that refer to quarterly reporting so that they also reflect the semiannual reporting option. A discussion of certain key substantive proposed amendments is included below. How to Elect Under the proposal, companies would be able to elect on an annual basis whether they would continue to file their reports quarterly on Form 10-Q or semiannually on a new, proposed Form 10-S. The SEC is proposing to add a check box to the cover page of Form 10-K where, by checking the box, a company would indicate that it intends to file semiannually. If a company leaves the box unchecked, then it is indicating that it will file quarterly. For example, if a company with a calendar year fiscal year intended to report semiannually for 2029, it would check the box on its Form 10-K for calendar year 2028 that it would file in early 2029. For companies that have yet to file Exchange Act reports, the SEC is also proposing to add a similar check box to the cover page of Securities Act or Exchange Act registration statements.   The deadline for filing Form 10-S would be the same as the current Form 10-Q, 40 days (for large accelerated and accelerated filers) or 45 days (for all other filers) after the end of the fiscal period. If a company mistakenly checks the box or erroneously leaves it unmarked, the SEC is proposing that the company can fix any such inadvertent mistakes by filing an amendment to the Form 10-K as soon as practicable, but no later than the due date by which the company’s first Form 10-Q report would be required for such fiscal year. Companies would be bound to their election for the year in question, but would be able to switch their election on an annual basis. Thus, if the company in the example above wished to revert to filing quarterly in 2030, it would leave the semiannual reporting box unchecked in its Form 10-K for 2029 filed in early 2030. Required Disclosures in Form 10-S The proposed Form 10-S would require the same narrative disclosures and financial information as currently required by Form 10-Q but for the covered six-month period instead of a quarter. Accordingly, the required disclosures would include, among other matters, a management discussion and analysis, material legal proceedings, material changes in risk factors and exhibits required under Item 601 of Regulation S-K. The financial statements for the covered semiannual period would be required to be prepared in accordance with U.S. GAAP and reviewed by an auditor (but not required to be audited). The current disclosure and certification requirements for disclosure controls and procedures, as well as for internal control over financial reporting, would also apply. Regulation S-X Amendments  The SEC proposed amendments to Regulation S-X governing the age of financial statements to help ensure that, when semiannual filers file registration statements, their financial statements in those registration statements are not considered “stale” under existing rules built along a quarterly framework. The SEC also proposed amendments to simplify the existing rules governing the age of financial statements and consolidate these requirements in a single rule. In light of the significant interest in the proposal and the large number of public comments the SEC will receive (nearly 1,500 comments as of June 11, 2026), it is very likely that the final rules, if and when adopted by the SEC, will have changes, possibly material ones, from the proposal. The public comment period is open until July 6, 2026. Lewis Rice will continue to monitor for further developments regarding these proposed amendments.