Publications

David W. Brown Earns Band 1 Ranking in Chambers USA 2026

Supreme Court Clarifies Contributory Liability Standard in Copyright Infringement

In a decision with broad implications for internet service providers and generative AI, on March 25, 2026, the United States Supreme Court unanimously held in the Cox Communications, Inc. v. Sony Music Entertainment that an internet service provider is not contributorily liable for copyright infringement solely on a provider’s knowledge of infringement and failure to take sufficient action to prevent infringement. Rather, liability arises only where the provider intended that its service be used to facilitate infringement. What Happened? Cox Communications is an internet service provider serving six million subscribers. Sony Music is a major music copyright owner. Sony sent Cox over 163,000 notices identifying IP addresses of Cox subscribers associated with infringing activity. Sony then sued Cox in federal district court, advancing claims of secondary copyright liability. The jury originally found in favor of Sony Music on both theories and awarded $1 billion in statutory damages. The Fourth Circuit affirmed, reasoning that knowledge that the recipient of the service will use the service to infringe copyrights is sufficient for contributory infringement. The Supreme Court reversed that decision. The Supreme Court’s Decision The Court held Cox was not contributorily liable for the individual users’ infringement because Cox did not intend that its internet service be used for infringement. Such intent can be shown only if the service provider induced the infringement or provided a service that is tailored to infringement. The Court further held that inducement can only be shown through specific acts, such as promoting or marketing the service as a tool to infringe, and that a service is tailored to infringement only if it is not capable of a substantial or commercially significant non-infringing use. Importantly, the Court held that a service provider’s failure to take affirmative steps to prevent infringement by users, even though it was aware of and profiting from that activity, is not sufficient for secondary liability. The opinion emphasized that it may be difficult for a service provider to determine that its services were used for infringement. For example, many internet service subscribers provide connections to multiple different people (e.g., a household, coffee shop, or college dormitory), and network traffic from all such users will ordinarily originate from a single internet address. The Court reasoned that it would be extremely difficult, in many cases impossible, for a service provider to determine which individual was infringing. The Court also noted that a service provider cannot directly control how subscribers use their services. Thus, without evidence of express promotion, marketing, or intent to promote infringement, a service provider’s mere knowledge that infringement was occurring through its services was insufficient to hold the service provider contributorily liable for it. Justice Sotomayor, joined by Justice Jackson, concurred in judgment only, holding the majority unnecessarily limited secondary liability even though common-law theories, such as aiding and abetting, could be applicable to copyright cases, and that the majority dismantled the statutory incentive structure created in the Digital Millennium Copyright Act (“DMCA”). Why it Matters This decision limits the scope of contributory copyright liability for internet service providers in key respects. By requiring evidence of express promotion, marketing, or intent to promote infringement, rather mere knowledge of it and the failure to stop infringing activity, the decision shifts much of the burden of policing the internet for copyright infringement from service providers to copyright holders. Major commercial service providers are unlikely to meet the newly articulated standard for liability. Copyright owners have noted for some time that the DMCA’s balance is tilted too far in favor of service providers. This decision will tilt the scales further. Copyright owners thus will be increasingly dependent on their own policing efforts in pursuing individual infringers directly, which is logistically difficult for similar reasons to those noted by the Court. Once infringing content is removed, on-line infringers can simply re-post it with the push of a button, requiring copyright owners to send repeated takedowns, and the service providers have little legal incentive to disable such accounts. This may result in greater emphasis on enforcement strategies that leverage technical limitations, rather than legal remedies, which could make copyrighted material more difficult to obtain and use electronically.  It should be recognized that the DMCA safe harbor framework, including notice and takedown obligations, remains in place. Thus, service providers still must comply with the DMCA’s notice-and-takedown procedures to enjoy the benefits of the so-called “safe harbor” provisions, which immunize service providers from contribution infringement claims in certain circumstances. Further, the quantity of takedown requests may increase due to this ruling.  If you have questions about copyright infringement or secondary liability in light of this decision, please contact a member of our Intellectual Property team to discuss how these developments may affect your business, compliance obligations, and enforcement strategies going forward.

Louisiana Joins the Club: What Businesses Need to Know About the Louisiana Data Privacy Act

On May 29, 2026, Louisiana’s Governor signed the Louisiana Data Privacy Act (“LDPA”) into law, making Louisiana the 22nd state, and the third in 2026, to enact a comprehensive state privacy law. The LDPA goes into effect on January 1, 2027. While businesses familiar with the Texas Data Privacy and Security Act (“TDPSA,” discussed in our prior alert here) will recognize much of the LDPA’s structure, several distinctive features warrant careful attention for businesses subject to the LDPA. Applicability The LDPA applies to any person or entity that does business in Louisiana and satisfies at least one of the following thresholds:  Has annual gross revenues in excess of $25 million;  Annually buys, receives, sells, or shares for commercial purposes the personal information of 75,000 or more Louisiana residents, households, or devices; or  Derives 50% or more of annual revenues from selling Louisiana residents’ personal information. This structure is similar to the California Consumer Privacy Act (“CCPA”) and represents a significant departure from the thresholds used in most other comprehensive state privacy laws. Most notably, the revenue-based threshold may capture businesses, including those with few business-to-consumer sales, that would not be covered based on the processing of personal data or the volume thereof. Exemptions The LDPA exempts several types of entities, including financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofits, institutions of higher education, and electric public utilities. Data-level exemptions under the LDPA are broader than those found in most other comprehensive state privacy laws and encompass seventeen categories. Beyond the standard exemptions for protected health information under HIPAA, Fair Credit Reporting Act data, Family Educational Rights and Privacy Act and Driver’s Privacy Protection Act data, Farm Credit Act data, and employee and contractor data processed in the context of that relationship, the LDPA also exempts the following, among others: health records; certain patient identifying information; identifiable private information used in human subjects research under certain federal frameworks; Health Care Quality Improvement Act information; patient safety work product; and information collected solely for public health activities authorized under HIPAA. Key Definitions Consumer: The LDPA defines “consumer” to mean an individual who is a Louisiana resident acting only in an individual or household context. Individuals acting in a commercial or employment context are excluded, meaning employee personal data and business-to-business personal data fall outside the LDPA’s scope. Sensitive Data: Controllers must obtain affirmative consent before processing a consumer’s sensitive data. Consistent with other comprehensive state privacy laws, the LDPA defines “sensitive data” to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child (under 13); and precise geolocation data. Sale of Personal Data: The LDPA defines “sale of personal data” as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Businesses engaged in data-sharing arrangements that involve non-monetary benefits should assess whether those arrangements constitute a “sale” under the LDPA. Standard exemptions from the definition of “sale” apply for disclosures to processors or affiliates, consumer-directed disclosures, and transfers in connection with mergers and acquisitions. Compliance Controllers subject to the LDPA must provide consumers with a reasonably accessible and clear privacy notice disclosing the categories of personal data processed, the purposes of processing, and the process by which consumers may exercise their rights. The LDPA imposes two prescriptive notice requirements found in the TDPSA, but not in most other comprehensive state privacy laws: (1) if a controller sells sensitive personal data, it must post the notice “NOTICE: We may sell your sensitive personal data.” in the same manner as its general privacy notice; and (2) if a controller sells biometric personal data, it must similarly post “NOTICE: We may sell your biometric personal data.” The LDPA requires controllers to conduct and document data protection assessments for higher-risk processing activities, including targeted advertising, the sale of personal data, processing sensitive data, profiling that presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of or unlawful disparate impact on consumers; (ii) financial, physical, or reputational injury to consumers; (iii) an intrusion on the solitude or seclusion, or the private affairs, of consumers that would be offensive to a reasonable person; or (iv) other substantial injury to consumers; and any other processing presenting a “heightened risk of harm.” Assessments are confidential but the Attorney General may request them through a civil investigative demand. Controllers must also recognize universal opt-out preference signals, such as browser or device-level signals, through which consumers may opt out of targeted advertising and the sale of personal data. Importantly, the LDPA specifies that qualifying opt-out signals may not rely on a default setting; they must reflect an affirmative, freely given, and unambiguous choice by the consumer to opt out. Consumer Rights and Requests The LDPA grants Louisiana residents the following rights, consistent with the rights established under other comprehensive state privacy laws: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: If available in a digital format, consumers may obtain a copy of personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data, including through a designated authorized agent or a qualifying opt-out signal. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for targeted advertising purposes. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, healthcare, education enrollment, employment opportunities, criminal justice, or access to basic necessities such as food and water. Controllers must respond to requests within 45 days of receipt, with the ability to extend by an additional 45 days when reasonably necessary. Controllers must establish a conspicuously available appeal mechanism and respond to appeals within 60 days. If an appeal is denied, the controller must provide the consumer with access to the Attorney General’s online complaint mechanism. Enforcement The LDPA does not include a private right of action. The Louisiana Attorney General has exclusive enforcement authority and may pursue violations as unfair and deceptive trade practices under Louisiana’s Unfair Trade Practices and Consumer Protection Law (“UTPCL”). The LDPA expressly excludes private rights of action otherwise available under the UTPCL. From January 1, 2027 through July 31, 2027, the Attorney General must provide written notice at least 30 days before initiating an investigation, identifying the specific provisions alleged to be violated. The Attorney General may not proceed with the investigation if the business cures the alleged violation within the 30-day period. This cure period sunsets, meaning it will no longer be available, after July 31, 2027. This stands in contrast to the permanent cure periods available under some of the other comprehensive state privacy laws, such as those recently enacted in Oklahoma and Alabama. Conclusion The enactment of the LDPA represents the continued expansion of state-level data privacy regulation across the United States. While much of the LDPA will be familiar to businesses already operating under other comprehensive state privacy laws, its applicability thresholds, broad definition of “sale,” prescriptive sensitive and biometric data notices, and sunsetting cure period are features that require specific attention. Businesses should assess their compliance programs promptly and ensure they are updated before January 1, 2027 and fully mature before the cure period sunsets on July 31, 2027. If you would like assistance with, or have any questions about, complying with the LDPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

Lewis Rice Secures $1.95 Million in Compensation for Rock Island Trail Landowners

Securing a Legislative Victory for the American Car Rental Association

Lewis Rice member David W. Sweeney represented the American Car Rental Association (ACRA) in its effort to shape legislation governing the operations of Turo, an online car-sharing platform, at St. Louis Lambert International Airport. The initial bill would have permitted Turo to operate in airport garages within walking distance of passenger terminals, a proposal opposed by members of the St. Louis Airport Commission due to competitive concerns. David engaged with stakeholders to negotiate a revised agreement that addressed these objections while protecting the interests of ACRA. The final legislation limits Turo’s operations to three designated parking areas west of Terminal 1. The measure was opposed by the St Louis Airport Director but  approved unanimously by the St. Louis Board of Aldermen, marking a significant milestone in the legislative process. This outcome preserved competitive balance in the airport rental market and aligned with ACRA’s policy objectives. The case demonstrates how strategic advocacy and effective negotiation can deliver tangible results for industry associations facing complex regulatory challenges.

Oklahoma and Alabama Get the Ball Rolling Again, Enact Comprehensive Privacy Laws

Thus far in 2026, two states, Oklahoma and Alabama, have enacted state comprehensive data privacy laws, continuing the national trend of State-by-State privacy regulation in the absence of federal law. The Oklahoma Consumer Data Privacy Act (“OCDPA”) goes into effect on January 1, 2027. The Alabama Personal Data Protection Act (“APDPA”) goes into effect on May 1, 2027. While these laws largely follow other state comprehensive privacy laws, businesses that operate in or target products or services to residents in these states must comply with distinct features of these laws. Applicability OCDPA: The OCDPA applies to persons conducting business in Oklahoma or producing products or services targeted to Oklahoma residents and that during a calendar year either:  control or process personal data of at least 100,000 Oklahoma residents; or  control or process data of at least 25,000 Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data. APDPA: The APDPA applies to persons conducting business in Alabama or producing products or services targeted to Alabama residents and either:  control or process the personal data of more than 25,000 Alabama residents (excluding personal data processed solely for completing a payment transaction); or  derive over 25% of gross revenue from the sale of personal data, regardless of the number of residents. Exemptions Both the OCDPA and APDPA exempt financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, institutions of higher education, and nonprofits (though the APDPA limits this exclusion to nonprofits with less than 100 employees that do not sell personal data). Notably, the APDPA also includes a small-business exemption for businesses with fewer than 500 employees that do not sell personal data. The OCDPA does not include a small business exemption. Both laws also include data-level exemptions for protected health information under HIPAA, personal data processed by consumer reporting agencies under the Fair Credit Reporting Act, data regulated by the Family Educational Rights and Privacy Act, and data regulated by the Farm Credit Act. Key Definitions Consumer: Both laws narrowly define “consumer” to mean an individual resident of the respective state acting only in an individual or household context. Both laws exclude individuals acting in a commercial or employment context, meaning employee personal data and business-to-business personal data are outside the scope of both the OCDPA and APDPA. Sensitive Data: In line with other state comprehensive data privacy laws, both laws provide for a special category of personal data known as “sensitive data,” which both laws define similarly to include: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. Both laws require controllers to obtain consent prior to processing sensitive data. Additionally, if the controller has actual knowledge a consumer is between ages 13 and 16, the APDPA requires affirmative consent in order to sell the consumer’s personal data or using it for targeted advertising purposes. Personal Data: This is a key area of divergence between the two laws. The OCDPA defines “sale” of personal data narrowly to mean only the exchange of personal data for monetary consideration by the controller to a third party. In contrast, the APDPA defines “sale” of personal data more broadly to cover exchanges for monetary consideration or for “other valuable consideration,” and adds a novel requirement that the “controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data.” Businesses that engage in data sharing arrangements involving non-monetary benefits should carefully assess whether those arrangements trigger the APDPA’s requirements even if they would not under the OCDPA. Both laws include similar broad exceptions to the definition of “sale” for ordinary business disclosures, including transfers to processors, affiliates, and disclosures made to fulfill a consumer’s product or service request. Compliance Both the OCDPA and APDPA contain compliance obligations substantially similar to those found in other state comprehensive data privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into data processing contracts with processors. However, the two laws differ with respect to data protection assessments. The OCDPA requires controllers to conduct and document data protection assessments for processing activities involving targeted advertising, the sale of personal data, the processing of sensitive data, profiling in certain instances, or processing that presents a “heightened risk of harm” to consumers. The APDPA does not require data protection assessments at all. Additionally, under the APDPA if a consumer sends an opt-out preference signal (such as browser-based global opt-out signals), controllers may notify consumers of conflicting signals and provide the consumer an opportunity to confirm controller-specific privacy settings or participation in loyalty programs. Consumer Rights and Requests Both the OCDPA and the APDPA grant residents substantially the same set of consumer rights, which are consistent with the rights found in other state comprehensive data privacy laws. Those consumer rights include the following: Right to Access: Consumers may confirm whether a controller is processing their personal data and access that data. Right to Correction: Consumers may request correction of inaccuracies in their personal data. Right to Deletion: Consumers may request deletion of personal data provided by or obtained about them. Right to Data Portability: Consumers may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format. Right to Opt Out of Sale: Consumers may opt out of the sale of their personal data. Right to Opt Out of Targeted Advertising: Consumers may opt out of the processing of their personal data for purposes of targeted advertising. Right to Opt Out of Profiling: Consumers may opt out of profiling in furtherance of a decision that produces a legal or similarly significant effect, such as decisions affecting financial and lending services, housing, insurance, health care, education, employment opportunities, criminal justice, or access to basic necessities such as food and water. Both the OCDPA and APDPA require controllers to respond to consumer requests within 45 days, with the ability to extend by an additional 45 days when reasonably necessary. While the OCDPA provides consumers the right to appeal, the APDPA does not. The OCDPA allows a consumer to appeal if a controller declines to act on a consumer’s request. Controllers must respond to appeals within 60 days and, if the appeal is denied, must direct the consumer to the Oklahoma Attorney General’s online complaint mechanism. Enforcement and Rulemaking Authority Like most other state comprehensive privacy laws, neither the OCDPA nor the APDPA include a private right of action. The Oklahoma Attorney General has the exclusive authority to enforce the OCDPA, and the Alabama Attorney General has the exclusive authority to enforce the APDPA. The OCDPA provides for a 30-day cure period prior to initiating an enforcement action, while the APDPA provides for a 45-day cure period. Unlike some other state comprehensive data privacy laws, neither of these cure periods sunset, meaning that they will always be available, as opposed to having a limited duration. Each violation of the OCDPA can result in a civil penalty up to $7,500, while each violation of the APDPA can result in a civil penalty up to $15,000. Conclusion The enactment of the OCDPA and the APDPA represents the continued trend of states enacting comprehensive data privacy laws across the United States in the absence of federal legislation. While neither law is novel, there are meaningful differences that businesses operating in, or targeting residents of, these states must consider and comply with. Businesses should act promptly to assess their obligations under both laws and ensure compliance programs are updated accordingly before the effective dates. Entities already compliant with other state privacy laws will find much of the required groundwork already in place, but the unique features of each law warrant careful review. If you would like assistance with, or have any questions about, complying with the OCDPA, the APDPA, or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Data Protection attorneys. Check out our U.S. State Privacy Laws page for more information.

SEC Proposed Amendments to Permit Optional Semiannual Reporting

On May 5, 2026, the Securities and Exchange Commission ("SEC") proposed amendments to existing rules to provide reporting companies the option to file interim reports on a semiannual basis rather than quarterly. The idea underlying the proposed changes is that, freed from the need to prepare quarterly reports, companies may experience reduced compliance costs and regulatory burden and be able to provide more attention to company strategy and focus more resources on business growth. Furthermore, according to the SEC, a reduction in costs and regulatory burden may incentivize more private companies to enter the public markets. The 279-page proposal would make both substantive and technical amendments to the existing rules to account for the semiannual option. The technical amendments would amend existing rules and forms that refer to quarterly reporting so that they also reflect the semiannual reporting option. A discussion of certain key substantive proposed amendments is included below. How to Elect Under the proposal, companies would be able to elect on an annual basis whether they would continue to file their reports quarterly on Form 10-Q or semiannually on a new, proposed Form 10-S. The SEC is proposing to add a check box to the cover page of Form 10-K where, by checking the box, a company would indicate that it intends to file semiannually. If a company leaves the box unchecked, then it is indicating that it will file quarterly. For example, if a company with a calendar year fiscal year intended to report semiannually for 2029, it would check the box on its Form 10-K for calendar year 2028 that it would file in early 2029. For companies that have yet to file Exchange Act reports, the SEC is also proposing to add a similar check box to the cover page of Securities Act or Exchange Act registration statements.   The deadline for filing Form 10-S would be the same as the current Form 10-Q, 40 days (for large accelerated and accelerated filers) or 45 days (for all other filers) after the end of the fiscal period. If a company mistakenly checks the box or erroneously leaves it unmarked, the SEC is proposing that the company can fix any such inadvertent mistakes by filing an amendment to the Form 10-K as soon as practicable, but no later than the due date by which the company’s first Form 10-Q report would be required for such fiscal year. Companies would be bound to their election for the year in question, but would be able to switch their election on an annual basis. Thus, if the company in the example above wished to revert to filing quarterly in 2030, it would leave the semiannual reporting box unchecked in its Form 10-K for 2029 filed in early 2030. Required Disclosures in Form 10-S The proposed Form 10-S would require the same narrative disclosures and financial information as currently required by Form 10-Q but for the covered six-month period instead of a quarter. Accordingly, the required disclosures would include, among other matters, a management discussion and analysis, material legal proceedings, material changes in risk factors and exhibits required under Item 601 of Regulation S-K. The financial statements for the covered semiannual period would be required to be prepared in accordance with U.S. GAAP and reviewed by an auditor (but not required to be audited). The current disclosure and certification requirements for disclosure controls and procedures, as well as for internal control over financial reporting, would also apply. Regulation S-X Amendments  The SEC proposed amendments to Regulation S-X governing the age of financial statements to help ensure that, when semiannual filers file registration statements, their financial statements in those registration statements are not considered “stale” under existing rules built along a quarterly framework. The SEC also proposed amendments to simplify the existing rules governing the age of financial statements and consolidate these requirements in a single rule. In light of the significant interest in the proposal and the large number of public comments the SEC will receive (nearly 1,500 comments as of June 11, 2026), it is very likely that the final rules, if and when adopted by the SEC, will have changes, possibly material ones, from the proposal. The public comment period is open until July 6, 2026. Lewis Rice will continue to monitor for further developments regarding these proposed amendments.

Emily K. Bardon Named Chairperson of Saint Louis Fashion Fund

Lewis Rice and its Attorneys Recognized in Chambers USA 2026 Guide