In the beginning of March, I gave a presentation on AI legal developments. One of the attendees astutely pointed out that the current legal framework seems to focus on B2C use cases. I agreed. The focus is consumer protection. About 10 days later, I spoke at an AI contracting livestreaming event. Preparing for it gave

John Pavolotsky
John Pavolotsky focuses his practice on data privacy, security matters, complex technology transactions. On privacy and security matters, John advises a broad range of clients on general compliance, use of new(er) technologies such as artificial intelligence (AI), data incidents, and breach response. On technology transactions matters, John assists clients with technology licensing, collaboration and joint development agreements, and cloud (XaaS) services agreements, among others. In addition, John advises clients in privacy, cybersecurity, and intellectual property matters in mergers and acquisitions (M&A) transactions. Click here for John Pavolotsky's full bio.
The 24-Hour AI News Cycle: Keeping Up with Legal and Regulatory Developments
AI is evolving at a breakneck pace, making it increasingly difficult for businesses and legal professionals to track critical developments. Whether you’re an AI model developer, deployer, investor, or infrastructure provider, staying informed on AI’s risks and benefits requires a strategic approach. This article explores key AI regulatory trends and offers a framework for organizations…
Navigating Data Broker Privacy Compliance: Top 5 Considerations
Data brokers face significant compliance challenges in the evolving landscape of data privacy laws. With multiple state regulations, stringent registration requirements, and heightened enforcement, data brokers must take proactive steps to mitigate risk. Here are five key compliance takeaways:
- Broad Definition of Data Brokers – Many businesses may unknowingly qualify as data brokers under laws
A Deeper Dive into the Proposed Modifications to the HIPAA Security Rule
In our earlier post, we wrote:
“Through December 20, 2024, 575 security incidents involving unsecured protected health information affecting 500 or more individuals had been reported to Health and Human Services. Through the same date in 2023, 265 incidents had been reported. On December 27, 2024, the Office of Civil Rights at HHS issued…
Data Privacy and Cybersecurity Look Ahead: First Half of 2025
Privacy and cybersecurity are incredibly dynamic, and in 2025 we have committed ourselves to a look ahead post every six months, with the next one in July 2025. The new Congress convened on January 3, 2025, and a new administration starts on January 20. Most state legislatures reconvene in early-to-mid January. If you track privacy…
Just Around the Corner: The Utah Consumer Privacy Act (“UCPA”)
2023 has seen a flurry of general state privacy laws, with twelve (12) such laws now on the books. The next one to “go live,” on December 31, 2023, is the Utah Consumer Privacy Act (UCPA). With no general federal privacy law in sight, the state privacy landscape continues to get more crowded and challenging…
Working with Artificial Intelligence: Privacy Pitfalls (and Opportunities)
As consumer demand for new artificial intelligence (“AI”) tools continues to grow, businesses must be prepared to build tools with “privacy by design” principles in mind, and to remain educated about privacy best practices and risk mitigation strategies when working with AI. The following areas provide the greatest opportunities to manage data privacy risks and…
A New Consumer Personal Data Protection Law in Oregon
Q&A about the new Oregon consumer personal data protection law.
Continue Reading A New Consumer Personal Data Protection Law in Oregon
A New Consumer Data Protection Bill in Oregon: A Summary of SB 619

Earlier this month, the Oregon state legislature introduced Senate Bill (SB) 619, “relating to protections for the personal data of consumers.” The bill has since been referred to the Senate Committee on Judiciary and the Joint Committee on Ways and Means. Of course, Oregon would not be the first state to enact general, or omnibus, privacy legislation; to date, five states (California, Virginia, Colorado, Connecticut, and Utah) have done so, with the first two operative as of today. Likewise, Oregon is not the only state to introduce new omnibus privacy legislation this month. The introduction of this bill (and other general state privacy legislation) remains significant because the prospect for omnibus federal privacy legislation (in the near term) fizzled out when the 117th Congress adjourned.
No bill exists in a vacuum. Structurally, SB 619 generally follows the Virginia Consumer Data Protection Act (VCDPA), as do the laws enacted by Colorado, Connecticut, and Utah.
SB 619 is only 17 pages long, not as slim as the VCDPA (8 pages), but not as bulky as the California Consumer Privacy Act (59 pages). Unlike the CCPA, SB 619 does not reference any implementing regulations; however, implementing regulations could be added.
As with any omnibus state privacy bill, the proposed legislation raises some key questions:Continue Reading A New Consumer Data Protection Bill in Oregon: A Summary of SB 619
The Current State of General State Privacy Laws
It’s a great time to be a privacy attorney. On October 17, 2022, the California Privacy Protection Agency (CPPA) released the next draft of the regulations under the California Privacy Rights Act of 2020 (CPRA) as well as a document explaining the proposed modifications. Two days of public hearings were recently held on October 21-22…