Information Privacy

The Collapse of Capability Theory: Ambriz, Popa, and the Future of Article III Standing in AI Privacy Cases

viv.daniel Article, Blog , , , , ,

The Collapse of Capability Theory: Ambriz, Popa, and the Future of Article III Standing in AI Privacy Cases

Caroline Aiello

 

Introduction

In February 2025, the Northern District of California denied Google’s motion to dismiss in a class action lawsuit that claimed Google’s artificial intelligence (“AI”) tools violated the California Invasion of Privacy Act (“CIPA”) by transcribing phone calls of users.[1] The court in this case, Ambriz v. Google, ruled that Google’s technical “capability” to use customer call data to train its AI models was enough to state a claim under California’s Invasion of Privacy Act, regardless of whether or not Google actually exploited that data.[2] Six months later, the Ninth Circuit took the opposite approach. The later ruling in Popa v. Microsoft held that routine website tracking did not constitute actual harm and the claims were dismissed for lack of Article III standing before reaching the merits.[3]

These two decisions present privacy law with incompatible standards. Ambriz asks what a technology could do with personal data and finds liability in that potential. Popa demands proof of what a technology actually did and requires concrete injury beyond the action itself. The collision between the two theories is inevitable. When a plaintiff sues an AI company under Ambriz’s capability theory, alleging that the defendant’s system has the technical ability to misuse data, and the defendant responds with a Popa-based standing challenge, the courts will face an impossible choice. The capability to cause harm is not the same as harm itself, and if capability cannot satisfy Article III’s concrete injury requirement, then Ambriz’s approach becomes constitutionally unenforceable in federal court. While Popa has not technically overruled Ambriz, the Ninth Circuit will inevitably need to choose which standard to adopt. 

Continue reading

AI Tracking in Small Town Maine?: Real Life Optimization and Our Expectation of Privacy

viv.daniel Article , , , ,

AI Tracking in Small Town Maine?: Real Life Optimization and Our Expectation of Privacy

Viv Daniel

 

I. Introduction

Increasingly, the intangible world of the internet has been likened to physical space – the concept of the “digital town square,” the term “online space,” and the short-lived promise of the metaverse all come to mind – but recent developments beg the question: Are our physical spaces starting to resemble digital life?

This year, Old Town, Maine became the latest Bangor-area community to sign up for Placer.ai’s services through the Greater Bangor Recreation Economy for Rural Communities group, which is part of Eastern Maine Development Corporation.[1] The AI service collects location data from the smartphones of people moving in and out of these communities, alongside information about where these phones were immediately before and after moving through the monitored area.[2] The AI also collects personal data about the smartphone’s owner, including income level and other demographic information.[3]

In 2025, many Americans might expect that their movements from site-to-site online are being tracked, and their data collected along the way. In their real physical lives, even, most Americans put up with a certain degree of tracking and data collection in the form of surveillance cameras, cell-site location information (CSLI), and the like.[4] Still, many people would likely be surprised to find that their local government (or that of their vacation destination) had contracted with a private company to track their movements and income. So, why would a city or town sign up for such a tracking program?

Continue reading

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

viv.daniel Paper , , ,

Put the Katz Back in the Bag: Restoring Privacy Rights in the Digital Age

Tommy Scherrer

 

The word “privacy” appears nowhere in the Constitution, yet the Supreme Court has recognized that a constitutional right to privacy emerges from certain “penumbras, formed by emanations” of guarantees in the Bill of Rights.[1] Of these guarantees, that of the Fourth Amendment provides the clearest architecture for a right to privacy by recognizing the individual citizen’s dominion over their “persons, houses, papers, and effects,” and requiring the government to justify any intrusion.[2] This article argues for a restoration of the American privacy regime to this original foundation: enforceable boundaries that empower individuals to control access to their lives.

I. Introduction

The Court complicated the foundations of American privacy rights in Katz v. United States when it reimagined privacy rights as a matter of “reasonable expectations.”[3] That formulation was intended to liberalize the Fourth Amendment and extend its protections beyond physical trespass. However, by grounding privacy rights in what a small group of lawyers believe society recognizes as “reasonable,” the Court detached protection from the concrete boundaries of the Constitution and created an ambiguous standard. As we journey further into the 21st century, and state and private surveillance become normalized as necessary to a secure society, our general expectation of privacy is shrinking rapidly, and our rights are shrinking with it.

The text of the Constitution protects citizens through their persons, homes, papers, and effects—real places and things that anchor enforceable boundaries. Katz inverted that logic by replacing hardline rules with shifting baselines and mistaking trust for consent to surveillance. In the decades that followed, this logic hardened into the third-party doctrine, which holds that any information shared with others loses constitutional protection.[4] The consequences of this doctrine are especially harsh in today’s world, when nearly all personal information flows through third parties. If privacy rights are to remain a foundation of democratic life, they need to be grounded in some sort of enforceable boundary. Because today’s data and the inferences drawn from it can reach further into private life than any physical trespass, the protections of the Fourth Amendment must be interpreted with that reality in mind.

Continue reading

Data Sovereignty in the Age of Digital Nationalism: The Case of TikTok and the Global Fragmentation of the Internet

viv.daniel Paper , , , , ,

Data Sovereignty in the Age of Digital Nationalism: The Case of TikTok and the Global Fragmentation of the Internet

Aysha Vear

 

I. Introduction

Social media has significantly changed the ways in which individuals both receive information and exchange it. As these applications and platforms have increasingly become part of the everyday lives of citizens and further incorporated into their daily interactions, the issue of social media regulation has been a clear focal point of legal and political discourse. Today there exists a growing concern about American citizens’ data with respect to Chinese influence and intrusion. Consequently, the House of Representatives presented a bill in 2024 to mitigate these fears. H.R. 7521 would force the foreign ownership of TikTok, a social media platform controlled by Chinese parent company ByteDance, to divest or face a broad federal ban.[1]

TikTok is centered on short videos created and uploaded by users who are able to create, share and interact with networks of content,[2] and it has quickly become one of the most popular apps in the United States.[3]  It is “a mass marketplace of trends and ideas and has become a popular news source for young people”[4] with sixty-two percent of eighteen to twenty-nine year olds saying that they use the app[5] which reached a billion users in 2021.[6]  The app got its start in the U.S. as an app called “Musical.ly” but was acquired by the Chinese company ByteDance in 2018 and rebranded as TikTok.[7] ByteDance is headquartered in Beijing and it launched “Douyin,” the Chinese TikTok equivalent in 2016 prior to the “Musical.ly” acquisition. It is this affiliation with China and the Chinese app that flagged concern for United States government officials and this case represents a growing trend of national governments asserting greater control over digital platforms and the content which citizens consume.

This highlights a growing trend toward countries treating data governance as a national security issue. Data sovereignty is a concept that refers to “a state’s sovereign power to regulate not only cross-border flow of data through uses of internet filtering technologies and data localization mandates, but also speech activities . . . and access to technologies.”[8] Governments are introducing laws to prevent foreign control over citizen data, such as China’s Data Security Law and India’s restriction on data localization. Given that these laws have different aims and approaches to governance as well as shifting priorities, they have increased geopolitical competition between the U.S., China, and the EU. While data sovereignty is a necessary framework for global internet governance, its implementation must balance security concerns with the need to prevent a fragmentation of the internet as we know it. More countries are scrambling to control the flow of data in and out of their national borders and, as such, “the rise in data localization policies has been a contributing factor in declining internet freedom.”[9] This paper will explore the different approaches of the United States, China, and the European Union in controlling cross-border data flows. Next, looking through a specific lens at the TikTok forced divestiture and attacks on other Chinese entities, it will explore the growing trend of data sovereignty and attempt to find the balance in national security and digital openness. Finally, the paper will suggest possible solutions for the growing need for better collaboration in the digital sphere.

Continue reading

Spoiled for Choice: AI Regulation Possibilities

viv.daniel Blog , , ,

Spoiled for Choice: AI Regulation Possibilities

William O’Reilly

 

I. Introduction

Americans want innovation and they believe advancing AI benefits everyone.[1] One solution to encourage this is to roll back regulations.[2] Unfortunately, part and parcel with the innovations are several harms that are likely to result from the inappropriate use of personal and proprietary data and AI decision-making.[3]  There is an option to ignore this potential harm and halt regulations to encourage the spread of personal information.[4] This option is not in the best interest of the country because the U.S. is already losing the innovation race in some respects. Innovation can still occur despite heavy regulations. Virginia is the latest state to pursue the “no regulation” strategy, and it provides a good microcosm to highlight the challenges and advantages of this approach.[5] Virginia’s absence of regulation falls on a spectrum of legislation that demonstrates options for states to protect rights and innovation. As this article discusses further, curbing AI regulation on companies will not advance innovation enough to justify the civil rights violations perpetuated by current AI use.

Continue reading

It Will Take A Village To Ensure An Authentic Future For Generation Beta

zion.mercado Blog , , , , , ,

It Will Take a Village to Ensure an Authentic Future for Generation Beta

By: Susan-Caitlyn Seavey

 

Introduction

One of the many glaring issues that future generations will face is the decline in frequency of in-person human interactions. Today’s technology, especially artificial intelligence (AI) offers unparalleled tools that can be used for the betterment and progression of humanity. For example, new customer service bots, called “conversational agents” are responding to customer inquiries with efficient, personalized and human-like responses, “reshaping how we engage with [ ] companies, [and] creating a world where efficiency meets empathy–or at least an impressively convincing facsimile of it.”[1] AI software is also providing efficiency for individuals through multitasking functions, auto-generated answers to questions, and draft responses to texts and emails, saving the user valuable time. However, this technology can also create unrealistic standards and attractive environments that isolate individuals from their reality. Around the globe, AI technology is becoming more normalized and ubiquitous with software like co-pilot in the workplace and AI robots as companions, friends and romantic partners at home. The rapid development is “particularly concerning given its novelness, the speed and autonomy at which the technology can operate, and the frequent opacity even to developers of AI systems about how inputs and outputs may be used or exposed.”[2] We face the challenge of balancing the benefits of efficiency and progression of this technology with the risk of being fully consumed by it, and at the cost of our youngest members of society.

This powerful technology should be used to embrace reality and continue striving for a better world; one that actually exists off of a screen. Jennifer Marsnik summarized this challenge well by contemplating how society can “maintain authenticity, human intelligence and personal connection in a landscape increasingly dominated by algorithms, data and automation.”[3] Young minds are the most susceptible to the unrealistic standards and depictions AI can create. Considering the difficulty even adults can sometimes have when determining whether a visual is real or generated by AI, the young generations with their still-developing minds will evolve in this landscape of not always knowing what is authentic and what is not. If society fails to provide safeguards and implement protections around children and their use of our ever-progressing technology, we could end up with future generations being stuck in a perpetual a cycle of unrealistic expectations and disappointment in the real world, prompting more isolation and leading to the degradation of communities. Preserving authentic relationships and interactions with the real world will require a village: Congress must support new and developing legislation for online safety for children, companies should adopt management frameworks and clearinghouse functions to ensure transparency and accountability in consumer engagement, and parents, teachers, and community leaders must work together to encourage social-emotional learning and in-person interactions in children and teens at home, at school, and in their communities.

Continue reading

Privacy in Death: Conserving your Power in Legacy

zion.mercado Paper , , , , ,

Privacy in Death: Conserving your Power in Legacy

Gabriel Siwady-Kattan

 

Introduction

Throughout our lives, we store everything online. This means that not only can a person keep physical assets in a bank; they can also have digital assets available online for access and distribution. Who should be able to access those assets when we die? The IRS defines a digital asset as “a digital representation of value recorded on a cryptographically secure distributed ledger or similar technology” and names as examples convertible virtual currency and cryptocurrency, stablecoins, and Non-Fungible Tokens (NFTs).[1] The IRS further elaborates that “[i]f a particular asset has characteristics of a digital asset, [then] it’s treated as one for federal income tax purposes.”[2] Beyond digital assets that have a financial component to them, however, are also images, videos, digital documents, and electronically-stored music. These could be held by any person, and in our modern age, most people have an account where their digital information is stored, whether in an Apple, Google, Facebook, or Instagram account. The existence of digital assets has brought many issues, including how to deal with the distribution of digital assets at the time of death.

To deal with this issue, the Uniform Law Commission (ULC) drafted the Uniform Fiduciary Access to Digital Access Act (hereinafter referred to as the Digital Assets Act).[3] This Act essentially treated digital assets as it would any other kind of traditional property a person held at the time of their death.[4] This meant that an executor had near unsupervised power to access, manage, and distribute a decedent’s digital assets.[5] Under the Digital Assets Act, an executor had the same access to digital assets as an owner had at the time of their death.[6]

Naturally, this “open-access approach” could raise personal privacy concerns. What if, in the process of getting a decedent’s affairs in order, an executor came across communications with a third party? What if that communication shed light on an unknown aspect of the deceased’s life? What if that communication was meant to remain confidential? And what about that third party’s identity?

On top of these personal privacy concerns, the Digital Assets Act’s provisions were contrary to some tech companies’ terms of use agreements. For example, tech companies have their own ways of managing the content on their platform, and often control or limit the agency a user or consumer might have over their own communications. To this end, tech companies almost always require users to agree to a terms of use agreement, which typically includes provisions on how and to whom data may be shared.

Continue reading

Profits Over Privacy: A Confirmation of Tech Giants’ Mass Surveillance and a Call for Social Media Accountability

zion.mercado Blog , , , , , , , ,

Profits Over Privacy: A Confirmation of Tech Giants’ Mass Surveillance and a Call for Social Media Accountability

Aysha Vear

 

In an effort to better understand the data collection and use practices of major social media and video streaming services (SMVSSs), the Federal Trade Commission issued orders to file Special Reports under Section 6(b) of the FTC Act[1] to nine companies in 2020.[2] The orders sought to understand how the companies collect, track, and use their consumers’ personal and demographic information; how they handle advertising and targeted advertising; whether they apply algorithms, data analytics, and artificial intelligence (AI) to consumer information; and how their practices impact children and teens.[3] Titled, “A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services,” the 2024 report has been four years in the making and a key but unsurprising finding was that the business model of targeted advertising was the catalyst for extensive data gathering and harmful behaviors, and companies failed to protect users, particularly children and teens.[4]

Data Practices and User Rights
Companies involved in the FTC report collected a large amount of data about consumers’ activity on their platforms and also gleaned information about consumers’ activity off of the platforms which exceeded user expectations.[5] The Commission found that a massive amount of data was collected or inferred about users including demographic information, user metrics, or data about their interaction with the network.[6] With respect to specific privacy settings, many companies did not collect any information at all about user changes or updates to their privacy settings on the SMVSSs.[7]

The information came from many places as well. Some information on users collected by the companies was directly input by the SMVSS user themselves when creating a profile; passively gathered from information on or through engagement with the SMVSS; culled from other services provided by company affiliates or other platforms; inferred from algorithms, data analytics, and AI; or from advertising trackers, advertisers, and data brokers. Data collected was used for many different purposes including for targeted advertising, AI, business purposes like optimization and research and development, to enhance and analyze user engagement, and to infer or deduce other information about the user.[8] In addition, most companies deliberately tracked consumer shopping behaviors and interests.[9] Little transparency, if any, was provided on the targeting, optimization, and analysis of user data.

Continue reading

Google’s New AI-Powered Customer Service Tools Spark Back-to-Back Class Action Lawsuits

zion.mercado Blog , , , , , , ,

Google’s New AI-Powered Customer Service Tools Spark Back-to-Back Class Action Lawsuits

Zion Mercado 

 

Google recently began rolling out “human-like generative AI powered” customer service tools to help companies enhance their customer service experience.[1] This new service is known as the “Cloud Contact Center AI,” and touts a full package of customer service-based features to help streamline customer service capabilities.[2] Companies who utilize the new service  can create virtual customer service agents, access AI-generated insights providing feedback on customer service interactions, store and manage data on a specialized “Contact Center AI Platform,” and consult with Google’s team of experts on how to improve the AI-integrated systems.[3] However, one key feature that has recently come into controversy is the ability for customers to utilize real-time AI-generated responses to customer inquiries which can then be relayed back to the customer by a live agent.[4] This is known as the “Agent Assist” feature.

Agent Assist operates by “us[ing] machine learning technology to provide suggestions to . . . human agents when they are in a conversation with a customer.”[5] These suggestions are based on the company’s own data and conversations.[6] Functionally, when Agent Assist is in use, there are two parties to the conversation: the live customer service agent, and the customer. The AI program listens in and generates responses in real time for the live customer service agent. Some have argued that this violates California’s wiretapping statute by alleging that the actions of Google’s AI program, which is nothing more than a complex computer program, are attributable to Google itself.[7] Those who have done so have alleged that Google, through its AI-integrated services, has been listening in on people’s conversations without their consent or knowledge.[8]

The wiretapping statute in question is a part of the California Invasion of Privacy Act (“CIPA”), and prohibits the intentional tapping, reading, or any other unauthorized connection, whether physically or otherwise, with any communication being transmitted via line, wire, cable, or instrument without the consent of all parties to the communication.[9] It is also unlawful under the statute to communicate any information so obtained or to aid another in obtaining information via prohibited means.[10]

In 2023, a class action lawsuit was filed against Google on behalf of Verizon customers who alleged that Google “used its Cloud Contact Center AI software as a service to wiretap, eavesdrop on, and record” calls made to Verizon’s customer service center.[11] In the case, District Court Judge Rita F. Lin granted Google’s motion to dismiss on grounds that the relationship between Google and Verizon and the utilization of the Cloud Contact Center AI service fell squarely within the statutory exception to the wiretapping statute.[12] Now, the wiretapping statute does contain an explicit exception for telephone companies and their agents, which is the exception upon which Judge Lin relied; however, that exception is narrowed to such acts that “are for the purpose of construction, maintenance, conduct or operation of the services and facilities of the public utility or telephone company.”[13]

Continue reading

State Data Privacy & Security Law as a Tool for Protecting Legal Adult Use Cannabis Consumers and Industry Employees

zion.mercado Paper , , ,

State Data Privacy & Security Law as a Tool for Protecting Legal Adult Use Cannabis Consumers and Industry Employees

By: Nicole Onderdonk

1. Introduction

The legalization of adult use cannabis[1] at the state level, its continued illegality at the federal level, and the patchwork of privacy regulations in the United States has generated interesting academic and practical questions around data privacy and security.[2]  At risk are the consumers and employees participating in the legal recreational cannabis marketplace— particularly, their personal information.[3]   For these individuals, the risks of unwanted disclosure of their personal information and the potential adverse consequences associated with their participation in the industry varies significantly depending on which state an individual is located in.[4]  Further, while these are distinct risks, the unwanted disclosure of personal information held by cannabis market participants may significantly increase the degree and likelihood of an individual experiencing adverse employment-related consequences due to recreational cannabis use.  Therefore, data privacy and security laws can and should be deployed by states as a tool to not only protect legal adult use cannabis consumers’ and employees’ personal information, but also their interests and rights more broadly related to their participation in the legal cannabis market.

Privacy law and cannabis law are both arenas where states are actively engaged in their roles in the federalist system as “laboratories of democracy.”[5]  The various state-by-state approaches to protecting consumer and employee data privacy and legalizing recreational cannabis have taken various shapes and forms, akin to other areas of the law where there is an absence or silence at the federal level.  This divergence may create problems and concerns,[6] but it also may reveal novel solutions.  Regarding the personal data of recreational cannabis consumers and industry employees, the strongest solution that emerges from an analysis of the current state-by-state legal framework is a hybrid one—taking the most successful aspects from each state’s experimentation and deploying it to protect legal adult use cannabis market participants from collateral adverse consequences.

Continue reading