Tech Law Top 3 - January 5, 2026

Transcript

Stanton 0:00

Hey everyone. Welcome to Tech Law Top three where we break down the most notable developments in privacy, cybersecurity, AI, and IP from last week in 10 minutes or less, to help you get your week started. I am your host, Stan Burke, and it's Monday, January 5th, 2026. We've got a busy first episode. Today we're covering Disney's $10 million settlement with the FTC. Why Perplexity AI says it shouldn't face Reddit's copyright claims. And ex AI's lawsuit challenging. California's AI Data Transparency Act Stick around to the end for some rapid updates, including which new state privacy laws went into effect on January one, New York's RAISE Act, and the launch of California's new data deletion platform. Let's dive right in. On Tuesday, a California federal judge approved a $10 million settlement resolving FTC allegations that Disney violated the Children's Online Privacy Protection Act or coppa. The FTC alleged that Disney failed to properly label certain kid directed content on YouTube as quote made for kids, which in turn allowed YouTube to collect children's personal data without the required parental notice and consent required under coppa. As part of the settlement, Disney must implement a compliance program to review and correctly designate videos that it posts to YouTube as made for kids. Unless YouTube either implements reliable age assurance technologies or eliminates creator based labeling altogether. Why does this matter? Well, that forward looking provision anticipates the growing push toward age assurance and verification as a key way to protect kids

1:42

online

Stanton 1:43

It's still early, but 2026 is shaping up to be the year of children's privacy and enforcement, and I think we'll see this trend continue. Shifting gears, let's talk about perplexity and Reddit. Reddit has long restricted automated scraping through both technical controls and its terms of service. And since last year has publicly raised concerns about AI companies using Reddit content at scale to train models or generate answers for users. Last fall, Reddit sued perplexity and others alleging violations of Section 1201 of the DMCA, the statute's anti circumvention provision. It alleges that the defendants bypassed Google's search guard protections to collect search engine results. Pages containing Reddit snippets, which were then used downstream by AI systems. On Friday, perplexity moved to dismiss arguing that Reddit failed to allege perplexity itself, circumvented any technological protection, and that search guard doesn't effectively control access because the same Reddit content remains publicly available through ordinary search results. So why does this matter? If the court agrees that Section 1201 liability is limited to the party that actually circumvents an access control? Or that search guard doesn't qualify as an access control. Platforms may need to rely far more on licensing and contract enforcement rather than DMCA theories to control AI related use of content. This is definitely one we'll continue to monitor. XI added to the noise last week as well. On Monday XI filed a lawsuit in California seeking to block enforcement of the state's generative AI Training Data Transparency Act, also known as AB 2013, which took effect a few days ago. On Jan one, The law would require developers of generative AI models to publicly disclose detailed information about the data sets use to train their systems. XAI argues the law is unconstitutional on several grounds. First, it claims the statute compel speech in violation of the First Amendment triggering strict scrutiny. Second, it argues the disclosure would force the release of trade secrets constituting an unlawful taking. And finally, it claims the laws impermissibly vague with respect to the disclosure requirements. Why does this matter? This case will be an interesting test of how far states can go. In mandating public AI transparency. the court could narrow or block the statutes public disclosure requirements, specifically if they conclude that it forces companies to reveal protected trade secret information or compel speech. Just last year, net choice successfully challenged California's age appropriate design code act on First Amendment grounds, and that law still remains on hold. We're also seeing this argument being made across other states with pending a legislation including Colorado, Texas, Utah, and others. Let's pivot to legislation on January one. Comprehensive state privacy laws went into effect in Kentucky, Indiana, and Rhode Island. All three state privacy laws follow the business friendly Virginia model rather than California CCPA or Colorado's more prescriptive approach. There's nothing revolutionary here. The laws provide familiar consumer rights like access deletion, correction, opt-outs for targeted ads and profiling, and can sit requirements for certain uses of sensitive data. None included private right of action or currently require compliance with universal opt-out mechanisms or the GPC. One notable wrinkle, Rhode Island does not include a 30 day cure period, which is still common across most other state privacy laws. Shifting gears to New York, New York, governor Kathy Hoel recently signed a modified version of the Responsible AI Safety and Education Act. Or the raise act. The law applies to developers of large frontier AI models, largely defined by compute spend, and takes effect on January 1st, 2027. Covered entities must adopt and publish safety and security protocols, review them annually, and report AI safety incidents to the relevant authorities within 72 hours. Notably, the signed version significantly reduces penalties. To $1 million for a first violation and $3 million for subsequent violations down from the much steeper 10 million and $30 million penalties in earlier drafts. The final law is far more about transparency in reporting than restricting deployment of high risk AI models. Last but not least on January one, Cal Privacy, formerly known as the California Privacy Protection Agency, launched a new tool called the Delete Request and Opt Out platform or drop. The platform was initially mandated by the California Delete Act, passed in October, 2023, and went through rounds of amendments in public comment periods. So what is Drop? Drop allows consumers to submit a single deletion request to every registered data broker in California to delete or reduce the personal data. These data brokers collect, sell, or retain. This is intended to be a one click deletion mechanism designed to materially lower the friction for consumers to exercise their rights at scale. And it is quite prescriptive for data brokers to implement data brokers must begin processing drop requests on August 1st, 2026 by checking drop at least every 45 days to pull requests, updating the request status within 45 days of retrieval. And deleting any match data within 90 days. Bottom line, California just gave consumers a one click deletion mechanism and the state intends to enforce that's all we have for today. Thanks for listening to Tech Law Top Three and Happy New Year. Be sure to hit that follow button and share this with your friends. We'll see you next week.