On April 21, 2025, significant developments in data privacy laws unfolded across the United States, reflecting growing tensions between state regulations and the expansive reach of technology companies. In a landmark ruling, the 9th U.S. Circuit Court of Appeals revived a proposed data privacy class action against Shopify, a Canadian e-commerce platform, allowing it to be sued in California for allegedly collecting personal data without consent. Meanwhile, Project Veritas filed a petition with the U.S. Supreme Court challenging Oregon's audio recording law, which restricts citizens from secretly recording conversations, raising questions about First and Fourth Amendment rights.
The Shopify case stems from a complaint by California resident Brandon Briskin, who accused the company of installing tracking software, known as cookies, on his iPhone without his consent during a purchase from a retailer. Briskin claimed that Shopify used this data to create a profile that could be sold to other merchants. Shopify contended that it should not be held accountable in California, arguing that its operations are nationwide and not specifically aimed at the state. However, the appeals court ruled that Shopify "expressly aimed" its conduct towards California residents, emphasizing that the company knowingly installed tracking software on unsuspecting users’ devices.
In a 10-1 decision, the court highlighted the importance of local jurisdiction, with Circuit Judge Kim McLane Wardlaw stating that Shopify's actions were neither random nor isolated. This ruling has broader implications, as a bipartisan group of 30 states and Washington, D.C., sided with Briskin, advocating for the ability to enforce consumer protection laws against companies that operate within their digital marketplaces. The U.S. Chamber of Commerce, however, supported Shopify, arguing that a broad jurisdictional grant could negatively impact backend service providers operating globally.
Simultaneously, Project Veritas's petition challenges Oregon's law, which prohibits citizens from secretly recording conversations without the consent of all parties involved. The law was upheld by the Ninth Circuit in the name of "conversational privacy," but critics argue that it infringes on First Amendment rights. The petition seeks Supreme Court review of the Ninth Circuit's en banc decision, focusing on the conflict between First Amendment protections of free speech and Fourth Amendment rights concerning privacy.
Federal law generally permits individuals to record their own conversations without notice, but states like Massachusetts, Oregon, and Montana maintain strict regulations against secret recordings. In 2021, Oregon's appellate court upheld a conviction against a citizen who secretly recorded a meeting with state personnel, illustrating the legal risks involved in such actions. The Project Veritas petition contends that the law's restrictions on audio recording are overly broad and arbitrary, potentially stifling free speech.
The ongoing legal battles reflect a growing concern over data privacy and the implications of technology on individual rights. As the House Energy and Commerce Committee's privacy working group seeks stakeholder input on a data privacy and security framework, the need for robust protections against invasive data practices becomes increasingly urgent. On April 7, 2025, the Center for American Progress (CAP) submitted formal comments to the working group, identifying four critical protections essential for any federal privacy framework: strong data minimization requirements, narrowly tailored permissible purposes, universal opt-out mechanisms, and clear provisions regarding artificial intelligence (AI).
CAP's research emphasizes the importance of data minimization, which restricts companies from collecting and processing personal data beyond what is necessary for delivering services. This principle, established in the Privacy Act of 1974, is crucial for reducing the risks associated with data breaches and commercial exploitation. However, tech firms, often represented by trade associations, have consistently opposed strong privacy protections, arguing against stringent regulations.
Moreover, the proposed framework must include narrowly defined exceptions for permissible data use, particularly concerning law enforcement. CAP argues that companies should only share data with law enforcement if it was legally collected and under a valid legal process, such as a warrant. Vague terms like "public safety" must be strictly defined to prevent misuse of personal data.
Another key element of CAP's recommendations is the implementation of universal opt-out mechanisms, allowing individuals to easily communicate their privacy preferences across multiple platforms. This would enable users to manage their privacy settings without navigating through numerous websites and apps, thus enhancing their control over personal data.
Lastly, CAP calls for clear prohibitions on the use of AI systems that rely on extensive personal data collection. As AI technologies become more prevalent, it is vital to establish safeguards against high-risk applications, such as biometric surveillance and social scoring, which threaten individual rights and democratic norms.
In the midst of these developments, Clearview AI faces challenges regarding its biometric data privacy settlement. Objectors to the settlement have filed an appeal, arguing that the arrangement would not alter Clearview's conduct and does not guarantee monetary compensation for class members. The appeal, filed by Robert Weissman and Rick Claypool, aligns with the concerns expressed by 23 attorneys general in an amicus brief.
As the legal landscape continues to evolve, the outcomes of these cases could set important precedents for data privacy and individual rights in the digital age. The intersection of technology and privacy law remains a contentious arena, with ongoing debates about the balance between innovation and the protection of personal information.
