Photo of Aaron Francis

Aaron Francis

Subscribe to Aaron Francis's Posts

Aaron Francis is an associate in the Litigation Department and a member of the Data Privacy and Cybersecurity Litigation Group.

Aaron's practice focuses on complex civil litigations, internal and regulatory investigations, and arbitrations, covering a range of types of disputes, including cybersecurity, commercial contracts, and securities.  He also advises, counsels, and represents various pro bono clients, including non-profit organizations on issues related to harassment and discrimination, incarcerated survivors of domestic violence in criminal appeals, and multiple other entities in civil rights litigation.

Aaron is a member of Proskauer’s Black Lawyers Affinity Group.

Contact:Read more about Aaron Francis

Key Takeaways

  • In a recent decision by the Ninth Circuit in Briskin, the court ruled that e-commerce platform Shopify purposefully directed its conduct toward California because of its nationwide operations, rejecting the need for differential targeting of a forum state.
  • Notably, the court found a direct causal nexus between Shopify’s conduct and Briskin’s claims, deeming an exercise of specific jurisdiction over Shopify in California fair and reasonable.
  • Legal scholars are concerned that the decision could broadly expand the scope of specific personal jurisdiction and increase litigation risks for online platforms.
  • Companies should reassess their data practices and anticipate forum shopping by plaintiffs following Briskin.

Key Takeaways:

  • CPPA launched its first major enforcement action in targeting connected vehicle-maker Honda.
  • Connected vehicles often collect various kinds of sensitive driver information, including geolocation, biometric and behavioral data.
  • After the CPPA found Honda in violation of several CCPA provisions, the company agreed to settle the enforcement action for approximately $650,000 while also agreeing to adopt certain remedial measures.
  • Other Connected vehicle-makers have also experienced a spike in regulatory scrutiny, signaling rising enforcement pressure and growing expectations for privacy-by-design.

Key Takeaways:

  • Ed tech company PowerSchool’s recent breach exposed the data of approximately 60 million students and 10 million educators.
  • Hacker gained access via a compromised employee password and remained undetected for nine days.
  • Sensitive personal data, including Social Security numbers and medical histories, was potentially compromised, raising a number of legal and regulatory concerns.
  • The breach underscores the urgent need for stronger third-party oversight and security requirements.

2024 marked another significant year for privacy law, with new state legislation and high-stakes litigation reshaping the landscape. Legal battles over tracking technologies, biometric data, and children’s privacy intensified, while federal agencies, including the Federal Trade Commission (“FTC”) and the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”), ramped up their efforts through major enforcement actions and high-profile settlements, marking a new era of increased accountability.

  • Amazon faces allegations of unauthorized data collection in violation of federal and state privacy laws, including a first-of-its-kind claim under Washington’s My Health My Data Act (“MHMDA”).
  • The MHMDA restricts businesses from collecting, sharing, or selling any-health related information about a consumer without their consent of “valid authorization”, going

Repurposing old laws to challenge new technologies has become the new normal in the privacy space. Plaintiffs continue to bring a kaleidoscope of privacy claims against companies in the tech age, reviving laws like the California Invasion of Privacy Act of 1994 (“CIPA”), Video Privacy Protection Act (“VPPA”), Telephone Consumer Protection Act (“TCPA”), Pennsylvania Wiretapping and Electronic Surveillance Control Act, and Arizona Telephone, Utility, and Communication Service Records Act.

  • There has been a recent surge of privacy class action lawsuits under the Arizona Telephone, Utility, and Communication Service Records Act targeting the use of common email marketing analytics technologies.
  • Defendants are asserting standard defenses including lack of Article III standing as well as challenging the 2007 Arizona law’s applicability to email tracking pixels.