Skip to content
vCard Download
By clicking on the Submit button below, you are downloading the Loeb contact's vCard

Hashed & Salted: Vol. 5, Issue 1

Client Alerts/Reports

Hashed & Salted | A Privacy and Data Security Update

The first quarter of 2026 brought few surprises in U.S. privacy law and regulation.

While a new federal privacy framework, the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the SECURE Data Act), was recently introduced and is in the very early stages of the legislative process, states continue to forge ahead with their own legislation, with no signs of slowing down.

In the nearly eight years since California passed the first-of-its-kind privacy law, the California Consumer Privacy Act, 19 more states have enacted comprehensive privacy laws. In that same time frame, a number of states have built on or amended their privacy frameworks to enhance or add to existing consumer rights and protections, or layer on additional safeguards for minors, and the collection and use of sensitive information, and the implementation of technologies like artificial intelligence (AI), algorithmic pricing and automated decision-making technology (ADMT).

To no one’s great surprise, California has continued to iterate and amend its laws and regulations. Last year, the California Privacy Protection Agency (CPPA) finalized new regulations and amendments to existing regulations, including new cybersecurity audit and risk assessment requirements and new regulations for the use of ADMT, both of which took effect Jan. 1.

At the beginning of the year, the CPPA also launched the Delete Request and Opt-Out Platform (DROP), a portal that allows Californians to direct every registered data broker in the state to delete their personal information and halt the sale or sharing of that data. DROP has implications far beyond third-party data vendors.

Under California’s Delete Act, enacted in 2023, the definition of “data broker” is intentionally broad. Any business that collects and sells personal information about California residents (without a direct relationship to those individuals) may fall within scope, including traditional data vendors and also retailers, loyalty program operators, lead generation firms, business intelligence providers and others who sell or enrich data acquired from third parties.

In addition to annual registration and disclosure requirements and fees, the Delete Act also requires data brokers to check the DROP portal at least once every 45 days to download new consumer deletion requests and take action on those requests under procedures and timelines set by the CPPA. Of course, DROP is not an isolated compliance exercise but rather part of California’s broader mandate on consumers’ privacy rights and choices.

And while California is the vanguard of state privacy regulation, it is not alone in shaping U.S. privacy policy and regulation. At the Interactive Advertising Bureau (IAB) Public Policy & Legal Summit last month in Washington, D.C., Loeb partner Robyn Mohr, deputy chair of the Privacy, Security & Data Innovations practice, moderated “Laboratories of Democracy: Privacy in the States,” a panel discussion with leading public policy, technology and compliance experts. The discussion explored the state-driven evolution of privacy law in the U.S., emerging complexity and fragmentation as states take divergent approaches, and the resulting challenges for lawmakers, regulators and companies, as well as broader economic and political implications. You can read the highlights of the discussion in “States Are ‘Laboratories of Democracy’ for Privacy Regulation as Federal Legislation Stalls.”

Much like privacy more generally, the absence of comprehensive federal regulation has created a vacuum into which states are also stepping at a remarkable rate. Hundreds of AI-related bills were proposed at the state level in 2025, and nearly every state—44 at last count—has at least one AI law on the books. As a result, a patchwork of laws is being enacted across the country to address a wide range of AI uses, from chatbot disclosures and digital performer labeling to algorithmic pricing notices and rules for use in making employment decisions.

In her recent article “States Forging Ahead with New AI Laws Despite Federal Opposition,” Liz Allen, Loeb’s chair of Emerging Technologies, examines the explosion of state AI legislation across the country in the absence of a comprehensive federal law—and despite the Trump administration’s December 2025 executive order “Ensuring a National Policy Framework for Artificial Intelligence,” which attempts to force states to stand down.

While legislators and regulators grapple with the challenge of developing and enforcing a legal framework that keeps pace with innovation, the plaintiffs’ bar is focused on expanding liability by shoehorning new technology into existing laws. In our third article of this issue, “The Millisecond Problem: How Pre-Consent Tracking Is Driving CIPA Lawsuits in 2026,” Allison Cohen explains new theories of liability emerging in privacy class actions challenging routine web-tracking practices as violations of the California Invasion of Privacy Act (CIPA).

In our team member spotlight, Advertising & Media associate Jess Jesselson talks about how she developed and refined her focus on emerging data privacy issues prior to joining Loeb; the challenges of navigating a reactive regulatory environment as the convergence of privacy law, AI regulation and corporate governance accelerates; and why finding a hockey puck in her bag is not an unusual occurrence for her.

In This Issue:

States Are “Laboratories of Democracy” for Privacy Regulation as Federal Legislation Stalls

While a federal privacy framework starts circulating on the Hill, states continue to serve as the primary engines of privacy policy innovation, setting precedents that may influence or even outpace federal action and shaping the rules of the road for the digital economy as well as the growth and health of the U.S. economy more broadly.

Read more here.

States Forging Ahead with New AI Laws Despite Federal Opposition

Hundreds of AI-related laws are being introduced and enacted across the country to address a wide range of AI uses, with more on the way this year, even as the Trump administration seeks to shut states out of AI regulation.

Read more here.

The Millisecond Problem: How Pre-Consent Tracking Is Driving CIPA Lawsuits in 2026

What began as a niche theory in California privacy litigation has become a fast-moving plaintiff playbook: suits alleging that routine web-tracking practices—tracking pixels, website cookies, session replay, keystroke monitoring software—capture or transmit user communications without proper consent in violations of CIPA. The potential for per-violation statutory damages, class action certification and inconsistent court rulings makes these cases appealing to the plaintiff bar, which has continued to adapt their theories of liability.

Read more here.

Team Member Spotlight: Jess Jesselson

How did you develop your area of focus?

I established a professional focus on data privacy during my time as in house counsel at Hudson’s Bay Company (HBC), where I supported brands including Saks Fifth Avenue and Saks OFF FIFTH. As the regulatory landscape evolved, my responsibilities increasingly involved addressing new and emerging data privacy requirements. That shift marked the beginning of my deeper engagement with data privacy as a core part of my work.

As the CCPA approached its effective date, I was selected to join HBC’s cross functional task force responsible for guiding the organization through the new regulatory environment. At that point, most of my data privacy experience came from negotiating adtech and digital marketing agreements, so I was far from a subject matter expert.

Our task force—spanning legal, technology, customer service, communications and PR—met weekly to break down the CCPA’s requirements and prepare for the next wave of data privacy regulations emerging in other jurisdictions. The challenge was significant: We needed to build a compliance strategy for a legacy company with decades of data spread across fragmented systems, and we had to do it in a way that did not disrupt critical business operations.

What made the experience transformative was the collaborative nature of the work. Each function brought a different lens—legal risk, technical feasibility, operational realities and customer facing communications. That blend of regulatory analysis, operational problem solving and cross functional coordination sparked my passion for privacy and technology law and taught me how to bridge the gap between regulatory demands and practical, business oriented solutions—an approach that continues to guide my practice today.

What is exciting you/grabbing your attention right now?

What’s grabbing my attention right now is the way privacy teams are increasingly being asked to lead on AI governance. Companies are elevating AI oversight to a strategic priority, expanding governance structures and increasing board level attention. The pace of AI innovation has many organizations racing to educate themselves, implement responsible practices and keep up with an evolution that’s moving faster than their internal frameworks can adapt. At the same time, the regulatory environment is accelerating as new AI and data governance requirements emerge across jurisdictions almost as fast as the tools themselves, creating a constantly shifting compliance landscape. This combination has created a pivotal moment for privacy professionals, especially as the core risks of AI—how data is collected, used and governed—are fundamentally privacy issues.

As privacy law, AI regulation and corporate governance rapidly converge, the questions emerging across the industry are becoming more complex and interdisciplinary than anything we’ve seen since the early days of GDPR and CCPA. It’s rare to see a field evolve this quickly and even rarer to see privacy practitioners positioned squarely at the center of that evolution.

What would people be surprised to learn about you?

Many people are surprised to learn that in addition to being an attorney, I’m a mom to four wonderful kids—Eric (11), Layla (10), Harrison (6) and Charlotte (1). I also double as our family’s resident hockey mom, which means most Sundays start at the rink by 7 a.m. (sometimes earlier!), juggling coffee and a baby bottle, tying skates, and wondering how yet another puck ended up in my bag. For the past four years, I’ve also served as president of the PTA at my kids’ school, which has been both rewarding and a great way to stay connected to our community and give back. Over time, the chaos of motherhood has developed its own rhythm—one that builds routine, discipline and the sweetest family memories that one could ever wish for.

Events Spotlight

2026 IAB Public Policy & Legal Summit

  • Loeb & Loeb sponsored the 2026 IAB Public Policy & Legal Summit March 31 in Washington, D.C., where Jessica Lee, chair of Loeb’s Privacy, Security & Data Innovations practice, spoke at a fireside chat, “Privacy Diligence.”
  • Robyn Mohr, the deputy chair of the practice, moderated the panel “Laboratories of Democracy: Privacy in the States.” The IAB Legal Summit brings together leaders from advertising, media, technology and government for a one-day program focused on the legal, regulatory and policy issues shaping the future of digital advertising.

EthCC(9): The Ethereum Community Conference

  • Partner Chris Ott presented “How ZK Identity and Account Abstraction Are the Only Firewall Against Government Surveillance of AI” March 31 at EthCC[9], the Ethereum Community Conference. The largest and longest-running European Ethereum event, the annual Ethereum Community Conference brings together developers, entrepreneurs, researchers and a variety of experts for four days of intensive programming including talks, workshops and networking sessions covering a wide range of topics. Chris summarized his presentation in his recent article “Defending Human Agency in the Age of Agentic AI.”

From Strategy to Deployment: Highlights from Loeb’s 2026 AI Summit in Los Angeles

  • Loeb & Loeb hosted its annual Los Angeles AI Summit April 21, bringing together in-house counsel and leading AI professionals for an interactive program focused on the evolving AI landscape and the legal, regulatory and technical considerations shaping how organizations are deploying AI. The morning included an overview of the current AI legal and technical landscape, including recent regulatory developments and emerging trends, given by Kenneth Adler, chair of the firm’s Technology & Sourcing practice, and Liz Allen, chair of the Emerging Technologies practice, and a guest presentation from Ritu Ghai and Lauren Abercrombie of Google DeepMind. The summit wrapped up with two rounds of 45-minute, lawyer-led roundtables tackling timely, practical AI topics, including contracting, governance, employment law, intellectual property, privacy and WGA, SAG and collective bargaining.

Defining Tomorrow’s Technology: Inside Loeb’s 2026 AI Summit in New York

  • Loeb & Loeb hosted its annual New York AI Summit Feb. 11, convening in-house counsel and industry-leading AI professionals for a day of discussion on issues in AI. Kenneth Adler, chair of the firm’s Technology & Sourcing practice, and Liz Allen, chair of the Emerging Technologies practice, presented an overview of recent legal and regulatory developments and trends influencing how organizations evaluate, adopt and oversee AI tools. Voice synthesis software company ElevenLabs gave a live product demonstration highlighting cutting-edge AI voice and audio technology and its real-world business applications. In addition, Loeb partners led seven interactive roundtable discussions focused on AI issues including advertising law, governance, contracting and implementation dispute resolution, employment law, intellectual property, and privacy.

Balancing Risk and Reward Around AI Data and Governance: Takeaways from Loeb’s 2026 New York AI Summit

  • As organizations across industries and sectors—from advertising, media and entertainment to financial services, retail, consumer brands and healthcare—integrate AI solutions into all levels of their operations, legal, business and compliance teams are increasingly focused on a fundamental question: How can we maximize the value of AI tools and solutions while safeguarding the data that fuels them? Balancing innovation with privacy protections and responsible data stewardship was a repeated theme at Loeb & Loeb’s 2026 AI Summit last month in New York. Robyn Mohr, Jessica Lee and Liz Allen share some of the insights from the summit’s roundtables on privacy, AI governance, advertising and contracting that highlight how organizations are approaching AI implementation and managing legal, business and reputational risks.

In Case You Missed It

AI Outlook 2026: Celebrating Client Innovation and Exploring Future Trends

  • AI offers extraordinary opportunities but also complex challenges as it reshapes industries and redefines how businesses operate across sectors. Loeb & Loeb has partnered with clients to navigate this evolving landscape with strategies that protect innovation and enable growth. In our annual AI Outlook, we highlight how Loeb has supported clients in AI innovation—from securing patents for groundbreaking tech to advising on strategic partnerships—and offer predictions for the coming year about AI’s role across industries and market sectors.

Loeb Partners Kenneth Adler and Jessica Lee Featured in 2026 ‘Lawdragon 100 Leading AI & Legal Tech Advisors’

  • Kenneth Adler, chair of the firm’s Technology & Sourcing practice, and Jessica Lee, Loeb’s chief privacy & security partner and chair of the firm’s Privacy, Security & Data Innovations practice, were recognized in the “Lawdragon 100 Leading AI & Legal Tech Advisors” guide for 2026.

Loeb & Loeb Quick Takes:

Sign up for our Hashed & Slated newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.

Related Services

Related Professionals

Also See