Data Privacy

Subscribe to Data Privacy via RSS

On April 27, 2026, a federal court paused enforcement of Colorado’s Artificial Intelligence Act (SB 24-205), placing one of the country’s most comprehensive state AI laws on hold while lawmakers reconsider its timing and scope. The order prevents the state from initiating enforcement actions during the pendency of the litigation, effectively freezing the law just weeks before its anticipated June 30, 2026 effective date.

This development is neither a repeal nor a permanent delay. Instead, it leaves employers in a familiar position—navigating a period of legal uncertainty while continuing to operate against a rapidly evolving regulatory backdrop. Importantly, even if the Colorado law is ultimately blocked or significantly revised, employers should not view the pause as a signal to deprioritize AI governance. As discussed below, the legal and regulatory risks associated with AI in employment remain very much in force.

Background

With the statute’s effective date approaching, a leading AI developer filed suit in April seeking declaratory and injunctive relief, challenging the constitutionality of several provisions of the Act. Shortly thereafter, the US Department of Justice intervened, arguing that aspects of the law impermissibly compel AI systems to adopt state‑defined viewpoints. The DOJ’s intervention marks the administration’s first litigation effort aimed at limiting state‑level AI regulation.

Continue Reading AI Regulation on Hold in Colorado—But Employer Risk Isn’t

Employee monitoring tools — badge and access logs, video surveillance, productivity and activity tracking, and even biometrics — can strengthen security and operations, but they also create real privacy, employment, and (in some cases) criminal-law risk. In this installment of Baker McKenzie’s In Focus video chat series, our cross-border Employment and Data Privacy lawyers break

We are pleased to announce that the 2026 Global Data & Cyber Handbook is now available. This essential resource for businesses navigating the complex landscape of data and cyber regulation covers key data and cyber laws in over 50 jurisdictions.
 
The latest edition provides expanded overviews and comparative insights, offering a clear view of

This article was originally published by IAPP linked here.

When monitoring employees in the workplace in the U.S. and Canada, employers must be cognizant of their obligations under employment and data privacy laws. 

In the US, employers can mostly negate privacy expectations from developing in the workplace by providing clear notice of monitoring practices and which notice is required in certain states, such as New York. But under the California Consumer Privacy Act, data minimization requirements apply and monitoring practices must be justifiable as necessary and proportionate.

In Canada, employers are required to balance operational needs such as safety, security and productivity, with the privacy rights of their employees. Monitoring should be reasonable, proportionate and tied to a legitimate business purpose. Organizations must comply with applicable federal or provincial privacy legislation, which can include safeguarding any employee personal information collected, obtaining employee consent in certain circumstances, and providing notice to employees of monitoring practices. 

For federally regulated private-sector employers — such as banks, airlines and telecommunications companies — employee monitoring is generally governed by the Personal Information Protection and Electronic Documents Act. Provinces that have enacted privacy laws deemed “substantially similar” to PIPEDA are exempt from its collection, use and disclosure provisions under section 26(2)(b). Presently, only Alberta, British Columbia and Québec have privacy legislation that is substantially similar to PIPEDA.

US: A patchwork of requirements apply to employers

At the federal level in the U.S., employee monitoring is primarily governed by the Electronic Communications Privacy Act and the Stored Communications Act, which permit monitoring for legitimate business purposes but impose strict limits on unauthorized interception and access to private communications. Further, employers must conduct all workplace monitoring and surveillance in compliance with federal, state and local anti-discrimination laws. And, all employers, even those with a nonunionized workforce, must comply with the National Labor Relations Act when conducting workplace monitoring and surveillance. 

Continue Reading Employee Monitoring in the US and Canada: What Employers Need to Know

On December 11, 2025, President Trump signed an Executive Order on “Ensuring A National Policy Framework For Artificial Intelligence” (the “Order”). The Order represents the Administration’s latest and most pointed attempt to stop and reverse the wave of state AI legislation that has emerged over the preceding year, which the Order asserts “creates a patchwork of 50 different regulatory regimes.” The Order raises the political stakes regarding state AI laws and creates uncertainty in the form of anticipated litigation, but does not instantly remove current or impending state AI law obligations for companies developing or deploying AI.

Continue Reading Pre-emption by Executive Order: Trump Order Moves to Block State AI Laws

As California continues to set the pace for employment law regulation, 2026 looks to be another high-speed race filled with sharp turns and new obstacles. From restrictions on repayment agreements and expanded Cal WARN notice requirements to stricter pay equity rules, and much more, California employers are entering a compliance race where every second counts.

Fast Track to 2026: A 75-Minute Must-Attend Webinar for In-House Counsel

The legal landscape impacting California employers is evolving at breakneck speed. As we race toward 2026, employers need to stay agile, informed, and ready to shift gears. This high-impact session will cover the most pressing workplace trends, risks, and regulatory changes ahead for California

[UPDATE RE THE OMNIUS PROPOSAL HERE]

The European Union’s Corporate Sustainability Reporting Directive is a regulation requiring covered companies to disclose information on what they see as the risks and opportunities arising from social and environmental issues, and on the impact of their activities on people and the environment.

The CSRD impacts not

Shortly after taking office, President Trump rescinded Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. Biden’s Executive Order sought to regulate the development, deployment, and governance of artificial intelligence within the US, identifying security, privacy and discrimination as particular areas of concern. Trump signed his own executive order titled “Removing Barriers to American Leadership in Artificial Intelligence,” directing his advisers to coordinate with the heads of federal agencies and departments, among others, to develop an “action plan” to “sustain and enhance America’s global AI dominance” within 180 days.

While we wait to see if and how the federal government intends to combat potential algorithmic discrimination and bias in artificial intelligence platforms and systems, a patchwork of state and local laws is emerging. Colorado’s AI Act will soon require developers and deployers of high-risk AI systems to protect against algorithmic discrimination. Similarly, New York City’s Local Law 144 imposes strict requirements on employers that use automated employment decision tools, and Illinois’ H.B. 3773 prohibits employers from using AI to engage in unlawful discrimination in recruitment and other employment decisions and requires employers to notify applicants and employees of the use of AI in employment decisions. While well-intentioned, these regulations come with substantial new, and sometimes vague, obligations for covered employers.

California is likely to add to the patchwork of AI regulation in 2025 in two significant ways. First, California Assemblymember Rebecca Bauer-Kahan, Chair of the Assembly Privacy and Consumer Protection Committee, plans to reintroduce a bill to protect against algorithmic discrimination by imposing extensive risk mitigation measures on covered entities. Second, the California Privacy Protection Agency’s ongoing rulemaking under the California Consumer Privacy Act will likely result in regulations restricting the use of automated decision-making technology by imposing requirements to mitigate algorithmic discrimination.

Continue Reading Passage of Reintroduced California AI Bill Would Result In Onerous New Compliance Obligations For Covered Employers
  • Key laws and regulations, including recent changes and expected developments over the next year
  • Foundational data privacy obligations including information and notification requirements, data subject rights, accountability and governance measures, and responsibilities of data controllers and