On December 22, the Federal Trade Commission (“FTC”) issued an order setting aside its 2024 final consent order against Rytr, LLC (“Rytr”) on the grounds that the facts alleged in the Rytr complaint did not violate Section 5. The Commission further found that the Rytr order did not provide any
Continue Reading FTC Sets Aside Rytr Final Order Pursuant to White House AI Action Plan
Greystar’s $24 Million Settlement Signals FTC Crackdown on Hidden Rental Fee
On December 2, Greystar agreed to a $24 million settlement over allegations it misled renters by omitting mandatory fees from advertised monthly rents. This settlement underscores the FTC’s continuing scrutiny of “junk fees” and signals that the FTC may pursue rulemaking requiring greater transparency in rental fee advertising. Continue Reading Greystar’s $24 Million Settlement Signals FTC Crackdown on Hidden Rental Fee
NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers
On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers
FTC Sues Live Nation and Ticketmaster for Deceptive Pricing Tactics
On September 17, 2025, the Federal Trade Commission (“FTC”) and seven states – Colorado, Florida, Illinois, Nebraska, Tennessee, Utah, and Virginia – sued Live Nation and Ticketmaster for violations of Section 5 of the FTC Act and the Better Online Ticket Sales Act (“BOTS Act”). Additionally, each state Attorney General alleges violation of various state consumer protection laws, including the Colorado Consumer Protection Act, Florida Deceptive and Unfair Trade Practices Act, Illinois Consumer Fraud and Deceptive Business Practices Act, Illinois Uniform Deceptive Trade Practices Act, Nebraska Uniform Deceptive Trade Practices Act, Tennessee Consumer Protection Act, and Utah Consumer Sales Practices Act. Continue Reading FTC Sues Live Nation and Ticketmaster for Deceptive Pricing Tactics
FTC Sues LA Fitness Operators for Unfair Gym Cancellation Policies
On August 20, 2025, the Federal Trade Commission (“FTC”) sued Fitness International, LLC and Fitness & Sports Club LLC – the parent companies of LA Fitness and other gym chains – for violations of Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”) in connection with alleged practices that make it difficult for their customers to cancel their gym memberships and other add-on services. The FTC seeks a court order prohibiting the allegedly unfair and unlawful conduct and restitution to consumers harmed by the difficulty in cancelling memberships.Continue Reading FTC Sues LA Fitness Operators for Unfair Gym Cancellation Policies
California Frontier AI Working Group Issues Final Report on Frontier Model Regulation
On June 17, the Joint California Policy Working Group on AI Frontier Models (“Working Group”) issued its final report on frontier AI policy, following public feedback on the draft version of the report released in March. The report describes “frontier models” as the “most capable” subset of foundation models, or
Continue Reading California Frontier AI Working Group Issues Final Report on Frontier Model RegulationNew York Legislature Passes Sweeping AI Safety Legislation
On June 12, the New York legislature passed the Responsible AI Safety & Education (“RAISE”) Act (S 6953), a frontier model public safety bill that would establish safeguard, reporting, disclosure, and other requirements for large developers of frontier AI models. If signed into law by Governor Kathy Hochul
Continue Reading New York Legislature Passes Sweeping AI Safety LegislationBlog Post: State Legislatures Consider New Wave of 2025 AI Legislation
Authors: Jennifer Johnson, Jayne Ponder, August Gweon, Analese Bridges
State lawmakers are considering a diverse array of AI legislation, with hundreds of bills introduced in 2025. As described further in this blog post, many of these AI legislative proposals fall into several key categories: (1) comprehensive consumer protection legislation similar to the Colorado AI Act, (2) sector-specific legislation on automated decision-making, (3) chatbot regulation, (4) generative AI transparency requirements, (5) AI data center and energy usage requirements, and (6) frontier model public safety legislation. Although these categories represent just a subset of current AI legislative activity, they illustrate the major priorities of state legislatures and highlight new AI laws that may be on the horizon.
- Consumer Protection. Lawmakers in over a dozen states have introduced legislation aimed at reducing algorithmic discrimination in high-risk AI or automated decision-making systems used to make “consequential decisions,” embracing the risk- and role-based approach of the Colorado AI Act. In general, these frameworks would establish developer and deployer duties of care to protect consumers from algorithmic discrimination and would require risks or instances of algorithmic discrimination to be reported to state attorneys general. They would also require notices to consumers and disclosures to other parties and establish consumer rights related to the AI system. For example, Virginia’s High-Risk AI Developer & Deployer Act (HB 2094), which follows this approach, passed out of Virginia’s legislature this month.
- Sector-Specific Automated Decision-making. Lawmakers in more than a dozen states have introduced legislation that would regulate the use of AI or automated decision-making tools (“ADMT”) in specific sectors, including healthcare, insurance, employment, and finance. For example, Massachusetts HD 3750 would amend the state’s health insurance consumer protection law to require healthcare insurance carriers to disclose the use of AI or ADMT for reviewing insurance claims and report AI and training data information to the Massachusetts Division of Insurance. Other bills would regulate the use of ADMT in the financial sector, such as New York A773, which would require banks that use ADMT for lending decisions to conduct annual disparate impact analyses and disclose such analyses to the New York Attorney General. Relatedly, state legislatures are considering a wide range of approaches to regulating employers’ uses of AI and ADMT. For example, Georgia SB 164 and Illinois SB 2255 would both prohibit employers from using ADMT to set wages unless certain requirements are satisfied.
Continue Reading Blog Post: State Legislatures Consider New Wave of 2025 AI Legislation