Photo of Jonathan Mollod

Jonathan Mollod

Subscribe to Jonathan Mollod's Posts

Jonathan P. Mollod is an attorney and content editor and a part of the firm’s Technology, Media and Telecommunications (TMT) Group. Jonathan earned his J.D. from Vanderbilt Law School. He focuses on issues involving technology, media, intellectual property and licensing issues and general online/tech law issues of the day.

Contact:Read more about Jonathan Mollod

On April 23, 2026, the Second Circuit issued a multi-part decision addressing copyright infringement claims involving a website’s embedding of social media video posts and display of video screenshots, reversing the lower court’s dismissal of the complaint. (Richardson v. Townsquare Media, Inc., No. 25-291 (2d Cir. Apr. 23

On April 13, 2026, Virginia Governor Abigail Spanberger signed the bipartisan bill SB338, amending the Virginia Consumer Data Protection Act (VCDPA) by prohibiting data controllers from selling or offering for sale a consumer’s precise geolocation data. SB 338 replaces the VCDPA’s prior consent-based treatment of precise geolocation data –

On March 20, 2026, the White House announced a comprehensive national legislative framework (the “Framework”) that tracks with its December 2025 AI Preemption Executive Order and its July 2025 AI Action Plan and takes aim at hot-button AI policy topics such as child safety and privacy, AI training and copyright, liability protections and preemption of state laws that the Trump administration believes are necessary to maintain America’s leadership in AI innovation. The Administration set an ambitious deadline, calling on Congress to turn this policy blueprint into law by year’s end (some administration advisors are cautiously optimistic that a bipartisan solution based on the Framework is within reach). At the same time, Senator Marsha Blackburn released a 291-page discussion draft for national AI legislation, or “one federal rulebook for AI,” that would generally codify White House policy, but also diverges in several important ways.

At this juncture – with doubts about whether Congress can form a consensus around AI regulation even as state legislatures step up to fill the void – developers and deployers are left to watch and wait. For now, a patchwork of state AI laws remains, covering everything from child protection, health and safety, transparency measures, and automated decisionmaking.   

A recent decision from an Indiana federal court underscores that the principles behind what makes “clickwrap” assent enforceable are not limited to websites and apps found through smartphones and laptops. In Beckett v. Bitcoin Depot, Inc., No. 25-01450 (S.D. Ind. Feb. 26, 2026), the court granted a Bitcoin ATM operator’s motion to compel arbitration, finding that the plaintiff—who had fallen victim to a cryptocurrency scam—assented to the company’s clickwrap terms before completing the transactions.

The ruling is notable because most electronic “clickwrap” contracting cases focus on the issues involving websites or mobile apps. While there was no reason to expect a different analysis in the context of a kiosk, Beckett clarifies that those familiar principles extend into the physical world of kiosk screens and self-service terminals.

The takeaways are clear:

  • First, contracting rigor matters just as much in kiosk environments as it does online. Providers should implement thoughtfully designed user flows that mirror best practices from ecommerce: clear and uncluttered interfaces, conspicuous presentation of terms, affirmative assent mechanisms, and reliable audit logs.
  • Second, and specific to the fact that this was a crypto case, robust anti-fraud warnings can serve a dual purpose. Beyond helping protect consumers, they may also strengthen litigation defenses, particularly on issues of notice, assumption of risk and causation.

Have you noticed a message on your food delivery app that reads: “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA”?

If so, the reason may be New York’s new personalized algorithmic pricing law (General Business Law § 349-a). Enacted in May 2025 and effective as

A recently-filed federal court complaint tests the enforceability of restrictive terms in a data license against the use of licensed data for generative AI purposes. The outcome of this case may turn on interpreting broad terms such as training, internal research, distribution and publication.

UPDATE: On December 18, 2025, the court denied defendant Alexi Technologies Inc.’s (“Alexi”) motion for a temporary restraining order (TRO) based on Alexi’s contention that it would suffer irreparable harm without access to Fastcase’s updated data and lose revenue and customers and suffer reputational damage. In a brief order, the court found that Alexi’s harm is “too speculative and is not sufficiently corroborated to merit emergency relief at this time.” 

On November 26, 2025, legal research platform Fastcase, Inc. (“Fastcase”) sued legal AI company Alexi Technologies Inc. (“Alexi”) in a District of Columbia district court, alleging that Alexi used licensed “Fastcase Data” (i.e., a sophisticated, extensively tagged legal research database) to train and power a commercial AI legal research product in violation of a 2021 data license agreement.(Fastcase, Inc. v. Alexi Technologies Inc., No. 25-04159 (D.D.C. Filed Nov. 26, 2025)).

The complaint is particularly interesting as it involves a 2021 agreement – entered into before generative AI was a generally known technology – and thus presents the age-old question of interpreting the terms of an agreement to a technology not known at the time the agreement was entered into.

Regardless of the outcome of this case, the complaint highlights the importance of precise license drafting – for both licensors and licensees – in the age of AI. Parties should focus on well-defined understandings of how data can be used, shared and commercialized at a time where every company is seeking to leverage AI.  As this complaint illustrates, vague terms can lead to uncertainty and legal disputes.[1]

Of course, we do not know if this litigation will proceed to summary judgment or trial, but if it does, we may have an opportunity to see how a court will interpret and potentially enforce broad and general restrictions in a data license (e.g., no publication, distribution, commercial use, competitive use, use for internal research purposes only) in the context of generative artificial intelligence.[2]

In the closing days of August, two federal appeals courts issued noteworthy decisions at the intersection of workplace conduct, computer law and online platforms.  The two opinions were released during a period of time this past summer amidst the continuing flurry of AI-related case developments and perhaps did not get wide media attention (but which might prove to be important cases in the future).

  • Second Circuit – CDA Section 230. The court ruled that a software platform was not entitled to CDA Section 230 immunity – at least at the early stage in the case – based on allegations that it actively contributed to the unlawful software content at issue by manufacturing and distributing an emissions-control “defeat devices.” (U.S. v. EZ Lynk, SEZC, No. 24-2386 (2d Cir. Aug. 20, 2025)). The opinion’s discussion of what it means to be a “developer” of content has implications for future litigation that might involve generative AI, app stores, marketplaces, and IoT ecosystems, where certain fact patterns could blur the line between passive hosting and active co-development.
  • Third Circuit – CFAA and Trade Secrets: Days later, the Third Circuit issued an important decision (subsequently amended, with minor changes that did not change the holding) that further develops CFAA case law post-Van Buren. The court held that CFAA liability, an anti-hacking statute, does not extend to workplace computer use violations. (NRA Group, LLC v. Durenleau, No. 24-1123 (3d Cir. Aug. 26, 2025) (vacated by Oct. 7, 2025 amended opinion), reh’g en banc denied (Oct. 7, 2025)). The court also addressed and rejected a novel claim of trade secret misappropriation based on access to account passwords.     

Together, the cases show how courts continue to interpret the reach of technology-related statutes in contexts never contemplated when those laws were first enacted.

In Cody v. Jill Acquisition LLC, No. 25-937 (S.D. Cal. June 30, 2025), the Southern District of California declined to enforce a retail site’s terms of use and compel arbitration, holding that the plaintiff, who used guest checkout to place an online order at the retail clothing site, did not have adequate notice of the terms and the arbitration clause. This case should serve as a wake-up call for online entities to reexamine electronic contracting processes. It exemplifies how, even if a website’s visual design and its placement of the hyperlinked Terms of Use during user checkout are comparable to other presentations that have been deemed enforceable, a court could still decline to enforce online terms if the context of the transaction is not the typical e-commerce transaction between a registered customer and a retail site. In this case, the court found that by checking out as a guest without creating an account, the user was less likely to expect a continuing relationship and, therefore, the site’s notice and presentation of the terms below the “Place Order” button were not conspicuous enough in this instance to bind the plaintiff.

On June 3, 2025, Oregon Governor Tina Kotek signed HB 2008 into law to amend the Oregon Consumer Privacy Act,[1] the state’s comprehensive data privacy law. Among other items, effective January 1, 2026, the “sale” of two categories of personal data will be prohibited

  • Precise geolocation information that can pinpoint an individual or device with a 1,750-foot radius, absent some specific communications or utility-related exceptions
  • Personal data of anyone under sixteen years of age, provided that the data controller “has actual knowledge that, or willfully disregards whether, the consumer is under 16 years of age”[2]

The location data provision echoes a similar prohibition that was passed in Maryland last year.[3] 

Location data is considered “sensitive” because it can be readily collected from mobile devices or web browsing activities and can reveal a great deal about an individual’s habits, interests and movements. Beyond targeted advertising, anonymized location data can be a valuable source of alternative data for businesses gathering insights on competitors or consumer foot traffic or migration patterns and population growth.

As a result, the Oregon law – and the possibility of other similar state enactments that could restrict the sale of precise location data – represents an important development affecting data brokers and entities that use such data for location-based advertising and profiling and to create other data products and insights from location data. HB 2008’s definition of “sale” may potentially affect not just direct sales of precise location data but bundling and other licensing arrangements, subject to certain exceptions and uses. The new law will also add to customers’ due diligence process examining their data vendors’ collection practices.

  • Law establishes national prohibition against nonconsensual online publication of intimate images of individuals, both authentic and computer-generated.
  • First federal law regulating AI-generated content.
  • Creates requirement that covered platforms promptly remove depictions upon receiving notice of their existence and a valid takedown request.
  • For many online service providers, complying with the Take It Down Act’s notice-and-takedown requirement may warrant revising their existing DMCA takedown notice provisions and processes.
  • Another carve-out to CDA immunity? More like a dichotomy of sorts…. 

On May 19, 2025, President Trump signed the bipartisan-supported Take it Down Act into law. The law prohibits any person from using an “interactive computer service” to publish, or threaten to publish, nonconsensual intimate imagery (NCII), including AI-generated NCII (colloquially known as revenge pornography or deepfake revenge pornography). Additionally, the law requires that, within one year of enactment, social media companies and other covered platforms implement a notice-and-takedown mechanism that allows victims to report NCII.  Platforms must then remove properly reported imagery (and any known identical copies) within 48 hours of receiving a compliant request.