Photo of Jonathan Mollod

Jonathan Mollod

Subscribe to Jonathan Mollod's Posts

Jonathan P. Mollod is an attorney and content editor and a part of the firm’s Technology, Media and Telecommunications (TMT) Group. Jonathan earned his J.D. from Vanderbilt Law School. He focuses on issues involving technology, media, intellectual property and licensing issues and general online/tech law issues of the day.

Contact:Read more about Jonathan Mollod

On March 20, 2026, the White House announced a comprehensive national legislative framework (the “Framework”) that tracks with its December 2025 AI Preemption Executive Order and its July 2025 AI Action Plan and takes aim at hot-button AI policy topics such as child safety and privacy, AI training and copyright, liability protections and preemption of state laws that the Trump administration believes are necessary to maintain America’s leadership in AI innovation. The Administration set an ambitious deadline, calling on Congress to turn this policy blueprint into law by year’s end (some administration advisors are cautiously optimistic that a bipartisan solution based on the Framework is within reach). At the same time, Senator Marsha Blackburn released a 291-page discussion draft for national AI legislation, or “one federal rulebook for AI,” that would generally codify White House policy, but also diverges in several important ways.

At this juncture – with doubts about whether Congress can form a consensus around AI regulation even as state legislatures step up to fill the void – developers and deployers are left to watch and wait. For now, a patchwork of state AI laws remains, covering everything from child protection, health and safety, transparency measures, and automated decisionmaking.   

A recent decision from an Indiana federal court underscores that the principles behind what makes “clickwrap” assent enforceable are not limited to websites and apps found through smartphones and laptops. In Beckett v. Bitcoin Depot, Inc., No. 25-01450 (S.D. Ind. Feb. 26, 2026), the court granted a Bitcoin ATM operator’s motion to compel arbitration, finding that the plaintiff—who had fallen victim to a cryptocurrency scam—assented to the company’s clickwrap terms before completing the transactions.

The ruling is notable because most electronic “clickwrap” contracting cases focus on the issues involving websites or mobile apps. While there was no reason to expect a different analysis in the context of a kiosk, Beckett clarifies that those familiar principles extend into the physical world of kiosk screens and self-service terminals.

The takeaways are clear:

  • First, contracting rigor matters just as much in kiosk environments as it does online. Providers should implement thoughtfully designed user flows that mirror best practices from ecommerce: clear and uncluttered interfaces, conspicuous presentation of terms, affirmative assent mechanisms, and reliable audit logs.
  • Second, and specific to the fact that this was a crypto case, robust anti-fraud warnings can serve a dual purpose. Beyond helping protect consumers, they may also strengthen litigation defenses, particularly on issues of notice, assumption of risk and causation.

Have you noticed a message on your food delivery app that reads: “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA”?

If so, the reason may be New York’s new personalized algorithmic pricing law (General Business Law § 349-a). Enacted in May 2025 and effective as

A recently-filed federal court complaint tests the enforceability of restrictive terms in a data license against the use of licensed data for generative AI purposes. The outcome of this case may turn on interpreting broad terms such as training, internal research, distribution and publication.

UPDATE: On December 18, 2025, the court denied defendant Alexi Technologies Inc.’s (“Alexi”) motion for a temporary restraining order (TRO) based on Alexi’s contention that it would suffer irreparable harm without access to Fastcase’s updated data and lose revenue and customers and suffer reputational damage. In a brief order, the court found that Alexi’s harm is “too speculative and is not sufficiently corroborated to merit emergency relief at this time.” 

On November 26, 2025, legal research platform Fastcase, Inc. (“Fastcase”) sued legal AI company Alexi Technologies Inc. (“Alexi”) in a District of Columbia district court, alleging that Alexi used licensed “Fastcase Data” (i.e., a sophisticated, extensively tagged legal research database) to train and power a commercial AI legal research product in violation of a 2021 data license agreement.(Fastcase, Inc. v. Alexi Technologies Inc., No. 25-04159 (D.D.C. Filed Nov. 26, 2025)).

The complaint is particularly interesting as it involves a 2021 agreement – entered into before generative AI was a generally known technology – and thus presents the age-old question of interpreting the terms of an agreement to a technology not known at the time the agreement was entered into.

Regardless of the outcome of this case, the complaint highlights the importance of precise license drafting – for both licensors and licensees – in the age of AI. Parties should focus on well-defined understandings of how data can be used, shared and commercialized at a time where every company is seeking to leverage AI.  As this complaint illustrates, vague terms can lead to uncertainty and legal disputes.[1]

Of course, we do not know if this litigation will proceed to summary judgment or trial, but if it does, we may have an opportunity to see how a court will interpret and potentially enforce broad and general restrictions in a data license (e.g., no publication, distribution, commercial use, competitive use, use for internal research purposes only) in the context of generative artificial intelligence.[2]

In the closing days of August, two federal appeals courts issued noteworthy decisions at the intersection of workplace conduct, computer law and online platforms.  The two opinions were released during a period of time this past summer amidst the continuing flurry of AI-related case developments and perhaps did not get wide media attention (but which might prove to be important cases in the future).

  • Second Circuit – CDA Section 230. The court ruled that a software platform was not entitled to CDA Section 230 immunity – at least at the early stage in the case – based on allegations that it actively contributed to the unlawful software content at issue by manufacturing and distributing an emissions-control “defeat devices.” (U.S. v. EZ Lynk, SEZC, No. 24-2386 (2d Cir. Aug. 20, 2025)). The opinion’s discussion of what it means to be a “developer” of content has implications for future litigation that might involve generative AI, app stores, marketplaces, and IoT ecosystems, where certain fact patterns could blur the line between passive hosting and active co-development.
  • Third Circuit – CFAA and Trade Secrets: Days later, the Third Circuit issued an important decision (subsequently amended, with minor changes that did not change the holding) that further develops CFAA case law post-Van Buren. The court held that CFAA liability, an anti-hacking statute, does not extend to workplace computer use violations. (NRA Group, LLC v. Durenleau, No. 24-1123 (3d Cir. Aug. 26, 2025) (vacated by Oct. 7, 2025 amended opinion), reh’g en banc denied (Oct. 7, 2025)). The court also addressed and rejected a novel claim of trade secret misappropriation based on access to account passwords.     

Together, the cases show how courts continue to interpret the reach of technology-related statutes in contexts never contemplated when those laws were first enacted.

In Cody v. Jill Acquisition LLC, No. 25-937 (S.D. Cal. June 30, 2025), the Southern District of California declined to enforce a retail site’s terms of use and compel arbitration, holding that the plaintiff, who used guest checkout to place an online order at the retail clothing site, did not have adequate notice of the terms and the arbitration clause. This case should serve as a wake-up call for online entities to reexamine electronic contracting processes. It exemplifies how, even if a website’s visual design and its placement of the hyperlinked Terms of Use during user checkout are comparable to other presentations that have been deemed enforceable, a court could still decline to enforce online terms if the context of the transaction is not the typical e-commerce transaction between a registered customer and a retail site. In this case, the court found that by checking out as a guest without creating an account, the user was less likely to expect a continuing relationship and, therefore, the site’s notice and presentation of the terms below the “Place Order” button were not conspicuous enough in this instance to bind the plaintiff.

On June 3, 2025, Oregon Governor Tina Kotek signed HB 2008 into law to amend the Oregon Consumer Privacy Act,[1] the state’s comprehensive data privacy law. Among other items, effective January 1, 2026, the “sale” of two categories of personal data will be prohibited

  • Precise geolocation information that can pinpoint an individual or device with a 1,750-foot radius, absent some specific communications or utility-related exceptions
  • Personal data of anyone under sixteen years of age, provided that the data controller “has actual knowledge that, or willfully disregards whether, the consumer is under 16 years of age”[2]

The location data provision echoes a similar prohibition that was passed in Maryland last year.[3] 

Location data is considered “sensitive” because it can be readily collected from mobile devices or web browsing activities and can reveal a great deal about an individual’s habits, interests and movements. Beyond targeted advertising, anonymized location data can be a valuable source of alternative data for businesses gathering insights on competitors or consumer foot traffic or migration patterns and population growth.

As a result, the Oregon law – and the possibility of other similar state enactments that could restrict the sale of precise location data – represents an important development affecting data brokers and entities that use such data for location-based advertising and profiling and to create other data products and insights from location data. HB 2008’s definition of “sale” may potentially affect not just direct sales of precise location data but bundling and other licensing arrangements, subject to certain exceptions and uses. The new law will also add to customers’ due diligence process examining their data vendors’ collection practices.

  • Law establishes national prohibition against nonconsensual online publication of intimate images of individuals, both authentic and computer-generated.
  • First federal law regulating AI-generated content.
  • Creates requirement that covered platforms promptly remove depictions upon receiving notice of their existence and a valid takedown request.
  • For many online service providers, complying with the Take It Down Act’s notice-and-takedown requirement may warrant revising their existing DMCA takedown notice provisions and processes.
  • Another carve-out to CDA immunity? More like a dichotomy of sorts…. 

On May 19, 2025, President Trump signed the bipartisan-supported Take it Down Act into law. The law prohibits any person from using an “interactive computer service” to publish, or threaten to publish, nonconsensual intimate imagery (NCII), including AI-generated NCII (colloquially known as revenge pornography or deepfake revenge pornography). Additionally, the law requires that, within one year of enactment, social media companies and other covered platforms implement a notice-and-takedown mechanism that allows victims to report NCII.  Platforms must then remove properly reported imagery (and any known identical copies) within 48 hours of receiving a compliant request.

In May 2024, we released Part I of this series, in which we discussed agentic AI as an emerging technology enabling a new generation of AI-based hardware devices and software tools that can take actions on behalf of users. It turned out we were early – very early – to the discussion, with several months elapsing before agentic AI became as widely known and discussed as it is today. In this Part II, we return to the topic to explore legal issues concerning user liability for agentic AI-assisted transactions and open questions about existing legal frameworks’ applicability to the new generation of AI-assisted transactions.

Background: Snapshot of the Current State of “Agents”[1]

“Intelligent” electronic assistants are not new—the original generation, such as Amazon’s Alexa, have been offering narrow capabilities for specific tasks for more than a decade. However, as OpenAI’s CEO Sam Altman commented in May 2024, an advanced AI assistant or “super-competent colleague” could be the killer app of the future. Later, Altman noted during a Reddit AMA session: “We will have better and better models. But I think the thing that will feel like the next giant breakthrough will be agents.” A McKinsey report on AI agents echoes this sentiment: “The technology is moving from thought to action.” Agentic AI represents not only a technological evolution, but also a potential means to further spread (and monetize) AI technology beyond its current uses by consumers and businesses. Major AI developers and others have already embraced this shift, announcing initiatives in the agentic AI space. For example:  

  • Anthropic announced an updated frontier AI model in public beta capable of interacting with and using computers like human users;
  • Google unveiled Gemini 2.0, its new AI model for the agentic era, alongside Project Mariner, a prototype leveraging Gemini 2.0 to perform tasks via an experimental Chrome browser extension (while keeping a “human in the loop”);
  • OpenAI launched a “research preview” of Operator, an AI tool that can interface with computers on users’ behalf, and launched beta feature “Tasks” in ChatGPT to facilitate ongoing or future task management beyond merely responding to real time prompts;
  • LexisNexis announced the availability of “Protégé,” a personalized AI assistant with agentic AI capabilities;
  • Perplexity recently rolled out “Shop Like a Pro,” an AI-powered shopping recommendation and buying feature that allows Perplexity Pro users to research products and, for those merchants whose sites are integrated with the tool, purchase items directly on Perplexity; and
  • Amazon announced Alexa+, a new generation of Alexa that has agentic capabilities, including enabling Alexa to navigate the internet and execute tasks, as well as Amazon Nova Act, an AI model designed to perform actions within a web browser.

Beyond these examples, other startups and established tech companies are also developing AI “agents” in this country and overseas (including the invite-only release of Manus AI by Butterfly Effect, an AI developer in China). As a recent Microsoft piece speculates, the generative AI future may involve a “new ecosystem or marketplace of agents,” akin to the current smartphone app ecosystem.  Although early agentic AI device releases have received mixed reviews and seem to still have much unrealized potential, they demonstrate the capability of such devices to execute multistep actions in response to natural language instructions.

Like prior technological revolutions—personal computers in the 1980s, e-commerce in the 1990s and smartphones in the 2000s—the emergence of agentic AI technology challenges existing legal frameworks. Let’s take a look at some of those issues – starting with basic questions about contract law.