Consent Misrepresentation

While you are figuring out what needs done in 2026 to comply with the EU AI Act, Oregon Attorney General issues guidance on what needs done RIGHT NOW because existing Oregon laws already apply to AI. Equally true of: Federal Trade Commission (stay tuned for overview of what incoming FTC Chair Ferguson thinks of this) US states WITH privacy laws and US States WITHOUT privacy laws. In short: "If you think the emerging world of Artificial Intelligence (“AI”) is completely unregulated under the laws of Oregon, think again!" In detail: UTPA (Unlawful Trade Practices Act): Can't use AI to mislead 🔹UTPA applies to the marketing, sale, or use of AI both directly and indirectly (an AI developer or deployer may be liable to downstream consumers for the harm its products cause and should take care to ensure transparency and accuracy in their products) 🔹Data Practices: misleading consumers about data practices, even when using AI, can still be considered deceptive under the law. If you advertise, offer, or sell an AI product or service, or employ AI in the advertising, offering, or sale of other goods or services, you may violate the UTPA if you: 🔹 Fail to disclose known material defect or material nonconformity, including inaccuracies (hallucinations) [like the FTC "AI Washing" cases] 🔹 Misrepresent characteristics, uses, benefits or qualities (e.g. use a chatbot but not disclose this) 🔹 Use AI to misrepresent sponsorship, approval, affiliation or connection (e.g fake reviews) or price reductions (e.g. AI generated "flash sale") 🔹 Use AI to set an unconscionably excessive price during an emergency 🔹 Use an AI-generated voice as part of a robocall campaign to misrepresent information 🔹 Use AI to employ an unconscionable tactic Oregon Consumer Privacy Act: 🔹 If you use personal data to train AI systems, you must clearly disclose this in an accessible and clear privacy notice; and you need consent if for collecting sensitive data [same as EU position] 🔹 If a developer purchases or uses another company’s data set for model training, it may be considered a “controller”. 🔹 You cannot legitimize the use of previously collected personal data to train AI models by altering privacy notices or TOU. You must obtain affirmative consent for any new or secondary uses. [Stricter than EU position] 🔹 Need to honor consumer rights 🔹 Need a DPIA b/c feeding consumer data into AI models and processing it in connection with these models likely poses heightened risks Oregon Consumer Information Protection Act: Data Breach 🔹 Personal data used by AI developers, suppliers and users - is subject to information security and data breach notification obligations Oregon Equality Act: Can't use AI to discriminate e.g. AI mortgage approval system that consistently denies loans to qualified applicants based on ethnic backgrounds #dataprivacy #dataprotection #privacyFOMO h/t Luis for spotting; pic by ChatGPT https://shorturl.at/8ZIlC

Yesterday, the U.S. District Court (SDNY) released its order and opinion in a lawsuit involving AI voice cloning. 🎙️ Voice actors Lehrman and Sage alleged that Lovo used AI to clone and sell synthetic versions of their voices without consent. They brought claims under New York civil rights and consumer protection laws, the Lanham Act, the Copyright Act, and common-law doctrines. ⚖️ The Court found federal trademark and copyright law inadequate to cover most claims. However, state laws and contracts offered substantial protection. ✅ Claims That Survived: 📝 Breach of Contract – Plaintiffs plausibly alleged Lovo violated explicit limits (e.g., “research only,” “test ads”) shared via chat. 🗣️ NY Civil Rights Law (§§ 50 & 51) – The Court broadly interpreted “voice” to include digital clones. Ongoing AI-generated outputs qualified as “republication,” keeping claims timely. Recognizability, commercial use, and NY nexus were all sufficiently pleaded. 🚨 NY Consumer Protection (GBL §§ 349 & 350) – Lovo’s offer of “full commercial rights” was materially misleading. The misrepresentation harmed both consumers and plaintiffs (as competitors via lost sales). 🎧 Direct Copyright Infringement (Sage) – Lovo allegedly used Sage’s actual recordings in pitch decks and YouTube videos beyond her Fiverr license. These promotional uses allowed the claim to survive. ❌ Claims Dismissed: 📛 Lanham Act (False Association & Advertising) – Plaintiffs’ voices were not "marks" or misrepresented in a way that met Lanham Act standards. 🎙️ Copyright (Voice Clones) – The law (17 U.S.C. § 114(b)) doesn’t protect imitations of recordings. ❗ Fraud – Dismissed under NY’s “out-of-pocket rule.” 📉 Common-Law Claims – Unjust enrichment, conversion, and unfair competition claims were preempted by NY Civil Rights Law. 🛠️ Claim Dismissed with Leave to Amend: 🤖 AI Training & Copyright – Plaintiffs may revise claims by specifying how their recordings were used to train Lovo’s AI (Genny model), potentially breaching contractual limitations beyond general Fiverr terms. Case Name: Paul Lehrman, et al. v. Lovo, Inc. Court: U.S. District Court, Southern District of New York Order Date: July 10, 2025 Case No.: 24-CV-3770 (JPO) Copy of the judgement enclosed. Read entire judgement for better understanding. #AILaw #VoiceCloning #DigitalIdentity #IPLaw #CivilRights #ConsumerProtection #AIandLaw #VoiceActors #NYLaw #Copyright #TechLaw #LanhamAct #AICompliance #GenerativeAI #CourtUpdate #LegalNews P.S. This post is shared for academic discussion and informational purposes only.

𝐊𝐬𝐡. 500,000 𝐀𝐰𝐚𝐫𝐝𝐞𝐝 𝐟𝐨𝐫 𝐅𝐞𝐚𝐭𝐮𝐫𝐢𝐧𝐠 𝐚 𝐏𝐡𝐨𝐭𝐨 𝐨𝐧 𝐚 𝐖𝐞𝐛𝐬𝐢𝐭𝐞! A top executive discovered his image being used on a company’s website without his consent. The businessman, who claimed to have held C-level roles at global companies, argued that his photo was used for commercial purposes, as a result he suffered reputational damage and misrepresentation of facts detrimental to his career. The company argued that he had signed 𝐦𝐨𝐝𝐞𝐥 𝐫𝐞𝐥𝐞𝐚𝐬𝐞 𝐟𝐨𝐫𝐦. However, the Data Commissioner found the release form 𝐢𝐧𝐬𝐮𝐟𝐟𝐢𝐜𝐢𝐞𝐧𝐭, as it failed to meet the requirements of the Data Protection Act —specifically since the release form did not capture the names alongside the signatures. The Complainant was awarded KES. 500,000 as compensation. Enclosed is a copy of the Decision. 𝐇𝐄𝐋𝐃 ➜ The Data Protection Act requires express consent for the use of personal data for commercial purposes. The Respondent failed to provide evidence that the Complainant gave such consent. ➜ The burden of proof for establishing consent lies with the data controller. ➜The Respondent’s reliance on a model release form, which did not clearly attribute consent to the Complainant, was insufficient. 𝐊𝐄𝐘 𝐋𝐄𝐒𝐒𝐎𝐍𝐒: ✔️ Ensure that the model release form complies with all relevant data protection regulations. ✔️ Document and keep records of consent. ✔️ Consent must be sensible, informed and voluntary. 𝐀𝐥𝐭𝐞𝐫𝐧𝐚𝐭𝐢𝐯𝐞𝐬 𝐭𝐨 𝐦𝐨𝐝𝐞𝐥 𝐫𝐞𝐥𝐞𝐚𝐬𝐞 𝐟𝐨𝐫𝐦 𝐚𝐧𝐝 𝐒𝐮𝐩𝐩𝐥𝐞𝐦𝐞𝐧𝐭𝐚𝐫𝐲 𝐌𝐞𝐚𝐬𝐮𝐫𝐞𝐬. ✅As laws and business practices evolve, so too should your model release forms. Conduct periodic reviews to ascertain compliance. ✅Instead of using generic forms, tailor the model release forms to the specific project or use-case to ensure they cover all necessary legal bases. ✅For more complex or high-stakes situations, consider using a detailed contract rather than a simple model release form. Contracts can provide more robust legal protection and address a wider range of issues. ✅Use Digital Consent Tools & platforms that offer electronic signatures and track consent history. The may ensure that the process is transparent and auditable. While model release forms are useful tools for obtaining consent, they must be drafted with precision and regularly reviewed to ensure legal effectiveness. They should be part of a broader strategy that includes comprehensive contracts and digital tools, especially when dealing with sensitive or high-value image rights/personalities. 𝑫𝑶 𝑻𝑯𝑰𝑺: Always ask for clear, documented consent before using someone’s photo /personal data. Keep good records, stay updated with the law. This will protect you from legal issues and respect people's privacy. 📘Every case tells a story. For insights into the precedents that shape the narratives of justice, follow my page share my posts and connect. Winnie Winnie Ngige., CIPM., #DataProtection #ImageRights #LegalCompliance

The New York State Attorney General's Office published a comprehensive 𝗴𝘂𝗶𝗱𝗲 𝗼𝗻 𝘄𝗲𝗯𝘀𝗶𝘁𝗲 𝗽𝗿𝗶𝘃𝗮𝗰𝘆 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝘀 (consent banners) to assist businesses in complying with New York's consumer protection laws. This is not issued under a privacy law – since New York law does not require such banners, but rather under consumer protection law. In other words, you may not have to implement a consent banner, but if you do you must ensure it works as intended and is not misleading. One key point I noticed is the idea that websites make representations to consumers, which can be express (in statements in a cookie pop-up or privacy notice), but also implied by the mere presence of the banner and the offering of privacy controls. This means that not only the statements must not mislead, but also the controls must work as represented. This goes beyond design, which is many times the focus. The guide finds several mistakes that lead to non-compliance: 🚫Uncategorized Tags: Many websites fail to categorize tracking tags correctly, leading to broken privacy controls. 🚫Misconfigured Tools: Consent-management and tag-management tools must be properly configured to work together. Misconfigurations can result in privacy controls not functioning as intended. 🚫Hardcoded Tags: Tags that are hardcoded into websites bypass consent-management tools, undermining user privacy choices. 🚫Tag Privacy Settings: While providers of tags offer settings to limit data collection, these are many times not observed outside of states with comprehensive privacy laws (e.g. California). This was honestly a surprise for me, and unfortunately this misleading practice it is not discussed further (probably bc it's B2B). 🚫Cookieless Tracking: Businesses must ensure that privacy controls are effective across all tracking technologies, not just cookies. This is mainly due to the implication of providing the control, which should work for everything the website does. It then goes into several recommendations: ✅Accurate Privacy Representations: Ensure that all statements about privacy controls are truthful and not misleading, which means privacy controls should work properly and as described. ✅Clear and Accessible Interface: Design privacy controls that are intuitive and easy to use – language chosen, colors, positioning, all matter. ✅Equal Weight to Options: Provide equivalent options for accepting and declining tracking, making it equally easy for users to choose either. Buttons must be equal in size, color, and emphasis  – something that is interesting to see given that it is still debated even in Europe. ✅Don’t add an X in the corner to close the page – this misleads people in thinking they reject. ✅Ongoing Reviews: Regularly review and test privacy controls to ensure they function correctly and align with user expectations. 📍 𝐒𝐮𝐛𝐬𝐜𝐫𝐢𝐛𝐞 to my newsletter for weekly updates and insights 👉 https://lnkd.in/dgxFWPmh

There is a thin line between marketing communication, misrepresentation and deceit. Before you launch a product, remember to get a licensed #dataprotectionexpert to scrutinise your privacy by design and communication, otherwise your product could open you to liability. A case study is Google. Google agreed to settle a $5 billion privacy lawsuit alleging that it spied on people who used the “incognito” mode in its Chrome browser — along with similar “private” modes in other browsers — to track their Internet use. The class-action lawsuit was hinged on the fact that the product misled users into believing that it wouldn’t track their Internet activities while using incognito mode. It argued that Google’s advertising technologies and other techniques continued to catalog details of users’ site visits and activities despite their use of supposedly “private” browsing.' A lot of products will be launched in 2024. Many companies will want to rely on their initial privacy compliance assessment, and give a blind eye to their new products or over the gaps identified in previous years audits or over the fact that compliance check and filing is annual. DON'T DO IT. The Director and the Data Protection Officer must be wise enough to do a data protection impact assessment over its products and include privacy by design on its new products. Another important activity to scrutinise is the communications of your marketing department. It is no longer enough to comply with advertising laws, but also important to know that when privacy compliance is in issue, your marketing communications will be one of the evidential basis for determining what is consented to. The inference and the actual text. The knowledge of data privacy has increased significantly in Nigeria. Thanks to the Nigeria Data Protection Commission- NDPC Nigerians, know where and how to lay a complain. Be compliant. E get why. #privacybydesign #product