Photo of Alicia A. Baiardo

Alicia A. Baiardo

Subscribe to Alicia A. Baiardo's Posts

Ali, a partner in the San Francisco office of McGuireWoods, is a commanding commercial litigator trusted by three of the largest U.S. banks and numerous Fortune Global 500 companies to defend high-stakes, multimillion-dollar class actions and other complex litigation. Her practice spans nationwide consumer class actions involving millions of class members, California-wide cases alleging unfair competition, fraud, violation of various consumer protection statutes, complex Ponzi-scheme matters brought against financial institutions, and the rapidly evolving landscape of mass arbitrations. She has a strong track record of successfully representing clients through trial, including defending major national banks in multidistrict class action litigation and individual class actions, skillfully navigating the regulatory implications that often accompany such matters.

Contact:Read more about Alicia A. Baiardo

California’s Invasion of Privacy Act (CIPA) is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies.  The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to “read” a communication “in transit,” whether URLs and clickstream data constitute “contents,” and how third-party service providers fit within a statute that never contemplated real-time web analytics, session replay tools, or ad technology.Continue Reading California’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690

In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations.  These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?

Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).

Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet

On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances.  The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.Continue Reading Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.
Continue Reading First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory

cybersecurity-blue-lock

The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become complaint if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws.
Continue Reading New Utah Privacy Law Largely Overlaps with Existing State Statutes

As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data.  However, we have recently seen an increasing number of states focusing on this issue.  Part I summarized legislative activity on this issue in 2020.  In this Part II, we discuss noteworthy legislation to monitor in 2021.

What to Expect in 2021

At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.

New York – AB 27

On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data.  BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy.  As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data.  The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.Continue Reading U.S. Biometrics Laws Part II: What to Expect in 2021

Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses.  From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.

Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws.  As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person.  As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field.  Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.

The United States does not have a single, comprehensive federal law governing biometric data.  Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data.  In Part I, we summarize some of the legislative activity on biometric laws from 2020.  We will describe other noteworthy legislation to monitor for 2021 in Part II.Continue Reading U.S. Biometrics Laws Part I: An Overview of 2020

In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law. To view Part I in the series, click here.

NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES

a. Key data protection principles

The GDPR revolves around seven key data protection principles:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability

Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part II

The recently-passed California Privacy Rights Act (CPRA) augments and supplements California’s existing privacy law, the California Consumer Privacy Act (CCPA).  We are sure many practitioners are wondering how it stacks up with the European Union’s General Data Protection Regulation (GDPR). See below for Part I of our two part series comparing the CPRA and the GDPR (and see Part II here).

HOW DOES THE CPRA CHANGE THE CCPA?

The CPRA makes several significant changes to the CCPA:

  • It introduces the concept of “sensitive personal data”;
  • It introduces new obligations on businesses, and GDPR-style “principles”;
  • It introduces new rights for consumers; and
  • It creates a new supervisory authority for data protection and privacy in California — the California Privacy Protection Agency.

These changes are very significant – but do they represent a move closer to GDPR, or a move away?Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part I