Find Your Lawyer

    Laura Popp-RosenbergRobert A. BeckerMassimo B. CapizziCarole E. KlingerCarlos CucurellaRichard Z. LehvLydia T. GobenaBarbara A. SolomonParker C. EudyJoyce M. FerraroTamar Niv BessingerJessica G. OgdenAdrian E. Harrison Jr.Esteban Monge-MoreraKatherine Lyon DaytonCharles T.J. Weigell, IIICourtney B. ShierAlexandra E. KochianChristina SauerbornAlejandra Camacho LunaJ. Asheton LemayJanet L. HoffmanJohn P. MargiottaSarah MarmonJames D. WeinbergerAmanda B. AgatiJason D. JonesEric T. GordonTodd MartinShelby P. RokitoJames D. SilbersteinDarra FrinoBrian LearyMaritza C. SchaefferAllison Strickland RickettsSherri N. DuitzCraig S. MendeCole S. MathewsAndrew N. FredbeckNadine H. JacobsonNancy DiConzaDavid A. DonahueAshford TuckerNicole TenoreNancy E. SabarraAngela RamanauskasMary StotteleRobin N. BaydurcanLauren NathanLeo Kittay

Search Again

Alerts, Articles and Published Works

October 2025 FZLZ Minute

USA

Anthropic case settled: Bartz v. Anthropic, No. C 24-05417 (N.D. Cal.)

In 2024, three authors filed a class action against Anthropic, maker of the AI chatbot Claude.

During discovery, plaintiffs learned that Anthropic purchased millions of new and used books, then stripped the bindings, cut the pages to size, scanned the books into digital form, and then discarded the paper originals. In addition to buying millions of books, Anthropic downloaded over seven million books from pirate websites.

In June 2025, Judge William Alsup held that Anthropic’s use of the books to train its large language model was “exceedingly transformative” and therefore constituted fair use. As to purchased books, the court said that because Anthropic discarded the paper copy, it was basically replacing the purchased copy with a “more convenient space-saving and searchable digital copy for its central library – without adding new copies, creating new works, or redistributing existing copies.”

But Anthropic “had no entitlement to use pirated copies for its central library,” the court held. “Creating a permanent, general-purpose library was not itself fair use excusing Anthropic’s piracy.”

Faced with possible damages for willful infringement of up to seven million books, the parties negotiated the following settlement, to which the court has given preliminary approval: 

• Anthropic will pay the class of plaintiffs at least $1.5 billion, plus interest. With around 500,000 copyrighted works covered by the settlement, this amounts to an estimated gross recovery of $3,000 per work. Anthropic will pay $3,000 for each for any additional works added later.

• Anthropic will delete all copies downloaded from pirate websites.

• Anthropic will receive a release only for conduct up to August 25, 2025. Claims arising out of conduct after August 25, 2025 will not be released by the Settlement, nor will any claims (past or future) arising out of allegedly infringing outputs from Anthropic’s AI models.

Plaintiffs’ counsel will receive 25% of the settlement amount, and the named Plaintiffs will be paid $50,000 each for their service.

The proposed settlement must be approved by the class.

Takeaway: Given the size of the settlement payment, AI companies should avoid using pirated materials to train their large language models and use instead materials that are either purchased or covered by a license agreement.

The proposed settlement agreement is attached.

DATA PRIVACY

CaliforniaI’m Just Browsing, So Opt Me Out: CCPA Amendment May Reduce Marketing Data

On October 8, 2025, California Governor Gavin Newsom signed into law AB 566, known as the California Opt Me Out Act (the “Act”) amending the California Consumer Privacy Act (“CCPA”) by providing a simple way for consumers to opt out of the sale or sharing of their personal information for targeted advertising. Starting January 1, 2027, companies that develop or maintain web browsers must include functionality that a consumer can easily use that allows the browser to send an opt-out preference signal (“OOPS”) to the websites of businesses the consumer visits. While the Act applies only to businesses subject to the CCPA that develop or maintain web browsers, the anticipated effect of browsers’ displaying a straightforward, general opt-out feature may broadly affect all companies subject to the CCPA.

Since January 2025, California has required businesses to recognize certain opt-out signals, such as the Global Privacy Control (commonly known as GPC), and abide by them as they sell and share personal information or limit use of sensitive personal information. Most major browsers already allow consumers to enable GPC. However, the Act will make OOPS features more conspicuous and easier to enable, thus spurring more consumers to opt out of targeted advertising. The anticipated effect of an increase in consumer opt-outs will likely require companies to evaluate and rethink their marketing and advertising strategies.

Obligating those who create or maintain browsers to comply with OOPS signals is a first in U.S. privacy law. However, compliance requirements do not fall entirely on the browser businesses, as the Act makes clear that they “shall not be liable for a violation. . . by a business that receives the opt-out preference signal.” In other words, companies operating their own websites bear the final burden of recognizing and honoring such signals, in addition to passing them to downstream participants within their third-party ecosystems.

The Act enables the California Privacy Protection Agency to adopt regulations regarding its implementation and administration. Such regulations should provide guidance about required OOPS technical configurations. The Act is currently silent on any details, including whether OOPS signals must be opted in or out by default. We continue to track rulemaking updates for additional information.

Depending on how the full implementation of the Act plays out over the coming year and the extent to which consumers take advantage of their privacy rights, the Act may serve as a trendsetting overlay to other states’ comprehensive privacy laws, significantly affecting companies’ marketing campaigns. Companies should begin planning now to build the basic required functionality into their websites, with the understanding that further work may be needed when the Act’s regulations are implemented.

Takeaway: Starting January 1, 2027, the newly enacted California Opt Me Out Act will require businesses subject to the CCPA that develop or maintain web browsers to enable an easy, conspicuous feature that allows California consumers to opt out of the sale or sharing of their personal information. Businesses covered by the CCPA must, in turn, be ready to recognize and honor these opt out signals and should plan ahead for what will likely be a change, and possibly a reduction, in the data available for targeted advertising and other AdTech-driven marketing strategies.

MarylandNew Online Data Privacy Act Expands Privacy Obligations in New Ways

The Maryland Online Data Privacy Act (“MODPA”), effective October 1, 2025, with enforcement for data processing activities set to begin after April 1, 2026, sets a high bar for compliance with some of the most restrictive and consumer-centric obligations among state privacy laws. MODPA’s broad scope applies to, among others, entities doing business in Maryland that control or process the personal data of at least 35,000 Maryland consumers in a calendar year – a relatively low threshold compared with other states’ privacy laws. Consequently, many small- to mid-sized companies exempt from other states’ laws may be subject to MODPA.

While it provides standard data subject rights that most other states provide (e.g., access, correction, deletion, opt-out of targeted advertising/profiling/automated decision-making), MODPA contains notable differences from other laws in several key areas, including the following:

  • Data Minimization. While all state privacy laws include data minimization requirements, they generally allow processing of personal data so long as it is reasonably related to the purposes stated in a business’s privacy notice. MODPA takes this restriction a step further and limits such collection and use to what is reasonably necessary and proportionate to provide or maintain the specific product or service that an individual consumer requested.
  • Heightened Restrictions for Sensitive Data. MODPA’s categories of sensitive data include, among others, race, ethnicity, national origin, religion, consumer health data, citizenship or immigration status, transgender or non-binary status, genetic or biometric data, the personal information of a child younger than 13, and a consumer’s precise geolocation (within 1,750 feet). Against the broad backdrop of these categories, MODPA contains a unique provision that prohibits the processing of sensitive personal data except with prior opt-in consent and only where such processing is “strictly necessary” to provide or maintain the product or service that a specific consumer has requested. Moreover, the sale of sensitive data is strictly prohibited, even where a consumer has provided explicit consent.
  • Protection for Personal Data of Minors. A business may not process the personal data of a consumer for the purposes of targeted advertising, nor may it sell the data of a consumer, if the controller knew or should have known that the consumer is under 18 years old. The “should have known” standard, unique among state privacy laws, places a heightened responsibility on the business collecting the personal data to reasonably determine whether an individual accessing the business’s services is below the age of majority.
  • Geofencing Prohibited. Businesses are prohibited from using geofencing technologies, which create a virtual perimeter around a particular location to detect when a mobile device is near it, to identify, track, collect data from, or send notifications to a consumer within 1,750 feet of a mental health, reproductive, or sexual health facility.

The details of MODPA described above capture only a few of the obligations imposed on data controllers and processors. Such obligations will require, in many cases, deeper examination of and changes to companies’ privacy programs. Businesses subject to MODPA should start to prepare now for its upcoming enforcement by:

  • Creating a data inventory, paying close attention to sensitive categories of data.
  • Conducting required data protection assessments for processing that involves a heightened risk of harm to consumers, which under the statute includes sales of personal data, use of data for targeted advertising, and profiling.
  • Evaluating automated decision-making systems by assessing how decision-making algorithms are being used.
  • Reviewing consent management processes and notices to consumers, which must be clear and provide easy methods for consumers to control whether they consent to sensitive data processing.
  • Updating privacy notices, which must explicitly state whether personal data will be sold or shared and explain how consumers can exercise their opt-out rights.

MODPA does not provide consumers a private right of action, instead leaving enforcement decisions to the Maryland Attorney General. For now, a minimum 60-day cure period exists for businesses notified of violations; however, this grace period is left to the discretion of the Attorney General’s Office, and this notice-and-cure period sunsets on April 1, 2027. If the entity receiving notice of violation fails to remedy the problem within the cure period, penalties may reach up to $10,000 per violation, with fines for repeat violations up to $25,000 for each subsequent occurrence.

Takeaway: Maryland’s comprehensive privacy law became effective on October 1, 2025, but will not apply to any personal data processing activities before April 1, 2026. Its requirements are closely linked to consumer expectations, and the law contains provisions covering data minimization, limitations on use of sensitive data, and protections for minors, among others. Companies should evaluate their privacy programs now to avoid violating this new and potentially far-reaching privacy law.

INTERNATIONAL

European Union Lunapark v. Hardeco: EU Trade Marks Directive prevails

Background:  In 2009, Lunapark Scandinavia Oy Ltd. secured a Finnish registration for DRACULA, covering confectionary goods.  Before Lunapark registered the mark, however, another local company, Karkkimies Oy, had already been importing candy using the term DRACULA, but did not have a trademark registration.  In October 2020, Lunapark sued Hardeco (then owner of Karkkimies) in the Finnish Market Court for trademark infringement, seeking an injunction and damages. In response, Hardeco claimed Lunapark had forfeited its right to enforce the mark, by its long-term failure to act. The court, relying on Finnish private law principles which require parties to bring actions “within a reasonable time” of becoming aware, or being in a position to become aware, of an alleged infringement, ruled for Hardeco. (These Finnish private law principles are analogous to the U.S. legal principles of acquiescence and laches.) Lunapark appealed to the Supreme Court of Finland, which referred to the Court of Justice of the European Union (CJEU) the question of whether the broad “reasonable time” principles of Finnish private law could be applied, beyond what is provided in Article 9 of the EU Trade Marks Directive 2015/2436 (TMD). 

The CJEU ruled in favor of Lunapark, reasoning that Article 10 of the TMD provides the registered mark owner the exclusive right to prevent third parties from making unauthorized use of similar marks and that “a national court cannot, in the context of a dispute concerning the exclusive right conferred by a trademark, limit the exercise of that right beyond what is provided for in Article 18(1) of Directive 2015/2436, read in conjunction with Article 9(1) or (2) thereof.” Article 9, which concerns acquiescence, provides that where “the proprietor of an earlier trade mark . . . has acquiesced, for a period of five successive years, in the use of a later trade mark registered in that Member State while being aware of such use, that proprietor shall no longer be entitled on the basis of the earlier trade mark to apply for a declaration that the later trade mark is invalid in respect of the goods or services for which the later trade mark has been used, unless registration of the later trade mark was applied for in bad faith.” The dispute here, however, was not between owners of two registered marks but between an owner of an earlier registered mark and a prior user of an unregistered mark. In this context, the CJEU concluded that the Finnish court incorrectly applied a “reasonable time” standard based in national law, which was broader than that permitted under the TMD.    

Takeaway:  It is crucial to understand the principles set out in the European Union Harmonization Directive when seeking to rely on national law. The “supremacy” of EU law was applied here to preclude reliance on Finland‘s “reasonable time” private law principles. To be safe, trademark owners are advised to register their marks sooner rather than later given the certainty provided in Article 18(1) of the EU Trade Marks Directive. In addition, long-term users of unregistered marks in EU Member States should understand that such use may not provide protection from enforcement by owners of later registered marks.

Tanzania Deadline December 1, 2025: Mandatory Recordal of Trademarks for goods entering the country

To combat counterfeiting and further strengthen IP rights, Tanzania will now require trademark owners to record with the Chief Inspector of Merchandise Marks all registered trademarks used for goods entering the country. The application for recordal must include the following information and materials: Full applicant details, place of manufacture, a certified copy of the registration certificate(s), a sample or good photo of the goods, any licensing details, and proof of payment of the recordal fee. In addition, trademark owners must appoint a representative officially registered with the Fair Competition Commission. The term of recordal is one year and annual renewal will be required. Only marks registered in Tanzania are eligible for recordation in Tanzania. If the affected marks are not yet registered in Tanzania, however, the proprietor may submit, as supporting documentation, certified copies of registration(s) from other jurisdictions.      

Takeaway: Since it could take time to gather the information and material required for recordal and to appoint a local representative, trademark owners should begin the process now, if they have not done so already. Without timely recordal by the December 1 deadline, goods bearing the marks will be barred from entry at Customs.