Duane Morris Takeaways: Data privacy and data breach class action litigation continue to explode. At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, in Fort Lauderdale, Florida, on November 6-7, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a moderator for a panel discussion, "Legislative Drafting Considerations: Lessons from Colorado's Privacy and AI Law Intersection." The working group meeting, which spanned two days and had over 40 participants, produced excellent dialogues on this topic and others, including website advertising technologies; judicial perspectives on privacy and data breach litigation; onward transfer of consumer PII in M&A and bankruptcy contexts; venue, forum, and choice of law in privacy and data breach class actions; a privacy and data security regulator roundtable; revisiting notice and consent for facial recognition; and application of attorney-client privilege in the cybersecurity context.
The Conference's robust agenda featured dialogue leaders from a wide array of backgrounds, including government officials, industry experts, federal and state judges, in-house attorneys, cyber and data privacy law professors, plaintiffs' attorneys, and defense attorneys. In a masterful way, the agenda provided valuable insights for participants toward this working group's mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.
Justin had the privilege of speaking about lessons from the intersection of the Colorado Privacy Act (CPA) and Colorado AI Act (CAIA) and how these lessons might guide future legislatures when drafting AI and data privacy statutes. Highlights from his presentation included identifying lessons learned from the intersection of the CPA and CAIA and, among them, discussing some of the human steps a company may perform in using an AI hiring tool to avoid triggering the CPA's opt-out right in factual scenarios where that right might apply, as those human steps are discussed in his article, "Five Human Best Practices to Mitigate the Risk of AI Hiring Tool Noncompliance with Antidiscrimination Statutes," Journal of Robotics, Artificial Intelligence & Law, Volume 8, No. 4, July-August 2025.
Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe. Highlights included:
- Experts of all stripes presenting a draft opus on advertising technologies that describes ways our laws could move beyond outdated statutes with draconian statutory penalties by focusing instead on any actual harms resulting from such technologies.
- A lively dialogue among my panelists and other participants dissecting the Colorado Privacy Act, Colorado AI Act, and those statutes' application to AI hiring tools in an effort to offer guidance to future legislators drafting similar statutes.
- Federal and state judges offering tips for advocacy when presenting technical cybersecurity and data privacy issues to the court.
- Panelists with different backgrounds discussing the law regarding when a company that has obtained personal data with consent can and cannot transfer the data in M&A and bankruptcy contexts.
- Litigators from both sides of the "v." debating venue, forum, choice of law, MDL, and CAFA issues in the context of privacy and data breach class actions.
- State regulators discussing their increasing data privacy and cybersecurity departments and priorities for enforcement in these areas.
- Data privacy lawyers and experts discussing the evolution of facial recognition technology and the need to tailor notice and consent processes to risks associated with the technologies and use cases involved.
- Cybersecurity lawyers and experts discussing best practices for maintaining attorney-client privilege when responding to a cybersecurity incident.
Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Fort Lauderdale, Florida, an informative and unforgettable experience.
For more information on the Duane Morris Class Action Group, including its Data Privacy Class Action Review e-book, and Data Breach Class Action Review e-book, please click the links here and here.