State Privacy & AI News - 1/10

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy and AI legislation, regulation, and enforcement from across the U.S. states. It’s a new year and we are seeing new bills being filed by the truckload. But as always, we will only ever provide five updates, restricted to a fortnightly cadence. For more complete news and analysis on a more timely basis, your organization may want to consider joining the Future of Privacy Forum.

1. Controversial AI bills return (in placeholder form)

Two of the most prominent state proposals to regulate artificial intelligence in 2024 were California SB 1047 and Connecticut SB 2. The proposals took very different approaches with different scopes, but ultimately met similar fates. SB 1047 was focused on protections against “critical harms” such as mass casualty events resulting from the use of very high complexity “frontier” artificial intelligence systems. SB 2 was more of an omnibus package and included provisions regulating synthetic content, automated decision making systems, general purpose AI, and support for workforce development.

SB 1047 passed the state legislature but was ultimately vetoed by Governor Newsom who faulted the bill in part for not taking into account whether a covered system would be deployed in high-risk environments. SB 2 passed the Connecticut Senate, but ultimately stalled following a veto threat from Governor Lamont (no relation). However, the provisions of SB 2 that would have regulated high-risk AI decision making systems ultimately informed the enactment of the successful Colorado SB 205, a first in the nation AI law.

This year, placeholder bills (currently lacking statutory language) have been filed marking the return of both frameworks. In California, Senator Wiener (D) has filed SB 53 which appears to court Governor Newsom by suggesting that substantive rights and protections will be informed by the Governor’s Joint California Working Group on AI Frontier Models. In Connecticut, 23 Senators have introduced SB 2, an act concerning Artificial Intelligence. Retaining the same, single digit bill number signals that the proposal is a caucus priority of Democratic Leadership in the state senate (underscored by a blog from the caucus that provides additional information about the framework).

Whether and how these frameworks have been fine-tuned (heh) could substantially influence the U.S. AI debate in 2025.

2. As Colorado goes, so goes the nation?

As described above, Colorado was a trailblazer on AI in 2024, enacting broad (some say “comprehensive”) rights and protections focused on limiting unlawful discrimination from the use of artificial intelligence systems to make consequential decisions about individuals. While Colorado awaits implementing regulations and remains in an active process debating possible amendments and revisions to the law, the Colorado AI Act appears to have inspired a number of the early AI bills filed this year.

Legislation focused on the use of AI to reach consequential decisions that shares similar definitions and substantive provisions with the Colorado law as currently enacted has already been introduced in Massachusetts (HD 396), New Mexico (HB 60), New York (A 768), and Virginia (HB 2094). The degree to which these bills align or diverge with Colorado (and will so over their legislative journeys) has yet to be studied, though certain distinctions already pop out. For example, the New York proposal contains provisions on general purpose AI systems, harkening back to last year’s early iterations of Connecticut SB 2, while the Massachusetts bill appears to be a streamlined, less prescriptive version of the Colorado law.?

3. Or will the ‘California Effect’ re-exert dominance for Al law??

While California’s restrictive “Frontier Model” bill did not make it over the finish line, the Golden State did enact a number of more limited AI bills in 2024 spanning a range of issues (18 new laws by some counts). Two of the more significant bills signed into law were focused on transparency requirements in generative AI systems - SB 942 and AB 2013. We’ve covered these bills extensively in prior editions but in short, SB 942 is focused on tools and disclosures (such as watermarking) to let individuals know that they are viewing or interacting with synthetic content. In contrast, AB 2013 is focused on requiring developers of generative AI systems to make detailed disclosures about the datasets used to train their systems.

It appears that other states may choose to follow California’s lead on transparency requirements for GenAI. Representative Shavers of Washington State has introduced two bills very closely following the California laws, HB 1168 (modeled on AB 2013) and HB 1170 (modeled on SB 942). Notably, these bills are also the first proposals tracked by the Patchwork Dispatch to be scheduled for a hearing this year. Tune in, should you please, on January 17 where both bills will be considered before the House Technology, Economic Development, & Veterans Committee.

4. Okay, but what about Comprehensive Privacy?

It is time we returned to our roots as a state privacy law newsletter to find… huh, not a lot going on! With 19 state laws on the books, perhaps there is only so much blood the states can squeeze from one stone. While it’s still early, only two comprehensive state privacy bills have been filed so far this year (joining the pre-filed bills from 2024 in South Carolina and Oklahoma), these are the New York Data Protection Act (A 974) and Pennsylvania HB 78.

Every year New York is the most active (in terms of bills getting introduced) of any state on consumer privacy, with as many as 6 or 7 different comprehensive privacy bills sometimes getting filed in a single session. In the modern privacy era, the leading framework in New York has been Senator Thomas’ New York Privacy Act which has passed the state senate on a couple of occasions. However, Thomas is no longer a member of the legislature, making it unclear which, if any, comprehensive bill will gain traction in the empire state in 2025. For its part, A 974 is arguably a Washington Privacy Act-style bill with additional data broker registration requirements; however, it is uncommonly prescriptive in the details.

Pennsylvania is another state that can see multiple comprehensive bills filed per year (though typically no more than three). Last year Representative Neilson’s relatively standard Connecticut-style privacy proposal passed the State House by a 139-62 vote. Neilson is back with HB 78 this year, notably filed with bipartisan support.

5. More privacy amendments under consideration in Virginia

With an early and short legislative session, Virginia tends to be something of a bellwether state for tech policy. Last year, around a dozen proposed amendments to the state's second-in-the-nation comprehensive consumer privacy law, the Virginia Consumer Data Protection Act were filed, largely focusing on establishing additional protections for children. Only one amendment made it over the finish line however, Delegate Maldonado’s (D) HB 707 focused on risk assessment and data minimization requirements to protect child data.

This year we have already counted six distinct VCDPA amendments up for consideration:

• HB 2250: The VCDPA improved on the California Consumer Privacy Act in many respects with an accessible and practical framework that added opt-in consent requirements and stronger deletion rights. However, it has since been eclipsed by many subsequent state laws, which have largely modeled on the Connecticut Data Privacy Act. This amendment offered by Delegate Maldonado would largely bring the VCDPA in-line with the prevailing standards for state privacy laws: strengthened definitions of “sensitive data”, “sale”, and “biometric data”, providing for the exercise of consumer rights through universal opt-out mechanisms, heightened protections for teen data, and sunsetting the law’s 'right to cure' provision.?
• HB 2043: This bill would create novel substantive data minimization requirements, limiting secondary use of personal data and user-generated content without consent. It would also raise penalties and add a private right of action to the VCDPA.
• HB 1817: This bill would require verifiable parental consent for any individual under age 18 to open an account on a social media platform. It would also give parents the ability to consent to the collection and use of their child’s data by the social media platform without also consenting to disclosures to third parties.
• SB 769: This bill would create opt-out rights with respect to the automatic placement of “cookies” on browsers and require opt-in consent for companies to use non strictly-necessary cookies.?
• SB 783: This bill would require controllers to obtain verifiable parental consent for essentially any collection and use of personal data of children and teenagers.
• SB 854 / HB 1624: Similar to the New York SAFE for Kids Act (currently in a rulemaking process), this bill would require social media platforms to conduct “commercially reasonable” age verification and obtain verifiable parental consent in order to offer so-called “addictive feeds” to individuals under age 18.

Virginia's legislative session is scheduled to conclude on February 22.

As always, thanks for stopping by.

Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum