Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy and AI legislation, regulation, and enforcement from across the U.S. states. For some of our newer readers, a disclaimer that we thought was obvious: writing about state bills is not the same as endorsing, opposing, or drafting those bills. Okay, on to the updates!
1. Connecticut Introduces Amendments to Comprehensive Privacy Law
The Nutmeg State has quietly become one of the most influential incubators of tech policy across the entire nation. Red and Blue states alike have passed comprehensive privacy frameworks modeled on Connecticut’s fifth-in-the-nation data privacy law; Connecticut’s approach to protecting children online is gaining traction (more below) and has not (yet) received a constitutional challenge; and last year’s Colorado SB-205 focused on high-risk decision-making technologies was heavily influenced by a similar proposal in Connecticut that did not make it over the finish line.
Stakeholders should therefore sit up and take notice when Connecticut proposes to amend its landmark data privacy law. This week, two amendments to the CTDPA were introduced in the General Law Committee: the broad SB 1356 and the narrower SB 1295 focused on children.
SB 1356 would make a number of significant changes focused on expanding and strengthening Connecticut’s privacy law, including:
- Adopting a Maryland-style data minimization provision with respect to the collection of personal data by tying permissible collection to what is “reasonably necessary” to offer a product or service requested by a consumer. Ironically, Maryland is currently considering an amendment (HB 1365) to align its data minimization provision governing the collection of personal data to what currently exists in Connecticut… it’s a switch-a-roo!
- Broadening the "actual knowledge or willfully disregards" standard for protecting minors' data to "knowledge fairly implied on the basis of objective circumstances", a KOSA-style term.
- Broadening the definition of biometric data to a 'can identify' standard from a 'used to identify' standard.
- Broadening the definition of "sensitive data" with various categories found in other state privacy laws including philosophical beliefs (CA), any financial data (NJ), status as nonbinary or transgender (OR), and neural data.
- Lowering the applicability threshold to cover businesses that process the personal data of more than 35,000 residents (down from 100k) or that process any sensitive data. The sensitive data standard would be particularly significant, especially paired with the expansion of the definition of sensitive data to include any financial information.
- Expanding applicability to include nonprofit organizations and switching from an entity-level to data-level carveout under the federal Gramm-Leach-Bliley Act (GLBA).
- Creating an Oregon-style right to access a list of third parties to whom a business has disclosed personal data AND requiring the disclosure of those specific third parties within privacy notices (potentially drastically expanding the length of privacy policies).
- Tweaking the scope of the right to opt-out of significant profiling decisions (expanding) and the law's internal operations exception (narrowing).
SB 1356 will receive a first hearing on February 26th.
The SB 1295 amendment is narrower. It would primarily amend the SB3 children's privacy amendments to the CTDPA to add “physical or mental health” to the definition of heightened risk of harm to minors as part of the Act’s duty of care. Such a broad allusion to “mental health” of child and teen users may raise objections as a potential regulation of lawful content. This bill has not yet been scheduled for a hearing.
2. Virginia Sends Bills to Governor as Session Wraps Up
Forty-eight state legislatures are now in session, but on Saturday, Virginia will become the first state session of 2025 to officially close its doors for the year. We believe that Governor Youngkin (R) will have 7 days to act on legislation after he receives it from the legislature. While there is still a little bit of runway left to move bills in the Commonwealth, it’s a good time to assess where some significant tech bills currently stand:
- SB 754: Would amend the Virginia Consumer Protection (not Privacy!) Act to prevent businesses from obtaining, disclosing, or selling reproductive or sexual care information unless they obtain consent. Notably, Virginia’s Consumer Protection Act includes a private right of action. This bill has cleared the legislature on contested votes.
- HB 2094: A Colorado SB 205-style bill focused on regulating AI systems used to reach consequential decisions about individuals has passed the state House (52-46) and Senate (21-19). Democrats have largely supported this bill while Republicans have opposed it, so we are closely watching how Governor Youngkin (R) will act. Notably, this bill is somewhat narrower than Colorado’s law, applying to “machine learning” systems that serve as the “principal basis” for covered decisions.
- SB 854: Originally a VCDPA amendment restricting access to “addictive feeds,” this proposal has been substituted to require social media companies to conduct age verification and set a default 1-hour per day time limit for users under 16. It has passed both chambers unanimously.
- SB 1023: This proposed VCDPA amendment would have banned the sale of precise geolocation data (even with consent!). It passed the State Senate by a 35-5 vote, but has been tabled in the House.
3. Montana Looks to Amend Comprehensive Privacy Law
The influential Senator Zolnikov (R) who passed the nation’s seventh state comprehensive privacy law has introduced SB 297, which would update and strengthen Montana’s privacy act. These amendments would not go as far as Connecticut’s proposed amendments (discussed above), but they still include significant changes such as:
- Creating a Connecticut/Colorado-style ‘duty of care’ and risk assessment requirements for businesses to take steps to avoid heightened risk of harm to known minors under 18 years of age.
- Lowering the law’s coverage threshold from processing the data of 50,000 residents to 25,000 residents. Montana deserves credit for being the first state law to adopt a sub-100k coverage threshold in its initial iteration.
- Expanding the scope of the law to cover many nonprofits as well as narrowing the GLBA carveout to a data-level exemption for non-financial institutions.
- Narrowing the consumer right to access to prevent disclosures of particularly sensitive types of information that could create security vulnerabilities (e.g., SSNs, account passwords, biometric data).
- Adopting the "actual knowledge or willfully disregards” knowledge standard for adolescent data protections, consistent with the vast majority of state privacy laws.
- Creating unique-to-Montana prescriptive requirements for the form and details of business privacy notices.
- Cutting the law’s ‘opportunity to cure’ potential violations from 60 to 30 days.
On February 19 the bill passed the Senate Judiciary Committee. The cross-over deadline in Montana is a sneaky-soon March 4.
4. Vermont Privacy Effort Now Three Separate Bills
In 2024, Vermont claimed the dubious distinction of being the first state ever to pass a comprehensive consumer privacy bill that received a veto. Governor Scott took issue with the bill’s private right of action, potential Constitutional infirmities with Age-Appropriate Design Code-style provisions, and its lack of alignment with neighboring state privacy laws. Now, Rep. Priestley has split last year's broad privacy bill into three distinct proposals:
- H.208 is the Vermont Data Privacy and Online Surveillance Act. This far-reaching comprehensive privacy bill has been broadened in significant ways from last year’s H.121. It expands upon Maryland’s data minimization standard by providing that processing of personal data (not just collection) must be reasonably necessary to offer a requested product or service. It preserves last year’s private right of action targeted to large businesses and data brokers involving sensitive data misuse, but now provides for statutory damages of $5,000 per violation and does not include a PRA sunset. The bill also has some new wrinkles; for example, it provides that consumer deletion rights may be exercised through global device settings and would require that certain businesses rename their privacy notices to “surveillance” policies.
- H.210 is the Vermont Age-Appropriate Design Code Act. Unlike prior AADCs, H.210 would not create any requirement for businesses to conduct either risk assessments or to obtain third-party audits. The bill also takes new steps in seeking to avoid regulating content, explicitly providing that content viewed by minors will not violate the minimum duty of care to avoid “emotional distress” to minors. However, it also veers back towards the California AADC by granting the State AG authority to draft rules on conducting “age assurance”. Finally, the bill replicates the Maryland AADC’s “Luigi’s Mansion Problem” by limiting data retention to the duration of a minor’s active engagement with a service.
- H.211 would amend Vermont's first-in-the-nation data broker registry law with California Delete Act-style provisions. It would allow the Secretary of State to establish data broker registration fees (currently set at $100/year), require brokers to disclose the categories of data they collect, share metrics about consumer rights requests, and to undergo compliance audits. Most significantly, it would provide for the creation of an “Accessible Deletion Mechanism” to permit consumers or their agents to issue a bulk deletion request to every data broker registered in the state. Fortunately, unlike California’s Delete Act, the Vermont bill is focused solely on the deletion of brokered personal information. California’s law and regulations do not distinguish between brokered and non-brokered data and could cause consumers to unwittingly delete entire online accounts en masse if there is not a statutory or regulatory fix.
Vermont’s legislative session runs through May 9th.
5. South Carolina House Passes Age-Appropriate Design Code v 3.0
Despite an injunction in California and a new lawsuit in Maryland, more and more states including Nebraska, Oklahoma, Washington and Vermont (discussed above) are considering new iterations of the Age-Appropriate Design Code Act (AADC) framework. In prior years, AADCs were most popular in deep blue states, but now they seem to be gaining bipartisan support. There was close competition, but on February 19, South Carolina officially became the first state of the year to pass an AADC through a legislative chamber when H.3431 passed the House by an 89-14 vote.
Casual observers could be forgiven for not even realizing that H.3431 is an AADC as the bill is titled the “South Carolina Social Media Regulation Act” and the first section of the law establishes an age verification framework for accessing social media companies. However, the bill also includes a section on Age-Appropriate “Code Design” (??) establishing numerous privacy, safety, and design rules and restrictions on a broad range of online services.
The bill’s AADC obligations include a “duty of care” to prevent a wide range of harms to minors including severe “psychological harm” and “emotional distress”, potentially landing the bill back in “proxies for content”-land. Notably however, this version of the AADC avoids the “Luigi’s Mansion Problem” by tying permissible data processing activities to elements of an online service that a user is “knowingly” engaged with (dropping the “actively” language). Similar to the proposed Nebraska AADC, South Carolina’s bill does not require businesses to conduct risk assessments and instead mandates third party audits “describing the online service as it pertains to minors.” While age verification or estimation is not explicitly required under the AADC portions of H.3431, a description of “age verification or estimation methods used” is an element of the third party audit requirement, potentially raising additional First Amendment questions.
South Carolina’s legislative session closes on May 8th.
As always, thanks for stopping by.
Keir Lamont is Senior Director at the Future of Privacy Forum
3DPO (Digital Privacy Project and Program Officer) PMP, CIPP/US - Helping nonprofits navigate data, privacy, and secure technology with clarity and care
4 days ago
Thank you so much, Keir Lamont - I am so grateful for your timely, informative updates.
Partner @ Baker McKenzie | Cyber Attorney | Author | Speaker
5 days ago
Excellent resource. Expecting lots more state activity on consumer protection and AI regulation in 2025 so especially appreciate this resource and your insights to stay on top of quickly emerging laws and regulations.
Telecommunications Attorney, Telecom, VoIP, Information/Data Technology and IoT; NewLaw Legal Practice Disruptor
6 days ago
Susan Duarte E. Brian Alexander Diana James, CIPP/US thought this might be of interest!
Infrastructure, Privacy, & Security Specialist
1 week ago
One quick thought: It's fitting that Montana would be an early state with a low threshold of residents impacted to be subject to higher levels of data privacy requirements. If a state has a vastly smaller population than another, it would seem like madness to mimic thresholds of a more popular state as a byproduct of mirroring existing laws that you mostly agree with in that sister state. I would hope Wyoming would similarly assess a smaller threshold (I'm not up to speed on Wyoming's current data privacy laws though.)
Legislator // Nonprofit Founder // Technologist // Connector // Convener // Gamer
1 week ago
Thanks, as always, for providing a great multi-state update, Keir! Looking forward to discussing a few pieces that I found amusing. PS Respective Senate companions for anyone following along: 71, 69, 70