State Privacy & AI News - 2/7
Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy and AI legislation, regulation, and enforcement from across the U.S. states. This has been an uncommonly eventful fortnight, even for the fast-shifting state landscape. Let’s dive in:
1. NetChoice Files Suit Against Maryland Age-Appropriate Design Code Act
Stop us if you’ve heard this one before: On February 3rd the trade association NetChoice filed suit seeking to strike down Maryland’s Age-Appropriate Design Code Act (AADC), largely on First Amendment grounds.
NetChoice has previously had success in ongoing litigation enjoining California’s version of the AADC (as well as a host of different types of laws focused on age verification, content moderation, and child online safety). The drafters of the Maryland AADC took steps to try to avoid the Constitutional questions that have plagued California’s law since its inception, including by removing the requirement for businesses to estimate the age of their users and the explicit direction to restrict access to lawful content. However, NetChoice nevertheless found plenty about Maryland’s law to take issue with. In particular, the trade group’s filing claims the law’s “best interest of children” standard and “likely to be accessed by children” applicability threshold are unconstitutionally vague. Similar to their litigation in California, NetChoice also argues that the data protection impact assessment requirement constitutes unconstitutional compelled speech.
The “best interests of children” standard is particularly important in the context of Maryland’s AADC because the law requires that businesses affirmatively act to ensure the best interests of children are met across their operations and data processing activities. This is a stark contrast to California’s approach, which instead allows businesses to avoid certain obligations under the CA AADC if consistent with “best interests.” Furthermore, while the California AADC required companies to estimate the age of their users proportionate to risks of harm, Maryland instead adopts a “likely to be accessed by children” applicability standard modeled in part on the federal COPPA statute. However, practically speaking, there are significant differences between what makes a website likely to be accessed by 12-year-olds versus those likely to be accessed by 17-year-olds. Finally, though Maryland’s DPIA requirements are not explicitly tied to assessing and limiting access to “potentially harmful” content, the law’s focus on evaluating the potential for “psychological or emotional” harm to any children may constitute a ‘proxy for content’ that the Ninth Circuit took issue with in the California litigation.
NetChoice fails to address the MD AADC’s “Luigi’s Mansion” problem (the law technically bans all child and teen online accounts in the state of Maryland by forbidding the storage of data unless a minor is actively using a service), but they do make a related argument that the broad definition of “processing” data requires companies to evaluate and risk liability under the “best interests” standard whether they choose to store or delete personal data (darned if you do, darned if you don’t).
NetChoice has filed numerous lawsuits against child online safety laws, typically seeking injunctions before they go into effect. The Maryland AADC litigation is unique because the law has been in effect since October 2024. Also unusual for a flashy new state privacy law, our team has found no instances of the state AG (the Maryland AADC’s enforcement authority) publicly discussing or providing guidance about the Act. It seems possible that the timing of this suit was chosen with the 2025 state legislative cycle in mind. Several hours after filing suit, NetChoice was on the ground in Lincoln, Nebraska, testifying in opposition to a new-look Age Appropriate [Online] Design Code Act (LB 504) supported by the Cornhusker State’s Governor and Attorney General. Nebraska’s “AADC 3.0” model contains a host of novel provisions that are sure to be the subject of future analysis in The Patchwork Dispatch.
2. Virginia House Passes Bill Regulating the Use of AI for Consequential Decisions
February 4th was the deadline for bills in Virginia’s short legislative session to make it out of their chamber of origin. Four significant privacy and AI bills remain in play in the Commonwealth, most prominently HB 2094 which passed the state House by a 51-47 vote.
HB 2094 is a Colorado SB 205-style bill focused on placing responsibilities on the developers and deployers of ‘high-risk’ automated decisionmaking systems used to reach consequential decisions about individuals. As passed by the House, the current version of HB 2094 largely aligns with the overall framework and focus of Colorado’s law enacted last year. However, the Virginia approach does contain several meaningful distinctions, likely reflecting active engagement and input from stakeholder groups.
The Virginia bill’s key shifts from Colorado’s first-in-the-nation automated decisionmaking law include:
Virginia's legislative session adjourns February 22nd.
3. More CPPA Leadership Turmoil as Debate on New Rules Rages
As the California Privacy Protection Agency continues to seek a new Executive Director to replace long-time Agency lead (and first employee) Ashkan Soltani, additional turnover has reached the Agency’s leadership. On Friday, January 31st, Bloomberg’s Titus Wu broke the news that California House Speaker Rivas has replaced Vinhcent Le on the Agency’s 5-member board. Le stated that he was informed that the Speaker’s office “wanted to move in a different direction.”
Le was a member of the CPPA’s “New Rules Subcommittee” and therefore involved in the development of the Agency’s current set of draft regulations on automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits. The initial public comment period on this draft will close on February 19th but has already been marked by extensive industry pushback, including questions about practicality, whether the Agency is leapfrogging the legislature and Governor's office on establishing rules for AI, whether the proposed rules exceed the Agency’s statutory authority, and the Agency’s own estimate that the rules will impose 3.5 billion USD in direct costs on in-state businesses during their first year in effect. In particular, the draft rules seek to expand rights and obligations with respect to ADMT beyond traditional “consequential decisions” to include use of personal data for model training, first-party behavioral advertising, and profiling based on systematic observations. The replacement of Le is not likely to tip the overall balance in the Agency’s approach to these draft rules, as the current rulemaking process was initiated with a 4-1 vote of the Board.
Le has been replaced with Brandie Nonnecke, co-director of the Berkeley Center for Law and Technology and the UC Berkeley AI Policy Hub. The sole remaining original member of the Agency’s Board is now Chairperson Urban, also a professor at UC Berkeley.
4. Georgia to Have Another Go at Comprehensive Privacy
The “Georgia Consumer Privacy Protection Act” (SB 111) has been filed by Senator Albers and six co-sponsors. This proposal is most closely modeled on Tennessee's data privacy law, including a high-applicability threshold (data of 175,000+ in-state residents) and an affirmative defense for organizations that “reasonably conform” to the NIST privacy framework or a comparable program.
In terms of what would make Georgia unique, there’s a carveout to the definition of biometric data that would exclude information “captured and converted to a mathematical representation.” We haven’t seen this exclusion enter any state laws previously, but proposals to amend the Illinois Biometric Information Privacy Act frequently include similar language (including HB 2838 this year).
The prior version of this bill passed Georgia's State Senate by a 37-15 vote last year, but hit an unexpected speedbump when local advocates successfully lobbied for the removal of certain carveouts for data and entities already subject to existing federal privacy laws - which went in then came back out. The current version of the Georgia Consumer Privacy Protection Act as re-filed contains what we would consider the ‘standard’ exceptions for a comprehensive U.S. state privacy law.
5. Colorado AI Task Force Issues Closely Watched Report
Colorado’s Artificial Intelligence Impact Task Force composed of policymakers and stakeholders has issued its Report and Recommendations concerning possible revisions to clarify, refine, or otherwise improve SB 205, Colorado’s 2024 law governing the use of ‘high-risk’ AI decisionmaking systems. The report comes short of recommending specific statutory changes to the law, and instead recommends continuing discussions and engagement with stakeholders in the coming weeks and months.
Helpfully, the report does provide examples of important topics of discussion between members of the Task Force and categorizes areas of possible amendment to SB 205 based on the level of consensus or disagreement between key stakeholder groups. For example, issues where “consensus on changes appears achievable with additional time and stakeholder engagement” include more specifically defining what qualifies as a regulated “consequential decision” and changes to the information and documentation that AI developers are required to provide deployers. On the other hand, issues with “firm disagreement” where “creativity will be needed” cover topics such as the definition of “substantial factor,” the mechanics of the law’s “duty of care,” and whether to alter the law’s small business carveout.
Any amendments to SB 205 that move in Colorado this year will likely be closely watched throughout the country, especially as other states consider their own proposals to govern ‘high risk’ decisionmaking systems that draw from Colorado’s approach.
As always, thanks for stopping by.
Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum
Cyber, Privacy, and AI Lawyer, Policy Wonk, Audacious Relationship Builder, Authentic and Passionate Advocate, and Cleveland Enthusiast
2 weeks ago
As someone who is living all of these bills in real time this session, so interesting to see what makes the cut! Appreciate the clear concise summaries.
Silicon Valley-based Entrepreneur, Cybersecurity Executive, Policy Advisor, and Author
3 weeks ago
Great stuff as usual. Heads up on Illinois -- HB-3041 (comp privacy law), HB-2913 (Delete Act - 3rd this year), and various BIPA bills. And one immigration privacy bill.
Cybersecurity & Privacy Attorney
3 weeks ago
Very helpful, Keir. Thank you
Thanks for all the updates. The Georgia news is welcome. Would love to see more southern representation on the patchwork quilt :-)
Privacy, IP, and Consumer Protection Attorney, with a focus on kids privacy and safety.
3 weeks ago
The NetChoice challenge against Maryland’s AADC is one I’ve been expecting for some time. As someone in compliance whose job is translating these state laws into actionable tasks for businesses, the “best interest of the child” requirement has caused no shortage of uncertainty for me personally…