State Privacy News - 10/4

1. Newsom Signs Bills!

California Governor Newsom has signed several significant privacy and AI bills into law including:

  • AB 2013, which will require developers of publicly available generative AI systems to publicly disclose information about the training data of their systems, including "high-level" information about their data sources, how the data furthered the intended purpose of the system, the number of data points used, and whether the data included any personal information.
  • AB 1008, a California Consumer Privacy Act (CCPA) amendment specifying that personal information “can” exist in abstract digital formats, including AI systems capable of outputting personal information. There has been considerable debate about whether this could include the weights of large language models and about the practical implications of such a determination. Ultimately, the impact of this bill will likely be left to guidance or enforcement actions from California's privacy regulators.
  • SB 1223, a CCPA amendment classifying “neural data” as a category of sensitive personal information under the CCPA, meaning such information will be subject to the user right to 'limit use and disclosure' when it is used to infer characteristics. As with the Colorado Privacy Act neural data amendment, most media coverage has dramatically overstated the impact of this amendment, in this case by inaccurately suggesting that neural data was previously completely unregulated under the CCPA.

2. Newsom Vetoes Bills!

California Governor Newsom has vetoed several significant privacy and AI bills, preventing them from becoming law (unless the state legislature breaks its 44-year streak of not overriding vetoes), including:

  • SB 1047, which would have required developers of very large “foundation models” to take steps to prevent these AI systems from causing or significantly enabling “critical harms” and to develop an external system shutdown capability. Notably, the Governor’s veto message faults the proposal for focusing only on the largest and most expensive AI models.
  • AB 3048, which would have amended the CCPA to require web browsers and mobile operating systems to directly provide settings for opt-out preference signals (OOPS), allowing consumers to invoke both the right to opt out of the sale/sharing of personal data and the right to limit the use/disclosure of sensitive personal information. While often portrayed as a straightforward mandate that browsers offer native OOPS settings, the drafting of this bill produced a number of complexities that risked scrambling the emerging opt-out landscape. For instance, if read literally, AB 3048 would likely have required certain 'privacy forward' web browsers that send the Global Privacy Control by default without offering user controls to add "settings" to enable additional user choice over the exercise of their privacy rights. Furthermore, the only presently recognized OOPS signal, the Global Privacy Control, would not have been a qualifying signal under AB 3048, as it does not invoke the right to limit the use and disclosure of sensitive personal information. The Governor's veto message argued that OOPS settings in the mobile OS context would be better addressed by developers before regulators step in.
  • AB 1949, which would have amended the CCPA to require “affirmative authorization” (undefined) either from a parent/guardian or from the teen user for any collection, sale, sharing, use, or disclosure of the data of minors under age 18, and would have provided for the transmittal of binding device signals communicating that a user is a minor, similar to “age-flags” under the New York Child Data Protection Act. The Governor’s veto message expresses concern about requiring businesses to distinguish between adult and minor users at the point of data collection.

3. California Gears Up for Next Round of Rulemaking

On November 8, the California Privacy Protection Agency (CPPA) will host a board meeting where it intends to initiate formal rulemaking on a new round of sweeping California Consumer Privacy Act (CCPA) regulations. The hearing was originally scheduled for today, October 4, so in a fascinating twist, the CPPA will for once not make news on a Dispatch Friday! The posted regulations are essentially identical to a draft posted in July of this year, but the estimate of Year One direct costs to California businesses has come down from $4 billion to $3.5 billion with the completed regulatory impact assessment.

In many places the draft regulations go much further than any existing state privacy law; they also fill in important gaps left by the California Privacy Rights Act ballot initiative. In particular, they cover:

  • Opt-out rights with respect to automated decisionmaking technology (ADMT). These would create, for the first time, rights to opt out of targeted advertising based on first party data, of significant decisions that affect access to significant life opportunities, and of the use of personal data to train ADMT.
  • Prescriptive risk assessment requirements, including an obligation to affirmatively send abridged risk assessments to the CPPA.
  • Cybersecurity audit and certification requirements, which have been criticized by industry stakeholders as a "back-door" to new substantive cybersecurity requirements.
  • Classifying the personal data of adolescents as a category of "sensitive data" - a first for US state privacy law.
  • A de facto expansion of the CCPA's data deletion right to extend to data collected from third party sources (this would be an alignment with other state privacy laws).

4. California Holds the Line on Expansive Delete Act Regulations

The California Privacy Protection Agency has also recommended that the Agency Board finalize draft rules concerning data broker registration requirements under the California Delete Act (SB 362). Surprisingly, the Agency determined that no changes to the draft regulations were necessary in response to the 130 pages of public feedback received during the formal rulemaking period.

Should the draft regulations clear remaining administrative hurdles, they will significantly expand the range of companies that will be required to register as data brokers in the state of California. While the Delete Act provides that organizations without a "direct relationship" with consumers that sell personal data must register, the regulations further provide that a business does not have a "direct relationship" if it sells (defined broadly) any data that is not collected directly from a data subject. The Agency argued that this definition was necessary because "[t]o interpret the law otherwise would allow businesses to leverage any single interaction (even if such interaction is superficial or misleading) the consumer has with any component of their business—no matter how fleeting or passive—as a means to forever broker their personal information without necessarily having to register as a data broker."

Numerous industry commenters warned that taking such a maximalist interpretation of the term "data broker" under the Act would be inconsistent with consumer expectations and water down the utility of the actual registry (see generally, img. 1).

The question of which entities will be required to register as data brokers in California is critical because, ultimately, brokers will be required to respond to bulk deletion requests issued by individuals and their agents to every registered business. What's more, the Delete Act does not distinguish between first party and third party data held by a broker; instead, it provides that a broker shall "delete any personal information related to that consumer" who issued a bulk deletion request. Both industry and civil society groups cautioned the Agency that requiring businesses that collect first party data to join the data broker registry and to be subject to bulk deletion requests would harm consumers with the unexpected loss of accounts and first party data, such as personal photos uploaded to websites. However, the Agency repeatedly responded that:

To the extent the comment seeks clarification about deletion obligations under SB 362 beginning in 2026, the Agency intends to address that topic as part of a future rulemaking package. This package specifically clarifies registration requirements.

5. New State Laws Take Effect

On October 1st, three significant new state privacy laws took effect:

  1. The Montana Consumer Data Privacy Act. This comprehensive privacy statute is modeled very closely on Connecticut privacy law. Compared to other state privacy laws, businesses will need to process the personal information of a proportionately large number of Montanans (50,000) in order to be in scope. However, the MCDPA deserves credit as the first state law to lower the default applicability threshold below the prior state law default, which required processing the data of 100,000 in-state residents regardless of a state's population.
  2. The Maryland Age Appropriate Design Code Act. This is the second US AADC statute, following California's (which has been enjoined). The Maryland law took steps to avoid the constitutional infirmities that plagued the California law: for example, it does not require businesses to conduct "age estimation", removes explicit obligations to limit access to 'potentially harmful content', and removes the ability of the State AG to second-guess whether an organization's content moderation decisions align with its posted policies. However, it also introduced a number of new ambiguities and complexities. For example, the prohibition on "processing" a child's data that is not "reasonably necessary to provide an online product that the child is actively and knowingly engaged with" would probably ban services from offering any child or teen accounts if read literally.
  3. The SB3 (2023) child privacy amendments to the Connecticut Data Privacy Act. The key obligation of these amendments is the creation of a "duty of care" requiring operators to use reasonable care to avoid a "heightened risk of harm" to minors using their services. Covered harms avoid the content-focused injuries that have plagued online safety laws and include (1) unfair or deceptive treatment or unlawful disparate impact, (2) financial, physical or reputational injury, and (3) offensive intrusion upon the solitude or seclusion, or the private affairs or concerns, of a minor. This law has served as the basis of recent amendments to the Colorado Privacy Act.

Information about the Connecticut child privacy amendment is included in the Attorney General's FAQ page on the Connecticut Data Privacy Act. However, our staff has not been able to find any recent announcements or information about the newly effective privacy laws from the Attorneys General of either Montana or Maryland.

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum

Jeff Jockisch

Data Privacy Researcher | Partner @ ObscureIQ | Co-host of YBYR

1 month

Re: rulemaking on the Delete Act and public commentary: "...requiring businesses that collect first party data to join the data broker registry and to be subject to bulk deletion requests would harm consumers with the unexpected loss of accounts and first party data such as personal photos uploaded to websites." The companies collecting first party data, and also collecting user-generated content like photos, and also selling our data? The companies lobbying against being labeled data brokers? The companies worried about allowing us to close our account easily? That's Facebook, Google, Snapchat, TikTok, etc. There probably *should* be a failsafe to make sure people don't delete years of content accidentally. But that's no reason to let them off the hook. They are data brokers under any reasonable definition of the term when their business model turns entirely on our personal data. And opting out of their services can be too damn hard.

Matthew R.

Director @ CIPL | Privacy, Data, and Technology Policy

1 month

Another invaluable issue of The Dispatch. Thank you, Keir and team!

Jodi Daniels

Practical Privacy Advisor / Fractional Privacy Officer / WSJ Best Selling Author / Keynote Speaker

1 month

Every week continues to be thrilling in the privacy and AI space …

We’ll see the next surprises out of CA when the CPPA initiates rulemaking November 8th. Keeping my eye on the opt-out rights with automated decisionmaking technology, especially targeted advertising based on first party data.

Tom Kemp

Silicon Valley-based Entrepreneur, Seed/Angel Investor, Policy Advisor, and Author

1 month

As per usual, required reading for privacy pros!