State Privacy News - 11/1

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy and artificial intelligence legislation, regulation, and enforcement from across the U.S. states. Legions of loyal readers noticed that we skipped an edition and filled our PO box with both letters of concern and a barrage of demands for new state law updates. Have no fear, our staff is healthy, well, and full of energy - it just so happened that there wouldn't have been much to report on two weeks ago. But now, the states are gearing up for what is sure to be an action packed 2025 legislative session and so are we!

1. Draft AI Bill Circulated in Texas

As first reported by Austin Jenkins of pluribus news, Representative Capriglione has circulated draft text of a broad artificial intelligence governance framework for stakeholder feedback. Long time readers of the Dispatch will be familiar with Rep. Capriglione as the key sponsor of the Texas Data Privacy and Security Act which raised the bar for state privacy protections in several key ways. The proposed Texas Responsible AI Governance Act (TRAIGA) contains areas of clear alignment with the Colorado AI Act and similar proposals from this year's state sessions, suggesting that state lawmakers are approaching concerns about AI with interoperability in mind. However, getting into the details, TRAIGA is in some respects significantly narrower than existing US AI frameworks while in other ways it is significantly broader.

With respect to regulated uses of AI, TRAIGA goes further than prior US proposals that have been primarily focused on unlawful discrimination. First, in addition to provisions restricting unlawful discriminatory processing the bill addresses “unlawful use or disclosure of personal data and deceptive manipulation or coercion of human behavior.” Second, the bill would create more targeted requirements for developers of Generative AI systems (requiring record keeping for training datasets) and for digital service providers / social media platforms (requiring commercially reasonable efforts to prevent advertisers from discriminatory uses of AI). Finally, TRAIGA contains an EU AI Act-style list of "prohibited uses and unacceptable risk" covering AI use cases such as the production of harmful visual material and social scoring. Violations of this prohibited use list could be enforced through a private right of action.

Turning to covered systems, TRAIGA is arguably a mixed bag. The definition of "artificial intelligence" departs from the broad OECD -inspired standard that has become commonplace in US AI policy and instead requires that in-scope systems must be capable of the more advanced feature of "learning and adapting behavior by analyzing how the environment is affected by prior actions." On the other hand, the scope of covered high-risk AI includes systems that are a "contributing factor" (a broad standard) in "access to" (not solely provision or denial of) critical life opportunities.

In terms of covered entities, TRAIGA adopts the "developer" / "deployer" distinction but adds a new class of entities termed "distributors" (who make an AI system available on the market). The bill would also broadly carve out firms that qualify as "small businesses" under US SBA standards (generally those with fewer than 500 employees).

TRAIGA would also update the Texas comprehensive privacy law to specifically account for AI systems, most notably creating a new right to opt out of the sale or sharing of personal data for use in AI systems. Finally, the Act would provide for the creation of a regulatory "sandbox program" as well as a "Texas Artificial Intelligence Council" with rulemaking authority.

2. California Launches Data Broker Registration Sweep

On October 30, the California Privacy Protection Agency (CPPA) announced an investigative sweep of data broker registration compliance under the Delete Act . The Delete Act (which modified California's 2019 data broker law) transferred authority over California's data broker registry from the Attorney General to the CPPA and provided that covered businesses were required to register as data brokers by January 31 of this year. CPPA's enforcement head Michael Macko is quoted as stating that the Division will seek to recover statutory fines ($200/day) from brokers that failed to register "because it's unfair to the data brokers who have complied with their obligations."

This enforcement sweep is particularly notable because implementing regulations defining who, exactly, must register as a data broker in California have yet to be finalized. While the Delete Act provides that only businesses that sell data and lack a "direct relationship" with consumers are data brokers, the current draft regulations instead provide that an entity can still be a data broker if they sell information that they do not collect directly from a customer (regardless of any other relationship) or go three years without interacting with a consumer. The Agency may vote to submit these proposed rules to the Office of Administrative Law for finalization during a November 8 board meeting (as well as launch a broad new CCPA rulemaking... but that's for a future edition).

This is the second sector-wide action announced by the CPPA's enforcement division, following a review of the data practices of connected vehicle manufacturers and related technologies in July 2023.

3. DC Council Hears Health Privacy Bill

On October 17 the DC Council Health Committee heard the Consumer Health Information Privacy Protection Act (CHIPPA ) supported by the office of Attorney General Schwalb. CHIPPA is essentially a Washington State My Health, My Data Act copycat, though it would require consent for any collection or use of consumer health data rather than permitting data processing if necessary to offer a requested product or service. Many of the counter-intuitive elements of MHMDA, such as a definition of "collection" than includes any processing of consumer health data have been replicated in CHIPPA. The Committee also accepted written testimony through October 31st. Of note, Chair Henderson cautioned industry that ‘this will not be a 7 month process’ and that they should engage sooner rather than later.

4. CCIA and NetChoice File Suit Against Florida HB 3

On October 28, trade associations CCIA & NetChoice filed suit to prevent Section 1 of Florida HB 3 (2024) from taking effect. This lawsuit is the latest in a long line of cases challenging the constitutionality of statutes seeking to prevent children and teens from accessing "social media" platforms. The contested part of HB 3 bans individuals younger than 14 from holding social media accounts and requires parental consent for 14 and 15 year olds to open such accounts. Implementing regulations require covered platforms to perform "reasonable age verification" if they should "reasonably have been aroused to question" whether a user is a child. The law is currently scheduled to take effect on January 1, 2025.

The plaintiffs make a series of (now very much well trodden) First Amendment (as well as unconstitutional vagueness and COPPA preemption) arguments. For those of us in privacyland, as part of laying out the argument that HB3 impermissibly burdens adults' First Amendment protected activities, the plaintiff argue that: "[b]y forcing adults to either surrender sensitive personal information to access protected speech or forgo that First Amendment activity entirely, such requirements 'discourage users from accessing' online services and 'completely bar' some adults from doing so."

A fun wrinkle in this litigation is that Governor DeSantis actually vetoed an earlier version of this framework which would have directly mandated age verification in all circumstances, citing the need for adults to engage in anonymous speech, and HB 3 is intended to be a "different, superior" framework.

5. Colorado Puts Finishing Touches on Proposed Privacy Regulations

On October 30, the Colorado Department of Law finalized its proposed update to the Colorado Privacy Act (CPA) implementing regulations. Overall, the Department's draft rules are a largely straightforward implementation of (significant) statutory changes from two amendments to the CPA enacted this year: HB-1130 (regulating biometric identifiers) and SB-41 (Connecticut-style children’s privacy protections). The newly revised draft regulations contain only a very narrow tweak to a provision concerning Attorney General opinion letters (new language in blue below):

This change appears to have been made in response to a request submitted by the Colorado Information Sharing Consortium and is intended to reduce the potential for duplicative opinion letter requests. The Department is soliciting public input on the draft regulations through November 7 and will also hold a public feedback hearing on that same date.

As always, thanks for stopping by.

Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum