State Privacy News - 12/13

Welcome to The Patchwork Dispatch, a fortnightly (well, in this case monthly) newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states.

1. Michigan On The Move:

Privacy remains on the agenda in Michigan’s ‘lame duck’ session that runs through December 23. In recent weeks, the Senate has passed two significant privacy bills: SB 659 (comprehensive privacy) by a vote of 20-15 and SB 1082 (focused on reproductive care data) by a vote of 20-16.

SB 659 is most notable for including a novel data minimization standard that appears inspired by both the California and Maryland privacy laws:

  • Collection of personal data must be limited to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer (MODPA-style) AND consistent with the consumer's reasonable expectations (CCPA-style).
  • Collection (not processing) of sensitive data must be limited to what is strictly necessary to provide or maintain a specific product or service requested by the consumer.

SB 1082, “The Reproductive Health Data Privacy Act” has also been amended since the last edition of the Dispatch. Changes to this MHMDA-style bill with more restrictive data minimization provisions include (1) providing that covered data does not include aggregated and deidentified data, (2) adding new permissible purposes for data processing necessary for security and product maintenance, and (3) establishing service provider requirements.

2. Another Youth Safety Bill Tee’d Up In New York

It was a banner year for youth online safety in New York State with the enactment of the SAFE For Kids Act and New York Child Data Protection Act, both of which are in a rulemaking process. Legislative activity shows no sign of slowing down, however, as on November 20, the “New York Children’s Online Safety Act” was introduced for the 2025 session. This bill targets online gaming and social media platforms and aims to prohibit interactions between minors (under age 18) and users that they are not “connected” with. This includes restrictions on direct communication, viewing a covered minor’s profile, tagging a minor in posts, and engaging in financial transactions with a minor. Such restrictions could only be overridden with parental consent. Notably, the bill affirmatively requires covered platforms to conduct “commercially reasonable age verification” of all users which, somewhat ironically given the data collection this would entail, is a requirement under the proposal's “privacy by default” section.

3. Texas Enforcement Remains in the Spotlight

On December 12, Texas Attorney General Paxton announced the first public enforcement activity pursuant to the Texas Data Privacy and Security Act: investigations into 15 companies regarding privacy and safety practices for minors. These investigations also invoke the Texas Securing Children Online through Parental Empowerment (“SCOPE”) Act, which was previously the basis of litigation against TikTok. The announcement notes the TDPSA’s "strict notice and consent" requirements and the SCOPE Act’s parental consent requirements for sharing minors’ personal data. The announcement also emphasizes that the “protections of these laws extend to how minors interact with AI products.”

This announcement follows on the heels of reporting by Suzanne Marie Smalley of The Record, who has discovered, through public record requests, five “notices of violations” pursuant to the TDPSA sent by the Texas AG to various companies [1] [2] [3] [4] [5]. The alleged violations include: (1) various deficiencies in disclosures, including information about data sharing practices and how consumers may exercise their rights, (2) failure to provide the TDPSA’s unique disclosure: “NOTICE: We may sell your sensitive personal data," (3) processing sensitive data without opt-in consent, (4) failure to provide required opt-out rights, and (5) discriminating against consumers that exercise their right to delete data by denying them services. Notably, all of these allegations appear based on a bare reading of the companies’ privacy notices, underscoring the importance of these public disclosures.

4. Utah Enters First AI Sandbox Agreement

Utah became one of the first states to adopt artificial intelligence legislation this year, enacting the Utah AI Policy Act (SB 149) in March. The primary governance intervention under SB 149 is a requirement to disclose whether an individual is interacting with generative artificial intelligence rather than a human in certain regulated contexts. However, the Act also created an “Office of AI Policy” empowered to grant “regulatory mitigation agreements” enabling businesses to develop and test artificial intelligence systems with reduced liability if certain requirements are met. For example, an agreement may specify limits on fines for certain regulatory violations, establish a cure period, or make other accommodations “while the value of AI technologies is being assessed in a specific application.” Regulatory mitigation agreements may be in place for 12 months, with the possibility of one additional 12 month extension.

On December 2, the Office of AI Policy announced its first regulatory agreement with the mental health app ElizaChat, intended for use in Utah school districts. The nine page agreement document lays out obligations for ElizaChat including risk monitoring and maintaining data security measures, disclosures to users, reports to the Office, and the types of incidents for which the State will forgo enforcement should these requirements be satisfied.

5. New Colorado Rules Finalized

On December 5 the Colorado AG’s office finalized a new round of Colorado Privacy Act regulations to account for the new biometrics (HB-1130) and child privacy amendments (SB-41) and to establish procedures for issuing opinion letters. On the whole, the regulations are a largely straightforward implementation of the new statutory requirements. The final version of the rules does include some changes made in response to stakeholder feedback. For example, the Department added new language permitting organizations to roll a biometric identifier notice into a general privacy notice under certain circumstances. The regulations also now include explicit requirements for obtaining and refreshing consent from employees for the use of biometric data - notably specifying that consent obtained during a hiring process is not sufficient. There are still a couple more procedural hurdles that the rules must go through before taking effect.

As always, thanks for stopping by.


Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum

Tom Kemp

Silicon Valley-based Entrepreneur, Cybersecurity Executive, Policy Advisor, and Author

2 months ago

Keir -- great job per usual. Heads up that Monique Priestley has publicly said she will be introducing an AI transparency bill in Vermont, so one to add to your tracker :) https://www.dhirubhai.net/posts/mepriestley_open-letter-why-now-is-the-time-to-act-on-activity-7273420340536446976-JgYZ?utm_source=share&utm_medium=member_desktop

Michigan's language on "collection" certainly creates new business obligations. Does the latest draft of Michigan's bill still have a private right of action (after a 30 day cure)? The Senate seems determined not to run out the clock to the end of the Democratic trifecta.

Katie Dahl

Political Professional

2 months ago

the enforcement bits are interesting to me.
