State Privacy News - 2/23

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. Here's everything you need to know since our last issue:

1. Hotly Anticipated Proposals to Address Discrimination in Artificial Intelligence Systems Formally Introduced

Over the past week, 2024's two most highly-anticipated bills that seek to broadly regulate business development and use of high-risk Artificial Intelligence systems officially dropped:

  • On February 15, California AB 2930 was introduced by Assemblymember Bauer-Kahan, a near-reintroduction of AB 331, which advanced from the House Committee on Privacy and Consumer Protection last year.
  • On February 21, Connecticut SB 2's text was formally released; the bill is backed by 22 of the Nutmeg State's 36 senators. This legislation appears to be the product of a working group established as part of last year's SB 1103, which primarily focused on regulating government use of AI systems.

Substantively, AB 2930's business requirements appear largely the same as last year's AB 331; however, enforcement mechanisms have been modified (for example, there is no private right of action in this version). The bill seeks to ban algorithmic discrimination in automated decision tools that are used to reach consequential decisions. It divides responsibilities for impact assessments, disclosures, and governance programs between the developers and deployers of regulated AI systems. Organizations would also have an obligation, where technically feasible, to accommodate individual requests not to be subject to consequential decisions made solely on the output of an automated tool. Notably, the press statement announcing AB 2930 includes statements of support from major industry players Microsoft and Workday.

Connecticut SB 2 similarly focuses on algorithmic discrimination and divides responsibilities between the developers and deployers of high-risk AI systems. It is narrower than AB 2930 in that it does not establish a qualified individual right to opt out of covered decision-making systems, but goes further by creating requirements governing generative AI systems. It also takes a different approach than AB 2930 by establishing a duty of care to avoid algorithmic discrimination and tying risk management programs to NIST standards. Finally, consistent with Connecticut's tendency to pass omnibus bills, SB 2 would address various other AI topics, including synthetic images, and provide for the establishment of a "Connecticut Citizens AI Academy".

Connecticut and California have arguably been the two most influential states in the development of US state privacy law, and it appears they may be poised to play a similar role for AI governance. Furthermore, contrary to similar proposals introduced in other states, California and Connecticut are both at the outset of their legislative sessions and their AI bills have already garnered significant support. AB 2930 and SB 2 are therefore crucial proposals to follow for stakeholders in AI policy. If you're reading this article, that's you, so make sure you've hit that subscribe button to get all the latest state legislative updates from The Patchwork Dispatch.

2. Appellate Court Holds that California Can Enforce CCPA Regulations Immediately Upon Finalization

On February 9th, the California Third Appellate District Court overturned a ruling from the Sacramento Superior Court and held that the California Privacy Protection Agency (CPPA) can begin immediate enforcement of California Consumer Privacy Act (CCPA) regulations upon their finalization. The lower court had determined that the CCPA's July 1, 2022 "timeline for adopting" final regulations, coupled with the July 1, 2023 enforcement date, evidenced voter intent to establish a 1-year gap between finalization of regulations and the start of enforcement.

In terms of short-term practical effect, CCPA-regulated businesses will only lose a few weeks of compliance runway, as the CPPA's first set of implementing regulations were belatedly completed on March 29, 2023, so were slated to become enforceable next month. The bigger impact for businesses will likely be a significantly shortened timeline for being subject to enforcement of future regulations. As a reminder, the Agency is currently engaging in a major effort to craft regulations on risk assessments, cybersecurity audits, and individual opt-out rights with respect to automated decisionmaking technologies. While the rulemaking process itself takes many months in California, proposed regulations have typically been altered multiple times before being submitted to the Office of Administrative Law for finalization.

Notably, the Appellate Court's analysis included consideration of the Voter Guide for Proposition 24 (2020). This was the ballot initiative that voters adopted to create the California Privacy Rights Act (CPRA) amendments to the CCPA, which provided for the establishment of the CPPA and charged the Agency with promulgating numerous implementing regulations. The Court stated that "nothing in the Voter Guide supports the conclusion that the voters contemplated a one-year delay in enforcement connected to the approval of final regulations." This line of analysis may prove valuable to the CPPA should future questions of statutory interpretation for the CCPA emerge, as the Voter Guide's description of the CPRA amendment is extremely limited and high-level - amounting to only 737 words - so is unlikely to ever clearly resolve contested aspects of a law as detailed and complex as the CCPA.

The California Chamber of Commerce rapidly appealed the latest holding to the California Supreme Court. The Chamber takes particular issue with the Appellate Court's standard of review, arguing that it would "provide carte blanche for agencies to violate their statutory obligations unless the drafters expressly anticipate the agency’s violations of the law."

3. Privacy Advocates Weigh in Against California's Child Privacy Law

Sticking with California privacy litigation updates, on February 14th various amicus briefs were made available in the NetChoice suit against the California Age-Appropriate Design Code Act of 2022 (CA AADC). Of particular note, three prominent consumer privacy and free expression groups filed against the CA AADC.

First, an American Civil Liberties Union filing states that while the California legislature framed the CA AADC as a consumer privacy law, "the actual text of the law reveals a different regulation: one that expressly and impermissibly engages in content-based discrimination in the name of protecting consumer privacy and children." The ACLU proceeds to argue that the CA AADC will ironically "exacerbate privacy and security concerns because age estimation requires the collection and analysis of user data."

Second, the Electronic Frontier Foundation and Center for Democracy and Technology briefly re-merged to file a joint brief which argues that the CA AADC's age estimation requirement "violates the First Amendment because it imposes significant burdens on adults' access to constitutional speech" and that "[a]ge-verification schemes like the AADC’s also frustrate all users’ First Amendment rights to speak anonymously online."

Notably, both briefs called on the Ninth Circuit to strike down the CA AADC on narrower grounds than the District Court's injunction. They argued that the Court can invalidate the CA AADC without weighing in on the law's bona fide consumer privacy aspects such as data minimization and DPIA requirements and restrictions on "dark patterns." They go on to advocate that if the Court does address these topics, it should affirm that privacy obligations of this nature should be subject to intermediate scrutiny and can often survive First Amendment challenges.

The Reporters Committee for Freedom of the Press also filed a brief against the CA AADC. It argues that the law would apply to most online news publishers and that the Act's explicit restrictions on permitting children to witness harmful or potentially harmful "content" would impose obligations on publishers to "modify or delete lawful, First Amendment-protected news content based on whether it, in the view of the state, could pose harms to people under the age of 18." This brief was joined by a series of media organizations including the Associated Press, Boston Globe, the New York Times, POLITICO, and Reuters News. In fact, the biggest name in American media not to join the amicus brief may be The Patchwork Dispatch.

4. California Attorney General Concludes Second CCPA Settlement

This is shaping up to be another very California-centric edition of the Dispatch, but our intrepid reporters go wherever the action is. On February 21st, the California Attorney General's Office announced its second ever enforcement settlement under the California Consumer Privacy Act, reaching a $375,000 penalty and injunctive terms with the food delivery platform DoorDash.

The AG's complaint dinged DoorDash for alleged CCPA (and CalOPPA) violations for participating in a "marketing co-op" (which encompassed data "sales" under the CCPA) without proper disclosures or offering the required opt-out mechanisms. While the present enforcement action may not be as eye-catching as the Attorney General's 2022 settlement with Sephora (which also focused on ad practices) that resulted in a $1.2 million fine, it may prove more influential in other ways.

For example, the types of data transfers that DoorDash allegedly engaged in as part of the co-op are not as obviously CCPA-"sales" as the activities at issue in the Sephora case, so the settlement may establish broader precedent for Agency enforcement authority. The AG's complaint also argues that DoorDash failed to take advantage of its opportunity to cure the alleged violations even though it had stopped the "sales" to the marketing co-op and instructed its customers to delete the data because "personal information and inferences about DoorDash’s customers had already been sold downstream to other companies and beyond the marketing co-op’s members, including to a data broker that re-sold the data many times over," rendering DoorDash unable to restore its customers to the "same position they would have been if their data had never been sold." In effect, the genie was out of the bottle.

While California's 'right to cure' has now sunset, similar statutorily guaranteed opportunities for businesses to resolve alleged violations have been included in every comprehensive state privacy law enacted since the CCPA. While critics of these provisions often argue that they function as a 'get out of jail free card,' in this case, DoorDash was unable to avoid penalty with a 'cure' due to the nature of the alleged violation. This action may inform the function of the right to cure in other state privacy laws.

5. Kentucky Privacy Bill Becomes First 2024 Comprehensive Privacy Proposal to Clear a State Chamber

For a nice change of pace, here's a much more traditional Patchwork Dispatch update. On February 20th, Kentucky HB 15 passed the State House on a 92-0 vote, officially becoming the first comprehensive state privacy proposal of 2024 to pass a state chamber. Substantively, the thing to know about HB 15 is that it is extremely close to the Virginia Consumer Data Protection Act with an expanded scope for protected biometric data.

Kentucky HB 15 should not be confused with Kentucky SB 15, which is a broader consumer privacy bill that has various unique characteristics including user opt-out rights with respect to online “tracking”, controller requirements to disclose the specific third parties (and their locations) to which personal data is shared, a GDPR-style 'lawful bases for processing' minimization requirement, and a digital civil rights provision.

SB 15 has been pending in the Senate since its introduction on January 2nd; however, last year's version of SB 15 passed the State Senate by a 32-2 vote, suggesting it could see movement again. Should both Kentucky proposals gain momentum (not to mention Utah-style HB 24), we will be interested to track how Lexington lawmakers reconcile the differences between the frameworks.

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum

Aren’t they all “can’t miss?”

What's happening in New Hampshire? Will the governor sign?

Keir Lamont Great point that the “genie [is] out of the bottle” once data is shared/sold to downstream partners like data brokers. I can see the argument that this is an “in-cure-able” violation. I also wonder how other states besides California with cure provisions will interpret this.

Luis Alberto Montezuma

Facilitador de Espacios Internacionales de Datos Personales | OP*

Never!
