State Privacy News - 5/31

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states. We cover a lot of bills in this issue, but we wouldn't do it if we didn't think they are all important. Let's jump right in:

1. Governor Polis Enacts Nation Leading Colorado AI Act

On May 17th, Governor Polis signed the Colorado AI Act (SB 205) into law, making Colorado the first US state to adopt broad regulations governing high-risk AI systems used in making consequential decisions about individuals. For a summary of the CAIA's key elements, see the Future of Privacy Forum's Two-Page Cheat Sheet.

Notably, Polis enacted the law "with reservations", expressing concern about the "impact this law may have on an industry that is fueling critical technological advancements across our state for consumers and enterprises alike." The Governor further expressed a desire for the legislature to consider stakeholder input and advance amendments before the law's February, 2026 effective date. Long time state privacy watchers may recall that Polis called for similar "clean-up legislation" upon enacting the third-in-the-nation Colorado Privacy Act (which never materialized).

Stakeholders are already setting the stage for the debate over possible amendments to the CAIA. For example, after previously suggesting that passing the Colorado AI Act would be a "big mistake", some civil society advocates now "applaud" its enactment while calling for strengthening amendments, such as clarifying the exemption for systems that perform "narrow procedural tasks". In contrast, one industry group is seeking changes about "aspects of the legislation that do not reflect the roles of different businesses within the AI value chain." This may be in reference to notice obligations between the developers and deployers of AI systems that were not included in the final version of Connecticut SB 2, the framework upon which the CAIA is based.

As a fun aside, the CAIA was (technically) finalized and will take effect prior to the European Union's AI Act. Call it the "Denver Effect"?

2. Crossover Deadline In California

The deadline for California bills to advance out of their chamber of origin was May 24th - a hurdle cleared by a large number of potentially significant privacy and artificial intelligence proposals summarized below:

California Consumer Privacy Act Amendments

• AB 1949: This bill would establish near-blanket opt-in consent requirements for any collection or use of the personal information of minors under the age of 18. It would also delete the CCPA's "actual knowledge or willfully disregards" standard for applying protections to child data and instead require the California Privacy Protection Agency to establish new "age verification" requirements. The CPPA would also be charged with repurposing 'opt-out preference signals' under the CCPA to allow users to signal their age to websites. This is a sweeping proposal that implicates many hot button legal, policy, and technical issues and includes concepts that were already struck down in the NetChoice litigation against the California Age-Appropriate Design Code Act. Notably, the California Privacy Protection Agency itself has raised significant concerns with the bill, noting that it could "reduce privacy by incentivizing businesses to collect even more information from all users."
• AB 2877: This bill would amend the CCPA to require "developers" of "artificial intelligence" systems (two new terms) to obtain opt-in consent in order to use the personal information of individuals under age 16 to train AI systems. The bill further provides that minors' data must be "deidentified and aggregated" before being used for AI training, a requirement that may be in tension with the existing text of the CCPA which provides that the Act is not intended to restrict a business's ability to use deidentified and aggregated data.
• AB 3048: This bill would require web browsers operating in California to include a native setting that enables a consumer to send an opt-out preference signal to businesses they interact with through the browser. It would also provide additional agency rulemaking authority to expand the devices required to offer such default settings. The California Privacy Protection Agency has endorsed this bill.
• SB 1223: This bill would add "neural data" as a category of "sensitive information" under the CCPA. This bill is likely to draw numerous comparisons to Colorado HB 1058, which classified certain neural data as "sensitive" under the Colorado Privacy Act, but they contain significant differences. For example, SB 1223 does not replicate the Colorado amendment's loophole that only treats "neural data" as sensitive when "used for identification purposes". However, SB 1223 would be subject to California's comparatively weak protections for sensitive data: opt-out rather than opt-in rights that only apply to sensitive data used for inferring characteristics. Should SB 1223 advance, The Patchwork Dispatch editorial board encourages our friends in mass media not to replicate the same errors in coverage that they made with the Colorado neural data law.

Artificial Intelligence Bills

• SB 1047: The "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act." This bill would require the developers of certain Artificial Intelligence models to undertake various pre- and post-training safety measures. These requirements would include implementing a written safety and security program, providing annual certifications to a new government agency, and implementing a capability to promptly enact a full shutdown of the system. Notably, there is a high threshold for covered AI models - those trained with a quantity of computing power greater than 10^26 integer or floating-point operations. This standard appears to be adopted from the Biden Administration's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
• AB 2930: This bill is of a similar scope to the Colorado AI Act discussed above. It would establish requirements for both the deployers and developers of automated decision tools that are a substantial factor in consequential decisions. Rather than the 'duty of care' approach used in the CAIA, this bill aims to prohibit the use of automated decision tools that result in algorithmic discrimination.?
• SB 942: The "California AI Transparency Act." This bill would require entities that offer a generative AI system with over 1 million monthly visitors to provide visible disclosures that content has been generated by AI and to create an "AI detection tool" that allows individuals to query whether content was created in whole, or in part, by the provider's generative AI system.
• AB 2013: This bill would require AI developers to publicize information regarding the data and training methods for their AI systems including the sources or owners of the data used for training, a description of how the data furthers the intended purpose of the system, and the number of data points included in the datasets.
• AB 3211: The "California Provenance, Authenticity and Watermarking Standards Act." This bill would require Generative AI providers to place imperceptible and maximally indelible watermarks containing provenance data into their synthetic content and to conduct AI red-teaming to test such watermarks. The bill also seeks to require disclosures about synthetic content on large online platforms and to require new recording devices sold in the state to offer users with the option to place "authenticity" and "provenance" watermarks on content produced by the device.

Things have a tendency to get very California-focused here on The Patchwork Dispatch in the second half of the calendar year, so expect to see more on these bills in future editions as Sacramento inches closer to its end of session on August 31st. Stakeholders should also be aware that California Governor Newsom recently expressed concern about the potential for the state to 'over-regulate, over-indulge, and chase a shiny object' with respect to AI regulation that could put California in a 'perilous position.'

3. Numerous New York Bills In Play As End of Session Draws Near

In what will undoubtedly be the biggest news out of New York this week, Albany's legislative session is scheduled to conclude on June 6. As is often the case in the Empire State, various privacy bills are in position to make rapid progress in the final few days. At time of writing, the following significant privacy proposals appear to remain in play:

• S365 The New York Privacy Act. A comprehensive privacy proposal that is currently on the Senate floor calendar. A similar version of this bill came within a hair's breadth of being enacted in 2023.
• S158 the New York Health Information Privacy Act. This proposal is of a similar scale to the Washington My Health My Data Act though it contains various important distinctions. Of particular note, a covered organization must receive "valid authorization" to process health data unless such processing strictly necessary. Furthermore, such valid authorization cannot be obtained until at least 24 hours after a user first registers with a service. A prior version of this bill passed the state senate unanimously in January 2024. Read more on this bill from Hintze Law's Felicity Slater here.
• S7695 the New York Child Data Protection Act. This bill would restrict the processing of teen data unless "strictly necessary" for an identified activity or with informed consent. It would also provide for the establishment of a new class of device signals called "Age Flags" that would convey whether a user is a minor and whether they consent to data processing. Governor Hochul, Attorney General James, and former Secretary of State Hillary Clinton have all endorsed this bill.
• A8148: The Stop Addictive Feeds Exploitation (SAFE) For Kids Act. This bill would create a number of restrictions on social media platforms including a requirement to conduct "commercially reasonably" age verification, obtain parental consent to offer an "addictive feed" to an individual under age 18, create new parental controls, set time restrictions on push notifications, and respect "Age Flags" (discussed above). This bill has also been endorsed by Governor Hochul, Attorney General James, and former Secretary of State Clinton.

Note that the close of session in New York is often a wild ride, so all of these bills could be further amended. Additionally, should any of these bills pass it still may not be the end of the story as New York enables the Governor to make post-session changes to legislation through "chapter amendments".

4. Virginia Enacts Minor VCDPA Amendment on Minors

Following a tense back and forth with the Democratic-controlled legislature, on May 17 Virginia Governor Youngkin enacted HB 707 / SB 361, which adds additional child privacy protections to the landmark Virginia Consumer Data Protection Act.

First, the bill adds new data minimization requirements including a restriction on the processing of child data unless "reasonably necessary" to provide a product (subject to parental consent). Second, the bill adds new data protection impact assessment requirements for controllers that offer online services, products, or features directed towards consumers that the controller has actual knowledge are children. These new requirements will take effect on January 1, 2025.

Notably, the Governor's signing statement argues that "the bill does not go as far as it should, particularly by excluding minors over the age of 13 from protection" and notes that the Administration will work "with the legislature and stakeholders to further strengthen these protections next session."

5. Minnesota Makes Eighteen

On May 24th, Governor Walz signed HF 4757 containing the Minnesota Consumer Data Privacy Act into law, making Minnesota the 18th state to enact comprehensive privacy legislation. The law builds upon the popular 'Washington Privacy Act' framework in meaningful ways, particularly in creating a new individual right to contest the result of significant profiling decisions, requiring covered entities to maintain a "data inventory", and creating new requirements for completing privacy impact assessments and notices. My colleague Jordan Francis has provided a full readout of the new law.

Our state privacy patchwork has been updates accordingly.

As always, thanks for stopping by.

Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum