State Privacy News - 9/20

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states. Our Editor-in-Chief, Keir Lamont, will be attending the IAPP's Privacy. Security. Risk. Conference in Los Angeles next week to speak on a panel about (what else?) state privacy law with Cobun Zweifel-Keegan, J.D., CIPP/US, CIPM and Laura Riposo VanDruff . Stop by to cheer, heckle, or just say 'hi' if you feel so inclined!

1. Bill Signing Time in California

All legislative activity in California is now with the Governor’s office where a number of privacy and AI bills await action from Governor Newsom. The biggest update this edition is that on September 19, Newsom signed SB 942 the California AI Transparency Act into law, establishing first-of-its-kind transparency and disclosure requirements for popular Generative AI providers. The primary focus of the Act is for covered providers to include latent disclosures within synthetic content such as AI-generate images, audio, and video that (to the extent technically feasible) disclose information about the provenance of such content. The Act will take effect on January 1, 2026.

The Governor has also signed various bill packages (1 ) (2 ) (3 ) intended to crack down on deepfakes in elections, sexually explicit deepfakes, and to protect the digital likeness of actors. These are all important topics, but are largely outside the Patchwork Dispatch's wheelhouse.

Governor Newsom's pen has certainly been active this week, so it is possible that additional AI / privacy bills will have been signed (or vetoed) by the time this newsletter reaches you. Many in the tech policy community are paying close attention to SB1047 which would strictly regulate very large “frontier" AI models. While the Governor has yet to indicate how he will act on this bill, he recently expressed concern that the proposal could have a “chilling effect” on the open source community.

2. NetChoice Notches Another Win

The trade association NetChoice has won another injunction of a state online safety law. On September 10, the Utah District Court granted a request for preliminary injunction of SB 194 which requires social media to conduct age verification of users and places additional restrictions on minors' social media accounts. There is a long and complicated procedural history here that we won't bore you with, but basically the Utah legislature amended its original social media regulation this year in an attempt to sidestep some constitutional infirmities after NetChoice originally filed suit in December 2023.

The Court determined that the amended Act regulates content and is therefore subject to strict scrutiny. It then found that that state did not show the the law advances a compelling interest or is narrowly tailored. In particular, the holding notes that the state has not "provided evidence establishing a clear, causal relationship between minors’ social media use and negative mental health impacts." The inclusion of the Surgeon General's Advisory on Social Media and Youth Mental Health in the record actually cut against the state on this point as the Advisory suggests that social media has the potential to both benefit and harm children and adolescents based on a variety of individual factors.

3. Colorado Privacy Regulations - Round 2

The Colorado Department of Law has initiated a new rulemaking under the Colorado Privacy Act (CPA). The Department's draft rules are a largely straightforward implementation of statutory changes from two amendments to the CPA enacted this year: HB-1130 (regulating biometric identifiers) and SB-41 (Connecticut-style children’s privacy protections). The most prescriptive element of the draft are new requirements to provide a "Biometric Identifier Notice" at or before the collection of covered data. This obligation will also extend to certain companies and datasets outside the scope of the bulk of the CPA. Finally, the draft regulations also establish procedures for how organizations may request, and the Attorney General's Office may provide, opinion letters and interpretive guidance (this is a rulemaking topic required by the underlying CPA).

The Department is soliciting public input on the draft regulations through November 7 and will also hold a public feedback hearing on that date.

4. New Jersey Privacy Amendment Introduced

Two Assemblymembers have introduced AB 4741 , a proposed amendment to New Jersey's comprehensive consumer privacy law (which is scheduled to take effect in January, 2025). This amendment would require the de-identification of personal data prior to its sale. It would also mandate a rulemaking to establish new standards for the de-identification of personal data.

Deidentified data is already outside the scope of New Jersey privacy act so in practice, this amendment would likely function as a ban on the sale of personal data (which would be a first for any US state privacy law). Notably, a recent California proposal (AB 2877 ) would have banned the use of child data to train AI systems unless consent was obtained and the data was also deidentified, suggesting a new state privacy trend may be underway.

5. Texas Enters Settlement with GenAI Health Company

In 2024, the Texas Attorney General's Office has been the number one US state privacy enforcer with a bullet. On September 18 the Texas AG’s Privacy Unit announced a new settlement under the Texas Deceptive Trade Practices Act. This settlement involved a genAI company which allegedly made false and misleading statements about the accuracy and safety of products that were used in Texas hospitals to summarize patient condition and treatment for hospital staff. As part of the settlement, the company must make disclosures of known limitations of its products and any training needed to facilitate proper use. No financial penalty was reached.

As always, thanks for stopping by.

Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum