State Privacy News - 9/6

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states.

1. California Privacy Bills

California's legislative session closed on August 31st with the state passing a record setting six amendments to the California Consumer Privacy Act of 2018, the majority of which are now awaiting action from Governor Newsom who has until the end of the month to sign, veto, or allow to become law. Here are the key takeaways from these bills in descending order of likely impact:

• AB 1949 : This bill will require a not-currently defined form of consent ("affirmative authorization") for any collection; sale or sharing; or use or disclosure of the personal information of minors under age 18. Teenagers shall provide authorization in their own capacity whereas a parent or guardian must provide authorization on behalf of a minor. The enrolled version of the bill retains the CCPA's "actual knowledge or willfully disregards" knowledge standard, though prior iterations would have required businesses to conduct age verification. AB 1949 also requires businesses to treat users as minors if a consumer indicates through a device signal that they are a minor (without detailing any technical standards and seemingly regardless of whether or not the user is, in fact, a minor). This provision is similar to the concept of "Age-Flags" in the recently enacted New York Child Data Protection Act which is currently in a rulemaking process .
• AB 3048: This bill will require web browsers and (following-rulemaking) mobile operating systems to offer settings to enable users to send opt-out preference signals (OOPS) to exercise their rights to opt-out of the sale or sharing of data and/or to limit the use and disclosure of their sensitive personal data by default. Currently, users have to download plug-ins to send OOPS through major browsers such as Chrome and Safari. While the proposal is not prescriptive about the form that opt-out settings must take, it leaves the door open for detailed Agency rulemaking to establish such standards. Ironically, by requiring browsers to offer an OOPS "setting" this bill (if interpreted literally), could also require significant changes from 'privacy-focused' browsers such as Brave that currently send OOPS by default without prominent notices to their users or offering the ability to disable such signals. The bill is also likely to encourage the development of new Opt-Out Preference Signals, as the only presently recognized OOPS, the Global Privacy Control , was developed for the browser context and is explicitly not intended to invoke the right to limit the use and disclosure of sensitive personal data under the CCPA.
• SB 1223 and AB 1008 : Together these bills will add "neural" data as a category of sensitive data under the CCPA. Contrary to Colorado's neural data amendment , under this bill neural data is not limited solely to information used for identification purposes. They will also specify that personal data can exist in various contexts, such as "abstract digital formats, including... artificial intelligence systems capable of outputting personal information." Depending on how this provision is interpreted, California regulators could argue that personal information exists within LLMs, which would raise numerous operational questions and is contrary to leading guidance from European Regulators.
• AB 1884 will explicitly require businesses that acquire personal information as part of an acquisition of another company to honor prior opt-out requests from consumers.
• AB 3286 (already enacted) makes certain minor amendments, including tying the CCPA’s monetary applicability thresholds to the Consumer Price Index.

2. California AI Bills

California also passed several bills regulating different aspects of Artificial Intelligence technologies.

• SB-1047 seeks to regulate the development of very high-complexity "frontier" AI models that exceed certain computational power and training cost thresholds. The bill would require developers to take a number of actions to avoid risk of "critical harms" including to maintain a 'kill switch' to shut down covered systems, implement a safety and security protocol, hire third-party auditors, and make annual statements of compliance to the Attorney General. This bill has been the subject of extensive debate and an effort to encourage Governor Newsom to veto the proposal seems likely.
• SB 2013 would require developers of generative AI systems to post documentation regarding the data used to train the system such as the number of data points in the datasets, a description of the types of data points within the datasets, whether the datasets include any data protected by copyright, trademark or patent, and whether the datasets include any personal information or aggregate consumer information.
• SB 942 would require generative AI providers to make publicly accessible AI detection tools and to include latent provenance disclosures in AI-generated content

Several California AI bills failed to make it over the finish line in the waning days of session. Most notably AB 2930 , a bill to restrict discriminatory outcomes in the use of automated decision tools to reach consequential decisions, was withdrawn by its sponsor following Amendments that would have limited the scope to just decisions in the private employment context.

3. Enforcement of the California AADC on Hold

Last edition we covered the Ninth Circuit's opinion in NetChoice v. Bonta , which upheld a preliminary injunction of the California Age Appropriate Design Code Act with respect to requirements that businesses conduct data protection impact assessments (tied to obligations that businesses take steps to prevent minors from accessing 'potentially harmful' content). In that edition we observed that technically the Ninth Circuit's holding means that the non-DPIA provisions of the AADC are in effect, including a controversial and constitutionally suspect requirement that businesses estimate the age of their users with a reasonable level of certainty appropriate to the risks of use. However, a stipulation filed on August 28th reveals that California has agreed to stay enforcement of the Age-Appropriate Design Code until March 6, 2025 and not seek to enforce the law retroactively.

4. Texas HB 18 Partially Enjoined

On August 30 the U.S. District Court for the Western District of Texas partially granted a motion from the Computer & Communications Industry Association and NetChoice for a preliminary injunction of Texas HB 18 - a broad online safety and content regulation law primarily focused at social media companies. The Attorney General's office is appealing the decision.

The Court struck down HB 18's "monitoring-and-filtering" provisions on First Amendment grounds under a strict scrutiny analysis. These provisions would require covered entities to detect certain categories of content and prevent them from being displayed to known minors. The Court argued that the law does "little more than vaguely gesture at what speech must be restrained" and is also under-inclusive, noting that "[a] teenager can read Peter Singer advocate for physician-assisted suicide in Practical Ethics on Google Books but cannot watch his lectures on YouTube or potentially even review the same book on Goodreads." In contrast, the Court did not enjoin the law's provisions regarding data privacy, parental controls, and disclosure provisions, noting that these requirements are "largely unrelated to First Amendment expression."

Readers should note that this case is CCIA & NetChoice v. Paxton concerning social media regulation HB 18, *NOT* NetChoice & CCIA v. Paxton concerning social media regulation HB 20 that went to the Supreme Court this year - it sure would be embarrassing to mix that up at pub trivia!

5. California Privacy Protection Agency Issues Second Enforcement Advisory

On September 24 that California Privacy Protection Agency issued an Enforcement Advisory on the topic of so-called "dark patterns." The Advisory largely restates existing California Consumer Privacy Act (CCPA) law and regulation, emphasizing that "dark patterns" are about effect, not intent and that choice interfaces should be easy to understand and give consumers symmetrical choices. The Advisory also provides a factual scenario using example interfaces that seek consumers' consent to use their personal information - which is not an explicit requirement under the CCPA.

This is the CPPA’s second-ever enforcement advisory. The first, released in April 2024, addressed the application of data minimization rules to consumer rights requests (don't collect more data than you need in order to implement a request).

As always, thanks for stopping by.

Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum