Photo of American flag and California flag on a flagpole with a palm tree in the background.

California Wraps Its 2024 Legislative Session with Data Privacy & AI Bills

California’s legislative session closed on August 31, 2024 with a series of data privacy and AI bills. Over the course of September, Governor Newsom signed 17 bills covering AI technologies. This wave of legislation comes a year after Governor Newsom signed an Executive Order to help ensure California is ready for the next wave of AI technologies. Below is an overview of new and noteworthy AI and data privacy bills, beginning with six amendments to the California Consumer Privacy Act (CCPA), followed by a range of signed and vetoed AI-related bills.

Passed CCPA Amendments
1. SB 1223 and AB 1008: Neural Data, Personal Information and AI Systems
What Does the CCPA Require? Currently, the CCPA requires a business that collects personal information about a consumer to limit its use of the consumer’s sensitive personal information. “Sensitive personal information” includes biometric information processed for the purpose of uniquely identifying a consumer, but not neural data. Additionally, the CCPA does not specify whether personal information can exist in various formats.

What Changes? SB 1223 expands the CCPA’s definition of “sensitive personal information” to include a consumer’s neural data, meaning “information that is generated by measuring the activity of the consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

AB 1008 specifies that “personal information can exist in various formats,” including physical, digital or abstract formats, such as encrypted files, metadata, or AI systems capable of outputting personal information.

Governor Newsom signed SB 1223 and AB 1008 into law on September 28, 2024. Both laws take effect on January 1, 2025.

2. AB 1824: Opt-Out Right, Mergers
What Does the CCPA Require? The CCPA gives consumers the right to opt out of a business selling or sharing their personal information, but it does not specify how those requests must be honored after a merger or acquisition.

What Changes? Under this bill, when a business transfers personal information to another business as part of a merger, acquisition, bankruptcy or other transaction, the recipient must continue to honor the opt-out requests that consumers made to the transferring business.

Governor Newsom signed AB 1824 into law on September 29, 2024. This law takes effect on January 1, 2025.

3. AB 3286: Monetary Thresholds, Grants
What Does the CCPA Require? The CCPA authorizes the Attorney General to adjust the Act’s monetary thresholds to reflect increases in the Consumer Price Index.

What Changes? This bill moves the responsibility for adjusting those thresholds from the Attorney General to the California Privacy Protection Agency, among other minor changes.

Governor Newsom signed AB 3286 on July 15, 2024, and the law goes into effect on January 1, 2025.

Vetoed CCPA Amendments
1. AB 1949: Collection of Personal Information of a Consumer Less than 18 Years of Age
What Does the CCPA Require? The CCPA provides consumers with specific rights regarding their personal information. Currently, the CCPA prohibits a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is under 16 years old, unless the consumer or a parent or guardian has properly consented.

What Changes? This bill would raise that age from 16 to 18: a business could not sell or share the personal information of a consumer between 13 and 18 years old without the consumer’s consent, or of a child under 13 without a parent’s or guardian’s consent. The bill would also require a business to treat a consumer as under 18 if the consumer transmits a signal indicating that they are under 18, while retaining the CCPA’s “actual knowledge or willful disregard” standard for violations. Finally, the bill would require California’s Attorney General to adopt regulations, including technical specifications for an opt-out preference signal that lets a consumer indicate whether they are under 13 or between 13 and 18 years old.

Governor Newsom vetoed AB 1949 on September 28, 2024.

2. AB 3048: Opt-Out Preference Signals
What Does the CCPA Require? The CCPA gives consumers the right to opt out of a business selling or sharing their personal information. To send an opt-out preference signal today, a user generally has to install a browser extension, and support varies by browser. Currently, the only opt-out preference signal recognized under the CCPA, per Attorney General Rob Bonta’s FAQ page and supporting resources from the California Privacy Protection Agency (CPPA), is the Global Privacy Control (GPC). Under the CCPA, the GPC communicates only a request to opt out of the sale or sharing of personal information. This is nonetheless an enforced area of privacy law: in 2022, a Final Judgment and Permanent Injunction against Sephora ordered the company to pay $1.2 million to resolve claims that it failed to process opt-out requests sent through the GPC.

What Changes? This bill targets businesses that develop or maintain browsers, requiring them to include a setting that lets consumers send an opt-out preference signal to the businesses they interact with through the browser. After rulemaking and agency adoption, the bill would also prohibit a business from developing or maintaining a mobile operating system that lacks an opt-out preference signal setting. These provisions would have taken effect on January 1, 2026.

Governor Newsom vetoed AB 3048 on September 20, 2024.

Passed AI Bills
1. AB 2013: Generative Artificial Intelligence, Training Data Transparency
Who Does This Apply to? This bill applies to “generative artificial intelligence” systems or services, defined as AI that can “generate derived synthetic content…that emulates the structure and characteristics of the [AI’s] training data.” There is no consumer-use or monetary threshold, so the definition is far-reaching.

What Changes? Developers of covered generative AI systems made available to Californians must post documentation on their website describing the data used to train the system or service, including a high-level summary of the datasets used.

Governor Newsom signed AB 2013 on September 28, 2024. The law takes effect on January 1, 2026.

2. AB 2885: Artificial Intelligence, Definition
Who Does This Apply to? According to the preamble of the bill, the definition applies to actions taken by the Department of Technology, local agencies, the California Online Community College, and social media companies under requirements of existing laws.

What Changes? For these purposes, “artificial intelligence” is defined as an “engineered or machine-based system that varies in its level of autonomy” and can generate output based on inferences made from its input.

Governor Newsom signed AB 2885 on September 28, 2024. Its provisions take effect on January 1, 2025.

3. SB 942: California AI Transparency Act
Who Does This Apply to? This bill applies to “covered providers,” meaning persons that create, code or otherwise produce a generative AI system that has over 1 million monthly visitors or users and is publicly accessible within California.

What Changes? Covered providers must make an AI detection tool publicly available, offer users the option to include a visible (manifest) disclosure in content the system creates or alters, and embed a latent disclosure in that content.

Governor Newsom signed SB 942 into law on September 19, 2024, along with other bills addressing concerns around AI:

  • SB 926 prohibits creating and distributing sexually explicit, realistic images of a person when those images are intended to cause the person serious emotional distress. The bill targets AI-generated sexually explicit content. Similarly, AB 1831 expands the existing child pornography statutes to cover content created or altered by generative AI.

  • SB 981 requires social media platforms to provide Californians with a mechanism to report digital identity theft on the platform. In line with SB 926, this includes reporting AI-generated images that depict an identifiable person, without their consent, engaged in sexual acts.

4. AB 3030: Health Care Services, Artificial Intelligence
Who Does This Apply to? This bill applies to health facilities, clinics, physician’s offices, and other health group practices that use generative AI for communications about patient clinical information. “Patient clinical information” is defined as information relating to the health status of a patient, and specifically excludes administrative matters such as appointment scheduling, billing, or “other clerical or business matters.”

What Changes? Patient communications about clinical information that are generated by generative AI must include: 1) a disclaimer at the beginning of the interaction indicating that the communication was generated by AI, and 2) clear instructions on how the patient can contact an appropriate human contact person.

Governor Newsom signed AB 3030 into law on September 28, 2024. The law goes into effect immediately.

Similarly, SB 1120, signed on September 28, 2024, imposes specific restrictions on health care service plans and disability insurers that use AI in their decision-making. Under this law, plans must have specific policies and procedures in place, and their use of AI must be overseen by a medical director with an unrestricted license to practice medicine in the state of California.

5. AB 1836: Use of Likeness, Digital Replica
Who Does This Apply to? This bill is intended to protect intellectual property, specifically a deceased personality’s right of publicity, and applies to those creating digital replicas of another’s likeness. A “digital replica” means a “computer-generated, highly realistic electronic representation” that is readily identifiable as the likeness of the person being replicated.

What Changes? A person who produces or distributes a digital replica of a deceased personality’s voice or likeness without consent is liable for the greater of $10,000 or the actual damages suffered.

Governor Newsom signed AB 1836 into law on September 17, 2024. The law goes into effect immediately.

Similarly, Governor Newsom signed AB 2602 into law on the same date. This law prohibits provisions in personal or professional service contracts that permit use of an individual’s digital replica or likeness for general, unspecified purposes unless the individual was represented by legal counsel; the provision must instead contain a reasonably specific description of the intended uses of the digital replica.

6. AB 2355: Political Advertisements, Artificial Intelligence
Who Does This Apply to? This bill applies to committees that create, publish or otherwise distribute political advertisements containing any image, audio, or video that is “generated or substantially altered” using AI.

What Changes? The bill sets disclosure requirements for each ad format. For example, a video advertisement must include a disclosure at the beginning or end of the advertisement, displayed for five or ten seconds depending on the length of the ad.

Governor Newsom signed AB 2355 into law on September 17, 2024. The law goes into effect immediately.

Similarly, Governor Newsom signed AB 2655 and AB 2839 into law on September 17, 2024. AB 2655, known as the Defending Democracy from Deepfake Deception Act of 2024, requires large online platforms (those with at least 1 million California users) to: 1) remove deceptive, digitally modified election content from their platforms, or 2) label that content before and after an election, once the content has been reported to the platform. AB 2839 prohibits knowingly distributing advertisements or other election communications that contain materially deceptive content within 120 days before an election in California and, in some cases, 60 days after an election.

Vetoed AI Bills
1. SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act
Who Does This Apply to? This bill is directed at the largest AI models: “covered models” trained with more than 10^26 floating-point operations at a compute cost exceeding $100,000,000. Other than requirements in state data privacy laws and the Colorado AI Act, no AI laws of this scale have been enacted in the U.S.

What Changes? For covered models, the bill imposes various requirements, including a written safety and security protocol, submission of that protocol to the Attorney General, and the ability to promptly enact a full shutdown.

Under this bill, the Attorney General may bring a civil action for a violation that causes death or harm to people or property, or that constitutes an imminent risk to public safety. Notably, the penalty is scaled to training compute: for a first violation it may not exceed 10% of the cost of the computing power used to train the covered model, and for subsequent violations it may not exceed 30% of that value.

Governor Newsom vetoed SB 1047 on September 29, 2024. In his veto message, Governor Newsom noted that “California is home to 32 of the world’s 50 leading AI companies.” He observed that the bill applies only to these large-scale models, while “[s]maller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 – at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good.”
Chicago Grand Central Looking Up

2024 U.S. regulatory enforcement priorities for data & AI

In late 2023 and early 2024, federal and state regulators signaled their enforcement priorities regarding the use of data and AI. These enforcement priorities range from sweeping investigations into entire labor sectors to targeting specific uses of technology.
FEDERAL

FTC. The FTC continues to bring actions against companies over improper use of AI, raising the regulatory risk of deploying LLMs and generative AI. On March 8, 2024, the Federal Trade Commission (FTC) entered a stipulated order with Rite Aid prohibiting the pharmacy chain from using facial recognition technology for surveillance purposes for five years and imposing safeguards on any other automated biometric security or surveillance system it deploys. A month earlier, the FTC announced a proposed rule to combat the use of AI to impersonate individuals, which would, among other things, make it unlawful for an AI platform to provide goods or services that the platform knows or has reason to know are being used to harm consumers through impersonation.

SEC. In a surprising regulatory move, the Securities and Exchange Commission (SEC) took action against two entities that made misleading disclosures regarding their use of AI. On March 18, 2024, the SEC announced settlements totaling $400,000 with two investment advisers for making false and misleading statements about their purported use of AI. The advisers allegedly stated in their SEC filings, in press releases, and on their websites that they were using AI tools in certain ways, when in fact they were not. The SEC also published an investor alert on AI and investment fraud, signaling that it will likely continue monitoring AI-related disclosures.


CALIFORNIA

Data Minimization. On April 2, 2024, the California Privacy Protection Agency (the Agency) released its first Enforcement Advisory notice, emphasizing that covered businesses must apply the principle of data minimization to every purpose for which they collect, use, retain, and share personal information. Specifically, the Agency focused on the principle of data minimization during two scenarios: (1) responding to a consumer’s request to opt-out of sale/sharing and (2) verifying a consumer’s identity. Failure to adhere to the principle of data minimization may constitute a violation of the California Consumer Privacy Act (CCPA) and its regulations.

Amended CCPA Regulations. The amended CCPA regulations were originally scheduled to take effect on March 29, 2023, but the California Chamber of Commerce filed suit on March 30, 2023, arguing that the amended regulations could not be enforced until one year after finalization. The trial court agreed, effectively pushing the enforcement date back to March 29, 2024. A California appellate court subsequently reversed that decision, making the regulations enforceable immediately.

The Agency and the California Attorney General have indicated that they anticipate aggressively enforcing the new regulations. Because covered entities had nearly an extra year to prepare, California regulators may not be lenient in providing cure periods for noncompliance.

Streaming Services. On January 26, 2024, the California Attorney General announced investigative sweeps into “popular streaming apps and devices” and sent letters to businesses that fail to comply with the CCPA. Specifically, the AG’s sweep focuses on whether streaming services comply with the CCPA’s opt-out requirements for selling or sharing consumer personal information, including whether the services “do not offer an easy mechanism for consumers who want to stop the sale of their data.” For example, a consumer using a smart TV should be able to easily enable a “Do Not Sell My Personal Information” setting in the streaming service and have that choice honored across different devices.

Connected Vehicles and Related Technologies. On July 31, 2023, the Agency announced investigative sweeps into the data privacy practices of connected vehicle manufacturers and related technology providers. The Agency conducted the review under the CCPA and the regulations enforceable at the time, focusing on whether these companies provide consumers with their rights under the law (e.g., the right to know, the right to delete, and the right to opt out of sale/sharing). The Agency has not indicated whether the sweep will continue into 2024 as the new regulations take effect, so connected vehicle manufacturers and producers of related technologies should remain vigilant.


COLORADO

Global Privacy Control. In the fall of 2023, the Colorado Department of Law accepted applications for universal opt-out mechanisms (UOOMs) that, under the Colorado Privacy Act (CPA), covered businesses would need to respect as a means for consumers to opt out of the sale of personal data or the processing of personal data for targeted advertising. In December 2023, the Colorado Attorney General announced that it had selected the Global Privacy Control (GPC) as the UOOM the AG considers valid under the CPA.

Beginning on July 1, 2024, organizations subject to the CPA must ensure they are able to accept consumer opt-out requests made using the GPC, and the AG has announced that it “will prioritize for enforcement” compliance with the Department’s list of acceptable UOOMs.


CONNECTICUT

General Enforcement. On February 2, 2024, the Connecticut Attorney General released a report on the Connecticut Data Privacy Act (CTDPA), which detailed the AG’s enforcement efforts and priorities. Since the CTDPA took effect, the AG has issued cure notices to covered entities in a wide range of industries, including retail, fitness, event services, career services, parenting technologies, and home improvement.

The cure notices identified the following deficiencies:

    • Lacking or inadequate disclosures (e.g., failure to inform consumers completely or sufficiently about their rights under the law);
    • Lacking rights mechanisms (e.g., failure to provide a webpage that enables consumers to opt out of targeted advertising or sale of data);
    • Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and,
    • Broken / inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).

Taken together, the report indicates the AG’s interest in ensuring that covered entities across a wide range of industries provide sufficient privacy disclosures and compliant rights mechanisms.


BEST PRACTICES CHECKLIST

As we move through 2024, businesses should consider the following to lower their risk of enforcement actions:
  • Analyze State Privacy Thresholds. Each of the US state privacy laws features its own applicability thresholds that must be met before a business must comply with the law, so businesses must continually monitor whether they have satisfied any of these thresholds. To help, we have compiled all of the state privacy law thresholds.
  • Create Data Maps. Because state and international privacy laws impose certain obligations on specific types of data (e.g., personal v. sensitive) and processing activities (e.g., using AI for significant decisions), businesses should create data maps to monitor and document their information practices.
  • Respect Opt-Out Signals. Where a state privacy law requires respecting opt-out preference signals, ensure that you have implemented a means for websites to recognize and respect such signals, and disclose to consumers that they have the right to use such opt-out mechanisms (e.g., Global Privacy Control).
  • Review Policies. While many of the disclosure requirements of US privacy laws and regulations overlap, there are intricate differences between them, so businesses should review external-facing policies to ensure the disclosures remain accurate and compliant.
  • Conduct DPIAs. Conduct a data protection impact assessment (DPIA) to the extent required by applicable state privacy laws or review existing DPIAs to ensure they remain compliant with applicable laws.
  • Analyze AI Tools. Understand and document how the business uses AI tools, which includes understanding the AI’s inputs and outputs, ensuring appropriate data minimization and IP safeguards are implemented, and analyzing disclosures regarding the use of the AI tools. This includes implementing an internal AI policy that covers whether and to what extent employees can use AI tools.
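The opt-out preference signal discussed above (AB 3048, the Colorado GPC adoption, and the “Respect Opt-Out Signals” item in this checklist) is, on the wire, a single request header: browsers and extensions that implement the Global Privacy Control send `Sec-GPC: 1` and expose `navigator.globalPrivacyControl` to page scripts. The following is an added example of the server-side logic a site needs to honor it; it is not code from the original article or from any regulator. The consent store, the tag inventory and the date in the well-known resource are assumptions constructed for the example.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out preference signal.

Browsers and extensions that support GPC send the request header "Sec-GPC: 1" and
expose navigator.globalPrivacyControl === true to page scripts. Under the CCPA and the
Colorado CPA the signal is a valid opt-out of sale/sharing, so the server must act on it.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


def gpc_opted_out(headers: Mapping[str, str]) -> bool:
    """True when the request carries Sec-GPC with the value "1".

    Header names are matched case-insensitively. Only the literal "1" is an opt-out
    (the GPC spec defines no other value), so "0", "true" or an empty value do not count.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class ConsentState:
    sell_share_opt_out: bool  # True: do not sell or share this consumer's data
    source: str               # "gpc", "stored-choice" or "default"


def resolve_opt_out(headers: Mapping[str, str], stored_choice: Optional[bool]) -> ConsentState:
    """Combine the request signal with a previously stored consumer choice.

    stored_choice is the opt-out flag persisted for this consumer (None when unknown);
    persisting it in a cookie or account record is the site's job and is assumed here.
    A present GPC signal always wins. A stored opt-out also survives a request with no
    signal: a consumer switching browsers or devices does not thereby consent to sale.
    """
    if gpc_opted_out(headers):
        return ConsentState(True, "gpc")
    if stored_choice:
        return ConsentState(True, "stored-choice")
    return ConsentState(False, "default")


# Constructed tag inventory for the example; a real site would load this from its tag manager.
SAMPLE_TAGS = [
    {"id": "analytics-first-party", "sells_or_shares": False},
    {"id": "ad-network-pixel", "sells_or_shares": True},
    {"id": "data-broker-sync", "sells_or_shares": True},
]


def tags_to_load(consent: ConsentState, tags=SAMPLE_TAGS) -> list:
    """Return the tag ids allowed for this request: drop every sale/share tag on opt-out."""
    return [t["id"] for t in tags if not (consent.sell_share_opt_out and t["sells_or_shares"])]


def gpc_well_known(last_update: str = "2024-10-01") -> dict:
    """Body for /.well-known/gpc.json, the resource the GPC spec uses to let a site
    state that it honors the signal (the date is a placeholder for this example)."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed request headers, as a WSGI/ASGI framework would hand them to a view.
    for hdrs, stored in [({"Sec-GPC": "1"}, None), ({}, True), ({}, None)]:
        state = resolve_opt_out(hdrs, stored)
        print(state, tags_to_load(state))
```

The check has to run before any third-party tag is emitted, not after the page loads, and it has to be applied to the request that carries the header: a signal seen only on the first page view and then forgotten is exactly the “did not process opt-out requests” failure the Sephora judgment turned on.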
Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

California Delete Act allows consumers to easily delete data from all data brokers in California

On October 10, 2023, California Governor Gavin Newsom announced that he had signed into law Senate Bill 362, otherwise known as the Delete Act.[1] The full text of the Delete Act can be found here. The Delete Act is a landmark law seeking to provide consumers with a one-stop-shop mechanism for deleting their personal information from all data brokers covered by the law.[2]

Under current provisions, consumers must submit individual deletion requests to each data broker; the Delete Act instead provides a universal mechanism that lets consumers send a single deletion request to all data brokers. To do this, the law charges the California Privacy Protection Agency with developing the one-stop-shop mechanism by January 1, 2026. While the technical and operational specifics of the mechanism are not yet known, the law provides broad guidelines for what it must achieve, which expressly include allowing consumers to make a single request that “every data broker that maintains any personal information delete any personal information related to the consumer held by the data broker or associated service provider or contractor.”[3]

In addition, the law shifts data broker registration in California from the California Department of Justice to the California Privacy Protection Agency, presumably to give the Agency a registry for facilitating consumers’ deletion requests.[4] Previously, failure to register as a data broker carried a $100 penalty for each day of non-registration; the Delete Act doubles the fine to $200 per day. The law also imposes new disclosure obligations on covered data brokers, requiring them to disclose to consumers whether they collect consumers’ precise geolocation, reproductive health care data, or information about minors. Starting in 2029, data brokers must also disclose whether they have undergone an audit pursuant to the law.
At this time, it remains unclear how the Agency will satisfy the creation of a one-stop-shop deletion mechanism, but data brokers in California should be prepared to adapt to a new government-imposed deletion mechanism. We will continue monitoring the Agency’s progress as the deadline approaches.
[1] https://www.gov.ca.gov/2023/10/10/governor-newsom-signs-legislation-10-10-23/
[2] Sec. 1798.99.86(a).
[3] Sec. 1798.99.86(a)(2).
[4] Section 1798.99.82 of the Civil Code is amended to read: 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
Image of computer circuitry in a harsh red tint.

The Risks of LLMs and Generative AI

[Modified version originally published as International Insights Article: Privacy implications for organizations using generative AI, by Lily Li, on OneTrust DataGuidance, June 2023.]

Well, the cat is out of the bag – or at least the chat is. Generative AI and large language models (“LLMs”) are here to stay. From philosophical conversations with the dead to Murakami-inspired artworks for downtown LA, the possibilities of user-friendly AI are limitless. Regulators are scrambling to enforce existing legislation and enact new legislation to contain this trend. But, like all enforcement, it will take time. As a result, many companies are moving quickly to adopt and deploy these tools, testing the legal and ethical boundaries of AI. To stay competitive, companies should not wait for data protection regulators to play cat-and-mouse games with these nascent technologies. Instead, companies need to be proactive and adopt strategies to implement transparent and trustworthy AI, not just to avoid lawsuits and regulatory fines but to protect their data and their brands. Companies also need to be able to account for the data they input into their generative AI or LLM algorithms, or else risk destruction of these algorithms altogether. In this article, we’ll discuss the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.

Social Engineering and Identity Verification

For practical purposes, generative AI has passed the Turing test: from all outward appearances, companies and their employees cannot tell the difference between human-generated and AI-generated text. This makes it easier for traditional phishing emails and other scams to look legitimate to readers, making it far more likely that employees click on malicious links and download malware.

Going one step further, generative AI can create realistic identities. From resumes and cover letters to social media profiles and sample work product, these tools improve a threat actor’s ability to pass themselves off as a well-rounded individual, bypassing normal screening tools and even HR processes. In an era of remote work, it is easy to imagine malicious actors getting hired and onboarded on the strength of made-up “skills” and turning into insider threats once they gain access to company systems. The risk is greater for companies that rely on virtual assistants and contractors, where there are even fewer external validations of identity.

While companies often rely on phishing training and cyber insurance to mitigate traditional cyber-attacks, this is not enough going forward. Many cyber insurance policies exclude social engineering attacks, exclude activities involving managers or other high-level employees, or confine coverage of social engineering and phishing to technological attacks rather than traditional identity theft, crime, and fraud. Consequently, companies should consider AI-based email filtering and EDR/MDR systems to combat sophisticated phishing attacks. Security awareness training should extend beyond phishing and include identity verification and reporting of suspicious activity across the organization. Companies should also revise HR and vendor onboarding policies to include in-person vetting or other external validation for recruiting and outsourcing.

Privacy and DSAR Risks
  • Is Processing of Personal Data for Generative AI Lawful?
Large language models, and similar machine learning tools, have a privacy problem. All these systems rely on processing vast quantities of public and sometimes proprietary data to generate responses and analysis. Absent further safeguards, these inputs will likely contain personal data, which raises the question: where does this data come from, and is the processing lawful? This question came to a head recently in Italy, where the data protection authority issued a temporary ban on ChatGPT,[1] citing OpenAI’s failure to provide transparent notices regarding how it processes the personal data of users and data subjects (required under Articles 12, 13, and 14 of the GDPR). More importantly, the authority found no legal basis under Article 6 of the GDPR for the collection and processing of personal data to train OpenAI’s algorithms. Impacted data subjects did not consent to the processing and, reading between the lines, OpenAI’s legitimate interest was an insufficient basis for processing given the: (i) failure to provide notice; (ii) inability to correct and delete data; and (iii) heightened privacy risks for children due to the lack of age verification. OpenAI subsequently addressed Italy’s concerns in sufficient detail to resume service,[2] but it remains unclear whether other data protection regulators in the EU will also confront OpenAI over the GDPR’s transparency and lawful-basis requirements. Businesses that use generative AI and LLMs should be prepared to provide compliant privacy notices to data subjects, and either obtain their explicit consent or conduct a legitimate interest analysis before submitting any personal data to AI or LLM platforms. These data privacy risks also exist in the United States. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (“CPRA”), likewise requires businesses to provide transparent privacy notices and privacy rights to individuals.

In addition, the CPRA has imported the GDPR concepts of data minimization and proportionality. Personal data processing needs to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.”[3] Consequently, companies should be wary of taking existing datasets containing personal information and running them through generative AI systems if this use runs contrary to the expectations of data subjects when they originally submitted the data. Companies may need to re-evaluate their privacy notices and provide further notices regarding AI processing. Furthermore, both the GDPR and the CPRA (and similar US state laws) require covered organizations to give individuals the right to opt out of automated processing or automated decision-making, including profiling.[4] While California has yet to issue regulations concerning automated decision-making, they will likely align with GDPR concepts. This means that individuals will have the right to opt out of AI making decisions that have legal effects, such as those surrounding employment, housing, or access to services and benefits. So, for those who are wondering, you can’t have chatbots all the way down; eventually, there needs to be a human decision-maker at the end of the line.
  • Who Owns the Data? Privacy Rights to Correct and Delete
Generative AI and LLMs also call into question the ownership and control of personal data. The GDPR, CCPA, HIPAA, and GLBA, among other regulations, require covered entities to obtain contractual commitments from vendors that process personal data, PHI, or NPI on their behalf.[5] By feeding the company’s personal data to an AI system without formal review, companies may be violating these laws, trading away the privacy of their customers, and giving up valuable IP to third parties. To combat this problem, companies should always read the terms and privacy policies of any new AI and LLM tools to confirm, as an initial step, that:
  • The company owns all content provided to the AI system and any output generated by the AI
  • The AI provider will provide appropriate technical and organizational measures to protect personal data
  • The AI provider will maintain the confidentiality of data and limit use of the data to those purposes disclosed by the AI provider (and similarly, disclosed by the company to the relevant data subjects)
  • The AI provider will assist the company in responding to privacy requests, including those that require correction and deletion of personal data
  • The AI provider has appropriate data transfer mechanisms in place if personal data will cross borders
Assuming the generative AI or LLM terms and privacy policies cover the items above, the company may need to negotiate additional clauses under the GDPR, CCPA, HIPAA, and GLBA depending on whether regulated data is provided to these platforms. If these contractual commitments do not exist, then companies should consider policies prohibiting the disclosure of personal or proprietary data — or else risk unauthorized access or even public disclosure of this information. Even if the terms and privacy policies guarantee the confidentiality of data, companies should still validate whether the generative AI or LLM model appropriately de-identifies or anonymizes personal data or proprietary data when it improves its language models.

One of the most concerning issues with generative AI is its inexplicability — often the programmers creating the model do not even understand how the AI is generating its output. Thus, even if a data subject submits a deletion or correction request, it is unclear whether this request will be propagated through the model to remove/amend information that was previously fed into the model. Consequently, companies should test any generative AI or LLM model to confirm whether identifiable data is output from the model, based on test inputs.

Finally, even if a company does not input personal information into a generative AI or LLM platform, employees may be tempted to use these platforms to research or create media about a known individual. Unfortunately, generative AI regularly creates false information about individuals. At best, this may trigger notification to data subjects under Article 14 of the GDPR “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” — so they are aware of the processing and can exercise any privacy rights. At worst, publication of this personal data may be grounds for a defamation lawsuit.
Once again, companies need to implement robust identity verification and external validation of AI output concerning personal data.  
  • Children’s Privacy
The impact of generative AI and LLM products on children will be tremendous, given the ease and accessibility of chatbots, and the vast potential for personalized education, gaming, and social services. Companies operating in this space should pay close attention to children’s privacy rules that may impact their use or provision of generative AI and LLM products and services. California’s Age-Appropriate Design Code, modeled after the UK’s Age appropriate design code, for instance, requires a data protection impact assessment and a “high level” of privacy for online providers of services, products, or features that are “likely to be accessed by children.”[6] This law covers children under the age of 18. In addition, COPPA – a US federal privacy law – requires clear and conspicuous privacy notices and affirmative consent by parents prior to collection of personal information from children under 13. Companies that offer products and services that may be attractive to children will need to implement these heightened privacy requirements, or in the alternative, implement robust age-gating techniques.

  • Regulatory Enforcement and Algorithmic Disgorgement

Once an AI system is trained on bad data, can it be saved? According to the U.S. Federal Trade Commission (FTC) – perhaps not. While there is currently no comprehensive federal legislation in the United States governing privacy or AI, the FTC does have the ability to regulate “unfair and deceptive acts or practices in or affecting commerce.”[7] The FTC has interpreted its enforcement power to include unfair and misleading practices regarding the collection and use of personal data – including, for example, actions against Cambridge Analytica for harvesting of Facebook user data, and against GoodRx Holdings for its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.[8] The FTC’s scrutiny of privacy and security practices extends to AI.
In January 2021, the FTC entered a settlement order with the photo storage service Everalbum over allegations that it deceived consumers about its use of facial recognition technology.[9] While Everalbum allegedly represented that it would not apply facial recognition to users’ content unless they opted in, it applied facial recognition technology by default for most users without any ability to turn this feature off. As part of the settlement order, the FTC required Everalbum to delete all facial recognition models or algorithms developed with Everalbum users’ photos or videos. More recently, the FTC required algorithmic destruction in an action against WW International, Inc., formerly known as Weight Watchers, and a subsidiary called Kurbo, Inc.[10] According to FTC Chair Lina Khan, “Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information….Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.” Thus, AI companies face potential deletion or disgorgement of their algorithms if they collect personal data in an unfair or deceptive manner. While it may be tempting to amass larger and larger datasets to build the best algorithms, companies that rely on improper collection of data may find themselves bereft of their most valuable intellectual property.

  • Move Deliberately and Create Things

Generative AI and LLMs do not operate in a vacuum. They derive from the voices, both inspired and insipid, from all corners of the world wide web. And they create fabulous and fabulously weird content. We encourage companies to take advantage of generative AI and LLMs to create the next generation of personalized education, medicine, and creative exploration.
At the same time, we encourage companies to be mindful of the existing rules that protect our privacy, so that transparent and trustworthy AI can be the foundation of these new creations.  
[1] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9870847
[2] https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9881490#english
[3] Cal. Civ. Code Section 1798.100(c)
[4] GDPR, Article 22; Cal. Civ. Code Section 1798.185(a)(16)
[5] See, e.g., GDPR, Article 28; Cal. Civ. Code Section 1798.140(ag)(1); 45 CFR Section 164.504(e) (Business Associate requirements under HIPAA)
[6] Cal. Civ. Code Section 1798.99.31(a)
[7] 15 U.S.C. Sec. 45(a)(1)
[8] See https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement for a list of FTC enforcement actions concerning privacy and cybersecurity
[9] https://www.ftc.gov/news-events/news/press-releases/2021/01/california-company-settles-ftc-allegations-it-deceived-consumers-about-use-facial-recognition-photo
[10] https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive
A map of the United States, with pins pushed into various areas as if indicating places visited.

An overview of the twenty (and counting!) US state comprehensive privacy laws

[Last updated: Mar. 27, 2026] Since 2018, US state legislative bodies have shown no signs of slowing their efforts to pass comprehensive privacy laws. While these laws often mirror one another, they also often differ in notable and material ways. This creates a complicated patchwork of obligations and requirements for businesses navigating the data ecosystem, because operating nationwide may require formulating a compliance approach broad enough to satisfy all of the different US state comprehensive privacy laws. The first step to formulating compliance efforts is to determine which laws apply, and that requires analyzing each law’s threshold for applicability and effective date. To assist with this first step, the following list provides a brief overview of the current US state comprehensive privacy laws. Please note that this list does not include each law’s exemptions and exceptions.

CALIFORNIA

Law: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020
Applies to: For-profit entities that, jointly or alone, collect and control the processing of California residents’ personal information and meet at least one of the following criteria:
  • Annual gross revenue in preceding calendar year that exceeds $26,625,000.
  • Annually buys, sells, or shares personal information of 100,000 or more California residents or households.
  • Derives 50% or more of annual revenue from selling or sharing California residents’ personal information.
Effective date: January 1, 2020
Enforcement authorities: Dual enforcement shared between the California Attorney General and the California Privacy Protection Agency, with a limited private right of action for certain data breaches.
Enforcement date: July 1, 2023

COLORADO

Law: The Colorado Privacy Act
Applies to: Entities that conduct business in Colorado or produce / deliver commercial products or services intentionally targeted to Colorado residents and satisfy one of the following criteria:
  • Controls or processes personal data of 100,000 or more Colorado residents during a calendar year.
  • Controls or processes personal data of 25,000 or more Colorado residents and derives revenue or receives a discount on the price of goods or services from the sale of personal data.
Effective date: July 1, 2023
Enforcement authorities: Both the Colorado Attorney General and district attorneys are empowered to enforce the law.
Enforcement date: July 1, 2023

CONNECTICUT

Law: The Connecticut Data Privacy Act
Applies to: For-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and during the preceding calendar year satisfied one of the following criteria:
  • Controlled or processed personal data of 35,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction);
  • Controlled or processed any amount of sensitive data of Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • Offered for sale any amount of personal data of Connecticut residents.
Effective date: July 1, 2023
Enforcement authorities: Connecticut Attorney General
Enforcement date: July 1, 2023

DELAWARE

Law: The Personal Data Privacy Act
Applies to: Entities that conduct business in Delaware or produce products / services targeted to Delaware residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Delaware residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Delaware Department of Justice
Enforcement date: January 1, 2025

FLORIDA

Law: The Florida Digital Bill of Rights
Applies to: For-profit entities (with an annual gross revenue in excess of $1 billion) that conduct business in Florida and that, jointly or alone, collect and control the processing of personal data about Florida residents, and satisfy one of the following criteria:
  • Derives 50% or more of its global gross annual revenue from the sale of advertisements online, including targeted advertising.
  • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computer service that uses hands-free verbal activation (but not including vehicle-integrated speakers or software operated by a motor vehicle manufacturer or subsidiary thereof).
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download or install.
Effective date: July 1, 2024
Enforcement authorities: Florida Attorney General
Enforcement date: July 1, 2024

INDIANA

Law: The Indiana Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Indiana or produce products / services targeted to Indiana residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Indiana residents.
  • Control or process personal data of 25,000 or more Indiana residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Indiana Attorney General
Enforcement date: January 1, 2026

IOWA

Law: The Iowa Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Iowa or produce products / services targeted to Iowa residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Iowa residents.
  • Control or process personal data of 25,000 or more Iowa residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: Iowa Attorney General
Enforcement date: January 1, 2025

KENTUCKY

Law: The Kentucky Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Kentucky or produce products / services targeted to Kentucky residents and during a calendar year satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Kentucky residents.
  • Control or process personal data of 25,000 or more Kentucky residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Kentucky Attorney General
Enforcement date: January 1, 2026

MARYLAND

Law: Maryland Online Data Privacy Act of 2024
Applies to: Entities that conduct business in Maryland or produce products / services targeted to Maryland residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Maryland residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Maryland residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: October 1, 2025

(However, the law will not have any effect on or application to processing activities prior to April 1, 2026.)

Enforcement authorities: Maryland Attorney General
Enforcement date: October 1, 2025

MINNESOTA

Law: The Minnesota Consumer Data Privacy Act
Applies to: Entities that conduct business in Minnesota or produce products / services targeted to Minnesota residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Minnesota residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Minnesota residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 31, 2025
Enforcement authorities: Minnesota Attorney General
Enforcement date: July 31, 2025

MONTANA

Law: The Montana Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Montana or produce products / services targeted to Montana residents and satisfy one of the following criteria:
  • Control or process personal data of 25,000 or more Montana residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 15,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: October 1, 2024 (spooky season!)
Enforcement authorities: Montana Attorney General
Enforcement date: October 1, 2024

NEBRASKA

Law: Nebraska Data Privacy Act
Applies to: For-profit entities that:
  • Conduct business in Nebraska or produce products / services consumed by Nebraska residents;
  • Process or engage in the sale of personal data; and
  • Are not a small business as defined by the US Small Business Administration.
Effective date: January 1, 2025
Enforcement authorities: Nebraska Attorney General
Enforcement date: January 1, 2025

NEW HAMPSHIRE

Law: An Act Relative to the Expectation of Privacy
Applies to: For-profit entities that conduct business in New Hampshire or produce products / services targeted to New Hampshire residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more New Hampshire residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more New Hampshire residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: January 1, 2025
Enforcement authorities: New Hampshire Attorney General
Enforcement date: January 1, 2025

NEW JERSEY

Law: Senate Bill 332
Applies to: Entities that conduct business in New Jersey or produce products / services targeted to New Jersey residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more New Jersey residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data.
Effective date: January 15, 2025
Enforcement authorities: New Jersey Attorney General
Enforcement date: January 15, 2025

OKLAHOMA

Law: Oklahoma Consumer Data Privacy Act
Applies to: For-profit entities that conduct business in Oklahoma or produce products / services targeted to Oklahoma residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oklahoma residents.
  • Control or process personal data of 25,000 or more Oklahoma residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2027
Enforcement authorities: Oklahoma Attorney General
Enforcement date: January 1, 2027 (with a 30-day cure period)

OREGON

Law: Senate Bill 619
Applies to: Entities that conduct business in Oregon or produce products / services targeted to Oregon residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Oregon residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 25,000 or more Oregon residents and derive more than 25% of gross revenue from the sale of personal data.
Effective date: July 1, 2024
Enforcement authorities: Oregon Attorney General
Enforcement date: July 1, 2024

RHODE ISLAND

Law: The Rhode Island Transparency and Privacy Protection Act
Applies to: For-profit entities that conduct business in Rhode Island or produce products / services targeted to Rhode Island residents and satisfy one of the following criteria:
  • Control or process personal data of 35,000 or more Rhode Island residents (excluding personal data controlled or processed for the purpose of completing a payment transaction).
  • Control or process personal data of 10,000 or more Rhode Island residents and derive more than 20% of gross revenue from the sale of personal data.
Effective date: January 1, 2026
Enforcement authorities: Rhode Island Attorney General
Enforcement date: January 1, 2026

TENNESSEE

Law: The Tennessee Information Protection Act
Applies to: For-profit entities (with revenue in excess of $25 million) that conduct business in Tennessee producing products / services targeted to Tennessee residents and satisfy one of the following criteria:
  • Control or process personal data of 175,000 or more Tennessee residents.
  • Control or process personal data of 25,000 or more Tennessee residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: July 1, 2025
Enforcement authorities: Tennessee Attorney General
Enforcement date: July 1, 2025

TEXAS

Law: The Texas Data Privacy and Security Act
Applies to: For-profit entities that conduct business in Texas or produce products / services targeted to Texas residents and satisfy all of the following criteria:
  • Control or process personal data of Texas residents.
  • Are not a small business as defined by the US Small Business Administration.
(However, the law imposes limited restrictions on for-profit entities that are classified as small businesses by the US Small Business Administration.)

Effective date: July 1, 2024
Enforcement authorities: Texas Attorney General
Enforcement date: July 1, 2024

UTAH

Law: The Utah Consumer Privacy Act
Applies to: For-profit entities (with annual revenue in excess of $25 million) that conduct business in Utah or produce products / services targeted to Utah residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Utah residents during a calendar year.
  • Control or process personal data of 25,000 or more Utah residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: December 31, 2023
Enforcement authorities: Utah Attorney General and the Department of Commerce’s Division of Consumer Protection
Enforcement date: December 31, 2023

VIRGINIA

Law: The Virginia Consumer Data Protection Act
Applies to: For-profit entities that conduct business in Virginia or produce products / services targeted to Virginia residents and satisfy one of the following criteria:
  • Control or process personal data of 100,000 or more Virginia residents during a calendar year.
  • Control or process personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Effective date: January 1, 2023
Enforcement authorities: Virginia Attorney General
Enforcement date: January 1, 2023