Photo of David Stauss

 

David routinely counsels clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US and EU), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Keypoint: The attorney general’s office modified the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature during the 2024 session.

On December 6, the Colorado attorney general’s office notified the public that it has adopted updated Colorado Privacy Act (CPA) Rules. The office provided a clean version of the new rules as well as a redline of the changes.

The new rules create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature during its 2024 session – SB 41 (kid’s privacy) and HB 1130 (biometric privacy). You can read more about the SB 41 and SB 1130 here and here.

The adopted rules come after the office published draft rules in September and held a public hearing in November. The office made modifications to the rules based on public feedback received during that process.

The new rules still need to clear two hurdles before they go into effect. According to the attorney general’s office, “[a]s the final step in the rulemaking process, the Department has requested a formal opinion on the adopted rules from the Attorney General. After that formal opinion is issued, the rules will then be filed with the Secretary of State, and they will become effective 30 days after they are published in the state register.”

In the below article, we provide a brief summary of the more notable provisions in the new rules. For ease of analysis, the article discusses the rules based on the three topics they address: (1) biometric privacy, (2) children’s privacy, and (3) opinion letters and interpretive guidance.

Keypoint: Of the ten privacy- and AI-related bills passed by the California legislature in the 2024 legislative session, Governor Newsom signed seven into law and vetoed three by the September 30 deadline.

Throughout the 2024 legislative session, we have been tracking numerous privacy- and AI-related bills pending in California. Ten of those bills passed the state legislature before the legislative session ended on August 31 (nine of which passed in the final week of August). Governor Newsom had a deadline of September 30 to sign or veto the bills that passed. Of the ten total bills, he signed seven into law and vetoed three bills. Those seven bills scheduled to go into effect consist of four laws related to privacy and three laws related to AI.

The below article provides a summary of the ten bills that Governor Newsom either signed into law or vetoed.

Keypoint: The proposed draft amendments modify the Colorado Privacy Act Rules to create a process for issuing opinion letters and interpretative guidance and to address the biometric and children’s privacy amendments passed by the Colorado legislature this year.

On September 13, 2024, the Colorado Attorney General’s office published proposed draft amendments to the Colorado Privacy Act (CPA) Rules. The office also announced a rulemaking hearing on Thursday, November 7, 2024, and will accept written public comments until that date.

The draft proposed amendments create a process for issuing opinion letters and interpretive guidance. They also modify the existing language in the CPA Rules to address two bills passed by the Colorado legislature this year – SB 41 (kid’s privacy) and HB 1130 (biometric privacy). You can read more about the SB 41 and SB 1130 here and here.

In the below post, we provide a short summary of some of the more notable parts of the proposed amendments.

Keypoint: The California legislature closed its 2024 session by passing five privacy-related bills and four AI-related bills.

On Saturday, August 31, the California legislature closed its 2024 session. During the past calendar year, we tracked numerous privacy and AI-related bills with fourteen of them passing out of their chamber of origin prior to the legislative deadline. For the past month, we have been tracking thirteen of those bills with weekly updates (the fourteenth bill already having passed through the legislature). Of the six privacy-related bills we have been tracking, five ultimately passed the legislature during the final week of the session. Four of the seven AI-related bills also passed. 

The below article first provides a summary of the bills that passed during the final week of the session. The article then provides an overview of all fourteen bills.

Keypoint: The California legislature enters into the final week of its session with many bills still under consideration.

We are currently tracking thirteen privacy and AI-related bills that previously crossed chambers prior to the legislative deadline. With the California legislature closing on August 31, we will be providing weekly updates on the progress of these bills.

Keypoint: Although not nearly as far-reaching as the Colorado AI Act, the Illinois law adds to the growing patchwork of state laws that regulate artificial intelligence.

On August 9, Illinois Governor J.B. Pritzker signed HB 3773 into law. The bill, which goes into effect January 1, 2026, amends the Illinois Human Rights Act to regulate the use of artificial intelligence in certain employment settings. In the below article, we provide a summary of the law and its provisions.

Keypoint: The appellate court ruled that the California Age-Appropriate Design Code Act’s impact assessment provision is unconstitutional and remanded the case back to the trial court to consider the constitutionality of the other challenged provisions.

On August 16, the Ninth Circuit Court of Appeals issued an opinion in NetChoice v. Bonta on the constitutionality of California’s Age-Appropriate Design Code Act (AADC). The appellate court affirmed the district court’s decision in part and vacated it in part. The appellate court affirmed the district court’s ruling that NetChoice was likely to succeed in showing that the AADC’s data protection impact assessment requirement violates the First Amendment. Based on that ruling, the appellate court affirmed the district court’s decision to enjoin enforcement of that requirement. The appellate court vacated the remainder of the district court’s ruling, determining that it is unclear from the record whether the remaining provisions of the AADC challenged by NetChoice violate the First Amendment. The appellate court remanded the case to the district court to consider the constitutionality of those provisions and whether the law’s unconstitutional provisions are severable from the remainder of the law.

In the below article, we provide an overview and analysis of the Ninth Circuit’s ruling.

Keypoint: Companies onboarding AI products and services need to understand the potential risks associated with these products and implement contractual provisions to manage them.

With the rapid emergence of artificial intelligence (AI) products and services, companies using these products and services need to negotiate contractual provisions that adequately address the unique issues they present. However, given that this area is new and rapidly emerging, companies may not appreciate that the use of AI may raise unique contractual issues. Even if companies do realize it, they may not know what those provisions should state. In addition, many AI-related contractual terms are complicated and confusing, oftentimes containing new terms and definitions that companies are unfamiliar with handling. 

In the below article, we identify key considerations when reviewing or preparing AI-related contracts. Although there may be other considerations depending on the specific use case, the below considerations should provide the reader with a useful starting point for how to address this issue.

Keypoint: Last week, several privacy and AI bills passed out of committee (with some receiving amendments) while two bills died in committee.

We are currently tracking thirteen privacy and AI-related bills that previously crossed chambers prior to the legislative deadline. With the California legislature closing on August 31, we will be providing weekly updates on the progress of these bills.

Keypoint: Last week, the California legislature returned from its summer recess and began moving forward with privacy and AI legislation prior to the August 31 session closing date.

We are currently tracking thirteen privacy and AI-related bills that previously crossed chambers prior to the legislative deadline. With the California legislature closing on August 31, we will be providing weekly updates on the progress of these bills.