Photo of David Stauss [Former Attorney]

David Stauss [Former Attorney]

 

Formerly with Husch Blackwell, David routinely counseled clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws.

Keypoint: While the act does not include many provisions found in the more recent consumer data privacy laws, it would expand privacy notice obligations in one significant way although the applicability and scope of that requirement is unclear due to the lack of an important definition.

On June 13, 2024, the Rhode Island legislature passed the Rhode Island Data Transparency and Privacy Protection Act (SB 2500 / HB 7787). The act will now move to Governor Daniel McKee for consideration. Assuming the act becomes laws, it will go into effect on January 1, 2026.

The act is based on the Washington Privacy Act model but diverges from the prevalent forms of that model in two ways. First, the act contains a unique privacy notice requirement that would require entities to disclose the third parties to whom they sell or “may sell” personally identifiable information. However, the applicability and scope of that potentially onerous requirement is unclear because the act does not define personally identifiable information. Second, the act does not include some provisions that have become commonplace in recently passed laws such as data minimization language and an obligation to recognize universal opt-out mechanisms.

In the below article, we provide a summary of the act’s more notable provisions. As with prior bills, we have added the Rhode Island act to our chart providing a detailed comparison of laws enacted to date.

Keypoint: The California legislature is considering several bills that, if passed, would add to the nation’s emerging legal patchwork governing the use of artificial intelligence.

In mid-May, Colorado Governor Jared Polis signed the Colorado Artificial Intelligence Act (CAIA) into law, making Colorado the first state to enact legislation governing the use of high-risk artificial intelligence systems. Earlier this year, Utah enacted SB 149, which creates limited obligations for private sector companies deploying generative artificial intelligence, including disclosing its use.

The California legislature is currently considering seven AI-related bills that, if passed, would add to the growing patchwork of state AI laws. All of these bills have passed their chamber of origin and are currently being considered by the opposite chamber. While many state legislatures have already closed for the year, California’s legislative session does not end until August 31, 2024, meaning that there is still time for California to pass one or more bills.

In the below article, we briefly summarize these bills (as they are currently drafted) and identify their current status. We previously discussed four of these bills in our April 25 AI Legislation Update.

Keypoint: The Minnesota bill contains several unique requirements and provisions, including a novel right to question the result of a profiling decision, privacy policy provisions that increase interoperability with existing state laws, and new privacy program requirements such as a requirement for controllers to maintain a data inventory.

On May 19, the Minnesota legislature passed the Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782). The bill, which is sponsored by Representative Steve Elkins, was passed as Article 5 of a larger omnibus bill. The bill next moves to Governor Tim Walz for consideration.

The Minnesota bill largely tracks the Washington Privacy Act model but with some significant and unique variations. For example, the bill creates a novel right to question the result of a profiling decision and have a controller provide additional information regarding that decision. It also contains privacy policy requirements that are intended to increase interoperability with other state consumer data privacy laws. Further, the bill contains provisions requiring controllers to maintain a data inventory and document and maintain a description of policies and procedures the controller has adopted to comply with the bill’s provisions. We discuss those requirements and provisions, along with others, in the below article.

As with prior bills, we have added the Minnesota bill to our chart providing a detailed comparison of laws enacted to date.

Keypoint: Last week, Colorado passed children’s privacy and artificial intelligence bills, Vermont passed a consumer data privacy bill, Maryland’s consumer data privacy and AADC bills were signed into law, and Minnesota is on the cusp of passing a consumer data privacy bill.

Below is the sixteenth weekly update on the status of proposed state privacy legislation in 2024.

Keypoint: If signed into law, Colorado will become the first state to enact legislation regulating the use of high-risk artificial intelligence systems.

On May 8, the Colorado legislature passed the Colorado Artificial Intelligence Act (SB 205). If signed by Governor Jared Polis, Colorado will become the first state to enact legislation that broadly addresses the use of artificial intelligence, in particular the use of artificial intelligence in high-risk activities. The bill is co-sponsored by Senate Majority Leader Robert Rodriguez and House Representatives Manny Rutinel and Brianna Titone.

In the below article, we first provide context and background on the bill. We then provide a summary of the bill’s provisions.

Keypoint: Colorado employers and controllers that collect and process biometric data and identifiers will need to comply with disclosure, consent, and retention requirements beginning on July 1, 2025.

In late April, the Colorado legislature passed HB 1130, which amends the Colorado Privacy Act (CPA) to add protections for an individual’s biometric data and identifiers. Subject to the procedural formalities in the legislature, the bill will move to Colorado Governor Jared Polis for consideration. Assuming the bill becomes law, it will go into effect on July 1, 2025, and create several new obligations for entities that collect biometric data and identifiers. In addition, the bill’s requirements will apply to more entities than are currently covered by the CPA and will apply to employee data.

In the below article, we first provide a brief overview of the CPA’s existing treatment of biometric data. We then discuss the new obligations created by HB 1130.

Keypoint: Since our last update, the Connecticut Senate passed an algorithmic discrimination bill, an algorithmic discrimination bill was introduced in Colorado and passed the Colorado Senate Judiciary Committee, and an algorithmic discrimination bill passed out of a California committee.

Below is our fourth update on the status of pending US artificial intelligence (AI) legislation that would affect the private sector.