Photo of Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.

Keypoint: If signed into law, Colorado companies that process children’s data will have new requirements beginning on October 1, 2025.  

Prior to the legislature closing on May 8, Colorado lawmakers passed SB 41, which amends the Colorado Privacy Act (CPA) to add protections for children’s data privacy. If signed into law by Colorado Governor Jared Polis, it will go into effect on October 1, 2025. The bill creates new obligations for entities that offer any online service, product, or feature to minors (under 18). The bill is modeled on Connecticut’s SB 3 signed into law last June.

In the below article, we provide an overview of the obligations under SB 41 and the key differences between SB 41 and Connecticut’s SB 3.Continue Reading Colorado Legislature Passes Children’s Data Privacy Bill

Keypoint: If signed into law, Colorado will become the first state to enact legislation regulating the use of high-risk artificial intelligence systems.

On May 8, the Colorado legislature passed the Colorado Artificial Intelligence Act (SB 205). If signed by Governor Jared Polis, Colorado will become the first state to enact legislation that broadly addresses the use of artificial intelligence, in particular the use of artificial intelligence in high-risk activities. The bill is co-sponsored by Senate Majority Leader Robert Rodriguez and House Representatives Manny Rutinel and Brianna Titone.

In the below article, we first provide context and background on the bill. We then provide a summary of the bill’s provisions.Continue Reading Colorado Legislature Passes First-in-Nation Artificial Intelligence Bill

Keypoint: The Utah legislature repealed and replaced the Utah Social Media Act in response to a lawsuit challenging the law on constitutional grounds.

Prior to closing in early March, the Utah legislature passed two bills (SB 194 and HB 464) that repeal and replace the Utah Social Media Regulation Act, which the legislature passed just last year. The bills are the second part of a legislative process in which Utah lawmakers amended the Act in response to a lawsuit filed by an Internet trade association challenging the Act on constitutional grounds. The Utah legislature previously pushed back the Act’s effective date to delay the legal challenge while lawmakers worked to revise the Act. In the below article, we provide a brief background on the Act and then discuss the changes made by the two bills.Continue Reading Utah Legislature Repeals and Replaces Utah Social Media Regulation Act

Keypoint: 2024 will again see numerous developments in children’s privacy law.

As the 2024 state legislative season begins, it’s clear that lawmakers are again focused on children’s privacy. For the past few years, lawmakers have introduced different children’s privacy models, on both the federal and state level. However, regulating this specific area of law has its own set of challenges. We are releasing our 2024 State Children’s Privacy Law Tracker, which identifies enacted legislation and states considering legislation. Bookmark the page and use it as a resource.

For an update on children’s state privacy law, see below where we outline recent developments, children’s privacy laws that go into effect in 2024, and proposed laws this legislative session.Continue Reading Children’s State Privacy Law Update and Tracker Released

Keypoint: Privacy professionals will have their hands full with compliance deadlines over the next year.

Over the past few years, states have enacted numerous privacy laws, including broad consumer data privacy laws, children’s privacy laws, consumer health data privacy laws, and data broker laws. The enactment of so many privacy laws in such a short period of time has created an avalanche of compliance deadlines for businesses. In the below article, we identify the upcoming deadlines for this year (January 2024 through January 2025). We also provide a brief background on the various laws and, where available, links to our prior posts on each. We also have provided a chart identifying the deadlines.

In addition to the deadlines identified below, businesses subject to the California Consumer Privacy Act (CCPA) should keep in mind that CCPA § 1798.130(5) requires businesses to update their privacy policies “at least once every twelve months” and CCPA Regulation § 7011(e)(4) requires businesses to state when their privacy policy was last updated. Businesses should update their privacy policies to comply with this annual requirement.Continue Reading Upcoming 2024 State Privacy Law Compliance Deadlines

Keypoint: The Utah Division of Consumer Protection published proposed rules regulating social media companies under Utah’s Social Media Regulation Act.

On October 15, 2023, the Utah Division of Consumer Protection (the “Agency”) published proposed rules for Utah’s Social Media Regulation Act (“SMRA”). As required by the SMRA, the draft rules outline requirements for age verification and consent methods. These draft rules come just a month following federal district courts in California, Texas, and Arkansas enjoining children’s online laws from going into effect in those states.

In the below post, we first provide background on the SMRA. We then provide a summary of the substantive sections of the proposed rules and lastly outline key takeaways.Continue Reading Utah Proposes Rules for Social Media Regulation Act

Keypoint: A California federal district court granted NetChoice’s motion for preliminary injunction, finding that the California Age-Appropriate Design Code Act likely violates the First Amendment.

On September 18, 2023, the United States District Court for the Northern District of California granted NetChoice’s motion for preliminary injunction, enjoining Rob Bonta, Attorney General of the State of California, from enforcing the California Age-Appropriate Design Code Act (AADC). The ruling comes only weeks after federal district courts in Texas and Arkansas enjoined children’s online laws from going into effect in those states.

In the below post, we provide a brief background on the AADC, analyze the court’s ruling, and provide some context and takeaways on how it could impact privacy laws more generally.Continue Reading Court Enjoins California Age-Appropriate Design Code Act

Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.

As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Compliant for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.Continue Reading Enforcement of New CCPA Regulations Delayed By Court Ruling

Keypoint: With the Board’s approval secured, the Agency will now send the final rulemaking package to the Office of Administrative Law for review.

On Friday, February 3, 2023, the Board of the California Privacy Protection Agency (Agency) voted to adopt and approve the Agency’s rulemaking package. The rulemaking package includes a redline of the final regulations, a final statement of reasons, and two appendices to the final statement of reasons with responses to comments received during the 45 day and 15 day comment periods. The Agency did not substantively change the regulations from the draft the Agency published in November.Continue Reading CPPA Board Approves CPRA Regulations

The landscape of U.S. state privacy law is changing once again. In 2022, the California legislature passed The California Age-Appropriate Design Code Act (AB 2273), a first-in-the-nation law based on the United Kingdom’s Age-Appropriate Design Code. In 2023, more states are following California’s lead and introducing bills that seek to regulate private entities’