Photo of TK Lively

TK counsels clients on complying with data privacy laws such as the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. TK is certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional (US).

Keypoint: If signed into law, Colorado will become the first state to enact legislation regulating the use of high-risk artificial intelligence systems.

On May 8, the Colorado legislature passed the Colorado Artificial Intelligence Act (SB 205). If signed by Governor Jared Polis, Colorado will become the first state to enact legislation that broadly addresses the use of artificial intelligence, in particular the use of artificial intelligence in high-risk activities. The bill is co-sponsored by Senate Majority Leader Robert Rodriguez and House Representatives Manny Rutinel and Brianna Titone.

In the below article, we first provide context and background on the bill. We then provide a summary of the bill’s provisions.

Keypoint: Colorado employers and controllers that collect and process biometric data and identifiers will need to comply with disclosure, consent, and retention requirements beginning on July 1, 2025.

In late April, the Colorado legislature passed HB 1130, which amends the Colorado Privacy Act (CPA) to add protections for an individual’s biometric data and identifiers. Subject to the procedural formalities in the legislature, the bill will move to Colorado Governor Jared Polis for consideration. Assuming the bill becomes law, it will go into effect on July 1, 2025, and create several new obligations for entities that collect biometric data and identifiers. In addition, the bill’s requirements will apply to more entities than are currently covered by the CPA and will apply to employee data.

In the below article, we first provide a brief overview of the CPA’s existing treatment of biometric data. We then discuss the new obligations created by HB 1130.

Keypoint: Privacy professionals will have their hands full with compliance deadlines over the next year.

Over the past few years, states have enacted numerous privacy laws, including broad consumer data privacy laws, children’s privacy laws, consumer health data privacy laws, and data broker laws. The enactment of so many privacy laws in such a short period of time has created an avalanche of compliance deadlines for businesses. In the below article, we identify the upcoming deadlines for this year (January 2024 through January 2025). We also provide a brief background on the various laws and, where available, links to our prior posts on each. We also have provided a chart identifying the deadlines.

In addition to the deadlines identified below, businesses subject to the California Consumer Privacy Act (CCPA) should keep in mind that CCPA § 1798.130(5) requires businesses to update their privacy policies “at least once every twelve months” and CCPA Regulation § 7011(e)(4) requires businesses to state when their privacy policy was last updated. Businesses should update their privacy policies to comply with this annual requirement.

Keypoint: Enforcement by the California Privacy Protection Agency of the new CCPA regulations will be delayed until March 2024, but the Agency can still enforce the CCPA statutory changes as of July 1, 2023.

As first reported by Amy Miller at mlex, on June 30, 2023, Judge Arguelles of the Superior Court of California entered an Order granting, in part, the California Chamber of Commerce’s Petition for Writ of Mandate and Compliant for Declaratory and Injunctive Relief. In so doing, the Court held that enforcement of any final regulation published by the California Privacy Protection Agency must be stayed for a period of 12 months from the date that regulation becomes final. This means the Agency cannot enforce the new California Consumer Privacy Act (CCPA) regulations finalized on March 29, 2023, until March 29, 2024. Importantly, the ruling does not prohibit the Agency or the Attorney General’s Office from enforcing the statutory changes to the CCPA that went into effect on January 1, 2023.

Keypoint: With the Board’s approval secured, the Agency will now send the final rulemaking package to the Office of Administrative Law for review.

On Friday, February 3, 2023, the Board of the California Privacy Protection Agency (Agency) voted to adopt and approve the Agency’s rulemaking package. The rulemaking package includes a redline of the final regulations, a final statement of reasons, and two appendices to the final statement of reasons with responses to comments received during the 45 day and 15 day comment periods. The Agency did not substantively change the regulations from the draft the Agency published in November.

With state legislatures opening across the country, lawmakers in numerous states are introducing bills to regulate private entities’ processing of biometric information. These bills, many of which are similar to the Illinois Biometric Information Privacy Act (BIPA), could change the landscape of U.S. state privacy law.

With the influx of bills, we are releasing our