Key point: Colorado has repealed and replaced the Colorado AI Act, amid years of skepticism from industry critics.
On May 14, Colorado Governor Jared Polis signed SB 26-189 into law, repealing and replacing the landmark Colorado Artificial Intelligence Act (CAIA), just under two months before it was set to take effect. CAIA was enacted in 2024 with an amended effective date of June 30, 2026.
Key point: Beginning November 10, 2025, DoD contracting officers will begin adding Cybersecurity Maturity Model Certification (CMMC) requirements to solicitations, and contracting officers “shall not award a contract, task order, or delivery order to a [contractor] that does not have a current CMMC status at the CMMC level required by the solicitation.”
Key point: CMMC took another step towards reality, with OIRA clearing for publication the DFARS proposed rule that will add CMMC requirements as a condition of award for new contracts.
Key point: “Winning the Race: America’s AI Action Plan,” the Trump Administration’s summary approach to federal artificial intelligence (AI) policy, and three new Executive Orders (EO) propose a wide-ranging federal strategy intended to solidify U.S. leadership in AI. For business leaders and public sector stakeholders, the Action Plan and EOs may be a double-edged sword: catalyzing AI innovation through deregulation, but in turn creating a complex, opaque compliance environment that demands careful navigation.
Keypoint: Last week, Montana’s legislature inched closer to significantly revising its consumer data privacy law, Oregon’s consumer data privacy amendment bills advanced, and there were numerous developments with Arkansas’ bills in advance of its upcoming adjournment.
Below is the fourteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.
Keypoint: As we break for the holidays, we wanted to wish you and your families happiness and health, and leave you with an attempt at some privacy holiday humor. We look forward to bringing you more privacy news and analysis in 2022.
A Privacy Christmas Story
‘Twas the night before Christmas as I toiled away,
Counting the minutes until Christmas day,
When all of a sudden from out of the blue,
I received a meeting invite from Santa that’s who,
You see Santa’s been watching as all over the globe,
Countries (except the US) have enacted privacy codes,
Santa, he said, would like to comply,
So he asked if I could give it a try,
[After clearing conflicts, receiving a retainer and entering into an engagement letter …..]
Keypoint: If passed, the bill would, among other changes, broaden Nevada’s existing right to opt out of sales of covered information.
In late March, we first reported that the Nevada legislature is considering a bill that would amend Nevada’s online privacy notice statutes, NRS 603A.300-360, to provide for a broader right to opt out of sales. On April 20, the Nevada Senate unanimously passed an amended version of SB260. The bill is now with the Assembly Committee on Commerce and Labor.
As an update to our previous post, HHS announced that the deadline to submit comments on their proposed rule to revise HIPAA regulations was extended until May 6, 2021. Changes contemplated by the proposed rule involve relaxing certain privacy standards, strengthening individuals’ rights to access their protected health information (PHI) and other initiatives that