US data privacy laws by state

On November 27, 2023, the California Privacy Protection Agency (CPPA) released a preliminary discussion draft of its upcoming regulations surrounding the use of ”automated decision-making technologies”—a term broadly defined to include not only AI, but any “system, software, or process” using computation to make or help make decisions.

The draft regulations are broken down into three main sections:

Notably, the regulations would require businesses to make substantial disclosures about how their technology works, including the logic it uses to make decisions, the extent to which humans are involved in the decision-making process, and even details of how the technology was used to make specific decisions about a given consumer.

Colorado has already imposed some significant disclosure requirements around businesses’ use of decision-making technology, but California’s proposed approach would be unique as no other state currently requires businesses to tell consumers how technology was used to make individual decisions.

Keep in mind that these discussion drafts are very preliminary, not even part of the official rulemaking process. The CPPA will eventually publish official draft regulations on this topic, which will kick off the notice-and-comment process and eventually lead to final regulations. But if the CPPA’s prior rulemaking is any guide, these initial regulations should give a good preview of the finished product. Many specifics will change, but the concepts and goals will likely remain largely the same.

The CPPA will meet to discuss the draft rules in its next meeting, currently scheduled for December 8.

Beginning July 1, 2024, the Colorado Privacy Act (the “CPA”) requires covered businesses to recognize signals from Universal Opt-Out Mechanisms (“UOOMs”) and process them as requests to opt out of sales and targeted advertising. To facilitate this, the CPA requires the state’s Attorney General to create and maintain a public list of the UOOMs that covered businesses will be required to recognize when that portion of the CPA goes into effect.

While there is still some time before businesses are required to recognize UOOMs, Colorado took a significant step on the road towards enforcement on November 21, when its Attorney General released a “shortlist” of the UOOMs that are being considered for inclusion on the final list.

The shortlist lives up to its name as only three UOOMs made the cut: Global Privacy Control, which sends an opt-out signal to websites via a browser or plugin; OptOutCode, focused on vehicle-related privacy; and The Opt-Out Machine, which sends opt-out requests to data brokers via email. The Attorney General will now accept public comment on whether each of these three UOOMs should be included in the final list from now until December 11, 2023. Businesses will only be required to recognize UOOMs that make it onto the final list, which the Attorney General is required to release on or before January 1, 2024. Stay tuned to this space for further updates.

Negotiations around Europe’s AI Act continued to progress this month, with decision-makers eyeing an upcoming December 6 meeting as a possible place to reach an agreement on the substantive provisions of the proposed law. While these negotiations had been proceeding smoothly since the European Parliament passed its version of the AI Act in June of this year, the bill hit a snag on November 10 when several EU member states raised objections to some of the law’s key provisions, including those related to the use of AI by law enforcement and how the Act would be enforced.

These objections initially led to some pessimism about whether the EU would be able to reach an agreement on the text of the law before the new year, but recent reports indicate that lawmakers still believe they can reach a consensus in time for the December 6 meeting. If they fail to do so, discussions around the Act will likely be delayed until 2024.

For more details on the AI Act and its potential impact on businesses, see Wilson Sonsini’s Privacy and Data Protection blog

We launched Research last month, a new tool to keep you informed about the law and how businesses should follow it.

With Research, you can easily search US and EU privacy laws by location, topic, and subtopic. This helps you quickly find the rules that matter to your organization without sifting through complex legal jargon.

In addition to the laws, our Research Center includes “Privacy Request Responses.”

These are pre-written messages your organization can customize when responding to privacy requests from consumers. You can filter these responses by location, request type, who made the request (like a consumer or an employee), and how you want to respond (granting, denying, or a mix). These responses are designed to comply with local laws, and some come with helpful “Action Items” explaining what the law says and any extra changes needed to ensure your responses are legally sound.

The best part? The Research Center is available to all our privacy customers as part of their subscription. You can access it by clicking “Research” on your SixFifty dashboard’s left side.

2023 was a busy year for privacy. On top of the several states that passed general consumer privacy laws, Washington and Nevada enacted new, more targeted laws that regulate “Consumer Health Data,” which the laws define as any personal data that relates to an individual’s physical or mental health. These laws are noteworthy because they apply to any organization that collects even a single piece of Consumer Health Data, regardless of how big the organization is or how extensive its data collection practices are.

With that in mind, organizations that do business in either state should review both laws to determine whether they have to comply before they go into effect on March 31 of next year (or June 30 for small businesses in Washington).

For organizations that do have to comply, SixFifty is here to help. We will be releasing a State Health Privacy module in the coming weeks 🎉, which will contain all of the documentation you need to comply with both of the new laws. We will also be updating our Research Center to include Washington and Nevada so you can easily understand what the laws require. Stay tuned to this space for further updates.

President Biden on October 30 issued an executive order around the use of artificial intelligence by the federal government and its contractors. The lengthy order covers significant ground, ranging from directing the National Science Foundation to help develop new privacy-enhancing techniques (including stronger cryptography) to requiring federal agencies to account for how they collect and use data, including whether personal data is purchased from data brokers. Biden also called on Congress to enact comprehensive consumer privacy legislation as an important part of governing AI; whether his request will help move the perennially stalled federal privacy legislation process forward remains to be seen.

While the executive order is limited to the federal government directly, it is still expected to have ripple effects throughout the privacy landscape in the United States. The government’s privacy requirements around its contractors, for example, will lead to new privacy standards and practices within the private sector. In particular, the executive order mandates the creation of new standards for conducting risk assessments—which a few states have started to require themselves—and methods of measuring and mitigating bias in AI, a topic that has seen much interest but little concrete progress. You can read more in Wilson Sonsini’s client alert about the order.

Costco is the latest company to face litigation over how it uses tracking pixels on its website. A lawsuit filed in Washington state court alleges that the company used a tracking pixel from Meta, the parent company of Facebook and Instagram, on its pharmacy website, potentially disclosing sensitive health information to the company. CostCo has not yet filed a response to the complaint, and any final outcome could take a long time, but this is another reminder right now for companies to be thoughtful about how they use tracking pixels and cookies on different parts of their websites and apps.

The EU–U.S. Data Privacy Framework has only been in effect for a few months but—to the surprise of no one—has already faced challenges in court in the EU. The Framework allows US companies to take advantage of an adequacy decision for easily transferring personal data out of the EU by completing a self-certification process with the Department of Commerce (you can see our August Privacy Update for more information on the program).

The first judicial challenge to the Framework was filed by French Member of European Parliament Philippe Latombe in September. The European Union General Court on October 12 declined to put a pause on the program, and MEP Latombe appealed that decision on October 30. Although the process for a Member of European Parliament to challenge the DPF is somewhat faster than that of private parties, the litigation faces significant hurdles and a final decision is likely over a year away.

33 states sued Meta on October 24 alleging that the company designed Facebook and Instagram to exploit children and teenagers for profit via “psychologically manipulative product features.“ The charges against Meta include unfair and/or deceptive acts or practices under various states’ consumer protection laws, as well as alleging a violation of COPPA for knowingly collecting the personal information of children under 13 without parental consent.

Detailed analysis of the lawsuit is available on Wilson Sonsini’s Privacy and Data Protection blog.

On Thursday, September 21, the UK Government announced the finalization of the UK–U.S. data bridge (the “Bridge”). Like the EU–U.S. Data Privacy Framework already in place, the new Bridge will simplify the transfer of data from the UK to the U.S.

The Bridge will take effect on October 12, 2023, just a few weeks away. Unlike the EU–U.S. data bridge, the Bridge cannot be used by itself. It can only be used if done in conjunction with the already established EU–U.S.

Data Privacy Framework self-certification process. Self-certification to the Bridge is done through the same portal those organizations wishing to transfer data out of the EU into the US have to use. A detailed explanation of how to do that can be found in this SixFifty support article.

Delaware governor, John Carney, finally signed their state’s consumer privacy law into effect on September 11 (the legislature passed it back in June). This makes Delaware the latest in a long line of states that have enacted state-specific consumer privacy laws.

The law will not go into effect until January 1, 2025, and is similar to Virginia’s and Colorado’s consumer privacy laws.

In August of last year, California legislation passed the California Age-Appropriate Design Code Act (the “Act”). The Act greatly increased the protections around California children’s data. It required that qualified organizations had to estimate the child’s age; conduct impact assessments; and significantly restrict how the organization collects, uses, and shares children’s data, among other things.

The law was set to go into effect on July 1, 2024, just under nine months from now. However, by order of a federal judge, the law is being put on hold, under a preliminary injunction, because the judge believes the Act is likely to be found unconstitutional. The case is not over, hence a preliminary injunction, so the outcome is not yet decided. Nonetheless, this development injects significant uncertainty into businesses’ preparation for compliance.

On the last day of the legislative session, September 14, the California legislature passed Senate Bill 362, commonly known as the Delete Act. The new law still needs to be signed by the governor; there are no expectations that he will not sign it and he has until October 14 to do so.

The Delete Act adds additional compliance requirements for data brokers in the state, and makes it so that California residents can make a single deletion request that all registered data brokers must comply with. Rather than the law itself outlining all the duties, effective date, and enforcement, the legislator empowered the CPPA to come up with a system to effectuate such deletion requests. If signed into law it will be yet another area where the CPPA will be providing further guidance to covered organizations in the coming years.

California’s Attorney General (“AG”) announced on September 14 a $93 million settlement with Google over their location-privacy practices with regard to California residents data. Google was allegedly collecting, storing, and using residents’ location data for profiling and advertising purposes inappropriately. The AG said that the state’s investigation “revealed that Google was telling its users one thing – that it would no longer track their location once they opted out – but doing the opposite and continuing to track its users’ movements for its own commercial gain.” Along with the fine Google is required to take steps to be more transparent with their users on how their data is being used.