STATE & LOCAL LAWS & REGULATIONS
California Privacy Protection Agency Advances New Security, ADMT Regulations: The California Privacy Protection Agency (“CPPA”) initiated the formal rulemaking process for proposed regulations on cybersecurity audits, risk assessments, and automated decision-making technologies (“ADMT”) at its November public meeting. The proposed regulations would regulate artificial intelligence (“AI”), which would fall within the definition of ADMT. The proposed regulations define ADMT as “any technology that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making” and specifically includes AI and profiling. The proposed rules would provide consumers with a number of rights with respect to ADMT, including the right to opt out of the use of ADMT and to appeal significant decisions relating to a business’s use of ADMT. The proposed rules would also require businesses to conduct risk assessments related to certain uses of ADMT, among other things. As it relates to cybersecurity, the proposed regulations would require certain businesses to conduct cybersecurity audits. Cybersecurity audits would require identification, assessment, and documentation of the business’s cybersecurity program, including authentication, encryption, zero trust architecture, and other areas. Businesses would be required to submit a written certification to the CPPA on an annual basis that the cybersecurity audit was completed. The formal comment period for the proposed rules opened on November 22, 2024, and will close on January 14, 2025.
California Privacy Protection Agency Adopts New Data Broker Regulations: The CPPA also formally adopted new data broker regulations. The new regulations would define a “direct relationship” under California’s data broker law as a relationship where “a consumer intentionally interacts with a business for the purpose of obtaining information about, accessing, purchasing, using, or requesting the business’s products or services within the preceding three years.” The new regulations would also require data brokers to disclose the types of personal information the data broker collects that are subject to other laws, such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act and information on the products and services the data broker offers that are covered by those laws. If the regulations are approved by the California Office of Administrative Law, they will become effective on January 1, 2025.
Colorado AG Releases Revisions to Draft Colorado Privacy Act Rules: The Colorado Attorney General’s Office released the second version of its proposed amendments to the Colorado Privacy Act rules. This round of revisions seeks to take into account concerns expressed through public input on the first draft of the amendments. The rules address two laws amending the Colorado Privacy Act, signed into law in 2024, that heightened protections for biometric data and children’s data. The amendments to the Colorado Privacy Act requiring businesses operating in Colorado to keep written policies on how they handle and dispose of biometric data, and to provide consumers with notice of the collection of biometric information, take effect July 1, 2025. The draft rules define the notice and consent requirements for biometric data, including notice and consent requirements for employees, contractors, and subcontractors. Amendments to the Colorado Privacy Act relating to children’s data take effect on October 1, 2025, and will require companies to use “reasonable care” to avoid harms to a consumer they know is under 18 and to limit the use and collection of minors’ data.
Reproductive Data Privacy Legislation Introduced in Michigan: SB 1082, the Reproductive Data Privacy Act (“RDPA”) was introduced in the Michigan legislature. The RDPA is modeled after Washington’s My Health, My Data Act, but would apply specifically to entities that provide products or services related to a person’s reproductive health data. Reproductive health data is defined under the law as “information that is linked or reasonably linkable to an individual and that identifies the individual’s past, present, or future reproductive health status.” Reproductive health status is in turn defined as including, but not limited to, reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity. The RDPA would require entities to provide notice and obtain consent from consumers before collecting or processing reproductive health data, and to minimize the reproductive health data that they collect to only that data which is necessary to perform the purposes for which it is collected, among other things. As introduced, the RDPA would also provide consumers with a private right of action to seek statutory damages between $100 and $750 per violation or actual damages, whichever is greater.
Texas Lawmaker Releases Draft Comprehensive AI Legislation: Representative Giovanni Capriglione (R) released draft legislation entitled the Texas Responsible AI Governance Act. Representative Capriglione stated he intends to introduce the legislation in the 2025 Texas State legislative session. The draft legislation provides for a risk-based approach and borrows a number of concepts from the Colorado AI Act that was passed in 2024 and similar Connecticut legislation that failed to pass last year. The legislation would require developers and deployers of high-risk AI systems to use “reasonable care” to avoid algorithmic discrimination, including through regular testing and by requiring non-compliant AI systems to be disabled or recalled until problems are resolved. High-risk systems are defined by the draft legislation as AI systems that make, or are a contributing factor in, a consequential decision, which is a decision that has a material legal or similarly significant effect on a consumer’s access to, cost of, or terms of employment, financial services, healthcare, and certain essential services, among other things. Lawmakers in other states around the U.S. are expected to introduce AI legislation in 2025.
FEDERAL LAWS & REGULATIONS
CFPB Releases Report on State Consumer Laws and Consumer Financial Data: The Consumer Financial Protection Bureau (“CFPB”) released a report examining federal and state privacy protections for consumers’ financial data. The report finds that all of the major state data privacy laws passed to date exempt financial institutions, financial data, or both if they are already subject to the Gramm-Leach-Bliley Act or Fair Credit Reporting Act. The report further finds that existing federal laws are limited in scope and may not protect consumers from companies’ novel and increasingly pervasive methods of collecting and monetizing data. The report encourages state lawmakers to consider these gaps and to extend the protections of state privacy laws to financial data, to help regulate, and provide consumer protections with respect to, the monetization of consumer financial data and commercial surveillance.
CFPB Finalizes Rule on Oversight of Digital Payment Apps: The CFPB also finalized a rule to supervise large nonbank companies offering digital funds transfer and payment wallet apps. The CFPB previously maintained enforcement authority over the funds transfer and payment activities of such companies, but the new rule will extend the CFPB’s proactive supervisory authority over the industry. Companies offering these products that handle more than 50 million transactions a year will now be supervised under federal law like large banks, credit unions, and other financial institutions already supervised by the CFPB. The CFPB stated that the new rule will enable it to supervise companies in key areas, including data privacy and surveillance, errors and fraud, and debanking. This includes extending federal law allowing consumers to opt out of certain data collection and sharing, providing mechanisms to dispute transactions that are incorrect or fraudulent, and protecting consumers from loss of access to their payment apps without notice.
32 State AGs Write Congressional Leaders to Urge Passage of Kids Online Safety Act: In a letter written by Tennessee Attorney General Jonathan Skrmetti, 32 state attorneys general urged Congress to pass the Kids Online Safety Act (“KOSA”). The attorneys general highlighted that KOSA would enhance online protections for minors by requiring platforms to automatically enable their strongest safety protections instead of offering them on an opt-in basis, allow minors and parents to disable manipulative design features and algorithmic representations, and provide parents with new tools to report dangerous content. The House Energy and Commerce Committee advanced KOSA in September, but House leadership appears not to have made its passage a priority amid concerns that KOSA would violate the First Amendment. State laws in California, Texas, Ohio, Utah, and Arkansas that provide for varying types of online protections for minors have faced legal challenges alleging similar constitutional violations.
FTC Issues Paper on Smart Devices and Software Updates: The Federal Trade Commission (“FTC”) released a paper that stated 89 percent of smart device products surveyed by the FTC did not disclose on their websites how long the products would receive software updates, which can help patch security flaws in the devices and ensure they continue to operate properly. The staff paper stated that manufacturers’ failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act, which requires that written warranties on consumer products costing more than $15 be made available to prospective buyers prior to sale. Failing to provide software update information to consumers could also violate the FTC Act if manufacturers make express or implied representations about how long the product is useable, according to the paper.
NIST Releases Initial Public Draft of Privacy Workforce Taxonomy: The National Institute of Standards and Technology (“NIST”) announced the release of the initial public draft of the NIST Privacy Workforce Taxonomy (“Workforce Taxonomy”). The Workforce Taxonomy contains Task, Knowledge, and Skill Statements aligned with the NIST Privacy Framework, Version 1.0, and the NICE Workforce Framework, which establishes a common lexicon to describe cybersecurity work and workers. The Workforce Taxonomy is intended to help organizations better achieve their desired privacy outcomes, support recruitment, and inform the education and training of professionals.
U.S. LITIGATION
Blank Rome Secures Landmark Ruling on Retroactive Application of BIPA Amendments: A Blank Rome team representing DNJ Intermodal Services LLC prevailed in striking the complainant’s prayer for relief, which sought $1,000 or $5,000 for each of the thousands of times six plaintiffs allegedly had their hands scanned at work. Will County Judge Roger D. Rickmon found—perhaps the first among Illinois state judges—that a recent amendment to the Biometric Information Privacy Act (“BIPA” or “the Act”), which stipulates that a business collecting identical biometric data multiple times from the same person in violation of the law is liable for only a single violation, applies retroactively to claims that arose and were filed prior to August 2, 2024, the effective date of the Act. This landmark ruling shaves potential BIPA damages for most pending cases from astronomical damages of millions (or hundreds of millions) of dollars to $1,000 or $5,000 per person. The question of whether BIPA’s amendment applies retroactively is simmering in courts throughout the state of Illinois and is expected to eventually make its way up to Illinois’ Courts of Appeals and perhaps the Illinois Supreme Court.
Tech Group Files Challenge to California Social Media Addiction Law: NetChoice, a technology industry trade group that has challenged a number of recently enacted social media laws around the country on constitutional grounds, filed a complaint and motion for preliminary injunction asking a California federal court to strike down California’s Protecting Our Kids from Social Media Addiction Act (the “Act”). NetChoice argues that the Act violates the First Amendment by restricting how and when personalized feeds can be disseminated and also by “placing multiple restrictions on minors and adults’ ability to access covered websites and, in some cases, blocking access altogether.” Among other things, the Act would require that covered platforms display content chronologically, rather than in a personalized way. NetChoice also flagged the Act’s requirements that platforms obtain parental consent to show minors personalized feeds and send minors notifications during school hours or late at night as unconstitutional restrictions on speech. NetChoice instituted a challenge to California’s Age-Appropriate Design Code Act last year and secured a court decision temporarily enjoining that law.
Company and Ex-employee Settle Trade Secret Lawsuit Involving AI Application Recording of Phone Calls: A former salesman of cloud technology company CX360 settled the company’s trade secrets lawsuit against him, which included allegations that he used an artificial intelligence application to record company conference calls. The employee was terminated by CX360 in February of 2024. After that, the company claimed that it discovered the former salesman forwarded confidential messages to his personal email address, which amounted to theft of trade secrets for company accounts. The alleged theft came to light when Otter AI, an AI call recording and transcription application, tried to join a sales manager’s call under the ex-employee’s name after the employee was terminated. The District Court hearing the case previously issued a temporary injunction ordering the former employee to assign his Otter AI account to CX360 as part of the court order that he return all company property and customer information to CX360.
U.S. ENFORCEMENT
FTC Proposes Settlement with AI-Enabled Review Platform: The FTC announced that it has entered into a settlement with CGL Projects, Inc. d/b/a Sitejabber (“Sitejabber”), which provides an AI-enabled consumer review platform. The FTC alleged that Sitejabber misrepresented to consumers that the ratings and reviews it published came from consumers who had experienced the reviewed product or service, artificially inflating average ratings and review counts. Sitejabber collected ratings and reviews for its online business clients from consumers at the time of purchase (e.g., asking consumers to rate/review their overall shopping experience so far), before they received or had the chance to experience the products or services they bought. The proposed order against Sitejabber specifically prohibits Sitejabber from misrepresenting, or assisting anyone else in misrepresenting, any ratings, average ratings, or reviews it publishes, and requires that such ratings or reviews reflect the views of customers who actually received or experienced the product or service purchased.
CPPA Announces Settlements with Data Brokers: Following its announcement of a public investigative sweep of data broker registration compliance, the California Privacy Protection Agency (“CPPA”) has settled with two data brokers, Growbots, Inc. (“Growbots”) and UpLead LLC (“UpLead”), for failing to register as a data broker and pay an annual fee as required by California’s Delete Act. Growbots will pay $35,400 to resolve the CPPA’s claims that the company failed to register between February 1, 2024, and July 26, 2024. UpLead will pay $34,400 to resolve the CPPA’s claims that the company failed to register between February 1, 2024, and July 21, 2024. In addition to the fines, both companies have agreed to injunctive terms, including agreeing to pay the CPPA’s attorney fees and costs resulting from any non-compliance. The Delete Act imposes fines of $200 per day for failing to register by the deadline.
FCC Proposes Fine Against Chinese Video Doorbell Manufacturer: The Federal Communications Commission (“FCC”) proposed a fine against Hong Kong, China-based smart home device manufacturer, Eken, for violations of FCC rules that require the company to designate an agent located in the United States. The FCC found that the mailbox of Eken’s designated agent had been inactive since 2019. Providing a false address for a designated agent on three FCC applications constitutes three apparent violations of FCC rules. Accordingly, the FCC proposed three penalties of the maximum forfeiture amount allowed under the law against Eken, totaling $734,872. The FCC also announced it would audit the certifications that used the same U.S. designated agent information as Eken. The FCC’s Enforcement Bureau is further continuing its investigation into privacy and data security issues related to Eken, following news reports that Eken’s video doorbells exposed users’ home IP addresses and Wi-Fi network names and allowed access to photos and videos from household cameras by third parties.
New York Attorney General and New York State Department of Financial Services Fine Auto Insurance Companies for Data Breaches: The New York Attorney General and New York State Department of Financial Services (“NYDFS”) settled with two auto insurance companies, the Government Employees Insurance Company (“GEICO”) and The Travelers Indemnity Company (“Travelers”), for data breaches the companies experienced, which resulted in the personal information of approximately 120,000 New York residents being compromised. The data breaches were part of an industry-wide campaign by hackers to steal consumers’ personal information, including driver’s license numbers and dates of birth. For GEICO, the cyberattacks occurred by exploiting vulnerabilities on GEICO’s consumer-facing insurance quotes website and insurance agents’ quoting tool. For Travelers, the cyberattacks occurred through compromised agent credentials. The New York Attorney General and NYDFS settled with the companies, with GEICO agreeing to pay $9.75 million and Travelers $1.55 million in penalties. The companies also agreed to implement specific security controls, including maintaining a data inventory, authentication procedures, logging and monitoring systems, and threat response procedures.
FTC Proposes Settlement with AI Security Screening Company: The FTC has proposed a settlement with Evolv Technologies (“Evolv”) for the misleading claims Evolv allegedly made with respect to its AI-powered security screening system. The FTC alleged that Evolv deceptively advertised that its scanners would detect all weapons (when it failed, for instance, to detect knives but flagged harmless personal items like laptops) and made misleading claims that its use of AI made its scanners more accurate, efficient, and cost-effective than metal detectors. Under the proposed settlement, Evolv is required to notify certain K-12 school customers that they can cancel their contracts. Additionally, the proposed settlement prohibits Evolv from misrepresenting its scanners’ accuracy, false alarm rates, and ability to detect weapons; the screening speed of its scanners and labor costs compared to the use of metal detectors; testing or the results of any testing; and any material aspect of its scanners’ performance, including the use of AI.
HHS Announces Settlement of Ransomware-Related Enforcement Action with Healthcare Provider: The U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) announced that it had entered into a settlement with Plastic Surgery Associates of South Dakota for alleged violations of the HIPAA Security Rule arising from a 2017 ransomware attack. Threat actors infected nine workstations and two servers with ransomware after obtaining access to Plastic Surgery Associates’ network through a brute force attack on their remote desktop protocol. The records of 10,229 individuals were affected and the provider was unable to restore affected data from backups. OCR stated its investigations revealed multiple potential violations of the HIPAA Security Rule, including failures to conduct a compliant risk analysis or implement security measures sufficient to reduce risks and vulnerabilities to electronic protected health information to a reasonable and appropriate level. Plastic Surgery Associates will pay $500,000 and implement a corrective action plan that requires them to take steps to resolve potential HIPAA Security Rule violations. OCR also reiterated a number of recommendations that covered entities and business associates should take to prevent or mitigate cyber threats, including integrating risk analysis and risk management into business processes, utilizing multi-factor authentication, and encrypting protected health information.
INTERNATIONAL LAWS & REGULATIONS
European AI Office Publishes First Draft of General-Purpose AI Code of Practice: The first draft of the General-Purpose AI Code of Practice (“Code of Practice”), written by independent experts, was published by the European AI Office. The Code of Practice will detail the EU AI Act rules for providers of general-purpose AI models and general-purpose AI models with systemic risk. The EU AI Act rules on general-purpose AI will become effective in August 2025. The EU AI Office is facilitating the creation of the Code of Practice to provide additional detail on those rules. The Code of Practice is intended to guide the future development and deployment of trustworthy and safe general-purpose AI models, including principles of transparency and copyright-related rules, as well as how systemic risk is evaluated. The EU AI Office plans to facilitate four drafting rounds of the Code of Practice with the final round planned to occur in April 2025.
EU AI Office Launches Consultation on AI System Definition and Prohibited AI Practices Under EU AI Act: The EU AI Office announced it is launching a multi-stakeholder consultation on the application of the definition of an AI system and the prohibited AI practices established in the AI Act. The consultation is targeted at stakeholders, including providers and deployers of AI systems such as businesses, governmental authorities, academia and research institutions, trade unions and other workers’ representatives, and the general public. The EU AI Office prepared a questionnaire for the consultation, which will be open for comment through December 11, 2024. Questions include requests for stakeholders to rate or select the elements of the definition of AI systems and of the prohibited AI practices that would most benefit from additional clarification.
EDPB Adopts First Report on EU-U.S. Data Privacy Framework: The European Data Protection Board (“EDPB”) adopted a report on the first review of the EU-U.S. Data Privacy Framework (“DPF”), a mechanism that allows for the lawful transfer of EU personal data to companies in the U.S. that certify compliance with the DPF. The EDPB noted that the U.S. Department of Commerce took all relevant steps to implement the certification process. This includes developing a new website, updating procedures, engaging with companies, and conducting awareness-raising activities. It also noted that the redress mechanism for EU individuals has been implemented and that there is comprehensive complaint-handling guidance published in both the U.S. and EU. However, due to the low number of complaints received so far under the DPF, the EDPB highlighted that it would be important for U.S. authorities to separately monitor the DPF compliance of certified companies. The EDPB recommended that the next review of the EU-U.S. adequacy decision regarding the DPF should occur within three years or less.
Australian Information Commissioner Publishes Tracking Pixel Guidance: The Office of the Australian Information Commissioner (“OAIC”) released guidance for private sector organizations to assist them in meeting their obligations under the Australian Privacy Act when using third party tracking pixels on their websites. The Guidance clarifies that organizations seeking to deploy third-party tracking pixels on their websites are responsible for ensuring they are configured and used in a way that is compliant with the Australian Privacy Act and the Australian Privacy Principles. The Guidance also states that, when deploying third-party tracking pixels, organizations should adopt a data minimization approach to ensure that pixels are configured to limit the collection of personal information to the minimum necessary, ensure sensitive information is not disclosed to third parties through tracking pixels, and ensure that privacy policies and notifications contain clear and transparent information about the use of third-party tracking pixels, among other things.
Daniel R. Saeedi, Rachel L. Schaller, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Gabrielle N. Ganze, Jason C. Hirsch, Tianmei Ann Huang, Adam J. Landy, Amanda M. Noonan, and Karen H. Shin also contributed to this article.