Showing posts with label Colorado.

Tuesday, July 16, 2024

Will AI Help or Hinder Federal Privacy Legislative Efforts?

Efforts to pass a federal data privacy law have dragged on for many years. During that time, unrelenting technological advancement has simultaneously produced new innovations that amplify calls for clear rules and has complicated the congressional conversations that might lead to such legislation. Artificial Intelligence (AI) is the latest such instigator/troublemaker.

Generative AI offerings – such as OpenAI's ChatGPT, Google's Gemini, and Meta AI – depend upon Large Language Models (LLMs) trained on massive amounts of data. The more data used to train the LLM, the better the results. Consequently, generative AI raises substantial questions relating to privacy. (By way of example, the image below was created with OpenAI's DALL-E using the prompt "create an image of generative AI and data privacy.")

In her Opening Statement regarding a recent Senate Commerce, Science and Transportation Committee hearing titled "The Need to Protect Americans' Privacy and the AI Accelerant," Chair Maria Cantwell (D-WA) wrote that "[w]e are being surveilled … tracked online in the real world, through connected devices. And now, when you add AI, it is like putting fuel on a campfire in the middle of a windstorm." AI, she argued, "increases the need for passing legislation soon."

This heightened concern, however, to date has not generated legislative progress on data privacy. The American Privacy Rights Act of 2024, about which I wrote in "Congressional Leaders Return Privacy to the Front Burner," an April 2024 Perspectives from FSF Scholars, has yet to advance beyond a discussion draft. It was scheduled for markup by the House Energy and Commerce Committee on June 27, 2024, but that markup was cancelled at the last minute, a development I described in a post to the Free State Foundation's blog.

Prompting an unsettling sense of déjà vu, one state already has taken stalled congressional matters into its own hands. On May 17, 2024, Colorado Governor Jared Polis signed into law Senate Bill 24-205, "Concerning Consumer Protections in Interactions with Artificial Intelligence Systems."

Broadly speaking, Senate Bill 24-205, which goes into effect on February 1, 2026, requires that developers of "high-risk" AI systems "use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination."

We shall see if other states follow Colorado's lead – and, if so, whether another unwanted privacy-related "patchwork" emerges.

Thursday, May 18, 2023

Tennessee Is State Number Eight to Pass a Privacy Law

On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act ("TIPA"). The Volunteer State is the third to adopt a comprehensive data privacy statute in 2023 (after Indiana and Iowa) and the eighth overall (joining the Golden State's California Consumer Privacy Act and California Privacy Rights Act and similar-yet-unique laws passed in Virginia, Colorado, Connecticut, and Utah).

As I cautioned in a March 2021 Perspectives from FSF Scholars, multiple, inconsistent state laws inevitably will lead to "[c]ounterproductive consumer confusion, along with unreasonably burdensome and unjustifiably costly compliance obligations." At that time, just two states – California and Virginia – had enacted legislation. Today, with that total rapidly approaching double digits, such concerns are exponentially greater.

Consumer rights established by the TIPA include the right to know that a covered entity is processing personal information; to access, correct, delete, and obtain a copy of that data; and to opt out of the sale of personal information. In addition, a covered entity must disclose, upon request, categorical information regarding personal information that was sold, and obtain a consumer's consent before processing "sensitive data."

Covered entities ("controllers") that share personal information with third parties ("processors") must include certain provisions in their contracts to protect these consumer privacy rights. Controllers also must conduct data protection assessments under certain circumstances (for example, if they engage in targeted advertising, process "sensitive data," or sell personal information).

The TIPA does not create a private right of action. The Attorney General is responsible for enforcing its provisions. Covered entities have 60 days to cure an alleged violation.

Perhaps most notably, the TIPA requires that covered entities "create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.'"

The TIPA becomes effective on July 1, 2024.

Friday, May 05, 2023

Seven States and Counting: Indiana Passes Privacy Law

Activity at the state level continues to complicate further the overall privacy landscape. On May 1st, Indiana Governor Eric Holcomb signed into law Senate Bill 5 (S.B. 5), the Indiana Consumer Data Privacy Act (ICDPA). Indiana is the second state to pass a comprehensive data privacy law in 2023 (Iowa was the first, as I noted in a recent post to the Free State Foundation blog) and the seventh overall (after California, not once but twice, Virginia, Colorado, Connecticut, Utah, and the aforementioned Iowa).

Meanwhile, Montana and Tennessee could follow quickly: bills in both states have made it to their respective governor's desks.

Uniquely, and apparently to provide an opportunity to learn how similar (but by no means identical) statutes in other states fare, the ICDPA will not go into effect until July 1, 2026. (Currently, only the laws enacted in California and Virginia are in force. The big day in Colorado and Connecticut is July 1st of this year, in Utah it is December 31st, and in Iowa it is January 1, 2025.)

Based largely (though, again, not entirely) on the Virginia Consumer Data Protection Act, the ICDPA creates several consumer rights: to know, to access, to correct, to delete, and to port data, as well as the ability to opt out of its processing/sale.

And it requires businesses, among other things, to provide a privacy notice and other disclosures, to obtain affirmative consent before processing "sensitive personal data," to conduct data protection impact assessments, and to enter binding contracts with third-party data processors to ensure that they, too, respect consumer privacy rights.

The ICDPA will be enforced exclusively by the Indiana attorney general. (It does not establish a private right of action.) In addition, it provides businesses with a 30-day cure period.

At the federal level, the House Committee on Energy & Commerce's Innovation, Data, and Commerce Subcommittee held a hearing on April 27th titled "Addressing America's Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans' Personal Information." It was the sixth Committee hearing on the topic of privacy thus far this legislative session.

In a joint statement, Committee Chair Cathy McMorris Rodgers (R – WA) and Subcommittee Chair Gus Bilirakis (R – FL) wrote that "[t]he Energy and Commerce Committee is building momentum this Congress towards enacting comprehensive national privacy and data security legislation."

Fittingly, in his opening statement, Subcommittee Chair Bilirakis acknowledged that the data privacy picture "only gets more complicated as fifty different states move towards their own data privacy laws, meaning an increasingly complicated and confusing landscape for consumers and for business."

Friday, March 31, 2023

Iowa Is State No. 6 to Pass a Privacy Statute

On March 28, Iowa Governor Kim Reynolds signed Senate File (SF) 262, "an Act relating to consumer data protection, providing civil penalties, and including effective date provisions." Following in the footsteps of California (here and here), Virginia, Colorado, Utah, and Connecticut, Iowa has become the sixth state to pass its own unique take on a comprehensive data privacy law.

With Congress still unable to agree upon the details of a national privacy framework, this most recent addition to the steadily expanding list of inconsistent state statutes further exacerbates compliance headaches for companies and adds to consumer confusion.

Laws in California and Virginia already are in effect. The start date for those in Colorado and Connecticut is July 1, 2023. Utah's statute becomes valid at the end of this year. And Iowa's SF 262 kicks in on January 1, 2025.

In other state-level privacy news, both California and Colorado recently finalized rulemaking proceedings arising from their respective comprehensive data privacy statutes:

  • On March 29, the California Office of Administrative Law approved the initial set of rules implementing the California Privacy Rights Act, also known as Proposition 24. Adopted by the California Privacy Protection Agency (CPPA), the first-of-its-kind state agency specifically dedicated to privacy, the rules became effective immediately. By statute, however, California's Office of Attorney General cannot initiate enforcement efforts until July 1. (Once officially processed, those rules, which substantively are unchanged from the drafts voted on by the CPPA in February, will be available here.)
  • On March 15, the Colorado Attorney General's Office announced that it had filed with the Colorado Secretary of State's Office final versions of its rules implementing the Colorado Privacy Act. Like the statute itself, those rules will go into effect on July 1.

At the federal level, meanwhile, the American Data Privacy and Protection Act, the first bill of its kind to make it out of congressional committee, remains in limbo. However, there have been two House Commerce Committee hearings on the topic of privacy thus far in 2023.

The first, entitled "Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy," was held by the Innovation, Data, and Commerce Subcommittee on March 1.

The second, a full Committee hearing entitled "TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms," took place on March 23.

In a media appearance shortly thereafter, Chair Cathy McMorris Rodgers (R-WA) stated that the testimony of TikTok CEO Shou Chew puts "more urgency on us passing a national data privacy law to protect [America] from the next technological tool or weapon that China may put together" and that "[w]e need a national data privacy standard … and that's what Ranking Member Pallone and I have worked on and we're going to introduce this Congress because we need to take action."

Tuesday, October 25, 2022

Privacy Recap: Regulatory Developments in California, Colorado

As the promising-but-flawed American Data Privacy and Protection Act awaits a House floor vote and the revised deadline for comments on the FTC's highly problematic privacy Advance Notice of Proposed Rulemaking looms, state activity continues to fill the federal void.

In California, the only state where a comprehensive data privacy law has gone into effect, enforcement is underway – while, simultaneously, efforts to adopt rules implementing the Golden State's second privacy statute near the finish line. And in Colorado, the rulemaking process relating to its privacy law is just getting started.

In August, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora, Inc. regarding several alleged violations of the California Consumer Privacy Act (CCPA), which became valid law at the beginning of 2020.

According to the complaint, Sephora "did not tell consumers that it sold their personal information," "did not provide consumers with an easy-to-find 'Do Not Sell My Personal Information' link," and did not configure its website "to detect or process any global privacy control signals, such as the 'Global Privacy Control' (GPC)."

As explained in the GPC website FAQs, the GPC "is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user's browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification."

Under the CCPA, the enabling of a universal opt-out mechanism such as the GPC has the same legal effect as clicking on a "Do Not Sell My Personal Information" link.
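As an added example (not code from the post, from Sephora, or from the GPC project), the snippet below shows how a site can detect the signal the complaint says Sephora failed to process and give it the same effect as a "Do Not Sell" click. The `Sec-GPC` request header, its value `1`, and the `/.well-known/gpc.json` resource come from the GPC specification; the cookie name and the sample requests are assumptions made for this example.

```javascript
// Added example, not code from the post, the GPC project or Sephora: how a
// site can detect a Global Privacy Control signal and give it the same effect
// as a click on "Do Not Sell My Personal Information", as the CCPA requires.
// The header name "Sec-GPC" (value "1") and the /.well-known/gpc.json
// resource come from the GPC specification; the cookie name and the sample
// requests below are constructed for this example.

const DO_NOT_SELL_COOKIE = "dns_opt_out"; // hypothetical site cookie name

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, wanted) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === wanted.toLowerCase()) return String(value);
  }
  return undefined;
}

// True only for the exact value the spec defines. "0", "true", "yes" or an
// absent header are NOT signals: they must not be treated as an opt-out,
// and they must not be treated as consent either; they simply say nothing.
function gpcSignalled(headers) {
  const v = getHeader(headers, "Sec-GPC");
  return v !== undefined && v.trim() === "1";
}

// Minimal Cookie-header parser into a {name: value} map (no URL decoding).
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Decides, per request, whether third-party "sale" tags (ad/analytics
// pixels, data-broker beacons) may be loaded. Returns a structured result
// so every decision can be logged as audit evidence.
//   sell:    false when any opt-out applies
//   reason:  which rule fired
//   persist: true when the GPC signal should now be stored as an explicit
//            opt-out, so later requests without the header stay opted out
function decideSale(req) {
  const cookies = parseCookies(getHeader(req.headers, "Cookie"));
  const storedOptOut = cookies[DO_NOT_SELL_COOKIE] === "1";
  if (gpcSignalled(req.headers)) {
    return { sell: false, reason: "gpc-signal", persist: !storedOptOut };
  }
  if (storedOptOut) {
    // Absence of Sec-GPC on a later request never revokes an earlier opt-out.
    return { sell: false, reason: "stored-opt-out", persist: false };
  }
  return { sell: true, reason: "no-opt-out", persist: false };
}

// Body for GET /.well-known/gpc.json, the spec's way for a site to declare
// that it honours the signal (lastUpdate is an ISO 8601 date string).
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests: an extension-enabled browser, a returning
// visitor without the header, and a visitor who has never opted out.
const samples = [
  { headers: { "sec-gpc": "1", "User-Agent": "ExampleBrowser/1.0" } },
  { headers: { Cookie: "session=abc; dns_opt_out=1" } },
  { headers: { "Sec-GPC": "0" } },
];
for (const req of samples) console.log(JSON.stringify(decideSale(req)));
```

The same check belongs wherever the site decides to load a third-party tag, since a signal that is detected but not acted upon is exactly the gap the complaint describes.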

While the Sephora settlement is the first of its kind, it is by no means the only enforcement action undertaken by the California Attorney General's office. As noted in the Press Release, "[s]ince July 1, 2020, the Attorney General has issued notices to a wide array of businesses alleging noncompliance with the CCPA. Notices to cure have been issued to major corporations in the tech, healthcare, retail, fitness, data brokerage, and telecom industries, among others."

In addition, and as I detailed in "California Voters Approve the California Privacy Rights Act: A Detailed Analysis of Its Requirements and Impact," a November 2020 Perspectives from FSF Scholars, the California Privacy Rights Act of 2020 (CPRA), which builds upon and modifies the CCPA, created the California Privacy Protection Agency (CPPA), the nation's first (and, at present, only) state agency dedicated to consumer privacy.

Once established, the CPPA assumed privacy-related rulemaking responsibilities from the office of the Attorney General. On May 27, 2022, the CPPA released draft CPRA regulations. Publication of a Notice of Proposed Rulemaking on July 8, 2022, formally started the process. The comment period closed on August 23, 2022.

On October 17, 2022, the CPPA released a modified draft of the CPRA regulations, as well as an explanation of the modified text. The CPPA Board will discuss, and potentially adopt some or all of the proposed rules, at virtual meetings this Friday and Saturday.

Per the CPPA's website, "[t]he proposed regulations (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand."

Colorado was the third state out of five so far – the others are California, Virginia, Utah, and Connecticut – to adopt a comprehensive data privacy statute. I summarized the major provisions of the Colorado Privacy Act (CPA) in an April 2021 post to the Free State Foundation's blog.

The CPA, which is scheduled to go into effect on July 1, 2023, authorizes the Colorado Attorney General to craft rules generally "for the purpose of carrying out" the CPA as well as a specific rule regarding "the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data."

On October 10, 2022, Colorado Attorney General Phil Weiser's office published a Notice of Proposed Rulemaking (NPRM). Comments are due on or before February 1, 2023 – but earlier deadlines apply if they are to "inform the stakeholder meetings" scheduled for November 10, 15, and 17, or are to be considered at the rulemaking hearing on February 1, 2023.

Specific topics addressed in the NPRM include: the substantive requirements for privacy notices, the scope of the consumer rights established by the CPA and the processes by which those rights are exercised, specifications for universal opt-out mechanisms, the duties of businesses ("controllers") that collect personal information, and the method by which consent is obtained ("including the prohibition against obtaining agreement through the use of Dark Patterns").

Thursday, July 15, 2021

Exhibit C(O) in the Case for a Federal Data Privacy Law: The Colorado Privacy Act

Colorado became the third state to enact comprehensive data privacy legislation when, on July 8, 2021, Governor Jared Polis signed the Colorado Privacy Act (CPA). With the passage of each new state law the rights of consumers become more uncertain, the compliance challenges for businesses become more complicated, and the urgent need for a preemptive federal statute becomes even more pronounced.

California was the first state to occupy the void created by congressional inaction, Virginia the second.

In fact, two comprehensive data privacy proposals have become law in California: (1) the state legislature in 2018 passed the California Consumer Privacy Act (CCPA), which I described in "California's Heavy-Handed Approach to Protecting Consumer Privacy: Exhibit A in the Case for Federal Preemption," an October 2019 Perspectives from FSF Scholars, and (2) voters in last year's election approved the California Privacy Rights Act, which I discussed in a November 2020 Perspectives.

The Virginia Consumer Data Protection Act (VCDPA), meanwhile, became law in March 2021. I summarized its provisions in a February 2021 post to the FSF Blog.

Prior to the VCDPA's passage (it goes into effect on January 1, 2023), the CCPA as a practical matter assumed the role of a national privacy standard, as many businesses determined that it is easier to comply with the CCPA's requirements throughout the country than to try to separate out, and treat differently, California residents. But once Virginia Governor Ralph Northam signed the VCDPA, which is similar but by no means identical to the CCPA, the compliance headache for businesses expanded exponentially.

As I explained in March 2021's "Inconsistent State Data Privacy Laws Increase Confusion and Costs," as more states embark on their own, unique paths, businesses are forced to choose between two problematic options: (1) developing and implementing multiple state-specific compliance regimes, an endeavor fraught with risk given that, as a technical matter, Internet traffic knows no borders, or (2) aggregating the most onerous obligations set forth in the growing number of state laws and abiding by that evolving "worst of" collection nationwide.

The passage of the CPA, which I detailed in an April 2021 FSF Blog post and which goes into effect on July 1, 2023, further exacerbates that situation.

The remedy, of course, is a federal data privacy regime that preempts state laws.

In that regard, I note that President Biden's July 9, 2021, "Executive Order on Promoting Competition in the American Economy" urges the FTC to consider adopting rules addressing unfair data collection:

To address persistent and recurrent practices that inhibit competition, the Chair of the FTC, in the Chair's discretion, is also encouraged to consider working with the rest of the Commission to exercise the FTC's statutory rulemaking authority, as appropriate and consistent with applicable law, in areas such as … unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.

FTC Commissioner Christine Wilson (R), who spoke about data privacy at both the 2021 and 2020 (video) Free State Foundation Annual Telecom Policy Conferences, last month indicated that, given the failure of Congress to act and the proliferation of inconsistent state laws, she has "reluctantly come to consider whether we should begin a privacy rulemaking proceeding at the Federal Trade Commission."

Federal legislation, however, is the preferred path forward. More to the point, what is needed is a comprehensive data privacy statute that preempts state laws, treats all businesses with access to personal information the same, provides consumers with adequate disclosures and allows them to "opt out" of the use of their non-sensitive data, empowers the FTC with exclusive enforcement authority, and rejects a private right of action.

Unfortunately, press reports indicate that congressional activity on privacy once again has "stalled." Might the silver lining to the CPA's passage be the additional pressure needed to reignite those efforts?

Time will tell.

Tuesday, April 06, 2021

Colorado Lawmakers Introduce Data Privacy Bill

Colorado is the latest state to consider comprehensive data privacy legislation.

On March 19, State Senators Robert Rodriguez (D), Chair of the Business, Labor & Technology Committee, and Paul Lundeen (R), Minority Whip, introduced SB 21-190, the Colorado Privacy Act (the Act).

Should the Act become law, consumers at any time could opt out of the sale, collection and/or use of "personal data," which the Act defines as "information that is linked or reasonably linkable to an identified or identifiable individual."

In addition, covered businesses would be required to obtain opt-in consent before processing "sensitive personal data," defined as: (1) "personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status," (2) "genetic or biometric data that may be processed for the purpose of uniquely identifying an individual," or (3) the personal data of individuals below the age of 13.

Covered businesses would be required to conduct and document data protection assessments in connection with activities "that present a heightened risk of harm to a consumer," such as the processing of sensitive personal data, the processing of personal data for targeted advertising or profiling purposes, or the sale of personal data.

Although such data protection assessments would be confidential, covered businesses would have to make them available to the Attorney General upon request.

Covered businesses also would be required to make available "a reasonably accessible, clear, and meaningful privacy notice"; "specify the express purposes for which personal data is collected and processed" and not process personal data "for purposes that are not necessary to or compatible with" those specified purposes without first obtaining the consumer's consent; and abide by duties of data minimization, care, and avoidance of unlawful discrimination.

Consumers, meanwhile, would be granted the following rights: the rights to access, correct, and delete personal data; the right to data portability; and the ability to appeal denied requests to exercise these rights.

The Act would not create a private right of action. Instead, the Colorado Attorney General and district attorneys would have exclusive enforcement authority. Remedies would include injunctive relief and civil penalties up to $2,000 per violation, not to exceed $500,000 for any related series of violations.

If adopted into law, the Act would become effective on January 1, 2023.

For additional posts to the Free State Foundation Blog discussing state data privacy legislation, please click here (Florida) and here (Virginia).

For a Perspectives from FSF Scholars describing the worst-of-all-worlds compliance nightmare, costs, and confusion that multiple, inconsistent state data privacy laws would impose on both businesses and consumers, please click here.

And for a post describing recently introduced federal legislation that would preempt state laws, please click here.