The legal landscape surrounding the creation, use and governance of artificial intelligence (AI) is rapidly changing and growing, imposing significant obligations on business and new rights for individuals. In recent months, the US has seen new AI laws and regulations, both passed and proposed, at both the federal and state levels. The following details some recent developments in the US. There is a clear trend towards notifying consumers that they are interacting with AI, protecting individuals from the risks of AI, as well as an emphasis on AI governance. But stay tuned—these ...

So far 2024 has seen a flurry of new and proposed state comprehensive privacy legislation. Nebraska and Kentucky are the two latest states to jump on the bandwagon. Both follow the now familiar framework established by the Virginia Consumer Data Protection Act. We explore each below.

New Hampshire.  On March 6, 2024, New Hampshire Governor Chris Sununu signed the state’s first comprehensive consumer privacy bill into law. The New Hampshire Privacy Act (the “NHPA”) is now the fourteenth such law to be passed in the United States, joining likes of California, Oregon, Montana, Iowa, Indiana, and Tennessee, just to name a few. The NHPA is slated to take effect January 1, 2025 and will be enforced by the New Hampshire Attorney General.

Like many of its predecessors, the NHPA provides New Hampshire residents with rights to access, correct, and delete their personal ...

Last week we wrote about the California Court of Appeals’ February 9th decision vacating the trial court’s June 2023 order delaying enforcement of the California Privacy Rights Act (“CPRA”).  After that decision, we were left to wonder whether the plaintiff, the California Chamber of Commerce (the “Chamber”), would pursue an appeal. This week we got our answer. On February 20th the Chamber filed a petition with the California Supreme Court seeking review of the Court of Appeals’ decision.

The Chamber’s petition is unsurprising, given its staunch opposition to ...

On February 9, 2024, a California Court of Appeals vacated a June 2023 order delaying enforcement of the California Privacy Rights Act’s (CPRA) implementing regulations. It has been a long journey for the California Privacy Protection Agency (CPPA), which promulgated the regulations almost a year ago, on March 29, 2023. The CPPA planned to begin enforcement of the regulations as early as July 1, 2023, but last spring, the California Chamber of Commerce (Chamber) filed a lawsuit arguing for delayed enforcement. In June 2023, a California superior court ruled in favor of the ...

Last week, the White House issued an update on President Biden’s October 30, 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “AI EO” or “EO”). The update detailed the progress made on the EO directives, including among others, using the Defense Production Act to require AI companies to make specific reports on their AI systems to the government and proposing a rule that would require cloud companies to report foreign use of their services to train AI models and verify the identities of foreign customers. As ...

In July, Oregon’s governor signed into law the Oregon Consumer Privacy Act (“OCPA”), making Oregon the eleventh state to enact a comprehensive privacy law.  The OCPA goes into effect on July 1, 2024.  Covered business other than applicable non-profits must comply with the OCPA by that date.  Applicable non-profits will become subject to the OCPA on July 1, 2025.   

On June 30, 2023, a court in Sacramento issued an order enjoining enforcement of the implementing regulations promulgated by the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act of 2020 (CPRA). If the order stands, enforcement will be delayed until March 29, 2024.

In June, Texas became the tenth state with a comprehensive privacy law. The Texas Data Privacy and Security Act (“TDPSA”) contains familiar provisions from other state privacy laws regulating the collection, use, processing, and treatment of consumers’ personal data, but also has Texas-specific provisions. The TDPSA will be effective as of July 1, 2024, allowing a one-year compliance period.

This month, Indiana, Montana and Tennessee passed comprehensive privacy laws. Each tracks closely the comprehensive privacy laws outside of California, but with some variations. None applies to employee data or has a private right of action.  All have cure rights. Tennessee uniquely provides an affirmative defense for controllers who follow the NIST privacy framework. Tennessee’s law will go into effect July 1, 2024, giving businesses just over a year to prepare to comply. Indiana’s law affords businesses more time to comply – it will not take effect until January 1, 2026. Montana’s law will go into effect October 1, 2024. Below is a summary of key points from each law.

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.

Stay Informed

* indicates required
Jump to Page

Subscribe To Our Newsletter

Stay Informed

* indicates required

By using this site, you agree to our updated Privacy Policy and our Terms of Use.