In 2024, Colorado enacted the Colorado Artificial Intelligence Act, establishing one of the nation’s most comprehensive state-level frameworks for regulating high-risk AI systems. The law applies to AI used in consequential decision-making such as housing, employment, healthcare, education, and financial or lending services. The law was originally scheduled to take effect on February 1, 2026. However, recent legislative developments have altered that timeline and raised questions about the law’s future scope and implementation.

TAGS: AI

We’re about one month away from the effective date of Maryland’s version of a state comprehensive privacy law, the Maryland Online Privacy Act (MODPA).

On August 22nd, the Consumer Financial Protection Bureau (the “CFPB”) published an advance notice of proposed rulemaking (an “ANPR”) relating to a reconsideration of the CFPB’s current Personal Financial Data Rights Rule (the “Current PFDR Rule”) that had been previously released in late 2024 pursuant to the authority of Section 1033 of the Dodd-Frank Act [1]. The Current PFDR Rule requires that data providers (i.e., banks and other financial institutions) make available to consumers and their authorized third parties (such as FinTech service providers) certain covered data in the data provider’s control or possession concerning a covered consumer financial account.

Effective January 1, 2026, the Texas Responsible Artificial Intelligence Governance Act (TX H.B. 149, 2025) takes a unique approach to AI regulation—pulling threads from the EU AI Act, Colorado's comprehensive AI statute, and national innovation policy, while weaving in Texas-specific priorities.

TAGS: AI

Colorado was the third state in the U.S. to pass comprehensive privacy legislation (the Colorado Privacy Act (the “CPA”)), following in the footsteps of California and Virginia. Now Colorado is increasing protections again, this time for biometric data, effective July 1, 2025, and minors (defined as a consumer under the age of 18), effective October 1, 2025. Because the scope of coverage for both controllers and data subjects increases with these amendments, entities dealing with consumers or employees in Colorado should carefully review whether they are subject to these changes and begin the process of revising their policies, notices, and assessments.

In February 2025, the Virginia legislature passed a bill governing high-risk artificial intelligence. On March 24, 2025, Governor Youngkin vetoed it.

TAGS: AI

On February 14, 2025, New York’s Governor Hochul signed into law A.B. 920, which amended the state’s Information Security Breach and Notification Act to add personal health information to the types of data that constitute “private information” requiring notice to affected persons.

On June 29, 2024, Rhode Island’s governor signed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) into law. The RIDTPPA will go into effect January 1, 2026. The law generally aligns with other comprehensive data privacy laws, with a few notable exceptions, such as no cure period for violations, disclosure requirements for third-party data sales, and the broad applicability of privacy notice requirements.

TAGS: Privacy

On October 22, 2024, the Consumer Financial Protection Bureau (the “CFPB”) finalized its personal financial data rights rule (“The Final 1033 Rule” or the “Final Rule”) that would require data providers to make available to consumers and their authorized third parties certain covered data in the data provider’s control or possession concerning a covered consumer financial product or service. This Final Rule comes a year after the CFPB initially proposed the rule (the “Proposed Rule”) in October of 2023.

On May 24, 2024, Minnesota’s governor signed the 18th comprehensive state privacy law since California enacted the first comprehensive data privacy legislation in 2018. The Minnesota Consumer Data Privacy Act (“MCDPA”) will take effect on July 31, 2025. The MCDPA is similar in many ways to current data privacy laws but also has some elements unique to the MCDPA.

TAGS: Privacy

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
