Data Points: Privacy & Data Security Blog

Effective January 1, 2026, the Texas Responsible Artificial Intelligence Governance Act (TX H.B. 149, 2025) takes a unique approach to AI regulation—pulling threads from the EU AI Act, Colorado's comprehensive AI statute, and national innovation policy, while weaving in Texas-specific priorities.

Colorado was the third state in the U.S. to pass comprehensive privacy legislation, following in the footsteps of California and Virginia (the Colorado Privacy Act (the “CPA”).  Now Colorado is increasing protections again, this time for biometric data effective July 1, 2025, and minors (defined as a consumer under the age of 18), effective October 1, 2025. Because the scope of coverage for both controllers and data subjects increases with these amendments, entities dealing with consumers or employees in Colorado should carefully review  whether they are subject to these changes and begin the process of revising their policies, notices, and assessments.

In February 2025, the Virginia legislature passed a bill governing high risk artificial intelligence. On March 24, 2025, Governor Youngkin vetoed it.

On February 14, 2025, New York’s Governor Hochul signed into law A.B. 920, which amended the state’s Information Security Breach and Notification Act to add personal health information to the types of data that constitute “private information” requiring notice to affected persons.

On June 29, 2024, Rhode Island’s governor signed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) into law. The RIDTPPA will go into effect January 1, 2026. The law generally aligns with other comprehensive data privacy laws, with a few notable exceptions, such as no cure period for violations disclosure requirements for third-party data sales, and the broad applicability of privacy notice requirements.

On October 22, 2024, the Consumer Financial Protection Bureau (the “CFPB”) finalized its personal financial data rights rule (“The Final 1033 Rule” or the “Final Rule”) that would require data providers to make available to consumers and their authorized third parties certain covered data in the data provider’s control or possession concerning a covered consumer financial product or service. This Final Rule comes a year after the CFPB initially proposed the rule (the “Proposed Rule”) in October of 2023.

On May 24, 2024, Minnesota’s governor signed the 18^th comprehensive state privacy law since California enacted the first comprehensive data privacy legislation in 2018. The Minnesota Consumer Data Privacy Act (“MCDPA”) will take effect on July 31, 2025. The MCDPA is similar in many ways to current data privacy laws but also has some elements unique to the MCDPA.

The legal landscape surrounding the creation, use and governance of artificial intelligence (AI) is rapidly changing and growing, imposing significant obligations on business and new rights for individuals. In recent months, the US has seen new AI laws and regulations, both passed and proposed, at both the federal and state levels. The following details some recent developments in the US. There is a clear trend towards notifying consumers that they are interacting with AI, protecting individuals from the risks of AI, as well as an emphasis on AI governance. But stay tuned—these ...

So far 2024 has seen a flurry of new and proposed state comprehensive privacy legislation. Nebraska and Kentucky are the two latest states to jump on the bandwagon. Both follow the now familiar framework established by the Virginia Consumer Data Protection Act. We explore each below.

New Hampshire.  On March 6, 2024, New Hampshire Governor Chris Sununu signed the state’s first comprehensive consumer privacy bill into law. The New Hampshire Privacy Act (the “NHPA”) is now the fourteenth such law to be passed in the United States, joining likes of California, Oregon, Montana, Iowa, Indiana, and Tennessee, just to name a few. The NHPA is slated to take effect January 1, 2025 and will be enforced by the New Hampshire Attorney General.

Like many of its predecessors, the NHPA provides New Hampshire residents with rights to access, correct, and delete their personal ...