On October 29th, the Eastern District of Kentucky (the “Court”) enjoined the CFPB from enforcing the Personal Financial Data Rights Rule (the “Rule”) until it has completed its reconsideration of the Rule.[1] The Rule had been released by the Consumer Financial Protection Bureau (“CFPB”) in October of 2024 pursuant to the CFPB’s authority under Section 1033 of the Dodd-Frank Act.[2] The Rule requires financial institutions to share consumers’ personal financial data with other providers at no cost upon the consumer’s request. The Court, having determined that challenges to the Rule were likely to succeed on the merits, has now enjoined the CFPB from enforcing the Rule, finding that requiring financial institutions to comply with the Rule while it is under reconsideration by the CFPB would cause irreparable harm.
In October, California Governor Gavin Newsom signed into law Senate Bill No. 446 (“SB 446”), amending the state’s data breach notification statute, California Civil Code Section 1798.82. SB 446 passed the California Senate and State Assembly unanimously. The law will go into effect on January 1, 2026, meaning that individuals or companies doing business in California will need to ensure their incident response plans are updated for the new year.
In 2024, Colorado enacted the Colorado Artificial Intelligence Act, establishing one of the nation’s most comprehensive state-level frameworks for regulating high-risk AI systems. The law applies to AI used in consequential decision-making such as housing, employment, healthcare, education, and financial or lending services. The law was originally scheduled to take effect on February 1, 2026. However, recent legislative developments have altered that timeline and raised questions about the law’s future scope and implementation.
We’re about one month away from the effective date of Maryland’s version of a state comprehensive privacy law, the Maryland Online Privacy Act (MODPA).
On August 22nd, the Consumer Financial Protection Bureau (the “CFPB”) published an advance notice of proposed rulemaking (an “ANPR”) relating to a reconsideration of the CFPB’s current Personal Financial Data Rights Rule (the “Current PFDR Rule”) that had been previously released in late 2024 pursuant to the authority of Section 1033 of the Dodd-Frank Act.[1] The Current PFDR Rule requires that data providers (i.e., banks and other financial institutions) make available to consumers and their authorized third parties (such as FinTech service providers) certain covered data in the data provider’s control or possession concerning a covered consumer financial account.
Effective January 1, 2026, the Texas Responsible Artificial Intelligence Governance Act (TX H.B. 149, 2025) takes a unique approach to AI regulation—pulling threads from the EU AI Act, Colorado's comprehensive AI statute, and national innovation policy, while weaving in Texas-specific priorities.
Colorado was the third state in the U.S. to pass comprehensive privacy legislation (the Colorado Privacy Act (the “CPA”)), following in the footsteps of California and Virginia. Now Colorado is increasing protections again, this time for biometric data, effective July 1, 2025, and minors (defined as a consumer under the age of 18), effective October 1, 2025. Because the scope of coverage for both controllers and data subjects increases with these amendments, entities dealing with consumers or employees in Colorado should carefully review whether they are subject to these changes and begin the process of revising their policies, notices, and assessments.
In February 2025, the Virginia legislature passed a bill governing high-risk artificial intelligence. On March 24, 2025, Governor Youngkin vetoed it.
On February 14, 2025, New York’s Governor Hochul signed into law A.B. 920, which amended the state’s Information Security Breach and Notification Act to add personal health information to the types of data that constitute “private information” requiring notice to affected persons.
On June 29, 2024, Rhode Island’s governor signed the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) into law. The RIDTPPA will go into effect January 1, 2026. The law generally aligns with other comprehensive data privacy laws, with a few notable exceptions, such as no cure period for violations, disclosure requirements for third-party data sales, and the broad applicability of privacy notice requirements.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.