Category Archives: U.S. State Privacy Laws

Does California’s Delete Act Have the “DROP” on Data Brokers?: Updates and Insights from the Recent Stakeholder Session

 by Christine E. Lyon, Christine Chong, Jackson Myers, and Ortal Isaac

Photos of the authors

From left to right: Christine E. Lyon, Christine Chong and Jackson Myers. (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

The California Delete Act will make it easier for California consumers to request deletion of their personal information by so-called “data brokers,” a term that is much broader than companies may expect (see our prior blog post here). In particular, the Delete Act provides for a universal data deletion mechanism—known as the Data Broker Delete Requests and Opt-Out Platform, or “DROP”—that will allow any California consumer to make a single request for the deletion of their personal information by certain, or all, registered data brokers. In turn, by August 2026, data brokers will be required to regularly monitor, process, and honor deletion requests submitted through the DROP.

While the DROP’s policy objectives are fairly straightforward, it is less clear how the DROP will work in practice. For example, what measures will be taken to verify the identity of the consumer making the request, to ensure that the requesting party is the consumer they claim to be? What measures will be taken to verify that a person claiming to act as an authorized agent for a consumer actually has the right to request deletion of that consumer’s personal information? Unauthorized deletion of personal information may result in inconvenience or even loss or harm to individuals, which raises the stakes for the California Privacy Protection Agency (CPPA) as the agency responsible for building the DROP.

Continue reading

Recently Enacted AI Law in Colorado: Yet Another Reason to Implement an AI Governance Program

by Avi GesserErez Liebermann, Matt KellyMartha HirstAndreas Constantine PavlouCameron Sharp, and Annabella M. Waszkiewicz

Photos of the authors.

Top left to right: Avi Gesser, Erez Liebermann, Matt Kelly, and Martha Hirst. Bottom left to right: Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz. (Photos courtesy of Debevoise & Plimpton LLP)

On May 17, 2024, Colorado passed Senate Bill 24-205 (“the Colorado AI Law” or “the Law”), a broad law regulating so-called high-risk AI systems that will become effective on February 1, 2026.  The law imposes sweeping obligations on both AI system deployers and developers doing business in Colorado, including a duty of reasonable care to protect Colorado residents from any known or reasonably foreseeable risks of algorithmic discrimination.

Continue reading

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

Photo of the authors.

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.

Continue reading

Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application

by Marshall Mattera and Amanda Pervine

Photo of the author

Marshall J. Mattera (photo courtesy of Hunton Andrews Kurth)

The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data.

Continue reading

Mitigating AI Risks for Customer Service Chatbots

by Avi Gesser, Jim PastoreMatt KellyGabriel KohanMelissa Muse and Joshua A. Goland  

photos of authors

Top left to right: Avi Gesser, Jim Pastore, and Matt Kelly. Bottom left to right: Gabriel Kohan, Melissa Muse and Joshua A. Goland (photos courtesy of Debevoise & Plimpton LLP)

Online customer service chatbots have been around for years, allowing companies to triage customer queries with pre-programmed responses that addressed customers’ most common questions. Now, Generative AI (“GenAI”) chatbots have the potential to change the customer service landscape by answering a wider variety of questions, on a broader range of topics, and in a more nuanced and lifelike manner. Proponents of this technology argue companies can achieve better customer satisfaction while reducing costs of human-supported customer service. But the risks of irresponsible adoption of GenAI customer service chatbots, including increased litigation and reputational risk, could eclipse their promise.

We have previously discussed risks associated with adopting GenAI tools, as well as measures companies can implement to mitigate those risks. In this Debevoise Data Blog post, we focus on customer service chatbots and provide some practices that can help companies avoid legal and reputational risk when adopting such tools.

Continue reading

Kentucky Set to Enact Comprehensive State Privacy Law

by Lisa Sotto, Marshall Mattera, and Amanda Pervine

Lisa Sotto and Marshall Mattera (photos courtesy of Hunton Andrews Kurth LLP)

Update: On April 4, 2024, Governor Andy Beshear signed H.B. 15 into law, making Kentucky the 16th state to enact a comprehensive data privacy law.

On March 27, 2024, the Kentucky legislature passed a comprehensive data privacy bill (“H.B. 15”), which was delivered to the Governor for signature.  If H.B. 15 is enacted, Kentucky will join the growing list of states with comprehensive data privacy laws.  

Continue reading

State Governments Move to Regulate AI in 2024

by Louis W. Tompros, Arianna Evers, Eric P. Lesser, Allie Talus, and Lauren V. Valledor

Photos of authors

(Left to right) Louis W. Tompros, Arianna Evers, Eric P. Lesser, Allie Talus, and Lauren V. Valledor (Photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

Recently, New York Governor Kathy Hochul proposed sweeping artificial intelligence (AI) regulatory measures intended to protect against untrustworthy and fraudulent uses of AI. Presented as part of her FY 2025 Executive Budget, the bill would amend existing penal, civil rights and election laws—establishing a private right of action for voters and candidates impacted by deceptive AI-generated election materials and criminalizing certain AI uses, among other measures. Governor Hochul’s proposals are part of a wider trend of governors and state lawmakers taking more expansive measures to regulate AI that deserve attention from businesses developing and using AI.

Continue reading

U.S. Cybersecurity and Data Privacy Outlook and Review – 2024

by Alexander H. Southwell and Snezhana Stadnik Tapia

Photos of authors

From left to right: Alexander H. Southwell and Snezhana Stadnik Tapia (photos courtesy of Gibson, Dunn & Crutcher LLP)

As with previous years, the privacy and cybersecurity landscape continued to evolve substantially over the course of 2023. We recently provided a review of some of the most significant developments on this topic in the U.S. in the eleventh edition of Gibson Dunn’s U.S. Cybersecurity and Data Privacy Outlook and Review.

Below we summarize the past year’s developments and future prospects, including the wave of new privacy and cyber legal and regulatory advances at the federal and state levels. This past year, states continued to take the lead on enacting privacy legislation and branches of the federal government focused on data security, sensitive data, and artificial intelligence (“AI”). The surge of civil litigation with respect to web-tracking technologies also endured. In 2024, we expect an amplified focus on privacy and cybersecurity issues, as well as with respect to emerging technologies such as AI, to continue.

Continue reading

Navigating Compliance Risks in Robotics Applications within EU and US Legal Frameworks

by Wanda R. Lopuch Ph.D

New Technologies in the European Union and the United States

Photo of author

(Photo courtesy of author)

In the realm of technological innovation, robotics stands out due to its rapid growth and transformative potential. However, this potential brings myriad compliance risks, particularly when navigating the complex legal landscapes of the European Union (EU) and the United States (US). Below, I explore these risks, focusing on the divergent legal frameworks of the EU and the US and the challenges they pose to robotics application.

Continue reading

CPPA’s Regulatory Enforcement Restored: It’s Time to Get Compliant

 by Beth Burgin Waller and Patrick J. Austin

Photos of authors

From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

For businesses subject to California Consumer Privacy Act (CCPA), privacy compliance just became urgent. A California appellate court agreed on February 9, 2024 with the California Privacy Protection Agency (CPPA) that there is no statutory requirement for a one-year gap between approval of privacy regulations and enforcement of those regulations. Overturning a stay of enforcement at the trial court level, the California appellate court held that CCPA regulations can be enforceable upon finalization. This means for businesses subject to the CCPA, there is no ramp-up period between new regulations being finalized and the agency enforcing those new regulations.

Continue reading