A status check on the state of artificial intelligence regulation in the U.S.

Takeaways

  • Executive Order 14365 has so far not brought any clarity or consistency to U.S. artificial intelligence (AI) regulations.
  • No U.S. state AI laws have been challenged or overturned (yet).
  • Businesses should be careful about not overcorrecting to early federal pressure on AI regulations. Even if they are overturned, organizations would still have consumer protection, anti-bias, and anti-discrimination obligations that state regulators and Attorneys General will enforce in the AI context through other mechanisms.

OpenAI released GPT-4 in March 2023. By then, it was already the fastest-growing software application in the history of the human race. Artificial intelligence had already been deployed across many businesses, but the rapid proliferation of large language models into everyday life transformed AI regulation from a niche concern into the top priority of legislative sessions nationwide. There was a scramble to regulate and then understand (in that order) this new technology, resulting in over-drafted measures followed by industry pushback and a subsequent contraction due to the chilling effect that reactionary regulation can have on business investment.[1]

Continue Reading The Curious Case of Executive Order 14365’s Impact on AI Regulation

Takeaways

  • The CCPA Dives Into Internal Governance. The new amendments introduce three major regulatory pillars: new requirements for Automated Decision-Making Technology (ADMT), mandatory annual cybersecurity audits, and a requirement for businesses to conduct pre-processing data protection risk assessments.
  • ADMT. The CCPA has adopted pre-notice, risk assessment, consumer opt-out, and access obligations, as have been found in more recent privacy laws, with regard to automated decision-making and profiling.
  • Mandatory Executive Oversight. Members of a business’s executive management team are now directly responsible for overseeing the new mandatory cybersecurity audits and risk assessments and are responsible for making the necessary related certifications to the California Privacy Protection Agency (CPPA).
  • Phased Compliance Deadlines. The new regulations will likely be effective within the next four months and have compliance deadlines extending from 2027 through 2030.

Summary

After a tortured process taking years, the California Privacy Protection Agency has finalized the long-awaited amendments to the CCPA Regulations. The final package of regulations, now spanning more than 100 pages, is pending final review by the California Office for Administrative Law (OAL). If the OAL files the regulations by August 31, 2025, they will take effect on October 1, 2025. If the filing occurs between September 1 and November 30, the regulations will take effect on January 1, 2026.

Continue Reading New CCPA Regulations: Culture Change and the Rise of the ex ante Framework

Key Takeaways:

  • The Minnesota Consumer Data Privacy Act (the “Act”) follows established trends regarding transparency, data minimization, and required assessments, but represents the next evolution in consumer rights under U.S. state-by-state privacy legislation.
  • The Act provides consumers with special rights related to profiling, that is, automated processing of personal data to evaluate, analyze, or predict personal aspects of an individual, including through AI, not found in other state laws.
  • The Act requires covered organizations to adapt and expand their existing compliance programs in order to respond to these new consumer rights.

Summary:

Starting July 31, Minnesota will join the growing list of U.S. states with its own comprehensive consumer data privacy law, but with a key difference. Signed into law in 2024, the Minnesota Consumer Data Privacy Act follows the broader national trend toward stronger data protection and use standards. Like other U.S. state privacy laws, the Act requires covered organizations to:

Continue Reading The Minnesota Consumer Data Privacy Act Is the Next Evolution in Consumer Privacy Rights

Takeaways

  • Increased federal deregulation and related actions are further destabilizing the already tenuous foundation of the Data Privacy Framework (DPF). European privacy regulators have been issuing guidance indicating that they expect a European pull-back from the DPF.
  • Businesses that rely on the DPF should maintain their certification, but should move now to prepare to activate alternative data transfer mechanisms, such as the standard contractual clauses, and update lapsed transfer and data privacy impact assessments.
  • Review current cloud-storage arrangements and consider regionalizing European data storage to avoid EU-to-U.S. data transfers, especially if your cloud provider is relying on DPF certification to legitimize GDPR data transfers.

After years of litigation, false starts, and invalidated frameworks, the U.S. had finally achieved a simplified path for GDPR compliant transfers of personal data from Europe. However, European reaction to the recent changes on the U.S. side of the pond indicates a wavering in the support of the EU-U.S. Data Privacy Framework (DPF) and threatens to send the U.S. back into the data transfer dark ages.

Continue Reading Status Check: Support Is Quickly Eroding for the EU-U.S. Data Privacy Framework

We’re not playing horseshoes here, folks. It’s time to review your consumer privacy rights forms and mechanisms.

Key Takeaways

  • The fields relating to requests to opt-out of sale/sharing and requests to limit should only solicit the information strictly necessary to complete the request, which is likely less than the other more substantive requests (like access and delete). This applies to authorized agent opt-out requests as well.
  • For the more substantive requests (like access and delete), re-evaluate how much information is actually necessary for you to fulfill the consumer’s request. Ensure your form is not asking for anything extraneous.
  • Review your cookie consent toggles to ensure that the exact number of steps are involved in opting-out of certain cookies as they are for opting-in.
  • Ensure you have CCPA-compliant contracts with your advertising technology providers saved in your files.
Continue Reading Close Enough Is Not Good Enough When It Comes to Consumers’ Privacy Rights

Takeaways

  • Conflicting court rulings regarding the retroactivity of the BIPA Amendment create significant legal ambiguity for businesses facing pending lawsuits.
  • It is crucial for businesses to stay informed about ongoing BIPA litigation developments, as outcomes could have substantial financial implications.

While enacted in 2008, the Illinois Biometric Information Privacy Act (“BIPA”) did not emerge as a significant source of litigation until nearly 10 years later. From 2015 to 2023, there was nearly a 7,000% increase in BIPA claims. Although this snowball effect can be partially attributed to the rapid evolution of biometric technologies, a series of Plaintiff-friendly decisions also spurred BIPA filings. With recent developments on the legislative front and in the courtroom, has BIPA litigation finally reached its peak?

Continue Reading Interpretation of BIPA Amendment Splits the Courts: Implications for Businesses

As AI continues to advance at a rapid pace, two notable foreign players have emerged: DeepSeek and Qwen. These powerful AI models, developed by a Chinese lab and Alibaba, respectively, have garnered attention for their impressive capabilities and potential to disrupt the AI industry. However, alongside their technological prowess comes a host of privacy concerns that warrant closer examination. This article delves into the privacy pitfalls associated with these AI models and explores the implications for users and the broader AI ecosystem.

Continue Reading Privacy Pitfalls in AI: A Closer Look at DeepSeek and Qwen

Takeaways

  • Human Authorship is Essential for Copyright Protection
  • AI as an Assistive Tool Does Not Negate Copyright Eligibility
  • Transparency in Disclosures is Crucial

The U.S. Copyright Office has released Part 2 of its comprehensive report on AI, delving into the complex issue of copyrightability for works created using generative AI systems. This eagerly anticipated report addresses the fundamental questions surrounding human authorship, creative control, and copyright protection in an era of rapidly advancing AI technologies. As generative AI continues to reshape creative industries, the Copyright Office’s findings provide crucial guidance on how existing copyright law applies to AI-assisted and AI-generated works.

In its report, the Copyright Office reaffirms several fundamental principles while providing clarity on how existing copyright law applies to works involving AI. Key findings from the report include

Continue Reading The Future of Creativity: U.S. Copyright Office Clarifies Copyrightability of AI-Generated Works

In Greek mythology, Sisyphus was punished by Hades for cheating death (twice) by forcing him to roll an immense boulder up a hill only for it to roll back down every time it neared the top. AI stakeholders know the feeling. Attempting to keep pace with the downpour of artificial intelligence-related regulation, guidance, rules and requirements emerging over the past two years feels like a mythical challenge.

At any point in time, there are 50 U.S. states, five inhabited territories, the White House, a federal district, a dozen federal agencies, a hundred-odd state agencies and a couple thousand municipalities all tackling the same question: what are the rules for a safe, legal and generally non-evil deployment of artificial intelligence tools?

Different regulators have come up with different answers to that question. What have they focused on so far?

Continue Reading Understanding Trends in AI Legislation

Colorado just became the first U.S. state to pass a law (Senate Bill 24-205 “SB 24-205” or the “CAIA”) regulating consumer harms arising out of artificial intelligence (“AI”). While the CAIA will not go into effect until February 2026, it is part of a growing trend in the U.S., including, most notably, the White House’s guidance on “Algorithmic Discrimination Protections” published at the end of 2023.

Continue Reading Colorado’s Artificial Intelligence Act (CAIA) – The First U.S. State Law Regulating Consumer Harms Arising Out of AI