State Privacy & AI News - 12/27

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy and AI legislation, regulation, and enforcement from across the U.S. states. Before we begin, our Editor-in-Chief has published his annual not-a-predictions column laying out the big questions that will shape the state privacy landscape in 2025; read it here.

1. Contours of AI Debate Enter Greater Focus through Colorado Task Force Meeting

The Patchwork Dispatch has previously covered the Colorado AI Impact Task Force, which is charged with developing recommendations for improvements and clarifications to the Colorado AI Act (CAIA) before it takes effect in February 2026. A Task Force meeting on December 20th was particularly informative, featuring specific proposals to amend the CAIA from two coalitions - one representing public interest groups and the other representing tech associations. We explore key points of divergence between the two coalitions below:

Algorithmic Discrimination: The CAIA is focused on establishing guardrails to protect against algorithmic discrimination in the use of AI systems to render consequential decisions (impacting housing, employment, etc.). The law defines “algorithmic discrimination” to encompass the use of a covered system that results in unlawful discrimination or impact on the basis of protected categories.

  • Public interest groups sought to remove the “unlawful” qualifier from the definition of algorithmic discrimination, focusing instead on use of systems in a manner that discriminates, causes disparate impact, or otherwise makes unavailable the equal enjoyment of goods, services, or other activities or opportunities as related to consequential decisions on the basis of protected classifications.
  • In contrast, industry groups sought to explicitly tie the definition of “algorithmic discrimination” to the use of a covered AI system that results in a violation of state or federal anti-discrimination law.

Substantial Factor: The minimum degree of autonomy a system must exercise in rendering a consequential decision in order to be covered by the law is a key issue in the AI debate (think 'human in the loop'). The CAIA applies to the use of AI systems that make or are a “substantial factor” in making consequential decisions, defined to mean that the output of an AI system must both assist in and be capable of altering the outcome of a consequential decision.

  • The public interest coalition appeared mostly satisfied with the CAIA's current approach to "substantial factor", but suggested that, should this definition be opened back up, they would push to use the broader “contributing factor” standard under the draft Texas Responsible AI Governance Act (TRAIGA), which would only require a covered system to be “intended to be considered” solely or with other criteria in making a consequential decision (more on that below, as this standard has been significantly narrowed in the latest version of TRAIGA).
  • Industry groups did not provide preferred language, but signaled that they are workshopping a proposal that they hope will provide a "clearer scope" for what contributes to a consequential decision.

Duty of Care: The CAIA imposes a ‘duty of care’ on developers of high-risk AI systems to avoid any known or reasonably foreseeable risks of algorithmic discrimination from their products and creates a rebuttable presumption that an organization complying with the Act has satisfied this requirement.

  • Industry groups sought to narrow the duty to encompass only “known” rather than “reasonably foreseeable” risks of algorithmic discrimination. They further proposed expanding protections for businesses by removing the rebuttable presumption mechanism and instead providing that a business shall be deemed to satisfy the duty if it otherwise complies with the Act.
  • Public interest groups sought to abandon the forward-looking duty of care approach entirely and to instead prohibit the sale of covered AI systems that result in algorithmic discrimination. This approach is closer to AB 2930, which passed the California Assembly this year but failed to be enacted.

There were many more points of distinction between the two camps on issues including consumer rights, notices, and enforcement - but as much as I appreciate my readers - I’m not spending my whole holiday season writing them all up. However, with lawmakers set to work on automated decisionmaking technology rules next year in at least Texas (see below), Virginia, Connecticut, and California (via regulations), it will be important for stakeholders seeking to productively engage with state AI proposals to understand these key points of tension.

2. Retooled Texas AI Bill Formally Introduced

The Patchwork Dispatch has previously covered the Texas Responsible Artificial Intelligence Governance Act, which was circulated in draft form in October. On December 23, TRAIGA was formally introduced as HB 1709 by Rep. Capriglione, chair of the Artificial Intelligence & Emerging Technologies Select Committee and primary author of Texas’ comprehensive privacy law.

The version of TRAIGA as filed contains numerous revisions from its draft version, likely reflecting input from a broad cross section of industry stakeholders. Here are five changes that stood out on an initial read:

  • The definition of “algorithmic discrimination” has been modified to explicitly link to unlawful discrimination based on a protected classification in violation of state or federal law.
  • The definition of “artificial intelligence system” has been revised, now focusing on use of “machine learning” and related technologies to train systems to perform tasks normally associated with human intelligence or perception. The original definition focused on the ability of a system to learn from and adapt its behavior based on how its own outputs impacted the environment. Overall, the new definition is likely narrower than many other US regulatory frameworks which are often derived from the OECD standard.
  • The level of autonomy a covered system must possess in making consequential decisions has been narrowed from a “contributing factor” (discussed above) to a “substantial factor” standard. The new standard provides that a system's output must be “weighed more heavily than any other factor relating to the consequential decision” in order to be subject to the framework.
  • The list of “prohibited uses” has been narrowed, removing a provision that would have required opt-in consent for any use of an AI system for emotion recognition. 
  • The private right of action for violations of the list of prohibited uses of AI has been removed, with enforcement now left solely to the Attorney General.

The Texas legislative session will run from January 14 through June 2.

3. California to Take Another Swing at Mandatory Opt-Out Settings

This year the California Privacy Protection Agency (CPPA) endorsed AB 3048 which would have required browsers and mobile operating systems in the state to provide ‘native’ opt-out preference signal (OOPS) settings to allow consumers to exercise certain privacy rights by default. Despite broad support in the legislature, Governor Newsom vetoed AB 3048, taking specific issue with requiring mobile operators to provide technological settings which do not currently exist.

In response, CPPA staff proposed to support a new bill next session that would only require web browsers to offer such OOPS settings (this technology already exists, albeit with a caveat discussed below). However, in a rare move, at a December 19 meeting the CPPA Board rejected the staff’s recommendation and voted (5-0) to once again support legislation that would require default OOPS in both browsers and mobile OS.

The staff’s proposal also included a “technical amendment” that would actually appear to fix a major issue with this year’s AB 3048. As passed by the legislature, AB 3048 would have required platforms to provide signal mechanisms that exercise consumer rights to BOTH opt out of sale and sharing of personal data AND to limit the use and disclosure of sensitive personal data. However, the only signal specification the state has currently recognized, the Global Privacy Control, is explicitly only intended to exercise the right to opt out of sale/shares and would therefore not have been a qualifying signal under AB 3048. The staff proposal recommended tying future legislation to existing CPPA regulations on OOPS, which notably only describe the right to opt out of sale/shares. Unfortunately, neither the Board members nor agency staff used the December meeting to discuss the matter of specifically which consumer rights they actually want OOPS to exercise.

4. Broad Consumer Privacy Bills Re-filed / Pre-filed in South Carolina and Oklahoma

For the past two years the Patchwork Dispatch has tracked the emergence of and areas of alignment and divergence between comprehensive state privacy laws in the United States, which now number 19 (or 20) in total. Two bills of this category that will be considered in the 2025 sessions were recently filed in South Carolina and Oklahoma.

In South Carolina, Rep. Guffey has filed H 3401 for the second year in a row. This is a consumer privacy bill modeled on the Florida Digital Bill of Rights Act, complete with narrow applicability to only very large organizations in very specific lines of business. Guffey has also re-filed H 3400 and H 3402, both Age-Appropriate Design Act-style bills. The prior versions of these proposals did not see traction in the Palmetto State.

The Oklahoma Computer Data Privacy Act (OCDPA) was introduced as HB 1012 for (I think) the fifth time. Reading this proposal is a bit like looking at a time capsule of the state privacy debate from yesteryear - it is modeled on the California Consumer Privacy Act (pre-California Privacy Rights Act amendments) and is therefore both more convoluted and in many ways narrower than the Washington Privacy Act-style bills that emerged post-2021. For example, the bill lacks features such as heightened protections for sensitive data or a consumer right to correct inaccurate information. Prior versions of the OCDPA did manage to pass the State House in 2021 and 2022 but failed to gain traction in the State Senate on those occasions. The 2023 and 2024 versions of the bill failed to advance in either chamber.

5. Five New State Laws to Take Effect Early in the New Year

On New Year’s Day four new comprehensive state privacy laws (Delaware, Iowa, Nebraska, and New Hampshire) are scheduled to take effect with New Jersey slated to closely follow on January 15. A brief reminder about what makes each of these impending laws unique (or not unique):

Delaware Personal Data Privacy Act: The DPDPA has a low coverage threshold (processing data of 35,000 residents) and explicitly recognizes ‘pregnancy’ as a category of sensitive data. Heightened protections (opt-in consent requirements) for certain uses (targeting advertising and sales) of adolescent data will extend to individuals who are 16 and 17 years of age. Individuals will also have stronger deletion rights with respect to organizations that ingest data from third party sources. Finally, the carve out for “publicly available data” is comparatively narrow, extending to information that a consumer has lawfully made available to the general public through “widely distributed media.”

Iowa SF 262: This law is in contention with Utah and Rhode Island for being the narrowest “comprehensive” state privacy law. The drafters appear to have unintentionally omitted a provision affirmatively establishing a right to opt out of online targeted advertising, but we’ve seen some businesses nevertheless read such a protection into the law. The 90-day right to cure is also unique for state privacy laws, which typically establish a 45- or 60-day grace period.

New Hampshire SB 255: This law is essentially the Connecticut Data Privacy Act (pre-SB 3 amendments that expanded protections for child and health data). New Hampshire originally contained a unique wrinkle providing for limited rulemaking to add prescriptive requirements for notices and the exercise of consumer rights, but that was later removed.

Nebraska Data Privacy Act: The NDPA aligns most closely with the Texas Data Privacy and Security Act, notably tying the threshold for small business exceptions to U.S. Small Business Association standards but also requiring small businesses to obtain opt-in consent in order to sell sensitive personal data.

New Jersey S332: This law largely aligns with prior WPA-style laws, albeit with areas of greater drafting ambiguity, including on important issues such as consumer rights and enforcement. It also treats “financial information” (without further specification or clarification) as sensitive personal data and is one of only a handful of states to explicitly require the completion of a risk assessment prior to commencing data processing. The law does direct the Department of Law and Public Safety to promulgate implementing regulations, but to date no rulemaking package has been issued.

As always, thanks for stopping by.


Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum

Glad to see you publishing in and around the so-called dead zone. By that I mean during the holidays AND on bills that were themselves presumed dead like AB 3048 on browser-based signals. If there’s one lesson learned every year on privacy rights it’s that persistence pays!

Matthew R.

Director @ CIPL | Privacy, Data, and Technology Policy

1w

Your updates are most welcome any time of year, Keir Lamont - Happy Holidays!
