On Friday, November 8, 2024, the California Privacy Protection Agency board voted 4-1 to commence the formal rulemaking process for the draft regulations on Automated Decisionmaking Technology (ADMT), Risk Assessments, Cybersecurity Audits, and Insurance Companies. The formal rulemaking process will begin with a 45-day public comment period. During this time, CPPA staff will gather and analyze public comments, which will inform potential amendments and revisions to the regulations. The period will likely be extended to…
On September 29, 2024, California Governor Gavin Newsom vetoed Senate Bill 1047, which would have enacted the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (the “Act”) to create a comprehensive regulatory framework for the development of artificial intelligence models. The veto embodies the dilemma that has emerged around the regulation of AI applications: how can laws prevent harms in the use and development of AI, while promoting innovation and harnessing the power…
“Neural data” is the newest addition to the ever expanding California Consumer Privacy Act (CCPA). Signed into law on September 28, 2024, SB 1223 amends the CCPA to add “personal information that reveals neural data” to the categories of personal information that constitute sensitive personal information. It further amends the CCPA to define “neural data” as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is…
The California Privacy Protection Agency has issued an Enforcement Advisory on the topic of dark patterns. The California Consumer Privacy Act uses the term “dark patterns” to refer generally to user interfaces that subvert or impair consumers’ autonomy, decisionmaking, or choice when asserting their privacy rights or consenting to personal information processing activities. For example, when businesses provide choices to consumers, such as via cookie banners or in privacy preference centers, choices must be clear…
If passed, SB-1047, the California Safe and Secure Innovation for Frontier Artificial Intelligence Model Act, would introduce product safety, documentation and reporting obligations on developers of AI systems. Currently awaiting passage in the state Assembly, the bill would be a landmark regulation for the burgeoning AI industry. The law as currently written would mainly target larger AI projects developed by companies with extensive resources, rather than smaller startups. However, operators of data centers would also…
In Brief Various players in the health care industry are or will soon be subject to new requirements relating to sexual and reproductive health data under a pair of bills passed last year amending the California Confidentiality of Medical Information Act (the “CMIA”). Many of the central provisions of bills AB 254 and AB 352, which were both signed into law by Governor Gavin Newsom in September 2023, came into effect on January 1, 2024.…
Background On February 28, 2024, California State Senator Dave Min proposed Senate Bill (SB) 1394, a new measure aimed at preventing vehicular data from being used to perpetuate domestic violence. Under the proposal, automobile manufacturers would be required to disable access to remote vehicle technologies upon the request of a victim of domestic violence. The bill arrives amid increasing reports of incidents of domestic abusers exploiting vehicular location tracking features to stalk and harass victims…
Organizations subject to the Washington State My Health My Data Act (generally any organization with physical premises in Washington, and many organizations without it) are preparing for compliance by March 31, 2024. And should, in addition to the overall compliance requirements and immediate action items, be aware that the Washington Attorney General updated its guidance on the requirements for a consumer health privacy policy. Section 4(1)(b) of the My Health My Data Act explicitly provides…
If your organization does business across the U.S. and collects consumer health data (broadly defined, health inferences generated from non-health data count), compliance with U.S. state consumer health privacy laws is just around the corner. Consumer health privacy laws in Nevada (Senate Bill 370) and Washington (the My Health My Data Act) become fully operative for regulated entities on March 31, 2024. Requirements specific to consumer health data are already operative in Connecticut. Here are…
Chapter 22.8 of the California Business and Professions Code imposes requirements on social media companies with annual gross revenues of $100 million or more to submit “terms of service reports” to the California Attorney General, with the first report due by January 1, 2024. The statute is currently the subject of a constitutional challenge, but covered companies should not delay preparing reports in case the lawsuit drags on or is unsuccessful. The law applies to…