Q3 2024: This Quarter in Privacy and AI


The following insights reflect Jackie’s personal analysis of the recent updates. While we hope you find them helpful, they are not legal advice. Reading this does not create an attorney-client relationship. You should not act on this information without seeking professional counsel.

Here’s the Q3 “Quarter in Privacy and AI” recap. Wow, it was a very busy quarter, and there’s a lot to cover! Here we address some of the highlights. For those new to the Quarter recap, it’s a quick summary of key happenings in the world of data protection and AI from the quarter. While there’s always an abundance of news, we try to capture what we think may be of greatest interest or most relevant to our clients. As a reminder, our take-aways are Jackie’s thoughts on the updates and not intended to be legal advice.

Quarter in AI:

  • The EU AI Act officially entered into force on August 1. This starts the clock ticking on when the various phases of compliance requirements will go into effect. First up, in February 2025, the provisions related to prohibited systems and obligations on AI literacy go into effect. The obligations applicable to general purpose AI models go into effect in August 2025.

  • In September, California signed several new AI bills into law. One is AB-2013, Generative AI: Training Data Transparency, which requires a generative AI system or service to post disclosures about the data used to train the system or service. There is an exception for Gen AI systems/services used for security purposes. Another is SB-942, California AI Transparency Act, which requires a Gen AI provider to make available an "AI detection tool" that can be used to identify content as AI-generated. This law applies only to Gen AI providers with over 1 million monthly users. Getting a theme? Transparency is key! (Wondering what happened to the contentious bill, SB-1047, requiring audits and testing? It was vetoed.)

  • In the world of employment, in August Illinois adopted an AI bill that amends the state's civil rights law. The amendment prohibits the use of AI where it has the effect of discriminating on the basis of protected classes for purposes of "recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment." Under the amendment, failure to provide notice of the use of AI for these purposes is also a civil rights violation. It goes into effect January 1, 2026.

  • Take-away 1: Prepare now for EU AI compliance. The "final countdown" has begun (cue the song, I know you know it). Identify your model(s) or system(s) and what classification(s) might apply to determine your obligations.

  • Take-away 2: If you're an employer planning to use AI for recruiting in Illinois (or really in any state), get your disclosures ready and your governance plan in action to mitigate the risk of discrimination.

  • Take-away 3: It's all about communication! We've been saying this for a while: disclosure requirements are proliferating, so plan and prep your AI disclosures now if you haven't already.

Quarter in Privacy: It’s all about state privacy laws once again for Q3. This quarter we see an emphasis on biometric privacy. Read on!

  • Put on those cowboy boots--the Texas privacy law (H.B. 4, or the Texas Data Privacy and Security Act) went into effect on July 1 (with the exception of the global opt-out provisions, which go into effect on January 1, 2025). The Texas law applies to companies that are not "small businesses" as defined by the U.S. Small Business Administration--so dig out those NAICS codes to figure out if the law might apply to you. The law does have a 30-day cure period and exempts B2B and employment data.

  • Oregon's privacy law, the Oregon Consumer Privacy Act, also went into effect on July 1.

  • While technically a Q4 update, note that the Montana privacy law (the Montana Consumer Data Privacy Act) went into effect on October 1.

  • In September, the California governor signed into law S.B. 1223 that amends the CCPA to add neural data to the scope of "sensitive personal information" covered under the law's protections. What is "neural data"? It’s defined to mean "information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information." Word to the wise--Colorado already amended its Privacy Act to add biological data, including neural data, earlier this year.

  • In a turn of events that comes as a sigh of relief for many businesses, Illinois amended its Biometric Information Privacy Act ("BIPA") in August to curtail the possible scope of damages. Under the amendments, a violation for a single individual using the same identifier and the same method of collection is considered to be one violation, regardless of the number of times the biometric information was collected. Previously, courts had held that a violation occurred each time an identifier was collected. Translation: the astronomical potential damages for a BIPA lawsuit have been reined in.

  • Take-away: New state laws continue to come into effect. Be sure you're aware of which states have laws in effect as of now and proactively plan for additional state laws going live soon. Determine if you meet the applicability thresholds, and if you do, evaluate what you already have in place that you can leverage and what net-new actions you need to take.

Quarter in Enforcement:

  • Adding to the arsenal of state privacy enforcement firepower, New Hampshire announced the creation of a Data Privacy Unit in August. The new unit will be housed within the Consumer Protection and Antitrust Bureau of the New Hampshire AG's office. New Hampshire's privacy law goes into effect in January 2025.

  • There's no room for the dark (patterns, that is) in the Golden State. The California privacy regulator--the California Privacy Protection Agency ("CPPA")--issued an enforcement advisory in September regarding dark patterns. What does the advisory say? User interfaces for privacy choices need to be easy to understand and offer “symmetry in choice” (i.e., more privacy protective choices should not be more difficult to exercise). The advisory emphasizes that whether a UI is a dark pattern is based on effect rather than intent. (Claiming “we didn’t mean to!” is not a defense, friends.)

  • It's quite the enforcement rodeo in Texas! In July, the Texas AG reached a $1.4 billion settlement with Meta over biometric privacy. This is the largest privacy settlement ever obtained by a single state. The settlement is the result of a 2022 lawsuit brought by the TX AG under the Texas Capture or Use of Biometric Identifier Act for the collection of biometric data without consent. The TX AG also recently filed a lawsuit against GM for its handling of driving data and has issued letters to suspected data brokers for failure to register. That TX AG is actively wrangling non-compliance!

  • Take-away: Get your compliance ducks in a row, as states are gearing up for--and are already beginning to actively enforce--their privacy laws.

  • Take-away: Review your opt-out UIs and be vigilant to weed out anything that could have a confusing or subversive effect.
