Q2 2024: This Quarter in Privacy and AI


Welcome to the Enlightened Privacy, PC “Quarter in Privacy” recap! Here’s your recap for Q2, 2024.

What is the Quarter in Privacy Recap?

This is a quick summary of some of the key happenings in the world of data protection and privacy from the past quarter. While there’s always an abundance of news in privacy, we try to capture what we think may be of greatest interest or most relevant to those of you doing privacy day-to-day. Our intention with this recap is to provide thoughtful and helpful updates to keep you informed and maybe even a little entertained. Enjoy! And if you like the recap or have suggestions, please let us know! We’d love to hear your feedback.

Quarter in AI — Quick Recap: AI is here to stay, and we’re including a new section just for AI in our quarterly update. Enjoy!

  • We’re starting to see AI legislation emerge at the U.S. state level.
    — In May, Colorado passed the Colorado AI Act, which imposes obligations on both developers and deployers of “high-risk AI systems.” These are AI systems that make, or are a substantial factor in making, consequential decisions in areas such as education, financial services, employment, and health care, where the concern is algorithmic discrimination. The Colorado AI Act goes into effect in February 2026.
    — Utah’s new law, the Utah AI Policy Act, went into effect in May. The Utah law imposes disclosure obligations when generative AI is used to interact with consumers and makes a company responsible for consumer protection violations committed through generative AI output (that’s right, “the AI did it!” is not a defense).

  • NIST recently released its Generative AI Profile (NIST AI 600-1). The Gen AI Profile is a companion to the NIST AI Risk Management Framework and provides guidance on how companies can apply the Framework’s functions to generative AI risks in particular.

  • Max Schrems is back, this time in the AI world! His privacy rights organization NOYB filed a complaint with the Austrian data protection authority against OpenAI over ChatGPT. NOYB claims that ChatGPT’s approach to privacy rights violates the GDPR, because OpenAI is unable to correct inaccurate information that ChatGPT generates about an individual, despite the GDPR’s accuracy principle and right to rectification.

  • Take-away: Be on the lookout for more AI legislation from individual states. Take a look at the new state AI laws and the NIST Gen AI profile as helpful resources for building out your AI governance program.

New U.S. State Privacy Laws: Here’s our roundup of the states that passed comprehensive privacy legislation in the past quarter. (It’s starting to feel like a game of “what states haven’t passed privacy legislation?!”) In Q2, we saw 4 new states pass privacy legislation. Here’s the roster: Kentucky (effective Jan. 1, 2026), Maryland (effective Oct. 1, 2025), Minnesota (effective July 31, 2025), and Nebraska (effective Jan. 1, 2025). Everyone’s getting in on the privacy legislation party these days (except Vermont, see below)! That makes 18 states in total that have signed comprehensive privacy legislation into law.

  • What’s in the new laws? Here’s a quick highlight reel:
    — All four of the laws contain obligations similar to what we’ve seen under other state privacy laws, like Colorado’s. These include data minimization requirements, data protection impact assessment requirements, and privacy notice requirements. (Maryland’s data minimization standard is notably stricter than the others’.)
    — All four provide the same basic consumer data rights we’ve seen in most of the other state privacy laws.
    — While the Kentucky, Maryland and Minnesota laws have numeric applicability thresholds similar to Colorado’s, Nebraska’s law takes the Texas approach — it applies to persons that are not “small businesses” as defined by the U.S. Small Business Administration. This means that Nebraska’s law will likely apply more broadly, as we’ve seen under the Texas law.
  • Take-away: Evaluate your U.S. state privacy compliance program and start preparing now to expand it to cover these new states between January 2025 and January 2026, if needed. Pay particular attention to Nebraska’s law, as it may apply to you even if the others don’t.

  • In a shocking turn of events, Vermont’s legislature passed privacy legislation only to have it vetoed by the governor! (Gasp, I know.) This is the first time we’ve seen comprehensive privacy legislation vetoed. Why did Vermont not join the party, you ask? The governor’s veto statement cited concerns that the bill created an “unnecessary and avoidable level of risk” and made Vermont an “outlier.” Among the issues the governor mentioned were the private right of action, the kids code provisions, and disadvantages for small and medium-sized businesses resulting from what the governor called the expansiveness and complexity of the law. The governor’s recommendation? Adopt a law modeled on Connecticut’s.

Enforcement Updates: This quarter, we’ll focus on CCPA enforcement. What’s the latest in CCPA enforcement, you ask? Well, the regulators have been busy.

  • In April, the California Privacy Protection Agency (“CPPA”) issued its first enforcement advisory, focused on data minimization. The advisory makes clear that data minimization applies to the personal information collected to verify and respond to CCPA data rights requests. The CPPA stated that it is seeing organizations ask consumers for “excessive and unnecessary” personal information in connection with CCPA requests. The advisory provides example use cases and questions to ask to determine whether your organization is requesting an appropriate level of information to respond to requests. Take-away: Review the types and volume of personal information you collect to process data rights requests and confirm that you collect no more than is reasonably necessary to verify and fulfill each request.

  • In June, the California AG announced a settlement with Tilting Point Media LLC, a gaming company, related to children’s privacy violations in a popular children’s game app about SpongeBob (my inner child would definitely play that game). The proposed settlement consists of a $500,000 civil penalty plus injunctive terms related to data collection and disclosure. According to the AG, the app violated the CCPA and COPPA by collecting and sharing children’s personal information without verifiable parental consent. The AG stated that the app failed to use a neutral method for asking users’ age and misconfigured third-party SDKs, which resulted in the collection and disclosure of children’s personal information without proper consent.

  • Take-away: If you’re potentially processing children’s data, review your age screens and make sure you’re obtaining proper consent for all processing.

The latest on the draft federal privacy bill, the American Privacy Rights Act (“APRA”): Where are we at with the APRA? Is it still in existence? Yes, it does still exist. It was moving along through Congress until an abrupt halt on June 27. As of that date, it faces an uncertain future. Here’s a little more info, in case you’re curious and want to follow the journey (I’m thinking of the APRA as the little cartoon bill from Schoolhouse Rock):

  • The draft underwent a round of significant revisions in late June. Notably, those revisions removed the civil rights and algorithms provisions, including the right to opt out of covered algorithms used to make consequential decisions.

  • On June 27, the House Committee on Energy and Commerce was scheduled to hold a markup of the bill, but the markup was canceled at the last minute. Given the partisan pressures, the bill may be nearing its end. Right now the APRA is sitting on the steps of the Capitol looking pretty sad!

Want to know more? Need help figuring out how these developments impact you? We’re here to help! Just reach out to info@enlightenedprivacy.com.
