Welcome back to the second installment of our three-part series for Data Privacy Week 2025. We previously discussed the foundations of data privacy laws, and now we will focus on the current landscape of U.S. state privacy laws and consider important updates that companies should be aware of. Stay tuned for our third article later this week discussing our outlook for 2025.
Getting Up to Speed
2024 was a big year for state data privacy laws, with seven states passing legislation, bringing the total number of states with a comprehensive data privacy law up to 19. For companies, this has created a patchwork of laws and regulations that need to be continuously monitored and tracked. States also considered and passed laws that supplement their comprehensive privacy laws. To understand the current legal landscape, we focus on the current rulemaking activity in California and Colorado, set to be finalized and effective in 2025.
California’s Rulemaking Activity
The California Privacy Protection Agency (CPPA), the regulatory authority created by the California Privacy Rights Act, is still working on its statutorily mandated rulemaking. The CPPA’s proposed regulations concerning updates to existing rules, insurance, cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) underwent public comment, which closed on January 14, 2025. The regulations expand upon the requirements companies already face under the California Consumer Privacy Act (CCPA).
The proposed regulations require businesses that process consumers' personal information (the CCPA’s definition of "consumer" includes employees) to perform annual cybersecurity audits where the processing poses a "significant risk to consumer security."
Under the CPPA’s proposed regulations, a business in scope of the CCPA presents a "significant risk" if it:
- Derives 50% or more of its annual revenues from selling or sharing data; or
- Processes the personal information of over 250,000 consumers or the sensitive personal information of over 50,000 consumers in the previous calendar year.
Under the CCPA itself, the thresholds that bring a company within the statute in the first place look a little different. A company is a covered "business" if one of the following is true: its annual gross revenue exceeded $25 million in the preceding calendar year; it buys, sells, or shares the personal information of 100,000 or more consumers or households; or it derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
The proposed threshold is significant in its broad application, given that sensitive personal information includes, but is not limited to, a consumer’s Social Security number, driver’s license, state identification card, or passport number, as well as racial or ethnic origin, religious beliefs, or union membership.
Additionally, the proposed regulations state that businesses must "implement a cybersecurity program that ensures personal information is secure and that the security of that information is assessed annually." Businesses must conduct these audits according to a specific framework, ensuring that "the audit identifies vulnerabilities, and the business takes actions to rectify any identified issues."
The proposed rules add definitions for artificial intelligence (AI) and ADMT. The definition of ADMT includes "technology" that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making. The term "technology" includes software or programs, including those derived from machine learning, statistics, other data-processing techniques, or AI.
The proposed regulations require businesses to provide consumers with a "Pre-use Notice" detailing how the business uses ADMT and how the ADMT is trained, and to give consumers an option to opt out of the ADMT’s processing of their personal information. Additionally, if a business provides ADMT to another business, the provider must supply all facts necessary for the recipient to conduct its own risk assessment. When a business trains ADMT and permits another business or person to use it, the business must offer a plain-language explanation of any requirements or limitations relevant to the use of the technology.
Colorado’s Privacy Regulation Updates
Colorado has amended its Colorado Privacy Act (CPA), which took effect July 1, 2023, in two ways that set it apart from other state laws:
- Definition of Minor: Colorado now distinguishes between a child (under 13 years of age) and a minor (under 18 years of age). The Children’s Online Privacy Protection Act (COPPA) sets the federal floor for the processing of personal information collected from children under 13. Colorado is unique in that minors' personal information will be afforded additional protections, in contrast to states like Florida, which prohibits minors from accessing social media platforms without parental consent, and California, whose California Age-Appropriate Design Code Act has been enjoined in litigation before the 9th Circuit Court of Appeals in NetChoice v. Bonta.
- Biometric Data Notification: Businesses collecting biometric identifiers such as fingerprints and facial geometry must provide distinct, explicit notice to consumers explaining why the data is being collected and how long it will be retained. This notice appears similar to the one required under the heavily litigated Illinois Biometric Information Privacy Act (BIPA). However, unlike BIPA, the CPA provides no private right of action, the feature that made BIPA a beacon for the plaintiffs' bar.
These developments, along with Colorado’s Consumer Protections for Artificial Intelligence Act, continue to position California and Colorado as privacy leaders. The more time and resources states invest in their own data privacy regimes, the likelier it is that any federal privacy bill with a preemption clause, such as the American Privacy Rights Act or the American Data Privacy and Protection Act, is dead on arrival.
Be on the lookout for our next installment during this Data Privacy Week, with a focus on the future of privacy law.
For more information, please contact us or your regular Parker Poe contact. You can also subscribe to our latest alerts and insights here.