SB 5 in Five: What to Know About Connecticut’s New AI Law

Connecticut’s SB 5 fits a lot of AI obligations into a small bill number. This week, Governor Lamont (D) signed the 39-section bill into law, creating new requirements across several fast-moving areas of AI policy, including companion chatbots, automated employment decision tools (AEDTs), social media, and provenance data. The law also includes provisions related to frontier AI whistleblower protections, AI-related layoff notices, and planning for a state AI regulatory sandbox, making it one of the broader state AI packages enacted this year. The law’s provisions phase in over time, with effective dates ranging from October 2026 to January 2028.

The law follows several years of debate in Connecticut over how to regulate AI, including last year’s SB 2, which cleared the Senate but ultimately fell apart after a veto threat from Governor Lamont over concerns that the bill could hamper innovation. SB 5 takes a different path. Rather than establishing a single comprehensive high-risk AI framework, it stitches together a set of more targeted obligations, alongside provisions focused on innovation, workforce development, and future study.

The result is a wide-ranging law that touches many of the AI issues currently moving through state legislatures. With so much packed into SB 5, here are five things to know about Connecticut’s new AI law.

Note: The Governor also signed SB 4, a broad privacy bill that establishes a data broker registry and accessible deletion mechanism, regulates data-driven pricing, updates the CTDPA, and regulates direct-to-consumer genetic testing, which is covered in FPF’s recent blog.

1. Companion chatbots get their Connecticut chapter

SB 5 gives companion chatbots their Connecticut chapter, adding the state to a growing list of jurisdictions (New York, California, Washington, Oregon, Nebraska, Idaho, Iowa, and Georgia) writing rules for chatbot systems that can sustain relationships with users. The law would impose baseline protections for all users, including safety protocols for suicidal ideation and clear non-human disclosures, while also introducing minor-specific safeguards such as parental tools to manage privacy and screen time, as well as limits on engagement-maximizing features. For those following this rapidly evolving area, FPF maintains a continuously updated chatbot legislation tracker that monitors activity in this space.

Scope: SB 5 uses a detailed set of carveouts to narrow the systems covered, similar to Nebraska’s and Idaho’s laws. But Connecticut’s definition of “AI companion” is more targeted: it focuses on systems that provide adaptive, human-like responses and can sustain a relationship over time. One carveout is especially notable: the law excludes “narrow, task-specific” tools that provide outputs related to a discrete topic or function, so long as the tool’s primary function is not to discuss mental health. Similar narrow-task carveouts appear in other state chatbot laws, but Connecticut’s version appears narrower because the exclusion may not apply where the tool’s primary function is mental health-related.

Requirements for all users: SB 5 follows several other companion chatbot laws enacted this year in setting a familiar baseline: safety protocols, non-human disclosures, and safeguards to keep AI companions from presenting themselves as human. Operators would need to publicly post safety protocols using “evidence-based methods” to detect and “clinical best practices and expertise” to respond to user expressions indicating suicide, self-harm, or physical violence. Because “evidence-based methods” and “clinical best practices” are not defined, operators may face questions about what detection tools or clinical inputs are sufficient to meet that standard.

The law would also require clear non-human disclosures when an AI companion could reasonably lead a user to believe they are interacting with a human. Like Washington and Georgia, Connecticut applies a one-hour disclosure interval for minors and a three-hour interval for adults. Although the law distinguishes between users, the shorter minor-focused interval could become the practical default if operators choose to comply uniformly.

Minor-Specific Requirements: For minors, SB 5 moves beyond “tell users it is AI” and into the harder question of how companion chatbots are designed to interact and build relationships over time. Similar to Oregon’s law, Connecticut’s protections apply when an operator “knows or has reason to believe” that a user is under 18, a standard that may require operators to account for contextual signals, not just direct knowledge of age.

Similar to Washington’s chatbot law, SB 5 would require operators to prevent their chatbots from engaging in certain harmful conduct before providing an AI companion to a minor, including encouraging disordered eating or physical violence; romantic interactions; and manipulative techniques intended to extend engagement, such as encouraging isolation from family or friends or fostering inappropriate emotional dependence. Terms like “inappropriate emotional dependence” and “disordered eating” are not further defined, raising questions about how operators should distinguish benign interactions from those prohibited under the law. The law also includes a broader provision prohibiting operators from “optimizing user engagement in any manner that disregards” the minor-specific safeguards, which may extend the reach of the minor protections beyond listed outputs.

Finally, SB 5 also requires tools for parents and minors to manage screen time and account settings, a feature that appears in other state chatbot laws, including Idaho, Nebraska, and Georgia. 

Enforcement: SB 5 would make violations an unfair or deceptive trade practice enforced by the Attorney General, keeping the law in the AG-enforcement lane rather than creating a private right of action. These requirements take effect January 1, 2027.

2. For employment AI, SB 5 asks for a heads-up, not an audit or assessment

Employment AI gets its turn in SB 5, with new transparency requirements for automated employment-related decision technologies (AEDTs) used to shape decisions about hiring, promotion, discipline, and discharge. The section draws from broader ADMT laws, including California’s CPPA ADMT regulations, the Colorado AI Act as originally enacted in 2024, as well as employment-specific laws such as New York City’s LL 144. But unlike other state frameworks, Connecticut does not require AEDTs to undergo bias audits or risk assessments. Instead, SB 5 focuses on disclosures and written notice to applicants and employees, similar to the revised Colorado ADM Act.

Scope: SB 5 is narrower than broader ADMT frameworks that apply across sectors such as housing and education. It covers AEDTs that are a “substantial factor” used to “make or materially influence” an employment-related decision. The law defines “substantial factor” as something that “meaningfully alters” the outcome, a narrower definition than the Colorado AI Act’s 2024 language covering systems that are “capable of altering” or “assist” in making a consequential decision.

Notice obligations: The notice obligations are allocated between actors in the AI value chain, similar to the current and previous version of the Colorado AI law. Beginning October 1, 2027, developers that market AEDTs for employment decisions would need to provide deployers with information about the tool. Deployers would then need to disclose to employees or applicants that an AEDT has been deployed, the purpose and nature of the decision, the tool’s trade name, the categories and sources of personal data used, how that data will be assessed, and contact information for the deployer. Developers and deployers do not need to disclose trade secrets, but must tell individuals when information is withheld on that basis.

Civil rights and enforcement: SB 5 may be notice-first, but it is not notice-only. The law also amends Connecticut’s human rights statute to clarify that using an AEDT is not a defense to discrimination claims, while allowing courts or the commission to consider evidence of anti-bias testing and related efforts when evaluating those claims. That consideration of anti-bias testing also builds on a related theme in last year’s amendments to the Connecticut Data Privacy Act, which included an exemption allowing controllers to process personal data for internal use to allow them to use data for bias testing. California and Illinois have similarly amended employment or human rights laws to address automated decision systems in the workplace. As a result, entities may not be required to conduct bias testing or assessments under Connecticut law, but are strongly encouraged to reduce their regulatory risk. 

Violations would be treated as unfair or deceptive trade practices and enforced by the Attorney General, with a potential 60-day cure period through the end of 2027 and no private right of action. These requirements take effect October 1, 2026.

3. Social media and AI regulations increasingly become the dynamic duo in online safety

As the online safety landscape continues to evolve and other jurisdictions weigh pairing social media and chatbot regulations—Connecticut strikes first by incorporating a section on online safety obligations for social platforms into SB 5. Similar to laws enacted in California and New York, SB 5 restricts operators from providing minors under 18 access to a platform that “recommends, selects, or prioritizes for display…media items” shared by other users—also known as personalized recommender systems–unless certain requirements are met. 

Age assurance and parental consent: As is commonly the case in social media frameworks, SB 5 requires that covered operators implement “commercially reasonable and technically feasible methods” to determine whether a user is an adult or a minor. In the case of a minor, a covered operator may not offer access to personalized recommender systems without first obtaining parental consent. Unlike California and New York, however, SB 5 does not authorize agency rulemaking to provide guidance on acceptable forms of age assurance under this law, potentially creating ambiguity for compliance teams. 

Default safety features: The law also requires certain minor-specific default safety features seen in other recent frameworks, such as South Carolina’s Age Appropriate Design Code (AADC), including preventing unconnected users from viewing or contacting minor accounts and restricting minors from viewing “sensitive content.” Notably, SB 5 broadly defines “sensitive content” to include any material violative of platform community standards, “or any similar guidelines or standards” established by the covered operator. Lastly, in a novel move, covered operators would be required to limit minors’ access to personalized recommender systems to one hour per day by default, comparable to a recently enjoined obligation in Virginia. Only a minors’ parent can adjust the default time limit on personalized recommender system access through parental control mechanisms.

Parental controls: Covered operators must establish and provide parents or guardians access to prescribed controls for supervising the accounts of their children. These controls include providing parents the ability to prevent minors from receiving notifications outside of preset timeframes and limiting minor access to personalized recommender systems to specific times indicated by the parent. SB 5 would also require covered platforms to provide parents with a mechanism for setting the minor’s account to a protected mode that does not allow unconnected users to view published content of or exchange messages with minors—although it is unclear how this particular parental tool is supposed to be implemented alongside the seemingly identical default safety feature noted above.

Disclosures: SB 5 requires covered operators to provide two kinds of disclosures. First, minors must be provided a health warning from the Surgeon General concerning the potential harms of social media use. Secondly, covered operators must annually disclose to the state Attorney General’s office, in a publicly accessible format, information related to platform use, such as the total number of covered users for whom the covered operator obtained parental consent, enabled default settings, and the average amount of time covered users spent on the platform per day. SB 5’s reliance on disclosure obligations follows a growing trend of requiring various kinds of disclosures in online safety legislation to both individuals, like in Colorado’s recently enjoined social media warnings law, and to state entities for public accessibility, like in South Carolina’s AADC.

Enforcement: A covered operator’s violation of these requirements constitutes an unfair or deceptive trade practice under Connecticut consumer protection law, which includes a private right of action in addition to state enforcement authority. These requirements become effective on January 1, 2028.

4. AI provenance rules make their way east in SB 5

SB 5 picks up the provenance trend seen in western states–adding Connecticut to the growing list of states setting requirements for AI-generated content. SB 5 would require covered providers to include provenance data in content that is created or materially altered by a generative AI system. California spearheaded AI provenance data disclosure with the California AI Transparency Act, enacted in 2024 and amended in 2025. Other states with provenance data laws include Utah and Washington.

The provision is relatively targeted. It applies to covered providers that produce publicly accessible generative AI systems for personal use with more than 1 million monthly users. It also focuses on content that is created or “materially altered” by a generative AI system, while excluding minor modifications such as changes in color or resizing. That distinction helps to focus the law’s requirement on more meaningful generative AI edits, rather than changes unlikely to affect the substance of the content.

The law requires provenance data to be difficult to tamper with or remove. At the same time, covered providers are not required to include information relating to an identified or reasonably identifiable individual, trade secrets, or confidential or proprietary information.

These provenance requirements are narrower than SB 5’s provisions on chatbots or AEDTs, but still notable because they place Connecticut within a growing state-level push to make AI-generated and altered content easier to trace. Other provenance data bills are still pending in states like Arizona and New Jersey. These requirements take effect October 1, 2026.

5. Whistleblowers, layoff notices, and sandboxes get targeted treatment in SB 5

SB 5 also borrows from a few other state AI playbooks, like frontier AI protections and regulatory sandboxes. But in both cases, Connecticut takes a narrower path. Rather than creating a full frontier model governance framework or immediately launching a sandbox program, SB 5 focuses on employee whistleblower protections and planning for a potential future sandbox, as well as a targeted AI-related layoff notice requirement.

Frontier AI whistleblower protections: SB 5 borrows the language of frontier AI laws, but not the full architecture. Like California’s SB 53 and New York’s RAISE Act, it defines key terms such as “frontier developer,” “large frontier developer,” and “catastrophic risk.” But unlike broader frontier AI frameworks, SB 5 does not require developers to publish governance frameworks, issue transparency reports, or establish critical safety incident reporting mechanisms. Instead, it focuses on solely protecting employees who report certain serious AI-related risks.

The law would prohibit frontier developers from penalizing covered employees for protected whistleblower activity and bar retaliation against employees who report, with reasonable cause, conduct they believe poses a specific and substantial danger to public health or safety due to a catastrophic risk. Large frontier developers would also need to create an internal reporting process by January 1, 2027, allowing employees to anonymously report such risks, provide updates to reporting employees, share reports with directors quarterly, and notify employees of their rights. These requirements take effect October 1, 2026.

AI-related layoff notices: SB 5 also includes a workforce disclosure provision. Employers issuing plant-closing or mass layoff notices would need to disclose to the Labor Department whether the layoffs are related to the employer’s use of AI. These requirements take effect October 1, 2026.

Regulatory sandbox planning:  SB 5 directs the Commissioner of Economic and Community Development to develop a plan for an AI regulatory sandbox program, joining a small but growing group of states (Utah, Texas, and Delaware) that have adopted AI sandbox frameworks. The program would allow approved applicants to test innovative AI systems under reduced regulatory requirements.

But here too, Connecticut starts with a blueprint. SB 5 requires planning for a potential sandbox, not the immediate launch of one, and asks the Commissioner to assess the feasibility of a reciprocal, multistate sandbox model. Recommendations are due by January 1, 2028.

Conclusion

SB 5 does not create one comprehensive AI framework. Instead, it reflects a broader trend in state AI policymaking of setting targeted obligations across several use cases, from companion chatbots and employment tools to provenance data and frontier AI employee protections. As states continue experimenting with issue-specific AI laws, Connecticut’s SB 5 offers another example of how significant AI regulation can emerge through issue-specific provisions. Additionally, as states continue to pursue substantive online safety frameworks for minors, whether other jurisdictions will pair social media regulation with chatbot safety requirements remains a trend to watch.

Third Time’s the Charm: Connecticut Enacts Annual Privacy Update

The Connecticut Data Privacy Act (CTDPA) has been revised multiple times since being enacted in 2022: SB 3 added heightened protections for consumer health data and for minors in 2023; and SB 1295 in 2025 expanded the law’s scope, updated and added consumer rights, modified the data minimization and purpose limitation requirements, prescribed impact assessment requirements for profiling, and further heightened protections for minors. Like clockwork, Connecticut has once again passed new privacy legislation.

This year’s efforts include more CTDPA amendments, a new California Delete Act–style data broker registry and accessible deletion mechanism, restrictions on data-driven pricing, and regulation of direct-to-consumer genetic testing. These changes came in a trio of bills: SB 4, HB 5222, and HB 5563. The bulk of the new requirements are located in SB 4, but, due to legislative procedure and timing, there were additional ‘clean-up’ amendments to SB 4 in the other two bills. Governor Lamont signed SB 4 on May 27. Although at the time of publication we are still waiting for HB 5222 and HB 5563 to be signed, this blog post assumes that these bills will be enacted and provides an overview of all three bills’ main requirements.

Key elements of these bills: 

• Privacy Updates: The CTDPA amendments are less significant than prior revisions in SB 3 or SB 1295. The biggest change is that the law will now ban the sale of precise geolocation data, whether by a controller or a third party. The amendments also narrow the definition of publicly available information, expand the deletion rights, and add transparency requirements for the use of facial recognition technology for security/fraud prevention. 
• Data Brokers: Connecticut becomes the second state to enact a Delete Act that both requires data brokers to annually register with the state and creates an accessible deletion mechanism allowing consumers to submit deletion requests to many data brokers at once. 
• Data-Driven Pricing: Amidst growing public scrutiny over data-driven pricing, this law bans “surveillance pricing” by a retail seller or third-party delivery service, subject to exceptions, and subjects any other person engaged in “surveillance pricing” to mandatory disclosures.
• Genetics: Connecticut becomes the latest state to regulate direct-to-consumer genetic testing companies. This law includes a slightly unusual “property” right for consumers over their biological samples and DNA testing results. 

Note: The legislature also passed SB 5, a broad AI bill that addresses companion chatbots, automated decisionmaking technology, social media, and other AI-related provisions. If that bill is signed by the Governor, then FPF will cover it in a separate blog post.

CTDPA Updates (SB 4, Sections 12-16; HB 5222, Section 45)

The updates to the CTDPA primarily affect publicly available information, the consumer deletion right, the sale of precise geolocation data, and the use of facial recognition technology for security purposes in retail. Many of these changes are responsive to legislative recommendations in enforcement reports from the Connecticut AG. 

• Publicly Available Information: This bill narrows the definition of “publicly available information,” including by adding exceptions for obscene visual depictions, information created by combining personal data with publicly available information, genetic data (unless made publicly available by the consumer), information provided by a consumer on a publicly accessible website or online service (subject to additional criteria), nonconsensual intimate images, and nonconsensual intimate synthetically created images. 

• Deletion: Prior to SB 4 being enacted, the deletion right extended to personal data provided by, or obtained about, the consumer. This bill expands that right to also apply to some publicly available information. Specifically, a consumer shall have the right to delete (i) publicly available information that is collated and combined to create a consumer profile made available to a user of a publicly accessible website for compensation or free of charge, (ii) publicly available information made available for sale, or (iii) any inference generated from information described in (i) or (ii). 
• Precise Geolocation Data: This bill prohibits controllers or third parties from selling a consumer’s precise geolocation data. This is consistent with an emerging trend in state privacy law. Maryland banned the sale of sensitive data in 2024. Both Oregon and Virginia banned the sale of precise geolocation data in 2025 and 2026, respectively. 
• Facial Recognition Technology: Like most state comprehensive privacy laws, the CTDPA includes a broad exception for preventing, detecting, protecting against or responding to security incidents, identity theft, fraud, and similar activities. This bill adds new requirements for a controller (or consumer health data controller) who uses facial recognition technology (“FRT”) pursuant to that exception. FRT is defined as “any technology that analyzes facial features in still images or video to uniquely and personally identify a specific individual.” Notably, this definition does not reference the existing definition of “biometric data.” To use FRT for the security/fraud exception, a controller must: (i) exclusively use FRT to match still images or video to a database maintained exclusively by the controller; and (ii) post clearly legible signage at entrances (other than an entrance to an area restricted to authorized employees) that alerts consumers that FRT is in use and provides a conspicuous hyperlink or quick response code that directs consumers to the controller’s FRT policy. The FRT policy that a controller maintains must include contact information for the AG’s office and “may” disclose the controller’s policies concerning “interactions between the controller’s . . . loss prevention officers and consumers.” A controller is not required to comply with these requirements if they have obtained the consumer’s consent to use FRT “in the course of a commercial transaction.”

These requirements will be effective October 1, 2026.

Data Brokers (SB 4, Sections 1-10; HB 5222, Sections 39-43)

Connecticut joins California, Oregon, Texas, and Vermont by creating a data broker registry. Starting January 1, 2027, this bill would prohibit a “data broker” from selling or licensing “brokered personal data” in Connecticut unless the data broker is actively registered with the Department of Consumer Protection. 

• Data Broker: Any business or portion of a business that sells or licenses brokered personal data to another person;
• Brokered Personal Data: One or more of the listed personal data elements concerning a consumer, if categorized or organized for sale or license to a third party. These data elements include name, address, date or place of birth, mother’s maiden name, unique biometric data (used to identify or authenticate the consumer), name or address of a member of the consumer’s immediate family or household, SSN or other government-issued ID number, or other information that (alone or combined) would allow a reasonable person to identify the consumer with reasonable certainty. 

Notable exemptions include: personal data collected or sold in compliance with the Driver’s Privacy Protection Act; consumer reporting agencies and furnishers to the extent they are engaged in activities regulated by FCRA; financial institutions, affiliates and nonaffiliated third parties to the extent they are engaged in activities regulated under Title V of GLBA; covered entities, business associates, and protected health information under HIPAA; and narrow exceptions for activities such as selling or licensing publicly available information (defined narrowly), providing digital access to materials such as newspapers, or providing directory assistance. 

Registration will be annual, cost $2,500, and require applications to include extensive, mandated disclosures (e.g., a public website with information on how consumers can exercise consumer rights under the CTDPA, whether the data broker collects certain listed categories of personal information, whether and to what extent the data broker is subject to regulation under FCRA, GLBA, and HIPAA). 

The Commissioner of Consumer Protection will establish and update a public website disclosing the information each data broker includes in its registration application. Similar to the California Delete Act, this bill will also require the state to—by July 1, 2028—establish an accessible deletion mechanism that will allow consumers to submit a single deletion request to (up to) all registered data brokers. The Commissioner has authority to adopt regulations to implement sections 2-8 of the bill. Data brokers will be required to comply with deletion requests submitted via the accessible deletion mechanism once every 45 days starting on October 1, 2028. Also consistent with the Delete Act, data brokers will be required to undergo independent third-party audits once every three years (starting in 2031). The penalties under the new data broker provisions are $200 per day per consumer for each violation. 

There are two unique aspects of Connecticut’s data broker requirements worth flagging. First, the law is scoped broadly and, unlike other state data broker laws, does not clearly carve out data collected in the context of a first-party relationship. For example, most laws define a data broker as a business that (1) collects and sells personal information concerning a consumer with whom the business does not have a direct relationship, or (2) sells personal data that the business did not collect directly from the consumer. The closest thing to a first-party relationship exception in this bill is a carve out for a business that collects information concerning a consumer if the consumer is or was “in a contractual relationship with the business” or any “similar” relationship. This provision is similar to, but less defined than, language in Oregon’s and Vermont’s laws carving out a business that collects information about a consumer who is a past or present customer, subscriber, or user of the business’s goods or services. 

The second ambiguity to note is inconsistent scoping regarding “brokered personal data” versus “personal data.” For example, the obligation for data brokers to comply with a verified deletion request provides that a data broker must “delete any personal data such registered data broker maintains concerning the participating consumer.” This bill adopts the definition of “personal data” from the CTDPA: “any information that is linked or reasonably linkable to an identified or identifiable individual.” However, that term is broader than “brokered personal data,” as utilized within the definition of “data broker,” which is limited to an enumerated list of identifiers. As a result, data brokers may be required to delete more information than what is required to label them as a data broker.

Data-Driven Pricing (HB 5563, Section 501)

This bill (1) bans surveillance pricing by a retail seller or third-party delivery service, subject to exceptions, and (2) subjects any other person engaged in surveillance pricing to mandatory disclosures. 

• Surveillance Pricing: Establishing a customized price for a consumer good or service that is specific to a consumer (or group of consumers) based in whole or in part on the consumer’s personal data collected (A) through any technology or technological method, system, or tool [examples given include biometric monitoring, camera, device tracking, or sensor] and (B) by the person establishing the customized price, directly or indirectly. 
• The following activities do not constitute “surveillance pricing,” provided that the retail seller or third-party delivery service prominently posts the discount, discounted price, and terms and conditions in language readily understandable by the average consumer:
  • Establishing a discounted price for purposes such as retaining a customer, reestablishing a customer, attracting a new customer, cross-selling an item, or reengaging a lapsed customer; 
  • Establishing different prices due to justifiable differences in costs incurred in providing the good or service (e.g., due to physical location or delivery distance) or justifiable temporal differences; 
  • Establishing a discounted price
    • based on publicly disclosed uniform terms and conditions available to any consumer, 
    • available to all consumers in a broadly defined group (e.g., veterans) based on publicly disclosed discounts and uniform terms and conditions, or
    • through a loyalty, membership, or rewards program that a consumer affirmatively enrolls in; and 
  • Correcting an erroneous price.
• Retail Seller: A retailer (including retail food establishments) engaged in making sales, at retail, of “tangible personal property” (which includes “digital goods”). 
• Third-Party Delivery Service: An entity—outside of the operation of a retail food establishment’s business—that facilitates delivery or online ordering services to customers of a retail food establishment.

The prohibition on surveillance pricing is narrowly targeted to retail sellers and third-party delivery services. Earlier this year, Maryland enacted a similar but narrower law, the Protection From Predatory Pricing Act (HB 895), which regulates food retailers’ and third-party delivery service providers’ use of dynamic pricing, personal data, and protected class data in setting prices for food. 

The disclosure requirements broadly apply to “any person” doing business in Connecticut who engages in surveillance pricing for any reason other than to establish a discounted price for a consumer good or service as part of an online transaction, and who (online) advertises or promotes the price, labels a consumer good with the price, or publishes a statement, image, or announcement disclosing the price. These requirements include providing a mandated disclosure stating “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA” and informing consumers of their rights under the CTDPA. The disclosure must be “readily visible to the average consumer.” No disclosure is required if the price is the bona fide market price, as defined in the bill. The disclosure requirement is similar to that under New York’s Algorithmic Pricing Disclosure Act.

These provisions are subject to entity-level exemptions, including for persons licensed to operate under the state’s insurance laws and persons whose activities are based on data provided in a consumer report covered by FCRA or data reflecting factors a credit can consider under the Equal Credit Opportunity Act. 

Violations of these provisions will be enforced exclusively by the AG as unfair or deceptive trade practices. These requirements will be effective February 1, 2027.

Procedural Note: HB 5563 is substituting its own data-driven pricing requirements in place of those in HB 5222, which was in turn repealing and substituting the data-driven pricing section in SB 4. 

Genetic Testing (SB 4, Sections 17-19)

In their most recent enforcement report, the Connecticut OAG “urge[d] the legislature to adopt a standalone genetic data privacy law.” This bill responds to that call, making Connecticut the second state this year after South Dakota (SB 49) to enact a direct-to-consumer genetic testing privacy law. The requirements for direct-to-consumer genetic testing companies include—

• Transparency and mandatory disclosures to consumers; 
• Obtaining express consent for collecting, using or disclosing a consumer’s genetic data; 
• Obtaining separate consent for disclosures or transfers of genetic data to any person other than a vendor or service provider, secondary uses of genetic data, and retention of a biological sample after completion of the testing;
• Obtaining informed consent pursuant to 45 C.F.R. Part 46 for disclosure or transfer of genetic data to a third party for research purposes; 
• Limits on disclosing consumers’ genetic testing results to any person other than the consumer (without express consent or pursuant to a court order, warrant, or subpoena);
• Limits on disclosing a consumer’s genetic data to the consumer’s employer, certain insurers, or third parties whom the company knows or reasonably should know intend to use the data for marketing or targeted advertising; 
• Implementing reasonable security measures to protect biological samples and genetic data; and
• Implementing a process for consumers to access their genetic data, have their genetic data deleted, have their biological samples destroyed, and revoke previously given consent for research.

Similar to Texas’s law, this law also provides consumers with a “property right in, and . . . the right to exercise exclusive control over,” their biological samples used by a direct-to-consumer genetic testing company as well as results of DNA testing by the company. These requirements will be effective October 1, 2026.

* * *

Looking to get up to speed on the existing state comprehensive consumer privacy laws? Check out FPF’s 2025 report, Anatomy of a State Comprehensive Privacy Law: Charting the Legislative Landscape. 

Colorado Revises Its AI Act: What Changed and Why

On May 15, Governor Polis signed SB 189, revising the Colorado AI Act (CAIA) after two years of intense negotiations and national debate over the original 2024 law’s approach to AI regulation. The revised law, the Colorado ADM Act (CADMA), reflects a fundamental shift in approach: shifting from an algorithmic discrimination framework to a transparency-focused one, as well as narrowing the scope of covered AI systems, streamlining disclosures and consumer rights, and replacing governance requirements with liability allocation under existing anti-discrimination laws. 

This post examines the key changes between CAIA and CADMA, explores the context that drove these revisions, and analyzes their practical implications. Side-by-side legislative comparison chart below.

From Anti-Discrimination Governance to Transparency 

Enacted in 2024, Colorado SB 205 (Colorado AI Act) (CAIA) aimed to mitigate risks of discriminatory outcomes from AI-driven decisions in consequential domains by regulating how such systems are developed and deployed. The law subjected developers and deployers to a duty of care to protect consumers from algorithmic discrimination, with such duty presumptively fulfilled if the developer or deployer complied with the Act’s requirements. For developers, those requirements included: disclosing information to deployers regarding known limitations, possible biases, and risk mitigation measures; making publicly available information regarding high-risk AI systems and known or foreseeable risks of algorithmic discrimination; and notifying the state AG upon discovery that a high-risk AI system caused algorithmic discrimination. For deployers, those requirements included: maintaining a risk management policy and program to identify and mitigate the risk of algorithmic discrimination; annually conducting impact assessments on high-risk AI systems; publicly disclosing information regarding high-risk AI use and how known or foreseeable risks of algorithmic discrimination were managed; and also notifying the state AG upon discovery of algorithmic discrimination. See full overview of requirements in FPF’s Colorado AI Act Policy Brief (2024). 

CADMA eliminates CAIA’s governance requirements and references to algorithmic discrimination, focusing instead on transparency. Where risk is mentioned, it refers only to undefined “known risks” or “known limitations” rather than discrimination-specific concerns. Key areas of this shift include: 

• Removal of the duty of care to mitigate algorithmic discrimination; 
• Removal of algorithmic discrimination incident reporting; 
• Removal of risk management and impact assessments regarding algorithmic discrimination; and 
• Narrowing of transparency requirements and removal of disclosing bias-related information, now only “known limitations”;

Changes in Scope 

CADMA regulates “covered automated decision-making technology” (ADMT), defined as technology that processes personal data and is used to materially influence consequential decisions. In contrast, CAIA regulated “high-risk AI systems” that were a substantial factor in, or are capable of altering, consequential decisions. Although this change was likely intended to streamline coverage, CADMA’s scope is not easily characterized as simply narrower or broader than CAIA’s. It may apply to a narrower set of technologies, but its definition of “consequential decision” may be broader and its exceptions differ from CAIA’s. 

• Covered Technologies: CADMA narrows the scope of covered technologies through two requirements: systems must process personal data and actually be used to “materially influence” decisions—contrasting with CAIA’s lower bar of being a “substantial factor” or merely capable of altering outcomes. 
• Covered Decisions / Domains: Both versions address the same domains (employment, housing, education, etc.), but CADMA may broaden coverage by: (1) lowering the impact threshold—decisions need only “relate to” a covered domain, rather than have a “material, legal, or similarly significant effect” as under CAIA; and (2) expanding decision types beyond CAIA’s “provision or denial of, or cost or terms of” to include “delay” and “alteration.” However, CADMA narrows employment coverage to hiring decisions only, whereas CAIA applied to a broader set of employment decisions.
• Exemptions: CADMA does not include CAIA’s small deployer exemption. It retains most other CAIA exemptions but removes AI-enabled video games, public interest research, and entities subject to federal standards or contracts. It also narrows CAIA’s broad exemption for legal compliance and investigations to cover only anti-terrorism and money laundering activities. Notably, CADMA adds a new exemption for advertising, which CAIA would have covered under decisions regarding “access to” consequential domains.

Streamlining Disclosures and Consumer Rights 

CADMA maintains three of CAIA’s transparency requirements regarding covered systems, though in narrower form. However, it removes CAIA’s general disclosure requirement regarding any consumer-facing AI system. 

• Developers to Deployers: Developers must still provide information to deployers regarding the covered ADMT, though narrowed from CAIA’s “disclosures and documentation” to a general statement regarding the ADMT’s use, limitations, and monitoring. 
• Deployers to Consumers (Pre-Use): Deployers must still provide information to consumers prior to ADMT use, but CADMA narrows the upfront disclosure to only a statement that ADMT is being used and instructions for obtaining additional information.  Details about the system’s purpose and the nature of the decision are required only when the ADMT produces an adverse outcome.
• Deployers to Consumers (Post-Adverse Decision): If an adverse decision is reached pursuant to covered ADMT use, deployers must provide consumers a plain language description of the consequential decision and the role the covered ADMT played, instructions on how to request additional information, and an explanation of their rights. 

Similarly, CADMA largely maintains the CAIA’s consumer rights (e.g., right to explanation, correction, and appeal) but limits them to instances of adverse decisions. Consumers must be able to request the name of the covered ADMT, the inputs used, and the categories and sources of personal information used; they must be provided the opportunity to correct any inaccurate personal data used by the covered ADMT pursuant to the Colorado Privacy Act (CPA); and they must be provided an opportunity for meaningful human review and reconsideration, to the extent commercially reasonable. Notably, deployers would only need to inform consumers of their existing rights under the CPA when an adverse decision is reached (despite the CPA not containing such limitation). Unlike the CAIA, it does not appear that deployers must respond to consumer requests in a specific time period. 

Additionally, while not detailed here, CADMA includes sections regarding when notices under other laws, such as FERPA, satisfy these requirements. Developers and deployers must maintain necessary recordkeeping to demonstrate compliance for at least three years. The state AG may conduct rulemaking on the post-adverse disclosures and consumer rights. 

From Prescriptive Compliance to Discrimination Liability 

The liability framework represents one of CADMA’s most fundamental departures from CAIA. CAIA established a statutory duty of care: compliance with the Act’s breadth of governance, transparency, and consumer rights requirements created a rebuttable presumption that developers and deployers had fulfilled their obligations. Noncompliance exposed entities to AG enforcement, though defendants could assert an affirmative defense by demonstrating they had cured the violation and adopted a recognized risk management framework, such as NIST’s AI RMF. Courts would ultimately assess whether an entity’s conduct was “reasonable” under the duty of care—functionally applying a negligence standard. Importantly, CAIA did not displace liability under existing anti-discrimination statutes, though compliance documentation likely would have served as evidence in both CAIA enforcement actions and parallel discrimination claims.

In contrast, CADMA eliminates the duty of care framework and most governance requirements, making entities primarily liable for transparency and consumer rights violations. Noncompliance triggers AG enforcement, though entities receive a 60-day cure period before penalties attach. CADMA replaces CAIA’s algorithmic discrimination controls by clarifying that existing anti-discrimination law applies to developers and deployers of covered ADMT. However, developers may not be liable if a deployer uses their ADMT in a manner unintended by the developer. CADMA also restricts indemnification, where deployers cannot contractually shift liability to developers.

In practice, this means entities face narrower compliance obligations under CADMA with a 60-day cure opportunity before penalties. However, navigating the courts may become less predictable without prescribed controls to establish “reasonableness” or safe harbors. Additionally, the “intended use” standard for discrimination liability, alongside the indemnification prohibition, makes documentation critical: developers need clear specifications about proper deployment, while deployers must demonstrate they followed those specifications or accept liability for misuse. 

Conclusion

After two years of contentious debate and revision, Colorado’s AI regulation has finally reached legislative resolution. With the law scheduled to take effect before the next legislative session, entities can begin compliance planning after prolonged uncertainty. Senator Rodriguez’s retirement further marks the close of this legislative chapter. While others, such as CAIA co-sponsor Representative Brianna Titone (D), may pursue future revisions, Rodriguez’s position as both primary sponsor and Senate Majority Leader was critical to advancing the bill through contentious negotiations. Further statutory changes seem unlikely without similarly positioned leadership, though the AG’s rulemaking process may determine implementation details and enforcement approaches that could significantly affect CADMA’s real-world impact.

Colorado’s journey from comprehensive governance to an approach centered on transparency will continue to offer critical data for the debate on whether consequential algorithmic systems require specialized governance frameworks or can be adequately governed through transparency and existing law.

The EU Commission’s Approach to Age Verification: Mobile Apps, DSA Enforcement, and Challenging National Social Media Bans

On 29 April 2026, the European Commission published its Recommendation for a common approach for EU-wide age verification technologies, a non-binding policy document with the aim of harmonizing future measures for the protection of children online. 

This blog post outlines the Commission’s emerging strategic approach to the implementation of EU-wide age verification measures, provides an analysis of the legal framework envisioned for their deployment, and includes notes on the Commission’s thinking with regard to possible social media bans in individual Member States. A number of key takeaways emerge:

• In response to growing tensions surrounding the possibility of social media bans in a number of EU countries, the Commission is accelerating its attempts to enable the roll-out of age verification solutions, urging Member States to implement these by 31 December 2026;
• An analysis of the applicable legal framework, and primarily the Digital Services Act (DSA), shows that since none of its Articles include specific mention of minimum age requirements or of age verification measures, it is still unclear whether age verification solutions will be voluntary or mandatory – it is worth noting here, however, that this does not mean that age assurance methods should not be implemented, as shown by emerging DSA enforcement on the topic;  
• While the Commission’s 2025 Guidelines on the protection of minors under the DSA focus on a variety of age assurance methods, this Recommendation aims to advance the EU’s strategic approach to age verification in particular, contributing to a growing global trend focused on age verification for service access or limitations; 
• The Commission aims to develop an EU age verification blueprint – a publicly available technical specification comprising the architecture, protocols, and interfaces to be used by Member States and providers to roll out national age verification measures;
• An EU age verification scheme will also be developed by the Commission to establish the framework for “proof of age attestations,” including a list of trusted EU-based providers for such attestations; 
• While significant references are made to privacy and to ensuring that age verification measures are “privacy-preserving,” there is no reference to the GDPR and little detail regarding the technical parameters that will be expected;
  • This gap is surprising, taking into account that DPAs have started to enforce GDPR in the context of age verification solutions in recent months, after the EDPB adopted a Statement on age assurance in February 2025. 

• Invoking Directive 2015/1535 on technical regulations and two CJEU cases from 1996 and 2000, the Commission aims to make it procedurally challenging for any individual EU Member State to implement a social media ban. 

1. Applicable legal framework – From the Digital Services Act to the (not-yet-published) Digital Fairness Act 

Article 28(1) DSA states that “providers of online platforms accessible to minors shall put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service.” While the remainder of the Article covers advertising based on profiling and the further processing of personal data for the purpose of proving whether the user is a minor, it does not include mention of age verification measures. 

The Commission’s Recommendation, in paragraph 3, also makes reference to the July 2025 Guidelines for the protection of minors under the DSA, also issued by the Commission, which specifies general guidance on the application of age assurance measures. It is worth noting that, while in the 2025 DSA Guidelines the Commission focuses on self-declaration, age estimation, and age verification as tools to ensure the protection of minors online, the 2026 Recommendation aims to advance the EU’s strategic approach to age verification in particular, recognizing the higher degree of accuracy of the latter. 

The Recommendation additionally references Articles 34 and 35(1) of the Digital Markets Act (DMA) in which Very Large Online Platforms and Online Search Engines are required to “assess and mitigate actual or foreseeable risks that their service may pose to the protection of minors.” It also references Article 44(1)(j) DSA which enables the Commission to develop voluntary targeted standards to protect minors online, and recognizes that no such standards have been developed yet. 

The Audiovisual Media Services Directive, through which video-sharing platforms have an obligation to protect minors from accessing harmful audiovisual content, and the Unfair Commercial Practices Directive which recognizes minors as vulnerable users that must be protected, similarly form the basis of the applicable legal framework for age verification in the EU. Finally, the upcoming Digital Fairness Act is expected to fill any gaps left unaddressed, though the Recommendation does not specify which ones. 

Two notes are particularly relevant when considering the applicable legal framework:

• Mandatory or voluntary? – While the requirement to implement age verification tools is not explicitly included in any of the abovementioned laws as a legally binding obligation for digital services providers, both the Commission’s DSA Guidelines and the Recommendation may be taken into consideration by national Courts when interpreting existing, binding EU law.
  • Lessons from emerging enforcement under the DSA is, however, showing the inadequacy of age assurance methods currently being implemented for compliance which are, so far, largely based on self declaration and age estimation (rather than age verification) – for example, the Commission preliminarily finds (April 2026) Meta in breach of the DSA for failing to prevent minors under 13 from accessing Facebook and Instagram; and the Commission opens an investigation into Snapchat (March 2026) for not preventing users under 13 from accessing the app, and not adequately assessing whether users are under 17, which it deems necessary in order to ensure an age-appropriate experience.
• Enforcement also shows inconsistencies in EU harmonization regarding the age of a minor – While there is no consistent and agreed upon age of the child under EU law, the Recommendation defines a “minor” as anyone under the age of 18 – however, across individual Member States the age of the minor can range from 13 to 18.
  • Under the GDPR, which is not referenced by the Recommendation, the processing of personal data of a child in relation to the offer of information society services directly to them is lawful where that child is at least 16 years old (Article 8(1)), though Member State law may provide for a lower age (which must not be under 13). 
  • Since Member States have discretion in defining the age of a minor within their national territory, “EU-wide” age verification measures may become fragmented depending on this definition. 

2. Age verification blueprint and age verification scheme 

When it comes to operationalizing EU-wide age verification tools, the Commission will develop a blueprint consisting of the technical specifications that such tools should follow and an open source implementation as a mobile app that can be customized to national contexts. This will be consistent with the EU Digital Identity Wallet, acting as an additional “age verification functionality”, which Member States are expected to operationalize by the end of 2026. It is worth noting that the EU Digital Identity Wallet is also voluntary for citizens and businesses, although Member States have the obligation to make the option available. 

The Commission will additionally develop an age verification scheme, with requirements for providers of proof of age attestations and age verification solutions to meet, and including a list of EU-based trusted providers of such attestations. The role of the attestation is to ensure conformity with the criteria of effectiveness of the age verification solution, namely accuracy, reliability, robustness, non-intrusiveness, and non-discrimination (these criteria are outlined in the Commission’s 2025 DSA Guidelines, mentioned above). 

Two notes are particularly relevant here:

• While the Recommendation does not include significant details regarding the proof of age attestations, its reference to conformity is reminiscent of the Conformity Assessment required under the EU AI Act, hinting at the further expansion of a product safety approach across the EU digital regulatory ecosystem; 
• The Recommendation specifically notes that the trusted providers of such attestations, which can be public or private entities, must be EU-based, recalling the Commission’s broader strategic goals in the area of EU digital sovereignty. 

From a global perspective, the Commission’s age verification scheme may be comparable to recent age assurance developments in other jurisdictions—such as the ongoing rulemaking efforts by the New York Attorney General’s Office to establish age assurance standards and accuracy benchmarking requirements under the SAFE for Kids Act, and Australia’s Age Assurance Technology Trial which assessed a variety of age assurance solutions and vendors but sought only to determine the feasibility of age assurance mechanisms from participating vendors rather than assess provider conformity with legal requirements. Notably, the Commission’s efforts seemingly go beyond both New York’s and Australia’s since it aims to establish requirements for conformity supplemented by a list of EU-vetted, trusted providers for use in legal compliance.

3. “Privacy-preserving” age verification?

Notable references are made throughout the Recommendation to the importance of privacy. Through this Recommendation, the Commission aims to facilitate the development of “harmonised, privacy-preserving, cybersecure, data protection compliant and robust EU age verification solutions.” Without reference to the GDPR, the Recommendation nonetheless relies on key data protection principles and requirements, interpreting “privacy-preserving” as preventing unnecessary data collection, unauthorized access or misuse of personal information.  

To be privacy-preserving, the age verification solution should, by default, limit the information shared to the relying party to a true or false response regarding the age of the individual, without providing any further information about them. Additionally, the Recommendation states that verification methods “should include technical safeguards to protect citizens from privacy and data protection risks, such as tracking of their online activity, including the use of zero knowledge proofs.” 

While there is no further elaboration of the expected technical safeguards or the privacy-enhancing technologies that could be deployed, it is likely that there will be significant interest in these attributes, particularly following the security flaws found in the EU “age checking app” launched by the Commission in early April. 

4. On social media bans: From political debate to procedural impossibility 

The Commission’s Recommendation is timely in that it comes as some individual EU Member States, such as France (for under 15s), Spain (for under 16s), and Germany (for under 14s, with stricter rules for under 17s), consider social media bans. 

With a view to harmonization and the prevention of barriers within the internal market, the Recommendation invokes an administrative requirement found in Directive 2015/1535 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services. On this basis, where Member States consider introducing technical measures restricting minors’ access to online platforms, they have an obligation to report such measures to the Commission before they are adopted. This notification triggers a 3-month (extendable) standstill period during which the Member State is prevented from adopting the restriction, and a series of dialogues both with the Commission and with other Member States through the Digital Services Expert Group. Digital Services Coordinators, on the basis of the DSA, can also bring the issue for consideration to the European Board for Digital Services, a forum for cooperation for ensuring the coherent enforcement of the DSA.

Should a Member State fail to notify the Commission of the draft technical measure they are considering for restricting minors’ access to online platforms, it would be considered “a procedural defect that renders the measure unenforceable against individuals in national court proceedings”, and would be inapplicable to individuals. The Recommendation cites CJEU Case C-194/94, CIA-Security and Case C-443/98, Unilever in its reasoning. Furthermore, the Commission could initiate proceedings against a Member State should the proposed national measures regarding restricting minors’ access to online platforms be found to be incompatible with the DSA. 

As regulators globally continue to navigate the intensifying youth online safety space, the Commission’s Recommendation adds another thread to the global patchwork of proposals aimed at restricting or banning social media access for minors. Several countries outside the EU are considering bans for minors, such as Australia and Indonesia which both recently started implementing social media bans (for under 16s), or targeted restrictions on social media access, such as in Brazil (which requires that accounts of minors under 16 are linked to a parent account in the recently effective Digital ECA) and the US (where legislation is pending that would ban minors under 13 from holding accounts and restrict use of certain platform features within teen accounts).

5. Concluding Notes 

It is still uncertain how the age verification landscape will develop across the EU. As enforcement shows that the currently implemented lower-accuracy age assurance measures are increasingly deemed incompatible with the DSA, and political pressure grows within and across Member States to more adequately protect minors online, the Commission is attempting to set the tone for a harmonized approach.

 While the Recommendation is a non-binding, soft law instrument, it shows the Commission’s strategic direction and positioning regarding age verification measures. Nevertheless, specific details regarding the technical specifications, protocols, interface, the interoperable and privacy-preserving features of such tools, as well as how (and when) each individual Member State will operationalize them, remain open questions. 

Taking stock: The Impact of the India AI Impact Summit 2026

India’s hosting of the AI Impact Summit 2026 was an ambitious undertaking. With 600,000 attendees and 92 signatories to the New Delhi Declaration, the Summit was a showcase of a Global South country taking a leading role in shaping the AI governance agenda. The Summit’s official framing centered on infrastructure, compute, and equitable access to AI. What emerged across the week, and across FPF’s engagements in New Delhi before and during the Summit, was a global AI governance conversation defined by the tension between ambitious multilateral declarations and the slower, harder work of building the institutions and tools needed to make them real.

Now that the dust has settled, this blog post takes stock of the impact the Summit has had on the global AI governance conversation, drawing takeaways from FPF’s participation in events across Pre-Summit and the Summit itself. The threads that emerged from our engagements with the programming in New Delhi and now continue to manifest in various ways are: (1) the growing role of sandboxes as governance infrastructure; (2) whether global AI policy conversations can hold together in the face of geopolitical divergence; and (3) the sharpening focus on children’s safety and agentic AI as specific governance challenges that are moving faster than the frameworks designed to address them.

Theme 1: For AI governance to scale, it needs the right testing environments, and sandboxes are emerging as an answer

FPF participated in two events tied to India’s AI Impact Summit 2026, both co-organized with Nasscom. On 20 January 2026, FPF and Nasscom co-hosted a Pre-Summit Event in New Delhi titled “Building Safe Spaces for AI Impact: Regulatory and Private Sandboxes,” bringing together senior government leaders, regulators, global industry representatives, and policy experts. From 16–21 February 2026, Jules Polonetsky, CEO of FPF, Josh Lee Kok Thong, Managing Director for APAC, and Bilal Mohamed, Policy Manager for India, represented FPF at the Summit itself, co-organizing a high-level panel with Nasscom, hosting an FPF Salon Dinner on 17 February, and participating in bilateral engagements throughout the week.

The FPF delegation at the India AI Impact Summit 2026. From L-R: Josh Lee Kok Thong, Managing Director (APAC); Jules Polonetsky, CEO; Bilal Mohamed, Policy Manager for India Photo credit: Josh Lee

One of the clearest messages from the Pre-Summit Event was that the global AI governance conversation has moved decisively beyond the question of what principles should govern AI toward the more difficult question of how to build the regulatory infrastructure needed to put those principles into practice. Sandboxes (whether in their regulatory and private organizational forms), are emerging as one possible lever to achieving this.

The Pre-Summit Event’s first panel, moderated by Josh, brought together regulators from India, Singapore, and Brazil alongside industry experts to examine the evolution of regulatory sandboxing. Two key insights emerged:

• First, sandboxes have seen global uptake as a mechanism for translating governance principles into practice. Over 200 regulatory sandboxes are now in operation globally, 70 of which are focused on AI. More importantly, their function is changing. Where early sandboxes primarily granted permission for testing, well-designed sandboxes today generate the real-world evidence regulators need to write better-calibrated rules. Singapore’s Infocomm Media Development Authority (IMDA) has pioneered a phased methodology moving from case studies to guidelines to formal standards, offering a model of prospective enforcement grounded in observed technical reality.
  
• Second, sandboxes are becoming interoperable by necessity. AI-driven products cut across sectors in ways that engage multiple regulators simultaneously. The Reserve Bank of India’s Interoperable Regulatory Sandbox mechanism, introduced in 2022, was designed to test products that trigger obligations across jurisdictional lines. Similarly, Brazil’s Agencia Nacional de Proteção de Dados (ANPD) deliberately involves other regulators, technical experts, and civil society from the outset, recognizing that the questions sandboxes address are rarely confined to a single institution’s mandate.

The second panel examined how organizations are building private sandboxes for AI governance. The discussion, featuring representatives from Coforge, PayPal, Salesforce, Palo Alto Networks, and European Data Protection Supervisor (EDPS) AI Unit, highlighted two practical insights:

• First, private sandboxes help organizations build trust with both consumers and regulators. Sudheer described Salesforce’s “Customer Zero” approach: before any AI product reaches customers, it is deployed internally across Salesforce’s 80,000-person workforce. The Salesforce philosophy of “build it, use it, fix it, scale it, and then sell it” surfaces real-world failures that may be limited by laboratory testing and allows governance guardrails to be refined before external rollout. Sam described how Palo Alto Networks used isolated “dirty lab” environments to subject models to curated malicious prompts, simulating prompt injection, data leakage, and adversarial manipulation, to establish a behavioural baseline before deployment. For companies navigating frameworks like India’s Digital Personal Data Protection Act, 2023 (DPDP Act), internal sandboxes serve as a signal of due diligence to regulators, demonstrating structured processes throughout the product lifecycle.
• Second, unlike generative AI systems (whose failure modes are at least probabilistically characterized), agentic systems take autonomous actions, which means sandboxing must simulate intent rather than just behavior. More broadly, governance frameworks must be built to outlast the specific technologies they regulate. As Christian Lau of Dynamo AI described during the first panel, organizations must “separate the governance layer from the tech layer,” building accountability mechanisms that remain intact as models evolve.

Theme 2: Geopolitical divergence is exposing the limits of international AI governance

As the first Global South host of the AI Summits, India played an important bridging role, keeping the focus on how AI can drive economic development across Africa, South America, and Asia. The adoption of the New Delhi Declaration, signed by 92 countries and international organizations – including the US, China, and G7 nations – reflected genuine multilateral ambition, even as its voluntary and non-binding character also revealed the limits of that ambition.

The Summit provided a platform for different philosophies on AI governance and oversight to be articulated, with geopolitics in the backdrop. Michael Kratsios, Director of the White House Office of Science and Technology Policy, argued that AI policy must remain national and local, and that international fora risk creating centralized oversight that could stifle innovation under the guise of safety. Implementing this vision, the US outlined a set of parallel initiatives: an American AI Exports Program, new development finance instruments, a Tech Corps initiative embedding US technical experts with partner governments, and an AI Agent Standards Initiative through the Department of Commerce.

On the other hand, the President of France, Emannuel Macron, who hosted the previous edition of the AI Summit in Paris, promoted the EU AI Act in his speech as evidence that responsible and competitive AI are not in opposition, and argued for an approach that treats oversight as foundational to AI development rather than an obstacle to it. 

India, as host, articulated its own approach. During the fireside chat concluding the Pre-Summit Event, S. Krishnan, Secretary, Ministry of Electronics and Information Technology (MeitY), outlined a philosophy of regulation “only when necessary,” explaining that India’s constitutional framework allows sectoral regulators such as Securities and Exchange Board of India (SEBI) and the Royal Bank of India (RBI) to oversee AI within their respective domains, rather than relying on a single, prescriptive national law. This middle path eyed by India relies heavily on the kind of regulatory infrastructure discussed in Theme 1.

FPF’s Managing Director for APAC Josh Lee Kok Thong engaging MeitY Secretary S. Krishnan during the fireside chat at the FPF-Nasscom Pre-Summit Event. Photo credit: Nasscom

FPF’s own Summit panel, titled “From Policy to Practice: Governing AI for Global Impact“, co-organized with Nasscom and moderated by Ashish Aggarwal (Nasscom), brought this tension into sharper relief. The panel featured Carina Prunkl (INRIA), Jules Polonetsky (FPF), Gail Kent (Google), Ivana Bartoletti (Wipro), and Wifredo Fernandez (xAI). Three insights from the discussion stood out.

First, it was highlighted that a critical question for the adoption of responsible AI practices is whether emerging baselines are clear and accessible enough to prevent a race to the bottom on safety. As Jules Polonetsky noted, weak or expensive compliance infrastructure creates competitive pressure to cut corners, a particular risk for startups and smaller players. 

Second, governance frameworks must be built for specific contexts rather than transplanted from elsewhere. As Gail Kent noted, Indian users rely heavily on voice, video, and image-based inputs rather than text, which fundamentally changes the safety and privacy challenges that need local attention. Third, as Ivana Bartoletti argued, India’s “techno-legal” approach positions it to be an architect of governance solutions rather than a recipient of frameworks designed elsewhere.

These observations point to something important that focusing on divergent regulatory philosophies can obscure. The real risk in global AI governance may lie less in countries choosing different regulatory models, and more in those models being either ineffective overall or inaccessible to smaller actors that a shared floor on safety ceases to exist. 

A packed full house at FPF’s and Nasscom’s official session at the India AI Impact Summit.
Photo credit: Josh Lee

Theme 3: There is a cross-border consensus to regulate for children’s safety, but approaches vary

Despite differences in AI regulatory philosophies exposed during the Summit, child safety emerged as a point of cross-border consensus. Prime Minister of India, Narendra Modi, called for AI to be child-safe and family-guided, and for mandatory authenticity labels on AI-generated content. President Macron urged India to join a coalition restricting social media access for children.

Prime Minister Modi’s remarks were also grounded in a domestic regulatory development that had unfolded days before the Summit. On 10 February 2026, MeitY notified the IT (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026, introducing India’s first formal framework for synthetically generated content. The amendments require intermediaries to label AI-generated content, block the creation and dissemination of child sexual abuse material and non-consensual intimate imagery, and comply with a three-hour takedown window for prohibited content. 

In India, the momentum has not been limited to the federal government. On 6 March 2026, the state government of Karnataka announced in its 2026–27 State Budget a proposed ban on social media use for children under 16, citing concerns over digital addiction, mental health, and declining academic performance. On the same day, the Chief Minister of Andhra Pradesh, Chandrababu Naidu, announced that the state would implement a ban on social media for children under 13 within 90 days. At the federal level, the DPDP Act already requires parental consent for the processing of personal data of children below the age of 18.

India’s actions sit within a broader global trend. In July 2025, the EU adopted guidelines on the protection of minors under the DSA; Australia implemented a social media age ban for under-16s in December 2025; and Singapore’s IMDA introduced age assurance requirements for app stores. In the weeks since the Summit, that response has accelerated. The White House’s National Policy Framework for AI placed children’s safety at the center of its legislative recommendations. Dozens of chatbot safety bills are under consideration in state legislatures across the US, and the US Congress. In the UK, Prime Minister Keir Starmer announced that AI chatbots will be brought under the Online Safety Act. The World Economic Forum’s Global Risks Report 2026 ranked online harms among the top risks of the next decade. 

Taken together, this activity signals that child safety in the age of AI has become the rare governance issue that commands cross-jurisdictional political consensus, even as the jurisdictions diverge on almost every other dimension of AI oversight. The harder question is whether frameworks across jurisdictions, which share the same underlying concerns but differ in their approaches to age assurance, parental consent, and platform liability, can converge enough to hold platforms to consistent and effective standards. It is a question that India, with its large minor population and newly enacted synthetic media rules, has a significant stake in helping to answer.

Conclusion

The vivid debates at the Summit showed that AI governance approaches will be shaped by the economic, political, and legal contexts in which different nations operate. The real question is whether enough common ground can be built to prevent a race to the bottom on safety and responsible AI, as was highlighted by the FPF-Nasscom panel.

India’s hosting of the Summit was an important signal that this work is genuinely global in its participants and ambitions. The governance gaps that came into focus in New Delhi, from agentic AI accountability to the protection of children in AI-mediated spaces, to the question of whether voluntary multilateral declarations can be turned into durable commitments, represent the agenda for the conversations ahead.

The New(ish) Architecture of Consumer Health and Artificial Intelligence

The rise of AI-powered health tools is prompting new thinking about how, where, and when sensitive health information receives legal protection. According to media reports, consumers are now using general-purpose AI tools to upload or query health information, including medical records, and several companies have recently released large language model (LLM)-based tools customized for consumer health uses. While such records are protected by the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule when collected by healthcare providers and health plans, they largely fall outside HIPAA’s protections once uploaded to consumer-facing AI platforms.

Using online tools to seek health information is not new and consumers have long used health and wellness wearables and apps to share medical information for holistic health experiences, often with beneficial outcomes. Where downloading medical records is still a frustrating or limited experience, policy and technical architectures have  emerged to facilitate consumer-directed health information-seeking. What is new is the underlying health data architecture utilized by AI tools and LLMs. This new architecture is a combination of policy shifts, product features, and public privacy commitments – setting new consumer expectations for how consumer health data should be handled based on old frameworks like HIPAA.

This blog post examines the emerging architecture of AI-powered health tools and its implications for privacy, governance, and consumer protection. We explore:

• A New(ish) Health Data Architecture: Under mandatory patient access policies, patients are transferring HIPAA-protected data out of covered environments—effectively stripping it of its HIPAA status—where it is commingled with consumer health information in AI and LLM-based tools. Novel data and privacy protection practices and policies are emerging that seek to meet patient-consumer expectations for protection and may establish new industry standards around health data architecture.
• Key Implications: This evolving architecture raises critical questions about regulatory applicability when medical records move outside HIPAA’s scope, how platforms should handle inferred health information about non-users, whether AI can adequately account for clinical nuance and medical judgment, and how to measure the effectiveness of voluntary privacy safeguards. 

Traditional Health Data Architectures: Client-Server

A fundamental challenge in consumer health technology has been navigating the governance practices and technical architecture needed to handle two categories of health information regulated by distinct legal frameworks. Medical Records or Protected Health Information (PHI) held by healthcare providers, health plans, and their business associates are protected by  HIPAA—a highly regulated, entity-based framework that attaches protections based on who holds the data and in what context it was collected. Consumer Health Data or Information, by contrast, collected by commercial entities like health and wellness apps that fall outside HIPAA’s scope, is governed by a variety of state consumer privacy and protection laws—which are data-based frameworks where protections depend on the type of information collected and where the individual lives. This divide is not new: even before AI, online symptom checkers and wellness tools required personal health information to function while operating outside HIPAA’s regulatory perimeter.

Until recently, patient portals which siloed HIPAA-protected data in authorized environments and consumer informational websites used a similar technical architecture of client-server. In a client-server architecture, users would input information into a web-based form (client), which would then send this data to a central server that would store the data according to protection requirements. Servers would run a pre-programmed, rules-based logic engine to organize, analyze, and respond to user requests or queries. The process was largely deterministic and relied on the explicit technical rules encoded by human experts. 

Patient/Consumers as the New(ish) Arbiters of Data and Privacy

Another architectural shift in policy is the enforcement of the individual patient’s power to access and move their electronic health records (EHRs) between systems and protection frameworks. Individuals have historically had tacit but inconsistent access to their electronic health information (EHI) as facilitated by the HIPAA covered entity. Federal law penalizes Information blocking where medical information is not accessible to individuals who are entitled to access. The 21st Century Cures Act (Cures Act) defines information blocking as “a practice by an individual or entity that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information except as required by law or as specified in an information blocking exception.” As of February 2026, the Information Blocking Complaint Portal has been open and actively used, with over 1,600 complaints submitted and some predicting enforcement in the future.

The requirement for HIPAA-covered entities to facilitate access and transfer of EHI, per the Cures Act, allows individuals to control that version of their information and upload or transfer it as they want or need. This policy transformation is facilitated by an associated technical shift under the Cures Act where healthcare entities must maintain standardized APIs allowing data to be interoperationalized and more easily moved between systems. This interoperability and access is the essential precursor to the consumer health AI that may include previously HIPAA-protected information. Without this first step, many individuals may not have had easy access or transferability of EHI, whereas now, individuals may largely access, download, and upload their EHI at will with few barriers. Simply put, individuals are, now more formally, the arbiters of their own data and privacy protections regarding their EHI and will choose which systems to move their medical records into or out of. Individuals, however, may or may not be aware of what protections apply, meaning that at least in regards to data and privacy protections, individuals may not always be making informed decisions when moving their EHI. 

LLMs can integrate patient-accessed and -uploaded medical records with non-HIPAA consumer health data; these systems go far beyond existing querying tools familiar to stakeholders and into longitudinal, pattern-aware platforms. This convergence creates a centralized point of sensitive and variably-regulated health data, fundamentally shifting privacy obligations and trade-offs for all stakeholders throughout the data lifecycle.

The New Architecture for Health Data Protection 

The confluence of shifting from deterministic client-server to AI architectures and the evolution of individuals’ access to the information in their medical records changes health data systems. This technological and regulatory evolution redefines how organizations handle consumer health data, creating new data ecosystem practices and expectations.

Key examples of the practices starting to emerge in response to this evolved ecosystem center on public promises to maintain HIPAA level data and privacy protections for consumer data. Simultaneously, governance frameworks beyond traditional regulations—such as voluntary public commitments and AI ethics boards—proactively manage AI risks. These technical and policy changes, coupled with heightened privacy commitments that exceed legal requirements, establish new expectations for handling consumer health data (regardless of HIPAA status). This new architecture—involving technology, policy, and design— merits careful evaluation, introducing challenges in explainability, bias, and control that require innovative policy and technical responses.

Examples of Revised Architectural Approaches

Some entities have explored mechanisms for revising this traditional architecture. For example:  Health Data Segmentation and Expanded Protection Promises: While traditional consumer health tools may have had the option to upload health records from various sources, the health records would not remain separate or receive additional protections. Once a user had voluntarily shared health data, regardless of source, with a non-HIPAA entity, the data was protected in the same way as other health or wellness data. Some AI companies are now purporting to implement “purpose-built isolation, separate memories, and compartmentalized storage” – continuing the practice of allowing individuals to upload their medical records but offering separate digital space for centralization that also encompassed health and wellness data.  Data Minimization, Necessity Requirements, and AI Training Policies: Another growing piece of policy architecture emerges around how AI platforms and downstream entities handle user data, which can be understood through two distinct regulatory developments with potentially overlapping impacts. First, new laws and regulations are increasingly imposing substantive data minimization requirements that tie the collection or processing of personal data strictly to what is “necessary” to provide a requested product or service. If these necessity requirements are interpreted narrowly, or if they fail to include exceptions for routine activities such as product improvement and development, they may effectively prohibit companies from training AI models on uploaded or shared consumer health data, regardless of company’s promises to not train on the data. Second, distinct from general data minimization rules, new AI-specific laws and regulations may take a more direct approach by outright banning the training of AI models on some or all user input data. Together, these legal frameworks aim to limit the potential for secondary uses and unintentional data leakage, fundamentally shifting the responsibility for data protection upstream to foundational AI providers. This proactive and multi-pronged approach underscores that restricting data use is likely an essential aspect of data governance as consumer health data increasingly intersects with powerful, continuously learning AI systems.

Critical Implications This Architecture Raises

Regulatory Fragmentation Meets Novel Architecture in Health Data and Privacy Protections 

The architectural convergence of patient-controlled and interoperable HIPAA-protected data with non-HIPAA health data creates unique regulatory compliance challenges. When individuals upload medical records to AI platforms that aren’t HIPAA-covered entities, that data may lose HIPAA protection and become subject to a fragmented patchwork of state and federal laws—with protections varying significantly based on the user’s location and the nature of the data. 

What makes this particularly complex for LLM-based health tools is that the same system may be simultaneously subject to multiple, sometimes conflicting, regulatory frameworks. A single platform might need to comply with:

• FTC prohibitions on unfair and deceptive practices and the Health Breach Notification Rule
• State restrictions on AI use in mental health contexts (e.g., Illinois’ Wellness and Oversight for Psychological Resources Act)
• State health privacy laws that exceed HIPAA protections (e.g., California’s Confidentiality of Medical Information Act)
• Comprehensive state privacy laws and health-focused privacy laws (e.g., Washington’s My Health My Data Act and Virginia SB 754)
• Genetic privacy laws when records contain genomic information (e.g., Texas HB 2545 and the Texas Genomic Act) 
• Youth protection laws, when known minors share health information that contains or signals their age and with verifiable-parental consent (VPC.)

The bottom line: both standard general purpose LLMs and health-focused LLMs will be subject to similar standards of consumer protection, privacy, and AI laws. Furthermore, where companies publicly state a health-focused LLM will have increased protections due to the sensitive nature of the health information uploaded to the LLM, regulators may enforce those public statements.

Multi-Party Consent for Auxiliary Data in Single-User Systems

Though the conversation around consumer health AI often remains focused exclusively on the data of the individual user who is sharing, medical records and health conversations often contain information about people who didn’t consent to share their data with an AI platform. Although a platform may not retain the medical record itself, a range of information and inferences may be drawn from the information it contains. This auxiliary data can include:

• Group Data: Information pertaining to third parties, such as children, older adults, or family members, whose data may be present in a shared record (including separately regulated genetic information), regardless of the user’s purpose for uploading it (which could range from well-intentioned care coordination to malicious use).
• Provider Data: Identifiers, tax numbers, notes, or references concerning healthcare providers and potentially medical facility staff, raising privacy concerns for these employees.
• Intellectual Property: Data that may be subject to copyright, trade protections, or clinical secrecy (e.g., specific internal protocols, proprietary clinical methodologies, or copyrighted educational materials found within a medical record).

Because traditional consent frameworks often assume a single data subject, this architecture reveals the limitations of that assumption.

​​Clinical Judgment Meets Algorithmic Interpretation

Medical practice routinely involves judgment calls that fall outside standard protocols but serve patients well. Off-label prescribing (e.g. using FDA-approved drugs for conditions they weren’t officially approved to treat) is one common example. This practice is evidence-based and widespread in clinical medicine, but general-purpose LLMs may flag it as incorrect or potentially dangerous, creating questions around liability.

The implication extends beyond off-label prescribing to any clinical decision involving nuance: evolving treatment guidelines, patient-specific contraindications, or the expert reasoning that experienced practitioners apply to complex cases. When AI systems interpret these decisions as errors rather than judgment calls, they risk undermining the patient-provider relationship and creating confusion about appropriate treatment. The challenge is designing systems that can acknowledge uncertainty and defer to clinical expertise rather than treating medicine as a domain with algorithmic certainty.

Conclusion

The integration of AI into health data introduces a new challenge by centralizing highly-regulated medical records with less-regulated consumer health information, often outside of HIPAA protections. This shift raises critical questions about the practical implementation of technical privacy safeguards, the management of sensitive “auxiliary data” (like information about family members or providers) within uploaded records, and the ability of AI models to interpret complex clinical nuances, such as off-label prescribing. Moving forward, clarity in protections and applicable state and federal regulations are crucial to ensure the benefits of these changing technologies going forward.

Celebrating Another Year of Privacy and AI Governance: FPF at the 2026 IAPP Global Summit

Authored by FPF Communications Intern Celeste Valentino

FPF experts participated in the 2026 IAPP Global Summit and hosted FPF privacy executive convenings in Washington, D.C. from March 31 to April 2. As a major gathering for privacy professionals, the event featured a heavy schedule of workshops and panels focused on the intersection of U.S. and global governance with shifting technology and policy. From exploring high-stakes AI regulation and youth-centered design to discussing the future of the privacy workforce, FPF experts joined industry pioneers and global regulators to provide expert analysis on the most pressing issues in privacy and AI governance.

Through member meet-ups, vibrant networking at our annual Spring Social, and engaging discussions at our Exhibition Hall Booth, FPF spent the week equipping practitioners with the frameworks and foresight needed to navigate a rapidly shifting digital landscape.

We kicked off our member convenings with a Privacy Executives Network (PEN) breakfast on March 30 at the Marriott Marquis Anthem. Attendees discussed data mapping and minimization, AI vendor deployment, agentic AI controls, and more.

Later on, FPF Senior Fellow, Tanya Richardson, spoke on a panel titled “In AI We Trust? Governing High-Stakes AI Before Regulators Step In.” Appearing alongside Hope Anderson (Partner, Data, Privacy and Cybersecurity, White & Case), Taylor Galusha, (Lead Privacy and AI Counsel, Chime),  and Marisha Pareek (Senior Privacy Counsel, DoorDash), the panel provided a comprehensive toolkit and actionable framework designed to help organizations navigate the rapidly tightening landscape of AI regulation and enforcement.

As the first day of the conference came to a close, FPF welcomed visiting DPAs, VIPs, and industry leaders into our Washington, D.C. office for our annual Spring Social. The evening featured fantastic networking, stimulating conversation, and fresh introductions as we toasted to another exciting year in privacy and data protection. A special thank you to our sponsors FTI Consulting, RadarFirst, and TrustArc!

The next morning, FPF held a Global PEN breakfast roundtable. CEO Jules Polonetsky and V.P. of Global Policy, Gabriela Zanfir-Fortuna facilitated a conversation centered around global privacy and AI regulation. Members and special guests discussed global anonymization frameworks, synthetic data, digital sovereignty, and tools to help scale AI and privacy governance. 

In the afternoon, FPF hosted a PEN lunch with Mike Macko, Deputy Director of Enforcement at the California Privacy Protection Agency. Macko discussed the CPPA’s enforcement strategy and 2026 priorities, including the critical role of internal privacy teams for organizational risk management, the agency’s interpretation of data minimization in enforcement actions, expectations for user interfaces handling consumer preferences, and coordination with state Attorneys General on cross-jurisdictional enforcement.

FPF CEO Jules Polonetsky joined Joe Jones (IAPP), Julie Brill (Harvard Law School and Innovation Labs), and Nicole Wong (NWong Strategies) at “(De)coding for (de)regulation”. The group examined how the global push for technological sovereignty and data-driven growth is fundamentally transforming traditional regulatory compliance into a strategic driver for innovation.

At the same time, FPF Director for Youth Policy, Holly Hawkins, spoke on the panel “Personal, Private, Protected: The Future of Youth Personalization.” This discussion featured Emily Kirstein (Google), Morgan Reed (ACT | The App Association), and Yalda Uhls (Center for Scholars & Storytellers, University of California, Los Angeles); where they challenged the idea that AI-driven personalization must come at the expense of youth safety, arguing instead for a “youth-centered by design” framework. 

Next door, FPF Senior Fellow Doug Miller was part of the panel “Beyond Automation: Growing the Next Generation of AI-ready Professionals,” with industry leaders including, Noga Rosenthal (Ampersand), Andrew Dale (OpenAP), and Katherine Fick (IBM), where Doug shared practical strategies for mentoring the next generation, focusing on fostering human judgment and evolving skillsets to ensure leadership remains resilient in an AI-augmented workplace.

Closing out the conference, two FPF experts led immersive training sessions, sharing their deep expertise and insights with fellow practitioners. 

In the morning, FPF Senior Director for U.S. Legislation, Tatiana Rice helped lead “U.S. State Privacy Crash Course — What is New and What is Next?”, guiding participants to understand the commonalities in U.S. legal requirements. In the afternoon, Tanya Richardson took over to co-lead “Adtech, Marketing and the Future of Consent in the Era of AI”, a workshop intended to examine how shifting AI regulations are reshaping legal and technical decision-making in adtech. 

Throughout the week, the FPF booth served as a central hub for IAPP GS attendees, attracting a diverse crowd of policymakers, industry executives, and privacy scholars. Visitors engaged with our staff to explore FPF membership and discuss pressing initiatives such as the regulation of AI agents and the everchanging landscape of U.S. privacy regulation while picking up infographics, and other resources. 

We hope you enjoyed this year’s IAPP Global Summit as much as we did! If you missed us at our booth, visit FPF.org for all our reports, publications, and infographics. Follow us on X, LinkedIn, Instagram, and YouTube, and subscribe to our newsletter for the latest.

Adapting the Privacy Profession to Changing Times

As spring comes into full bloom, the changing of the seasons offers an opportunity for privacy teams to start thinking about how they can be more effective in their workplaces. Privacy work needs to evolve in a couple of important ways, and the value of that work for the organization may have its highest manifestation as a strategic partner helping the organization itself re-invent its work.

One path is through alliance. It is true that many new issues are coming up that, to some organizations, may seem to be a higher priority than privacy. These issues of course include AI but also youth online safety, age assurance, and cybersecurity. There is a growing basket of privacy and compliance issues: governance risk and compliance, data protection, trust and safety, content moderation, AI governance, cybersecurity, and in advertising, debates around the appropriate role of generative AI in creating ads. We might previously have thought of these issues as “privacy adjacent” but increasingly we can think of them as “data governance gateways.” The organization prioritizes these issues because they must, and yet each one is a gateway back to privacy concerns. Leading with these other issues can create a path back to the key data governance issue on the agenda of the privacy team.

Managing these data governance gateways means building alliances with the other people at the organization integral to concerns. Some privacy teams have felt stretched as their work on  AI privacy and governance has grown, but these issues can be reframed as a gift to the privacy team because it is something that the organization deems important and a high priority. Leading on governance in a strategically critical area allows privacy teams to get the attention of the C-Suite and other key stakeholders and make the case for why resources are needed to fulfill it.  The organization probably already is prioritizing cybersecurity, so a good relationship with the CISO team is vitally important: it may have budget resources that the privacy team does not. These other issues and teams offer the potential for networks of alliances.  On an organization chart, these developments might look like a diminution of privacy team influence.  But real influence is shaped by productive interactions, effective communication of a clear message, and the finesse and persistence entailed in effective leadership across different teams of stakeholders. The skill and mindset for privacy executives of leading across teams has never been more important.

It’s also possible for privacy teams to continue to evolve. In their early stages, the privacy team was the “Lonely Voice,” an appendage to the legal department or the marketing team that tried desperately to get attention to its issues but was often a low priority voice. We certainly hope that no privacy teams are still stuck there. Many of them advanced to a higher evolution, establishing effective partnerships in the organization with other key stakeholders, including marketing teams, sales teams, product teams, and privacy engineers. Successful teams positioned themselves to be the “Pathfinder”  helping guide the organization through the minefield of increasing regulation and law and enabling the organization to execute its goals.  

Over the past few years, we have started seeing the next evolution of the privacy team’s role, initially to a broader data governance role and now to a position more readily perceived as a strategic partner, helping the organization compete in the age of AI. More than ever legal regulatory and enforcement trends demand consideration of data stewardship, accuracy, bias, transparency, and safety in the business planning and strategy processes. Cybersecurity, always a major risk, is deeply stressed by the new threats enabled by AI. Beyond regulatory and enforcement trends, AI is reshaping how every business plans and operates and data protection and governance issues are increasingly strategic, if AI enablement is to advance.

The alliances across various compliance or data governance gateway stakeholders that the privacy executive builds now become of strategic importance not just for the privacy team but for the organization itself.  It’s helpful to think of “data governance” not just as the small basket of privacy issues but as a larger basket of “data governance gateway” or “privacy adjacent” issues for which there is a cohort of allies  – a “compliance alliance” – with significant influence across the organization.  This new compliance cohort now must be the strategic partner helping the organization succeed. These executives, whether Chief Privacy Officer, Data Governance Leader, Responsible AI executive or other, are well positioned to lead this effort as they work across teams and silos. 

Consider cybersecurity, where substantial investment is required in core technology and resources, but equally important are cultural changes that need to be made to reduce risk from avoidable human mistakes made by employees. Focusing on cultural change with deeper business awareness across all teams, not just the cybersecurity team, will ultimately help the organization protect itself.  The cybersecurity team benefits from this compliance alliance.

In advertising and ad tech, AI drives a substantial strategic imperative for companies to think about how to incorporate AI into their offerings. The challenge of offering opt outs from targeting, sharing, selling, across many state regimes is trending toward more comprehensive, perhaps browser-based approaches that likely will increase opt out rates. Some companies may benefit from reducing their emphasis on ID-based targeting and shift resources toward a strategic approach that includes building audiences using AI and more multichannel pathways to finding people to buy products. Digital advertising still has a future, but so do many other forms of marketing. Advertisers not thinking more holistically about the various ways that they could connect to consumers are going to miss out. Publishers can be thinking more clearly about adopting AI and being able to interact with the likely growth in standardized agentic AI. Advertisers need to get their arms around generative AI that creates the ads at a far greater speed but needs to also deepen connection to actual humans, because many consumers may respond better to more meaningful human connection. Publishers and advertisers have a strategic interest in finding more creative ways of connecting to actual consumers in a way that actually matters for those consumers, rather than responding to the various measurement techniques that might be counting clicks or traffic or eyeballs without really focusing on what’s actually moving products.  Given the dependence on new uses of data, continual engagement with data governance teams on these issues is paramount. 

New laws that promise protections to people who are under 18 (beyond COPPA’s 12 and under consent requirement) are an increasingly urgent area of focus for companies. These laws are generating serious strategic conversations about whether under-eighteens should be part of their business at all, and if so, how they can provide age-appropriate experiences for that cohort. Privacy leaders, as part of the larger “compliance alliance,” are well positioned to tee up that discussion.

In what parts or regions of the world will the organization compete, given the diversity and changing nature of digital rules outside the United States? Companies might well think about what other regions they operate in, balancing that with the various state laws in the United States, and reflect on how to plan and design systems to efficiently address regulatory and enforcement trends. We have probably passed the point where ad hoc adaptation suffices.  Once again, the privacy team brings strategic value.

For the privacy team that is facing expanded work with limited resources, there is opportunity to build alliances and to reframe this work in a way that is more germane and central to the organization’s mission. Becoming a genuine strategic partner that helps the business rethink how it profits in the face of new regulations and new technologies builds the case of expanded resources. 

Unquestionably, this approach raises the degree of difficulty and level of effort for privacy teams and data governance executives. A strategic executive needs to develop the skills of connection, leadership without authority, and leading across teams. Performing at this level requires highly effective communication – and what makes communication most effective is persistent and consistent messaging. It will require advancing pragmatic solutions focused more on cost and revenue opportunity and much less on risk and fear. It will require motivating privacy teams that may feel demotivated with clarity, purpose, and in-the-trenches support so that they know someone is looking out for them.

One note of caution: A commitment to collaboration and saying, “Yes, and . . . “ to business initiatives cannot mean that privacy teams or the “compliance alliance” never say no. They obviously can’t be perceived as a blocker by default, but they have to earn trust to effectively encourage responsible design decisions that consumers and other business partners trust.  This is a key part of the partnership: Honest guidance that builds a successful business, not enablement that ignores the fact that success is not when the ship sails, but when it arrives safely in port, having delivered the goods.

Dwight Eisenhower is credited with saying that if a problem seems unsolvable, make it bigger. What this gets at is that often we try to solve problems by breaking them into smaller pieces, but sometimes the solution is found by reframing, up-leveling, and finding new pathways into the problem.  That is going to be the pathway for privacy teams to show their value to organizations now: They’ve got to make the compliance problem – and the business opportunity – bigger. Making the business challenge bigger makes it more relevant and facilitates development of alliances with influential stakeholders in the organization. It also elevates privacy professionals as strategic partners at a moment in which the business has little choice but to rethink how it grows in a time of rapid change. It is seizing a propitious moment. It is embracing the uncertainty of moving forward with the promise of success and growth rather than being diminished.  It embraces hope, not fear.  It centers the idea that technology is part of how the organization will progress and yet it still preserves the fundamental truth that it will be humans working together, communicating effectively, and uniting around a common purpose of helping the organization succeed that will make privacy teams continue to be relevant in 2026 and beyond.

FPF has launched a project which I lead to help senior privacy and data governance executives more effectively frame their value to senior management and boards. While full participation is limited to our members, please reach out with any useful ideas. If you would benefit from participating and want to learn more about FPF membership, contact [email protected].

More Parties, More Risks, More Opportunity? Evolving Governance to Support Cyber Resilience Amidst Evolving Policy and Technological Change

*Special thanks to Jim Siegl and Jocelyn Aqua for their advice and expertise.

Summary: Artificial Intelligence (AI) presents fundamental opportunities and challenges for defense of increasingly complex digital ecosystems amid rising attack costs, fragmented regulation, and evolving industry practices. A coordinated response across the public and private sectors, including smart deployment of AI tools for risk detection and defense, is critical to building resilient AI systems and securing supply chains. This article describes emerging risks, identifies regulations and governance frameworks relevant to addressing them, and proposes governance steps that organizations can take to improve supply chain resilience. 

In recent years, third-party and supply chain cybersecurity attacks have become one of the most significant risks to national and organizational security. The 2020 SolarWinds breach demonstrated how integrated environments built on shared code, automated updates, and implicit trust in upstream vendors can allow a single vendor breach to cascade across agencies and enterprises. That incident granted foreign adversaries unauthorized access to more than 200 public and private organizations, including the Departments of Homeland Security, Treasury, and Commerce. Although the U.S. Securities and Exchange Commission (SEC) ultimately dismissed the SEC’s civil enforcement action against SolarWinds, this incident illustrates how an attack on one trusted software provider can lead to system-wide failures. In 2023, PyTorch, an open-source artificial intelligence/machine learning (AI/ML) framework, was injected with malware following a supply chain attack. In 2024, the XZ Utils backdoor illustrated how a single vulnerability in a trusted open-source library can compromise the build process and enable remote code execution across countless systems.

The threat became more pronounced in 2025. Approximately 30% of cybersecurity breaches last year originated from third-party relationships – double the percentage from just two years earlier. This rise tracks closely with increased reliance on external vendors, cloud platforms, model providers, and open-source components. While the growth of these interconnected supply chains can yield efficiencies and service improvements and accelerate innovation, they can also multiply the number of attack surfaces that bad actors can exploit.

Over several years, FPF has been exploring the ways that AI can accentuate security risks, while also creating new detection and defense capabilities. The recent announcement of Project Glasswing put a spotlight on the presence of both opportunity and risk as AI technologies rapidly evolve. Autonomous and agentic systems, add new layers of complexity and risk – as well as opportunities to more effectively detect, combat and mitigate those risks. Unlike traditional software, agentic AI systems may ingest external data, reuse pretrained models, and act across organizational boundaries with limited human intervention, which introduces or exacerbates distinct vulnerabilities. These risks intersect with traditional cybersecurity concerns but require new or expanded governance mechanisms around data provenance, model integrity, and automated decision-making. 

Emerging Risks in AI-Enabled Supply Chains

Organizations must navigate an evolving industry landscape while managing an interconnected network of vendors, cloud services, and open-source components, creating systemic risk from a single compromised dependency that can cascade across operations. 

Risks and Opportunities from Third-Party Components and Systems

Third-party software libraries, datasets, and cloud infrastructure can yield enormous value for organizations, including for risk management and cyber defense. At the same time, these tools can introduce vulnerabilities that are difficult to detect or control. In AI ecosystems, dependency chains are often deeper and less transparent than in traditional software systems, encompassing not just code, but models, training data and pre-trained weights. The proliferation of new AI-driven technologies and services, particularly those that involve agents, amplifies these risks. Once deployed, these agentic AI systems can act independently and potentially bypass traditional security controls.

Amplified Risk by AI Systems

AI systems and plugins can introduce new or exacerbate established cyber attack methods. These techniques exploit the model’s reliance on data and user input to manipulate system behavior or extract sensitive information. Specific examples include:

• Data and model poisoning through compromised training data or dependency libraries that alter model behavior at scale; 
• Prompt injection attacks where malicious inputs manipulate model outputs or downstream actions without altering underlying infrastructure; 
• Model supply chain hijacking via malicious model weights or corrupted open-source components;
• Autonomous agent exploits, where AI agents interact with external systems or application programming interfaces (APIs) using delegated credentials, tool access, or persistent permissions without sufficient guardrails; or 
• Cross-system interdependency, when a compromise in one model, tool, or plugin spreads across an entire interconnected ecosystem. 

Agentic AI systems introduce a distinct risk profile characterized by autonomy, multi-step decision-making, and the ability to take actions in external environments. Rather than producing static outputs in response to bounded inputs, these systems can plan, iterate, and take actions across external environments using delegated tools and credentials. This shift effectively extends the operational boundary of the system to include external services, APIs, and data sources in real time. As a result, risk is no longer confined to model performance or data integrity, but includes the downstream effects of autonomous decision-making and execution across interconnected systems.

These risks are amplified in environments where agents operate with persistent credentials or broad API access. In such contexts, a single compromised interaction can propagate across systems, particularly when agents are designed to optimize for task completion without sufficiently robust constraints on permissible actions. The resulting behavior may be difficult to predict or audit, as it emerges from the interaction between model outputs, tool responses, and external system states rather than from a single deterministic process.

As organizations deploy agentic AI, institutional decisionmaking can risk becoming more distributed and opaque. Agents may interact autonomously with external systems, exacerbating cybersecurity risks such as propagation of incorrect or malicious instructions across the supply chain, extraction of confidential data, and escalation-of-privilege scenarios (if access controls are misconfigured). The autonomy of agents may require new or evolved forms of oversight, logging, and training.

AI Governance and Accountability

Technical controls alone are insufficient to mitigate AI-specific supply chain risks. Effective enterprise cybersecurity requires active leadership oversight and a culture of accountability. Executives must move beyond a “baseline understanding” and toward a risk-aware mindset where cybersecurity training is tailored to AI specific industry roles and threat models. Company policies and protocols should incorporate this understanding. Human governance is essential to assess and enforce organizational standards.

Applicable Regulations and Governance Frameworks

In the absence of a single  statutory framework that governs the intersection of AI and cybersecurity, federal and state agencies have developed a range of guidelines, voluntary frameworks, certifications, and procurement requirements that seek to address growing cyber and AI governance risks.

Security Guidance from the Federal Government

Several federal frameworks provide relevant guidance for companies around third-party and supply chain cyber risk:

• National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publications (SPs) 800-171 and 800-161: Offers detailed technical guidance for supply chain risk management (SCRM), with emphasis risk assessments, dependency mapping, continuous monitoring, and vendor due diligence.
  • The NIST Cybersecurity Framework is a voluntary and scalable cybersecurity risk guidance. The updated CSF 2.0 includes “govern” as a key function, which embeds cybersecurity governance into enterprise risk management, aligning strategy, policy, and oversight with business objectives.
  • NIST SP 800-161 provides comprehensive guidance for enterprise SCRM. It recommends a multidisciplinary governance structure, emphasizes iterative risk assessment and monitoring, and integrates risk management into procurement processes. 
• Cybersecurity and Infrastructure Security Agency (CISA) Secure by Demand Guide: Provides buyers a checklist of questions to assess software manufacturers’ supply chain security practices, such as establishing secure authentication defaults, reporting vulnerabilities, and providing security logs and a software bill of materials (SBOMs). 
• CISA Tabletop Exercise Packages (CTEPs) and Tips: Supports agencies and vendors in evaluating their cloud and procurement-related cybersecurity frameworks.
  • CISA also offers best practices for cloud security and third-party risk management that emphasize shared responsibility models, continuous monitoring, and secure integration of AI services.
• Department of Defense’s Cybersecurity Maturity Model Certification (CMMC): Sets standards for federal contractors, including vendors supplying AI services or model components to defense agencies.
• Federal Risk and Authorization Management Program (FedRAMP): Establishes security requirements for cloud service providers, and its procurement standards now extend to AI services deployed within federal environments.

AI Guidance from the Federal Government

Federal guidance on AI-related cybersecurity continues to evolve, offering several guides for how to approach AI-related risks in supply chains:

• NIST AI Risk Management Framework (AI RMF): Provides a structured approach for assessing AI-related risks, encouraging transparency and accountability across the AI lifecycle.
• The White House AI Action Plan sets out high-level policy principles around safety, transparency, and procurement/vendor accountability, calling for stronger oversight mechanisms to ensure that AI tools integrated into supply chains are trustworthy and secure.

State Governance

States are taking an increasingly active role in regulating AI and related cybersecurity risks. In particular, California has a number of strong AI procurement and cyber requirements. 

• New York Department of Financial Services (NYDFS) – 2025 Industry Guidance: Highlights the importance of incorporating AI governance into cybersecurity compliance (and noted that automation can amplify existing vulnerabilities), requiring financial institutions to evaluate AI model risks, confirm training data provenance, and assess vendor-level AI controls.
• California Privacy Protection Agency (CPPA) – 2025 Regulations: One of the first comprehensive state-level efforts to regulate AI systems and third-party data handling practices. Applicable provisions govern automated decision-making technologies (ADMT), mandatory cybersecurity audits for parties meeting certain thresholds associated with business volume and the selling and sharing of data; and and vendor accountability.

Industry Guidance 

In addition to regulatory guidance and frameworks from federal and state government agencies, there are a number of industry standards and best practices that may address AI- and agent-related third-party and supply chain cybersecurity risks. Examples include: 

• Open Worldwide Application Security Project (OWASP) GenAI Security Project – CheatSheet – A Practical Guide for Securely Using Third-Party MCP Servers 1.0: Provides a framework for companies and developers using a third-party Model Context Protocol (MCP). Along with mapping out common threat types, this cheat sheet provides actionable controls and workflows, such as strong authentication processes, sandboxed environments, and validation measures (e.g., establishing a “trusted MCP registry” and instituting periodic audits). 
• SysAdmin, Audit, Network, and Security (SANS) Institute – Critical AI Security Guidelines: Provides a practitioner-oriented framework to help organizations build, deploy, and operate secure AI systems. Recommends developing strict access or authentication controls, safe deployment strategies (e.g., sandboxing or red-teaming), risk-based deployment, and regular data sanitization and validation.
• Snowflake – AI Security Framework: Develops a threat taxonomy of security and privacy risks specific to AI systems to help cross-discipline teams evaluate AI risk in a systematic way. The framework also provides mitigation strategies to address listed risks, though specific implementation would depend on the architecture, environment, and threat model. 
• Massachusetts Institute of Technology (MIT) AI Risk Initiative – Mapping Frameworks at the Intersection of AI Safety and Traditional Risk Management: Although this analysis does not provide specific risk mitigation strategies, it provides an overview of almost a dozen AI risk management frameworks that sit “at the intersection of traditional risk management and AI safety” (with a particular emphasis on frontier, general-purpose, or “high-risk” AI systems). The MIT initiative could serve as a starting point for companies who want to ground their AI risk-management in proven safety or risk frameworks.

Across the public and the private sector, guidance on third-party and AI-related cyber risk is converging around core principles of transparency, accountability, and continuous oversight and governance. Federal frameworks have established baseline expectations for secure procurement and vendor management, while states are advancing more specific AI governance requirements. Industry standards can complement these efforts by offering practical controls and methodologies for implementing secure and responsible AI practices. Collectively, these frameworks underscore the need for organizations to adopt an integrated, risk-based approach to managing third-party and AI supply-chain security.

Recommendations and Next Steps

To strengthen AI-driven supply chain resilience, organizations should prioritize:

• AI Models and Agents Monitoring: Establish passive AI agent monitoring, then consider moving toward active “guardrails” to intercept and block anomalous agent actions, cross-system API calls, or unauthorized data exfiltration in real-time.
• Provenance for Third-Party AI Models Requirements: Consider creating AI Bills of Materials (AI-BOM), which would mandate vendors to provide a standardized AI-BOM that inventories code libraries (a “Software Bill of Materials” or SBOM), model provenance, training dataset origins, and cryptographic signatures of model weights to prevent tampering.
• AI-Specific Vendor Risk Assessments: Evaluate not only traditional cybersecurity controls but also model lineage, dataset provenance, and plugin dependencies. Consider AI-specific adversarial red-teaming (i.e., updating vendor risk assessments to include results from adversarial testing such as prompt injection and data poisoning resilience).
• Contracts and Procurement Controls: Include model security obligations, and update notification requirements and audit rights. Consider updating vendor contracts to ensure that no high-impact decision is made without a clear path for human intervention.
• Organizational Literacy: Ensure boards and executives understand AI-specific supply chain risks to enable informed oversight decisions. Elevate AI literacy beyond the IT department. Form a committee of legal, security, and business leaders to define the organization’s risk appetite for third-party AI dependencies and agentic autonomy.

Conclusion

The accelerating convergence of AI adoption, complex vendor ecosystems, and increasingly sophisticated cyber threats has elevated third-party and supply-chain security to a critical strategic priority for industry leadership. Recent incidents and rising breach rates demonstrate that traditional governance models must evolve for environments characterized by autonomous systems, complex dependency chains, and cross-system interdependencies. Both the private and public sector are responding with increasingly aligned expectations that emphasize transparency, accountability, and continuous monitoring across the AI lifecycle and vendor ecosystem.

For organizations, the imperative is to move beyond fragmented or compliance-only approaches and adopt an integrated, risk-based governance model that unifies traditional cybersecurity controls with AI-specific safeguards and robust oversight. Businesses that strengthen vendor accountability, implement continuous model monitoring, and invest in organizational education will be best positioned to mitigate systemic risks, realize new opportunities to strengthen defenses, maintain operational resilience, and meet evolving regulatory obligations.

For questions about FPF membership or our ongoing work related to the topics discussed in this blog, please contact [email protected].

Contextualizing the Proposed SECURE Data Act in the State Privacy Landscape

Special thanks to FPF’s Dr. Gabriela Zanfir-Fortuna, VP of Global Policy, for her contributions to this analysis.

The House Committee on Energy and Commerce’s Republican data privacy working group released their long-awaited comprehensive consumer privacy bill on April 22, titled the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (SECURE Data Act) (H.R. 8413). Compared to prior federal efforts, the SECURE Data Act closely resembles many of the existing state comprehensive privacy laws—particularly those based on the Washington Privacy Act (WPA) framework—in terms of its structure, terminology, consumer rights, and business obligations. 

This blog post provides a detailed overview of the SECURE Data Act, including its scope, provisions, and how it compares to the other state laws based on the WPA framework.

1.  Scope

Applicability: The bill would apply to businesses subject to the FTC Act or a common carrier subject to title II of the Communications Act of 1934 that, excluding personal data controlled or processed solely for completing a payment transactions, either (1) have gross annual revenue in excess of $25 million and collect or process the personal data of at least 200K consumers annually or (2) collect and process personal data of at least 100K consumers and derive at least 25% of their annual gross revenue from selling such personal data.

These default and data sale thresholds are structurally similar to how most state comprehensive privacy laws are scoped, but the figures themselves are higher than in any of the states. 

Nonetheless, direct comparison is difficult since these thresholds are comparing state laws applicability at 100,000 consumers per state, while the federal bill applies at 200,000 consumers nationally. Thus, for businesses operating across multiple states, the federal threshold may be easier to meet despite the higher absolute number, while the bill’s additional revenue requirement ($25M) could exclude smaller data-intensive entities within scope of many state laws. 

Exemptions: Consistent with most of the state laws, this bill includes a variety of entity-level exemptions, such as: federal, state, or local governmental entities (or any entities acting as a processor on behalf of a federal or state governmental entity); financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); HIPAA-covered entities or business associates; nonprofits; and institutions of higher education.

Notable data-level exemptions include: HIPAA-protected health information; health records; personal data that may impact the creditworthiness, credit standing, character, or general reputation of a consumer and is collected or disclosed by a consumer reporting agency or a furnisher engaged in activities subject to the Fair Credit Reporting Act (FCRA); and information subject to other laws such as the Drivers Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), and GLBA. As mentioned above, the bill also broadly exempts “publicly available information.” This is defined consistently with many state privacy laws as information that (1) is lawfully made available through government records or (2) “information that a business has reason to believe is lawfully made available to the public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.” There are also exceptions for deidentified and pseudonymous data, both of which are defined in the bill. 

One point of comparison with the state legislative landscape is the distinction between entity- and data-level exemptions. The newer and recently amended state laws have tended to eschew entity-level exemptions, particularly under GLBA and HIPAA, in favor of data-level exemptions. This bill opts for the broader entity-level exemptions. Although financial institutions would be broadly exempted from the bill, Congress is working on financial privacy as well. The SECURE Data Act was jointly released alongside the House Committee on Financial Services’ GUARD Financial Data Act, which would update GLBA to strengthen financial privacy protections.

In addition to the entity- and data-level exemptions, the bill also includes a variety of exceptions for common business activities, such as cooperation with law enforcement, providing a product or service specifically requested by a consumer or a parent of a consumer, preventing security incidents, engaging in public or peer-reviewed scientific or statistical research in the public interest (subject to safeguards), conducting internal research for product development and improvement, performing internal operations reasonably aligned with consumers’ expectations, and more. These exceptions are common in state privacy laws.

Key Definitions: The definitions in this bill are generally consistent with the majority of state comprehensive privacy laws, including common core definitions such as  “consumer” (an individual acting in their individual or household capacity and not in a commercial or employment context), “personal data” (any information that is linked or reasonably linkable to an identified or identifiable natural person, excluding deidentified data or publicly available information); and “sensitive data” (includes sensitive characteristics [such as race and ethnicity, religious belief, sexual orientation, citizenship], genetic and biometric data, and personal data from a child). As discussed below, the bill includes a novel extension of sensitive data to also include teens, defined as individuals aged 13 or over but under 16.  

There are a few definitions that, while consistent with some state laws, are among the narrowest versions of those definitions. “Biometric data,” for example, does not include data generated from photographs or video or audio recordings, even if such data is used to identify an individual. The “sale of personal data” is also defined narrowly as the exchange of personal data for “monetary consideration,” whereas many states have extended this to include exchanges “for other valuable consideration.” 

2.  Consumer Rights

Similar to much of the bill, the consumer rights most closely resemble the narrower iterations of the WPA framework. This bill includes the standard consumer rights to: confirm whether the controller is processing one’s personal data and to access that data; correct inaccuracies in one’s personal data, taking into account the nature of the personal data and the purpose of the processing; delete one’s personal data provided by, or obtained from, the consumer; obtain a copy of one’s personal data in a portable format (if technically feasible); and to opt-out of the processing of one’s personal data for targeted advertising, the sale of personal data, and profiling in furtherance of a solely automated decision that has a legal or similarly significant effect on the consumer. The bill also includes the requirement to obtain consent prior to processing a consumer’s sensitive data as a consumer right rather than a controller obligation. 

Although the standard rights are all present, this bill lacks some of the newer rights that have been included in a few of the state laws. For example, Oregon, Delaware, Maryland, and Minnesota all provide a right to know third party recipients of one’s personal data. Minnesota and Connecticut include rights to contest certain adverse profiling decisions. Neither of those rights are in this bill. 

Another significant aspect of these rights is the pseudonymous data exemption. Consistent with a few of the state privacy laws, this bill provides that the consumer rights do not apply to pseudonymous data. This arguably narrows the right to opt-out of targeted advertising, if a controller is able to demonstrate that “any information necessary to identify  the consumer is kept separately and is subject to appropriate administrative and technical measures to ensure that the personal data is not attributed to an identified or identifiable natural person.” Because the requirement to obtain consent before processing a consumer’s sensitive data is included in the same section as the consumer rights, this also arguably brings pseudonymous data outside the scope of that opt-in consent requirement, which is something that none of the state comprehensive privacy laws have done. However, that is debatable. The pseudonymous data exception provides that “[a]n assertion of any consumer right under section 2 does not apply to pseudonymous data” provided additional protections are met. The word “assertion” implies an affirmative action on the part of the consumer, which may limit the exception to only the consumer rights and not the consent requirement. Furthermore, Section 2, although labeled “Consumer privacy rights,” has distinct subheadings for “(a) Consumer Privacy Rights” and “(b) Consent Required for Processing Sensitive Data.” Although the exception says “any consumer right under section 2,” it could be interpreted to apply only to the rights in subsection 2(a). Nevertheless, pseudonymous data is still subject to a number of protections under the bill, such as data minimization and data security obligations. 

Finally, it is notable that this bill does not impose a requirement for controllers to recognize and comply with opt-out preference signals (OOPS) / a universal opt-out mechanism (UOOM). Privacy scholars and advocacy groups have long criticized the control-based model of American privacy law for requiring consumers to affirmatively exercise data rights, which is difficult for consumers to do at scale. A growing number of states—including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas—have added the ability for consumers to exercise their opt-out rights on a default basis via a UOOM, such as the Global Privacy Control. While this bill does not require controllers to comply with such signals, it does direct the Secretary of Commerce to conduct a study on the feasibility and efficacy of such tools. 

3.  Business Obligations

The duties for controllers and processors under this bill largely align with those commonly found in state comprehensive privacy laws. For example, controllers are subject to procedural data minimization and purpose limitation requirements that tie data collection and processing to what is disclosed in a controller’s privacy notice. This is consistent with the approach taken in most of the state privacy laws. A controller must—

• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer; and
• Obtain the consumer’s consent to process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such data is processed, as disclosed to the consumer. 

Data security is another requirement that closely tracks the language adopted in almost every state comprehensive privacy law. A controller is required to establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and such practices must be appropriate to the volume and nature of the personal data at issue. While this is consistent with the language commonly seen in the state laws, the bill deviates slightly by adding a rebuttable presumption that a controller has taken appropriate security measures if the controller (1) complies with a relevant code of conduct (see below) or (2) has data security practices that are “state-of-the-art . . . including such a practice demonstrated by adherence to a widely-accepted technical specification or through a third-party attestation” and its security program “reasonably conforms to a relevant Federal or widely-accepted international risk management framework.” 

Controllers are also subject to familiar requirements, such as providing a privacy notice that meets enumerated criteria (including a more novel requirement that the privacy notice disclose if personal data has been transferred to, processed in, stored in, or sold to North Korea, China, Russia, or Iran), a prohibition on processing personal data in violation of civil rights law, and oversight/contractual requirements with respect to their processors. 

Notably absent from the bill is a requirement to conduct data protection impact assessments (DPIAs). All of the state comprehensive privacy laws except those in Alabama, Iowa, and Utah require some form of assessment for processing activities that present a heightened risk of harm to consumers. DPIAs are also a core component of most industry best practices.  

4.  Youth Privacy

As is commonly the case in comprehensive privacy laws, the bill classifies personal data of children (under 13)  as sensitive data. However, the bill extends this classification to all teens’ data (aged 13 through 15), requires parental consent for teen data processing and consumer rights, and omits a defined knowledge standard—representing a meaningful departure from typical state (and federal) approaches. Additionally, this bill does not include a duty of care or heightened privacy protections and risk assessment requirements, such as those adopted in Connecticut, Colorado, and Montana.

As discussed above, controllers would be prohibited from processing a consumer’s sensitive data without consent. Consistent with the state laws, there is a clarification that processing the sensitive data of a child (although this is normally restricted to a “known child”) must be done in accordance with the Children’s Online Privacy Protection Act (COPPA). This bill goes further, however, by also requiring the verifiable consent of a parent to process the sensitive data of a teen. In turn, VPC, under the bill, would require direct notice to the parent and unambiguous pre-collection authorization for both initial and subsequent personal data processing or use. Note that “sensitive data of a child” or “sensitive data of a teen” means any personal data of either category because sensitive data includes “personal data collected from a child or teen.” 

Furthermore, consumer rights requests on behalf of children and teens would only be exercised by a parent, defined broadly to include natural parents, adoptive parents, legal guardians, and those with legal custody. This is arguably narrower than under the state laws, which often provide that a parent or guardian “may” invoke rights on behalf of the child. Similar to state laws that aim to deconflict consumer rights requests with COPPA requirements, controllers who comply with consumer rights processes under COPPA for children’s data requests would be deemed compliant with consumer rights requirements under this bill. These parental rights with respect to processing teens’ sensitive data and invoking teens’ data rights are a contrast to the state privacy laws. While a growing number of states envision some layer of heightened protections for teens, these laws typically do not require parental consent for processing the data of minors above the age of 12, broadly maintaining teen autonomy over data collection and processing decisions. 

The bill notably omits a knowledge standard for child and teen requirements—arguably creating ambiguity regarding when controllers should be on notice to implement age-specific protections and obligations. In contrast, state privacy laws commonly utilize either “actual knowledge” or “actual knowledge or wilful disregards” standards. Note that Congress is concurrently considering several other youth privacy and online safety legislative proposals—including COPPA 2.0 and the App Store Accountability Act—which could inform the future trajectory of this bill’s minor-specific protections and age-based knowledge triggers among related frameworks.

5.  Novel Requirements: Data Brokers, Cross-Border Data Transfers, and Codes of Conduct

While the majority of this bill borrows heavily from existing laws in states like Kentucky and Tennessee, it includes a few requirements that are either atypical or completely novel: data broker registration, explicit authority for the Secretary of Commerce to advise on cross-border data transfers, and Codes of Conduct under the law. 

First, the bill requires data brokers to register with the FTC, which would then publish a searchable registry. Similar requirements are seen in standalone data broker registry laws in Vermont, California, Nevada, Texas, and Oregon, though each varies in definitions and specific obligations. California’s Delete Act goes the furthest by creating an accessible deletion mechanism that allows a consumer to submit a deletion request to all registered data brokers. Compared to most state data broker laws, however, the bill’s definition of “data broker” is fairly narrow, covering a controller that (i) collects and processes personal data of a consumer who is not a customer or client of the controller or a user, reader, or subscriber of a product or service by the controller and (ii) derives at least 50% of its annual gross revenue from selling personal data. “Data broker” does not include a person acting as a processor. 

A novel addition to this bill compared to past iterations of a federal privacy framework are provisions concerning international data flows and the protection of personal data in international commerce. Notably, though, the bill does not propose any restrictions for the transfer of personal data of US persons across borders. On the contrary, the provisions seem to converge towards supporting the international flow of personal data. 

The bill would designate the Secretary of Commerce as the President’s principal advisor on international personal data flows and empower the Secretary to: assess foreign governments’ data protection frameworks for alignment with the bill’s protections; develop policy recommendations addressing topics such as the impact of international data flows on consumer rights, economic competitiveness, and U.S. security interests, including mitigation of risks posed to the international flow of personal data by “covered nations” (i.e., North Korea, China, Russia, and Iran); and negotiate international agreements with foreign governments, forums, or political and economic unions to promote cross-border data flows. The latter provision would seemingly cover agreements such as the existing EU/UK/Switzerland – U.S. Data Privacy Framework, opening the possibility for such agreements with other nations or political unions as well (more ambiguous is how the provision would relate to coverage of cross-border data transfers in international trade agreements, like the US-Mexico-Canada Agreement and the US-Japan Digital Trade Agreement). The concept of “assessing” foreign governments’ data protection frameworks for “alignment” with the protections in the bill is reminiscent of “adequacy assessments” in global international data transfers legal regimes. A data protection regime found adequate usually means that personal data can flow with no restrictions to that foreign nation. However, it is not clear to what end the assessment proposed in the bill would be conducted. 

Finally, one of the more interesting additions to the bill is codes of conduct. Any controller or processor (or group thereof) would be able to submit an application to the Secretary of Commerce for “approval of a code of conduct that meets or exceeds the requirements . . . under this Act.” Such a code of conduct must include an independent organization to administer the code, assess compliance, and refer would-be violators to the FTC or a state attorney general. There would be a  public comment period prior to approval, and the Secretary could later withdraw approval. Controllers or processors in compliance with an approved code of conduct would be entitled to a rebuttable presumption that they are in compliance with the relevant requirements of the Act. These codes of conduct appear loosely comparable to the safe harbor program provided in the COPPA Rule. Notably, a certification by the controller pursuant to the Global Cross Border Privacy Rules system (or any successor system) or a a processor pursuant to the Global Cross Border Privacy Rules System Privacy Recognition for Processors (or any successor system) would be treated as participation in an approved code of conduct. This appears to be inspired by similar provisions in Tennessee’s law and is consistent with efforts across successive U.S. administrations to promote the Global CBPR system. 

6. Preemption

With respect to state law, the bill includes broad preemption language that would prohibit any state, or political subdivision of a state, from prescribing, maintaining, or enforcing any law, rule, regulation, or other provision if it “relates to the provisions of this Act.” This broad “relates to” standard could preempt:

• State comprehensive privacy laws;
• Sectoral privacy laws including Illinois BIPA, Washington My Health My Data Act, and kids’ privacy laws; and 
• Data broker laws, including the California Delete Act and state data broker registration requirements.

Nonetheless, if this law passed, preemption would not be automatic. State laws would need to be challenged individually in court to determine whether specific provisions conflict with or “relate to” the federal law. For example, the CCPA/CPRA may be more difficult to fully preempt because it covers employee data, B2B data, and applicant data—categories the federal bill exempts. 

With respect to federal law, the bill explicitly preserves a number of federal privacy laws and regulations, including COPPA, GLBA, HIPAA, FCRA, and FERPA (to the extent a controller or processor is an educational agency or institution). The Communications Act of 1934 and any FCC regulations promulgated under that law would not apply to a controller or processor with respect to the collection, use, processing, transferring, or security of personal data. This bill would repeal the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. 

7.  Enforcement

Enforcement authority for violations of the bill would be given exclusively to the FTC and state attorneys general. This approach is consistent with all of the state comprehensive privacy laws—but for California’s narrow private right of action (PRA) with respect to data breaches, none of the state comprehensive privacy laws include a PRA. 

The FTC would enforce violations of the bill as a violation of a trade regulation rule regarding unfair or deceptive acts or practices under the FTC Act. The FTC would also be authorized to enforce the bill against common carriers under the Communications Act of 1934. Notably, the FTC would be prohibited from enforcing any violation of section 3(c) of the bill, which prohibits a controller from processing personal data in violation of a federal law that prohibits unlawful discrimination against a consumer. Rather, the FTC would be directed to transmit any information indicating a violation of that provision to any agency with authority to initiate an enforcement action concerning it. 

The bill also empowers state attorneys general as parens patriae to bring civil actions seeking injunctive relief, damages, restitution, and other legal and equitable relief. Prior to filing an action, a state AG must provide the FTC with written notice of the action, allowing the FTC to intervene in the matter. A state AG would be prohibited from bringing an action against any defendant named in an ongoing civil action under the bill instituted by the FTC or the Attorney General of the United States (note: this is the only reference to the Attorney General of the United States under the bill). Overall, this enforcement structure is conceptually similar to that under COPPA, under which the FTC is the federal enforcement authority but state attorneys general are empowered to pursue actions providing that they notify the FTC, which has the right to intervene. It is notable that the state enforcement authority is limited solely to attorneys general whereas prior efforts such as the ADPPA and the APRA included carve-outs for a “State Privacy Authority of a State” or “an officer or office of a State authorized to enforce privacy or data security laws.” Without a comparable exception, CalPrivacy would not be able to enforce this bill. 

The bill includes a right to cure, requiring the FTC or a state AG to provide notice of an alleged violation and allowing 45 days for the controller or processor to cure the violation and promise that no such further violation shall occur. The state privacy laws are split as to whether they include a right to cure—some include no right to cure, some include a permissive cure option at the AG’s discretion, some have a right to cure that will sunset after a set date, and some have a mandatory right to cure with no sunset provision. An additional source of flexibility is the addition of codes of conduct (discussed below) which can entitle a participating controller or processor to a rebuttable presumption of compliance with this bill.

8. Conclusion

It’s a running joke in the privacy community that important bills always drop on Friday afternoons or holidays, so it was no surprise that this bill was released on everyone’s favorite spring holiday—Earth Day. Humor aside, a federal comprehensive privacy law is long overdue, and it is encouraging to see Congress renewing its attention to this topic. It remains to be seen whether the SECURE Data Act will fare better than prior efforts such as the ADPPA and the APRA. Although it appears that significant partisan consensus building has already gone into this process, which could ease the bill’s passage through committee, time is running out for the 119th United States Congress. 

What is already evident, however, is how much influence the state comprehensive privacy landscape exerted on this bill as compared to prior efforts. The bill’s key terms, rights, obligations, and overall structure closely resemble that of most of the state comprehensive privacy laws, based on the flexible WPA framework, even if the specific provisions selected hew more closely to the narrower iterations of that framework. We note that a number of the exclusions or omissions in the bill are likely intended to create a margin for negotiations with other members and stakeholders in order to garner support. Although the time frame is uncertain, this bill is the first significant proposal drafted to reflect the current landscape of state laws that already protect a majority of U.S. residents and may reflect a first draft of a framework that eventually becomes law. 

FPF will continue to monitor how this bill evolves as it progresses through committee and a broad set of stakeholders across industry, civil society, and academia provide their feedback.