Click here to access the full podcast episode.

• Predicting the evolution of data privacy regulations in the AI era
• Emerging AI technologies and their impact on data privacy
• Proactive strategies for future-proofing data privacy in AI applications

Greenberg Traurig will sponsor the conference, which is designed for legal professionals, IP specialists, data privacy experts, compliance officers, and business leaders. The summit will offer practical solutions on how to leverage AI to drive innovation and productivity while ensuring compliance with regulations. Sessions will provide in-depth exploration of the multidisciplinary approach required to navigate the complexities of AI, including the management of IP, the safeguarding of data privacy, adherence to compliance standards, and the protection of trade secrets.

Register here.

Continue reading the full GT Alert.

Whether your company uses influencers, you are an influencer, or you just need someone to explain what an influencer is, this program is for you. The presenters will discuss requirements for sponsored posts, influencer agreements and their critical provisions, influencer intellectual property considerations, combating faked engagement, and morality clauses. 

Click here to register.

Click here to read the full article, published by Legaltech News May 16, 2024. (subscription)

To whom does SB205 apply?

SB205 applies to any person doing business in Colorado who develops an “AI system” or deploys a “high-risk AI system” (each are discussed further below).[2] The law defines “deploy” as “use,”[3] meaning that SB205 applies to any company using a high-risk AI system, whether or not that system is consumer-facing. Developing an AI system as defined in the law will also include actions that “intentionally and substantially modify” an existing AI system.[4]

How is the law enforced?

SB205 explicitly excludes a private right of action, leaving enforcement solely with the Colorado Attorney General.[5] Additionally, SB205 provides that if the Attorney General brings an enforcement action relating to high-risk AI systems, there is a rebuttable presumption that a company used “reasonable care” under the law if the company complied with the provisions of the applicable section setting forth the respective obligations (§1702 for a developer, §1703 for a deployer), along with any additional requirements that the Attorney General may promulgate.[6] For example, if a developer faced an enforcement action related to the development of a high-risk AI system, and could demonstrate it had the requisite processes and documentation in place as required by Section 6-1-1702, it may benefit from a rebuttable presumption that the developer exercised reasonable care to protect consumers from risks of algorithmic discrimination. The law also provides companies with an affirmative defense against actions by the Attorney General if the company discovers the violation and takes corrective actions, in addition to maintaining a compliance program that meets certain criteria.[7]

How does the law work? Key Definitions

SB205 contains key definitions that determine what specific steps companies must take to be in compliance with the law. Companies must be aware of what constitutes “algorithmic discrimination,” be able to assess whether their AI systems are “high risk,” and determine whether they are a developer, a deployer, or both.

“Algorithmic Discrimination” is defined as “any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors any individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of this state or federal law.”[8]

Further, the law’s main obligations attach to different AI systems based on their capabilities and uses. “High-Risk AI System” means “any artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a consequential decision.”[9] The law also defines “consequential decision” as “any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of, (a) education enrollment or an education opportunity, (b) employment or an employment opportunity, (c) a financial or lending service, (d) an essential government service, (e) health-care services, (f) housing, (g) insurance, or (h) a legal service.”[10] Note that the definition is subject to a series of exclusions, including use of AI in critical cybersecurity and Information Technology functions (e.g., firewalls, networking, spam filtering) or in providing information to consumers, provided the usage does not serve as a substantial factor in making a consequential decision relating to a consumer.[11]

Finally, companies will need to distinguish whether they are developers, deployers, or both:

• Developers are “a person doing business in [Colorado] that develops, or intentionally and substantially modifies, an artificial intelligence system.”[12]
• Deployers are “any person doing business in [Colorado] that deploys a high-risk artificial intelligence system.”[13] As mentioned above, “deploys” means “use.”[14]

Whether a company meets the criteria of either or both will be context-dependent and will influence both statutory and contractual considerations.

5 initial considerations to prepare for SB205’s Feb. 1, 2026, effective date

SB205’s provisions take effect Feb. 1, 2026.[15] All companies must implement a notice within consumer-facing AI systems that alerts consumers to the presence of AI by Feb. 1, 2026, whether the system is high-risk or not, unless the fact that the consumer is interacting with the AI system would be “obvious” to a reasonable consumer.[16]

If you or your customers do business in the state of Colorado, there are five key actions you should consider taking to prepare before February 2026:

1. Determine whether you are a developer, deployer, or both. This may depend on the various types of and ways that your company uses AI.
2. Determine if you have a high-risk AI system as defined by the law. Because most of SB205’s substantive provisions only apply to high-risk systems, having a clear idea as to whether your AI systems are covered will be crucial. You should also consider future use-cases for AI systems that are not yet high-risk but may become high-risk depending on how they are deployed.
3. Review SB205’s notice requirements. As mentioned above, certain consumer-facing AI systems must contain a notice within the system to the consumer that AI is present, effective Feb. 1, 2026, with limited exception.[17] In addition, there are multiple other required notices, some of which must be publicly available.[18]
4. Review SB205’s impact assessment requirements. The law requires impact assessments in particular contexts that differ somewhat from data processing impact assessments that companies may already be conducting to comply with privacy laws.[19]
5. Determine whether you need to implement a risk-management policy and program. SB205 requires deployers using high-risk AI systems to implement risk-management policies and programs pursuant to the law’s requirements.[20] Additionally, any company wishing to benefit from the affirmative defense provided by SB205 will need to have a satisfactory compliance program in place.[21]

[1] See S.B. 24-205, 74th Gen. Assemb., Reg. Sess. (Colo. 2024). Other states have regulated specific uses of AI or associated technologies, such as California, which regulates interaction with bots, and Colorado, giving consumers opt-out rights from profiling. At the time of this blog, the law has not yet been signed by Colorado’s governor.

[2] S.B. 24-205, Secs. 6-1-1701(6) & (7).

[3] S.B. 24-205, Sec. 6-1-1701(5).

[4] See S.B. 24-205, Secs. 6-1-1701(7) & (10)(a).

[5] S.B. 24-205, Sec. 6-1-1706(6).

[6] See, e.g., S.B. 24-205, Secs. 6-1-1702(1) & 6-1-1703(1).

[7] S.B. 24-205, Sec. 6-1-1706(3)(a).

[8] S.B. 24-205, Sec. 6-1-1701(1)(a). The definition also clarifies that “algorithmic discrimination” does not include uses related to testing AI systems for discrimination, “expanding applicant, customer, or participant” pools to increase diversity, or acts or omissions of private clubs as covered by 42 U.S.C. 2000a(e). Id.

[9] S.B. 24-205, Sec. 6-1-1601(9)(a).

[10] S.B. 24-205, Sec. 6-1-1701(3).

[11] S.B. 24-205, Sec. 6-1-1701(9)(b).

[12] S.B. 24-205, Sec. 6-1-1701(7). The law also defines “intentional and substantial modification.” S.B. 24-205, Sec. 6-1-1701(10).

[13] S.B. 24-205, Sec. 6-1-1701(6).

[14] S.B. 24-205, Sec. 6-1-1701(5).

[15] See generally S.B. 24-205.

[16] S.B. 24-205, Sec. 6-1-1704(2).

[17] S.B. 24-205, Sec. 6-1-1704(2).

[18] See S.B. 24-205, Sec. 6-1-1702(5), 1703(4),(5),(7), 1704.

[19] See, e.g., S.B. 24-205, Sec. 6-1-103(3)(a) (making impact assessments a requirement for deployers). Note that the law also implies scenarios in which a developer would also conduct impact assessments. S.B. 24-205, Sec. 6-1-1702(3)(a).

[20] S.B. 24-205, Sec. 6-1-1703.

[21] S.B. 24-205, Sec. 6-1-106(3)(b).

On May 10, Greenberg Traurig Shareholder Ian C. Ballon, co-chair of the Global Intellectual Property & Technology Practice, will present the session “Advanced Data Privacy, Cybersecurity Breach and AI Class Action Litigation Defense Strategies and Compliance Lessons.” This panel will outline the latest trends in data privacy, cybersecurity breach, AdTech and AI class action litigation, and defense strategies developed over a period of years in defending dozens of class action suits and an even greater number of mass arbitration claims. The panel will also outline unique transactional strategies to mitigate the risks associated with class action litigation and mass arbitration that compliance lawyers who have not spent extensive time defending litigation otherwise may miss.

Also on May 10, Greenberg Traurig Shareholder Darren Abernethy will be a panelist during the “Data Broker Developments and Action Items in 2024 and Beyond” session. In the absence of a federal law that comprehensively targets “data brokers,” a growing number of states have begun filling the void and passing or enhancing legislation to regulate data broker activities. This increase in legislative attention and enforcement has begun to change the thinking and risk analyses for businesses that knowingly collect, sell, or license to third parties the personal information of consumers with whom they did not have a direct relationship. These laws also potentially impact certain participants in the AdTech ecosystem and others who build consumer profiles based on online and offline behavior. The session will evaluate the following: 

• The current legal framework at the federal and state level in relation to data brokers, including the California Delete Act, new laws in Texas and Oregon, and the CFPB’s inquiry into data broker practices
• Digestible takeaways from recent FTC enforcement actions against data brokers, including in relation to the sale of location data, data minimization, and data retention
• The latest on definitions, registry requirements, opt-out/deletion mechanisms, reporting, and more
• Practical action items for companies that may be data brokers or that may purchase or license data from data brokers

May 8-10, 2024

George Washington University
800 21st St NW
Washington, DC 20052

Click here to register.

Continue reading the full GT Alert.

Arbitration provisions in terms of use and similar consumer-facing agreements can be a valuable tool to reduce legal costs and nuisance suit demands. However, the rise of mass arbitration increases the importance of choosing the right provider to fit the company’s goals.

This post is part of a continuing series of Greenberg Traurig’s study of the website practices of the Fortune 500. Click here to read the previous post.

The CFPB’s report explains that gaming platforms facilitate the storage and exchange of valuable assets while collecting large amounts of data from their users. According to the CFPB, the gaming marketplaces and infrastructure that facilitate the exchange of assets increasingly resemble traditional banking and payment systems, while the underlying asset exchanges increasingly resemble traditional financial products, like loans. 

Continue reading the full GT Alert.

This webinar will guide participants through the regulatory landscape of the recently enacted EU Data Act and how it impacts digital business models across all industry sectors within and outside Europe. The webinar will cover key provisions relating to sharing IoT product data, international data transfers, cloud switching, and interoperability, as well as highlight the EU Data Act’s interplay with other EU laws such as the AI Act, the Digital Services Act (DSA), and the General Data Protection Regulation (GDPR).

Click here to register.

A popular web browser has been threatening for years to turn off support for third party cookies—the technology that most websites use for behavioral advertising. That threat is now a reality. In January, support for third party cookies was turned off for 1% of website users—with the same result expected for all of the browser’s users by the end of 2024. Marketing departments are racing to find alternatives. This program will provide the technological background an attorney needs in order to understand online tracking technologies and CRM-based advertising, and it will discuss the impact of new legislation on both browser-based and CRM-based advertising. 

Key topics will include: 

• What is happening to third-party cookies?
• Alternatives that marketing departments are considering to replace revenue generated by cookies (server-side technologies, CRM-side technologies, Topics API, etc.)
• Legal implications for each technology and, specifically, what in-house counsel and privacy professionals should be doing to coordinate with their marketing departments
• Overview of recent cookie and tracking-technology-related litigation trends, the application of cookies/trackers to new standards such as Washington State’s My Health My Data Act, and a summary of options companies may consider in adjusting their compliance strategies

Click here to register, and use code GreenbergTraurig24CLE at checkout for complimentary access to the program.

1. The APRA would contain broad preemption rights, which are stronger than those under the ADPPA and would seemingly preempt the more than dozen comprehensive state privacy laws that have been passed in recent years. The California Privacy Protection Agency (CPPA) has stated that “Americans shouldn’t have to settle for a federal privacy law that limits states’ ability to advance strong protections in response to rapid changes in technology and emerging threats in policy...”
2. The APRA would exclude human resources (HR) data. Therefore, not only would the APRA not cover HR data, but it would also not preempt state laws (i.e., the CCPA) that do cover HR data. In other words, CCPA would become an HR data privacy law only.
3. The wording of the proposed law is currently unclear, but small businesses appear to be excluded. Small businesses are defined as any business with revenue less than $40 million, with data on fewer than 200,000 data subjects, and that does not “transfer” covered data “in exchange for revenue or anything of value.” It is unclear whether the third factor includes ad tech. If it does not, a lot of companies would qualify as small businesses and would thus be out of the APRA’s scope.
4. The APRA would provide for a private right of action. As currently drafted, this right could be read broadly to apply to violations of most privacy provisions. This is a departure from most state privacy laws, which do not permit a private litigant to sue except in cases of data security breach in California under the CCPA and violations of the Washington My Health My Data Act. In addition, the APRA would prohibit the use of pre-dispute arbitration clauses for violations that resulted in substantial privacy harm. While the APRA does not provide for statutory damages, the likely effect of both these provisions would be a substantial increase in litigation.

Continue reading the full GT Alert.

Greenberg Traurig Data Privacy & Cybersecurity Shareholder Reena R. Bajowala will moderate the session, “From Policy to Practice: Privacy Compliance in the Shifting Regulatory Landscape,” on April 16. With big privacy changes emerging, the landscape of data privacy will continue to evolve, making it even more essential for in-house teams to be prepared and build a robust privacy program. This session will review existing privacy laws and share insights into navigating the upcoming risks and changes expected in the privacy space.

April 16-17, 2024

Swissotel
323 E Wacker Drive
Chicago 60601

Click here to register.

Continue reading the full GT Alert.

Continue reading the full GT Alert.

On April 3, 2024, Greenberg Traurig Shareholder David A. Zetoony, co-chair of the firm’s U.S. Data Privacy & Cybersecurity Practice, will be a panelist during “Getting the Board on Board: How to Effectively Communicate Privacy to the Board.” The session will offer perspectives on the top 10 ways to provide information to the board of directors, and discussions will include guidance on the content, organization, and presentation of privacy topics to the board of directors.

April 2-3, 2024

Walter E. Washington Convention Center
801 Allen Y. Lew Place NW
Washington, D.C. 20001

Click here to register.

Click here to read the full article, published by Bloomberg Law March 28, 2024.

Continue reading the full GT Alert.

Continue reading the full GT Alert.

Data is critical to the burgeoning autonomous and unmanned vehicle spaces. Whether by land, sea, or air, data is both the fuel and the mission for many of these technologies. This webinar will delve into the critical legal issues surrounding that data and will explore the management of data used for and gathered by these technologies and their associated algorithms, personal information concerns, regulatory approvals, and data contracting with customers and partners. 

Topics discussed during this webinar will include the latest on:

• Data management
• Personal Information concerns
• Protecting data
• Regulatory approvals
• Contracting with customers and partners

March 13, 2024
9:00 a.m. – 10:00 a.m. PT / 12:00 p.m. – 1:00 p.m. ET

Click here to register.

On March 5 the National Security Division of the Department of Justice (DOJ) published an advanced notice of proposed rulemaking (ANPRM) to regulate “U.S. government-related data or bulk U.S. sensitive personal data.” (89 Fed. Reg. 15780 – 15802.) The proposed rule has a relatively short comment period ending on April 19.

Congress has also been considering legislation to regulate data brokerage transactions, which have been accelerating at a rapid pace. On March 7 the U.S. House Energy and Commerce Committee reported the Protecting Americans’ Data from Foreign Adversaries Act (H.R. 7520) by a vote of 50 to 0. The legislation could be debated on the House floor in the weeks ahead.

The DOJ regulation and H.R. 7520 differ in several key respects, including the following:

Regulator: DOJ (ANPRM) v. the Federal Trade Commission (H.R. 7520).

Data Categories: The ANPRM sets forth six categories of covered data; H.R. 7520 includes 16 categories.

Prohibitions: The ANPRM defines data brokerage, vendor, employment, and investment agreements. It bans transfers under any of these four types of agreements of any volume of data relating to certain government facilities and personnel, or bulk volumes of human genomic data. It also bans transfers by data brokers (but not under the other three types of agreements) of bulk volumes in five other sensitive personal data areas. H.R. 7520 focuses on data brokerage agreements. It bans transfers by data brokers of any volume of sensitive personal data in any of the 16 data categories.

Additional Restrictions: The ANPRM contains restrictions on transfers of bulk sensitive personal data under vendor, employment, or investment agreements by requiring that certain security requirements to be in place. It also contemplates the creation of “general or specific licenses” to create exceptions for the transfer of certain data. H.R. 7520 has no comparable provisions.

Countries of Concern: The ANPRM covers individuals and entities related to six countries; H.R. 7520 covers data recipients in four countries.

Click here for a detailed side-by-side comparison of the two proposals

The companies with the most successful privacy compliance programs are not the ones with the most privacy law knowledge, technical expertise, or even budget. Instead, successful privacy programs are structured for consistent, high-level execution of privacy tasks that align with legal requirements. This program will focus on practical considerations for running a top-notch privacy program. In-house counsel will learn how to structure a privacy team, leverage outside counsel, utilize privacy frameworks, track metrics, and document requirements to comply with privacy laws.

March 19, 2024
11:30 a.m. PT / 2:30 p.m. ET

Click here to register.

Harding helps clients protect and responsibly commercialize their data assets. She is licensed to practice in Colorado and the United Kingdom and focuses her cross-border practice on advising organizations on their enterprise-wide privacy compliance obligations, with a focus on advising U.S. companies on their European and UK obligations, and British companies on their U.S. privacy compliance obligations. Harding’s work also rests at the intersection of data privacy and Artificial Intelligence (AI); the European Union Parliament is expected to pass a risk-based AI framework soon.

“With the strategic addition of Liz to the firm’s bench, we can offer clients sophisticated legal counsel as they contend with increased European enforcement activity and multiple new EU data privacy laws expected later this year,” said Dr. Viola Bensinger and Gretchen A. Ramos, global co-chairs of the firm’s Data Privacy & Cybersecurity Practice, and David A. Zetoony, co-chair of the firm’s U.S. Data Privacy and Cybersecurity Practice, in a joint statement. “We have a truly global firm with attorneys who collaborate across continents to meet the needs of our clients.”

An additional facet of Harding’s practice is her work in the media industry, where she assists clients on transactional and operational matters relating to their advertising and media sales business. Prior to Greenberg Traurig, Harding was a shareholder at Polsinelli, LLP.

Click here to read full GT press release.

Companies in every industry are considering how to integrate AI into their business processes. As they navigate the legal, ethical, and contractual issues, a larger question is arising – who within the organization should be responsible for making decisions about the use of artificial intelligence and which stakeholders should have the opportunity to weigh in? This program will discuss the pros and cons of different structures for governing AI within an organization, as well as discussing documenting an AI governance program.

March 5, 2024
12:15 p.m. – 1:15 p.m. PT / 3:15 p.m. – 4:15 p.m. ET

Click here to register.

Click here to read the full article, published by Dark Reading Feb. 23 2024.

Another result of the appellate court’s decision appears to be that the precedent for the CPPA having to wait one-year before enforcing new regulations is vacated. As the appellate court notes:

In any event, because there is no “explicit and forceful language” mandating that the Agency is prohibited from enforcing the Act until (at least) one year after the Agency approves final regulations, the trial court erred in concluding otherwise. [...] The Chamber was simply not entitled to the relief granted by the trial court. Accordingly, we will grant the Agency’s petition for extraordinary writ relief and allow the trial court to consider any remaining issues concerning the propriety of compelling more prompt development of regulations.

In a statement released by the CPPA, the agency’s Deputy Director of Enforcement noted, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

It is unclear at this time whether the petitioners, the California Chamber of Commerce, will seek to petition for a rehearing or a review as part of further appellate process.

This CLE webinar will provide an overview of the key features of:

• Washington’s My Health My Data Act—clarifying the types of non-HIPAA entities covered by the law and the operational updates likely required of them;
• Similar provisions under Connecticut and Nevada law;
• The FTC’s Health Breach Notification Rule; and
• The interplay of these laws with HIPAA, and related developments in the consumer health data space.

Click here to register.