On Monday, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. This Executive Order follows several other AI-related government initiatives, including the Blueprint for an AI Bill of Rights, the National Institute of Standards and Technology AI Risk Management Framework, the National AI R&D Strategic Plan, and the National AI Research Resource Roadmap.

Over the past few years, states have launched various legislative expansion efforts to enhance the protection of children on social media and generally online. For example, this summer, Texas Gov. Greg Abbott (R) signed into law the Securing Children Online through Parental Empowerment Act (SCOPE Act), which goes into effect September 2024. By doing so, Texas joins a multitude of other states that have passed similar legislation, including Arkansas, California, Connecticut, Minnesota, Ohio, and Utah. In part one of this two-part series, we discuss the child data protection laws in Texas, California, and Ohio.

California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law.

The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

On May 22, 2022, Minnesota Gov. Tim Walz (D) signed the Student Data Privacy Act (the “Act”), H.F. No. 2353, into law which amends Minnesota’s Government Data Practices Act. The Act went into effect beginning with the 2022-2023 school year. 

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.

On September 11^th, Gov. John Carney (D) signed the Delaware Personal Data Privacy Act into law. The Act will take effect January 1, 2025. With the DPDPA on the books, the number of states with comprehensive privacy laws increases to twelve.

The new Swiss Federal Act on Data Protection, known by the acronym “nFADP,” took effect on September 1. The law was enacted by the Swiss parliament in 2020.

The law introduces new rights for Swiss citizens, but also corresponding obligations for businesses that process personal data subject to the law. The law is intended to be more closely aligned to the European Union’s General Data Protection Regulation and allows for a free flow of information between EU and Swiss companies.

This summer, Gov. Joe Lombardo (R) signed the Consumer Health Data Privacy Act into law. The Act, which will take effect March 31, 2024, provides protections for consumer health data collected and maintained by regulated entities.

As a former Special Agent for the Federal Bureau of Investigation who investigated cybercrimes involving children, I know from experience that the topic of increasing online protections for minors provoked intense debates among law enforcement, social services, parents, and the civil rights communities.

Often the discussions focused on how to preserve the positive impact of the internet while addressing the negative aspects, such as the facilitation of cyber bullying, narcotics trafficking, and various forms of exploitation. While others continue the discussion, Texas has stepped beyond the debate and enacted a new regulatory regime intended to shield certain materials from being viewed by minors, and to limit the collection and usage of their data.