Staying abreast of all the new and upcoming regulations that affect your organization’s retention schedule can be a full-time job by itself. With this quarterly legal and information governance update, you can quickly become informed of new laws and regulations from across the globe and empower yourself with the information you need to do your job as efficiently and confidently as possible.

In the United States, we’re seeing significant movement in privacy legislation and a first for the country regarding artificial intelligence legislation. Across the pond, Ireland is introducing new safety, health, and welfare at work regulations. Continue reading for more details on these critical updates.

Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.

United States Consumer & Data Privacy

Kentucky, Maryland, and Minnesota each enacted consumer data privacy legislation in the second quarter of this year. The three laws share many traits with each other and with legislation already passed in other states. The common structure includes:

  • Consumer rights to access, correct, delete, and obtain a portable copy of their personal data; to opt out of certain processing and of the sale of personal data; and to opt in before sensitive data is processed.
  • A right to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
  • No private right of action, so consumers cannot sue companies for violations; enforcement is reserved to the state.

This is not unexpected: each new state law mirrors much of the legislation that came before it. A de facto United States formula for consumer data privacy is emerging, with only a small number of deviations in each new statute.

Where the three laws differ most is in which parties they cover. The applicability thresholds vary in the number of consumers whose data is controlled or processed (35,000 to 100,000) and in the share of gross revenue derived from the sale of personal data (20%, 25%, and 50%). Each law's applicability language is set out below.

Kentucky Consumer Data Protection Act

Signed 4/4/2024 and going into effect 1/1/2026.

The legislation applies to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that, during a calendar year, control or process personal data of at least:

  1. One hundred thousand (100,000) consumers; or
  2. Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

Virgo citations will be available when the final text is published in the Kentucky Revised Statutes.

Maryland Online Data Privacy Act

Signed 5/9/2024 and going into effect 10/1/2025.

The legislation applies to a person that conducts business in the state or provides products or services that are targeted to residents of the state and that, during the preceding calendar year, did any of the following:

  1. Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

Privacy requirements cited in Virgo as,

“MD. CODE ANN., COM. LAW § 14-4605”

“MD. CODE ANN., COM. LAW § 14-4607”

“MD. CODE ANN., COM. LAW § 14-4610”

“MD. CODE ANN., COM. LAW § 14-4612”

Minnesota Consumer Data Privacy Act

Signed 5/19/2024 and going into effect 7/31/2025.

The legislation applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

Privacy requirements cited in Virgo as,

“MINN. STAT. § 325O.05”

“MINN. STAT. § 325O.07”

“MINN. STAT. § 325O.08”

What’s Coming Next?

With three new laws signed, an equal number of consumer data privacy laws are about to take effect in other states in the second half of the year. Oregon, Texas, and Montana will see their legislation go into effect on or after July 1; these laws will be covered in more detail in future updates. The approaching dates are below, along with the citations already available in Virgo.

Oregon Consumer Privacy Act – Signed 6/23/2023 with an effective date of 7/1/2024

OR. REV. STAT. ANN. § 646A.606 – through – OR. REV. STAT. ANN. § 646A.620

Texas Data Privacy and Security Act – Signed 6/18/2023 with an effective date of 7/1/2024

TEX. BUS. & COM. CODE ANN. § 541.005 – through – TEX. BUS. & COM. CODE ANN. § 541.204

Montana Consumer Data Privacy Act – Signed 5/19/2023 with an effective date of 10/1/2024

MONT. CODE ANN. § 30-14-2808 – through – MONT. CODE ANN. § 30-14-2816

Colorado Artificial Intelligence Act

On May 17, 2024, Colorado signed into law Senate Bill 24-205, “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems,” now known as the Colorado Artificial Intelligence (AI) Act. The Act regulates developers and deployers of a “high-risk artificial intelligence system” that, when deployed, “makes, or is a substantial factor in making, a consequential decision.”

The law is aimed at preventing discriminatory outcomes from AI in decisions that affect Colorado residents’ access to education, employment, financial services and lending, government and healthcare services, housing, insurance, and legal services. The legislature’s intent is also visible in the systems it expressly recognizes as AI but not as high-risk, including anti-malware, anti-virus, calculators, cybersecurity tools, firewalls, spam- and robocall-filtering, spell-checking, and natural language interfaces that provide consumers with information and recommendations or answer their questions.

The records management implications for deployers of high-risk AI are significant. Deployers must complete an impact assessment for each high-risk system, and every element of that assessment must be retained. The assessment must document the purpose of the system and how it is deployed, its benefits, an analysis of foreseeable risks of discrimination, the data inputs and outputs and the categories of data used, performance metrics, transparency measures, and the post-deployment monitoring and safeguards in place.

Each impact assessment must be retained by the deployer for at least three years; the requirement takes effect in February 2026 along with the rest of the Act.

Cited in Virgo as, “COLO. REV. STAT. § 6-1-1703(3)(b) and (3)(f)”

Each deployer will also be required to publish on its website a statement summarizing the types of high-risk AI systems it deploys, how it manages the risks of discrimination from those systems, and the nature, source, and extent of the information it collects and uses.

Cited in Virgo as, “COLO. REV. STAT. § 6-1-1703(5)(a)”

Colorado Privacy Act – Biometric Data Expansion

Colorado signed House Bill (HB) 24-1130 on May 31, 2024, expanding the Colorado Privacy Act with a new section, § 6-1-1314, covering biometric data and biometric identifiers and the duties and requirements of controllers. When the legislation takes effect on July 1, 2025, the new section will apply to controllers and processors of any amount of biometric identifiers or biometric data, with no volume threshold.

The legislation will require data controllers to delete biometric identifiers at the earliest of:

  1. the date upon which the initial purpose for collecting the biometric identifier has been satisfied;
  2. twenty-four months after the consumer last interacted with the controller; or
  3. the earliest reasonably feasible date, which must be no more than forty-five days after the controller determines that storage of the biometric identifier is no longer necessary, adequate, or relevant to the express processing purpose. That determination comes from a review the controller must conduct at least once a year.

Cited in Virgo as, “COLO. REV. STAT. § 6-1-1314(2)(a)”
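The “earliest of” rule above is the kind of thing a retention schedule has to compute per record, and the edge cases (a trigger that has not occurred yet, a 24-month window that lands on a shorter month) are where hand-calculated deadlines go wrong. The following is an added example written for this update, not code from the page or from Virgo. It assumes a hypothetical controller inventory that records the three trigger dates as ISO-8601 strings (or None when a trigger has not happened), and it counts “twenty-four months” as calendar months with the day clamped; neither assumption comes from the statute text quoted here.

```python
"""Biometric-identifier deletion deadline calculator (added example; not the page's or Virgo's code).

Implements the "earliest of" rule as paraphrased in the update:
  (a) the date the initial collection purpose was satisfied;
  (b) 24 months after the consumer last interacted with the controller;
  (c) at most 45 days after the controller determines, in its (at least annual)
      review, that storage is no longer necessary.
Assumptions (not from the statute text): "24 months" is counted in calendar months
with day clamping, and the inventory stores trigger dates as ISO strings or None.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PURPOSE = "initial purpose satisfied"
INACTIVITY = "24 months since last interaction"
REVIEW = "45 days after no-longer-necessary determination"


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months; clamp the day when the target month is shorter
    (e.g. 2024-02-29 + 24 months -> 2026-02-28)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def _parse(s: Optional[str]) -> Optional[date]:
    return None if s is None else date.fromisoformat(s)


@dataclass(frozen=True)
class BiometricRecord:
    """Hypothetical inventory row; field names are this example's, not the statute's."""
    record_id: str
    last_interaction: str                      # ISO date of the consumer's last interaction
    purpose_satisfied: Optional[str] = None    # None while the collection purpose is still live
    no_longer_necessary: Optional[str] = None  # None if the latest annual review kept the record


def deletion_deadline(rec: BiometricRecord) -> tuple[str, str]:
    """Return (ISO deadline, triggering condition): the earliest applicable date."""
    # (b) always applies, because every record has a last-interaction date.
    candidates = [(add_months(_parse(rec.last_interaction), 24), INACTIVITY)]
    purpose = _parse(rec.purpose_satisfied)
    if purpose is not None:                    # (a) only once the purpose is actually satisfied
        candidates.append((purpose, PURPOSE))
    determined = _parse(rec.no_longer_necessary)
    if determined is not None:                 # (c) only after a review made the determination
        candidates.append((determined + timedelta(days=45), REVIEW))
    deadline, reason = min(candidates, key=lambda c: c[0])
    return deadline.isoformat(), reason


def overdue_ids(inventory: list[BiometricRecord], today: str) -> list[str]:
    """IDs of records whose deletion deadline has already passed as of `today`."""
    t = date.fromisoformat(today)
    return sorted(r.record_id for r in inventory
                  if date.fromisoformat(deletion_deadline(r)[0]) < t)


# Constructed sample inventory for illustration; not real data.
SAMPLE_INVENTORY = [
    BiometricRecord("r1", last_interaction="2024-03-15"),
    BiometricRecord("r2", last_interaction="2024-01-10",
                    purpose_satisfied="2025-09-01", no_longer_necessary="2025-08-01"),
    BiometricRecord("r3", last_interaction="2024-02-29"),          # leap-day edge case
    BiometricRecord("r4", last_interaction="2024-01-01", no_longer_necessary="2025-07-01"),
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(rec.record_id, *deletion_deadline(rec))
    print("overdue on 2026-03-01:", overdue_ids(SAMPLE_INVENTORY, "2026-03-01"))
```

Note that the 45-day clock in (c) starts at the controller’s determination, not at the annual review date itself, so the inventory needs to capture the determination date, and a review that finds the record still necessary leaves that field empty.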

Ireland – Safety, Health and Welfare at Work (Carcinogens, Mutagens and Reprotoxic Substances) Regulations, 2024

Ireland published S.I. No. 122 of 2024 in March of this year. The regulation revokes the Safety, Health and Welfare at Work (Carcinogens) Regulations 2001, the Safety, Health and Welfare at Work (Carcinogens) (Amendment) Regulations 2015, and the Safety, Health and Welfare at Work (Carcinogens) (Amendment) Regulations 2019, consolidating them into a single regulation that also adopts the requirements of Directive (EU) 2022/431.

The new regulation carries forward the exposure-related retention requirements of the previous regulations and adds a second retention period for reprotoxic substances, which the previous regulations did not cover.

The regulation requires employers to maintain an up-to-date list of the employees engaged in activities that present a risk to their health and safety, together with any information on the exposure to which they have been subjected, for 40 years following the end of the relevant exposure to carcinogens and mutagens and for 5 years following the end of the relevant exposure to reprotoxic substances. The regulation also requires the medical practitioner who provides health surveillance to an employee to confidentially maintain the individual’s medical record for the same 40-year and 5-year periods.

The regulations also set out who may access these documents and how they must be handled in certain cases. Employers must give each listed employee access to the exposure information that relates to them personally and must make anonymised collective information available to all employees and their representatives. If the employer ceases to be an employer, the documentation must be transferred to the government authority.

Cited in Virgo as,

“S.I. No. 122/2024, Reg. 9”

“S.I. No. 122/2024, Reg. 11”

“S.I. No. 122/2024, Reg. 12”

To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.