Don’t miss this upcoming webinar, co-hosted by ARMA and Access, designed to give you the tools and insights you need to elevate your Information Governance (IG) program.
Reflecting on 2024, it has been a busy year for privacy legislation in the United States. 2024 also saw the world's first comprehensive artificial intelligence law, the European Union's AI Act, followed closely by the first state-level counterpart in the United States, from Colorado. All signs point to these legislative trends continuing in the year ahead.
In this quarter’s legal and information governance update, we’ll review consumer and data privacy, provide our thoughts on what to expect next year, and give insights into developing AI legislation globally and this quarter’s new legislation. Continue reading to stay informed of the newest laws and regulations impacting record-keeping requirements.
Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.
Data control and privacy had yet another big year. Since 2017, twenty bills introduced in U.S. state legislatures have been signed into law. Eight of those laws went into effect in 2023 and 2024, and eleven more are scheduled to go into effect in 2025 and 2026.
Next year is expected to be just as active in consumer and personal data privacy as the past two years. The twenty pieces of legislation passed since 2017 averaged 165 days to be signed into law from the day they were introduced and an average of 708 days to go into effect from their introduction.
The newest pieces of legislation are being signed and taking effect even faster. Bills introduced in 2024 were signed on average 93 days after introduction, and the average time from introduction to effective date is down to 572 days. This quickening of legislative timelines is due to states' ability to duplicate legislation from other states with only minor changes.
Fifteen states have introduced thirty-eight pieces of comprehensive or complementary consumer or personal data privacy legislation in the last two years that have yet to be signed into law. New York and Massachusetts lead the other states, with seven or more pieces of legislation under consideration in each. These numbers do not include legislative activity around the protection of personal health information, electronic health records, financial information, or biometric data.
Privacy legislation in the United States will keep expanding state by state, following the same format as the earlier laws, and its impact on data management will continue to draw interest from the records management world. It is worth remembering, however, that many of the laws already passed are very similar to one another: with a few exceptions, they address the same core rights of the individual whose data is held, namely the right to access, delete, or correct personal data and to opt out of its sale.
Artificial Intelligence (AI) has quickly become a revolutionary force in the business world. AI is transforming how companies operate, from automating routine tasks to providing deep insights through data analysis. Businesses are using AI for a wide range of applications, including customer service, cybersecurity, fraud management, content production, and supply chain operations. The potential benefits are enormous: increased efficiency, cost savings, and enhanced customer experiences. Those benefits, however, come with an equally broad set of potential adverse impacts.
As AI technology continues to advance, the need for regulatory frameworks to ensure its responsible use becomes increasingly important. In the United States, various legislative efforts are underway to address the potential risks associated with AI.
Following the European Union's lead, legislation mirroring the goals of the EU AI Act has been introduced in the U.S. Senate. For example, the Artificial Intelligence Civil Rights Act of 2024 (S.5152) carries records management requirements similar to those in the EU AI Act and likewise focuses on regulating high-risk AI, meaning systems whose automated decision-making could harm an individual's health, safety, or fundamental rights.
The U.S. Congress has introduced over 100 bills since 2023 that directly address some aspect of AI's use or development in private-sector R&D, military integration, or consumer protection in high-risk areas such as health care, employment, and finance. One of the many bills before the 118th Congress, the No Robot Bosses Act (S.2419), would prohibit certain uses of automated decision systems by employers. Many others like it saw little, if any, activity in the past two years, though none had quite the same ring to its name. Suffice it to say that the United States made little progress on a national AI regulatory framework, while some states have begun gaining traction.
Several states have enacted AI-specific laws, such as California's Artificial Intelligence in Health Care Services Act (AB-3030), Colorado's Consumer Protections for Artificial Intelligence (SB24-205), and Utah's Artificial Intelligence Policy Act (S.B. 149). So far, the impact on the records management landscape is small. Of these three notable laws, only Colorado's adds a requirement to retain a new record type that mirrors the EU AI Act: the impact assessment for a high-risk artificial intelligence system.
[COLO. REV. STAT. § 6-1-1703(3)(b)]
[COLO. REV. STAT. § 6-1-1703(3)(f)]
Internationally, the appetite for AI regulation is growing. Outside the European Union, the jurisdictions meaningfully addressing artificial intelligence are still in the early stages, writing non-binding guidelines, action plans, national policies, and codes of practice.
Recent AI policy changes have mostly amended personal data laws to cover data collected by AI for internal analytics, without tackling AI's use in decision-making. Several countries have begun introducing and debating comprehensive AI legislation, and much like the quickening pace of privacy legislation in the United States, it will not be long before these countries begin enacting AI laws modeled on the European Union's. If the EU model holds as the standard for global legislation, records management needs will center on retaining AI system logs and tracking the development, sale, and use of every AI system that poses a potential risk to health, safety, or fundamental rights through automated decision-making.
On September 28, 2024, California signed into law Senate Bill 988, the Freelance Worker Protection Act (FWPA). The FWPA strengthens protections for freelance workers by requiring private companies that engage independent contractors to provide written agreements detailing the terms of the engagement and setting payment deadlines.
The FWPA mandates (i) written contracts; (ii) detailed contract terms, including an itemization of services, their value, the method of compensation, and the date of payment; and (iii) payment within thirty days of completion of the services where the contract does not specify a payment deadline. The legislation also includes anti-discrimination, anti-retaliation, and double-damages provisions.
The FWPA requires the hiring party to retain the contract for a period of four years.
[CAL. BUS. & PROF. CODE § 18103]
The FWPA goes into effect on January 1, 2025.
On September 28, 2024, California signed Assembly Bill No. 2013 on generative artificial intelligence and training data transparency.
The bill requires developers to post detailed documentation about the data used to train their AI, including a high-level summary of the data sets used, by January 1, 2026, for any generative AI system or substantial update to one released on or after January 1, 2022. This requirement applies regardless of whether the AI is offered for free or for a fee.
The legislation requires:
[CAL. CIV. CODE § 3111(a)]
AB-2013 goes into effect on January 1, 2025.
On October 9, 2024, Illinois signed SB3208, amending the Wage Payment and Collection Act.
The amendments restructure the text of 115/10, breaking a single paragraph into multiple subsections that make the requirements easier to locate, and add three new retention requirements, including a new retention period for pay stubs.
The amendments require employers to:
[820 ILL. COMP. STAT. ANN. 115/10(c)]
[820 ILL. COMP. STAT. ANN. 115/10(d)(2)]
[820 ILL. COMP. STAT. ANN. 115/10(d)(3)]
The IWPCA amendments go into effect on January 1, 2025.
On September 9, 2024, California signed AB 2499, amending several codes and sections of California law relating to employment, unlawful discrimination against victims of violence, and the use of paid sick days.
The amendments and additions extend the existing time-off provisions for jury duty, court appearances, and similar activities to situations where an employee's family member is the victim of a qualifying act of violence. They also permit employees to use paid sick leave if they or a family member are victims. A new section of the California Government Code adds a confidentiality requirement covering any knowledge or documentation of a victim-based request for accommodation.
The new section requires:
Any verbal or written statement, police or court record, or other documentation provided to an employer identifying an employee or the employee’s family member as a victim shall be maintained as confidential by the employer and shall not be disclosed by the employer.
[CAL. GOV’T. CODE § 12945.8]
Victims of violence protections go into effect January 1, 2025.
On October 23, 2024, the European Union signed the Cyber Resilience Act (Regulation (EU) 2024/2847), which aims to enhance the security and resilience of products with digital elements sold in the European Union. It introduces mandatory cybersecurity requirements for manufacturers to ensure that products are designed, developed, and produced with appropriate security measures, with the goal of significantly reducing the risk of cyberattacks on connected devices and thereby protecting consumers and businesses.
The Cyber Resilience Act leans heavily on the ten-year retention period already common for technical documentation, declarations of conformity, and other documents tied to the manufacture or sale of products in the European Union. The one distinctive requirement is the five-year period applied to cybersecurity risk assessments, which the regulation ties to the product's support period.
The Cyber Resilience Act requires:
Retention of all documentation listed in the regulation for ten years, the only exception being cybersecurity risk assessments, which are retained for five years.
[Regulation (EU) 2024/2847, Art. 13]
[Regulation (EU) 2024/2847, Art. 18]
[Regulation (EU) 2024/2847, Art. 19]
[Regulation (EU) 2024/2847, Art. 23]
[Regulation (EU) 2024/2847, Annex VIII Part I]
[Regulation (EU) 2024/2847, Annex VIII Part II]
[Regulation (EU) 2024/2847, Annex VIII Part III]
[Regulation (EU) 2024/2847, Annex VIII Part IV]
The Cyber Resilience Act's retention provisions apply from December 11, 2027, when the regulation's main obligations take effect.
To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.
Virgo is a cloud-based legal solution that informs your privacy and retention policies by providing continuously updated legal research in 220+ jurisdictions around the world.