New AI and Privacy Laws in Colorado, Vermont, Minnesota, and Maryland

By‎ Adv. Dotan Hammer

Partner at the Cyber, Privacy & Copyright Group, Pearl Cohen Zedek Latzer Baratz

Reading time: 3 minutes
Save to "My Content"

The Governor of Colorado recently signed into law AI bill SB 205, titled “CONSUMER PROTECTIONS IN INTERACTIONS WITH ARTIFICIAL INTELLIGENCE SYSTEMS”. The law takes effect on February 1, 2026. It focuses on “high-risk” AI systems involved in making consequential decisions, imposing a duty on developers and deployers to prevent algorithmic discrimination. Developers and deployers of high-risk AI systems must use reasonable care to protect consumers from discrimination risks. The attorney general has exclusive authority to enforce this law.

Developers must disclose information about the high-risk system to deployers, provide necessary documentation for impact assessments, and publish summaries of their high-risk systems and risk management strategies. Similarly, deployers are required to implement a risk management policy, complete impact assessments, conduct annual reviews to prevent discrimination, notify consumers of consequential decisions, offer opportunities to correct data or appeal decisions, and publish summaries of their deployed high-risk systems.

Meanwhile, the Vermont legislature passed a data privacy bill, which for the first time in state privacy laws would allow residents to sue large data brokers for misusing their information. Governor Phil Scott (Republican) may veto the bill, particularly because of the bill’s private right of action. If enacted, the bill will take effect in July 2025. It would apply to businesses in Vermont or those outside Vermont that target Vermont residents if the business annually handles the personal information of at least 25,000 residents of Vermont, or if the business annually handles the personal information of at least 12,500 residents of Vermont and derives over 25% of revenue from the sale of personal information. Like other state privacy laws in the U.S., the Vermont privacy bill gives consumers rights to access, correct, delete, and port data, and to opt out of targeted advertising, sale of data, and certain profiling.

The Governor of Maryland signed into law the Maryland Online Data Privacy Act (MODPA), imposing data protection rules on data controllers and processors and enhancing consumer protections. MODPA takes effect on October 1, 2025, but won’t impact personal data processing until April 1, 2026. It applies to any entity conducting business in Maryland or providing products or services to Maryland residents if, in the previous year, they controlled or processed personal data of 35,000 or more Maryland residents, or controlled or processed personal data of 10,000 or more Maryland residents while deriving at least 20% of gross revenue from the sale of personal information.

Under MODPA, consumers have the right to inquire if their data is being processed, access and correct inaccuracies, request deletion, obtain a copy of processed data, receive a list of third parties with access to their data, and opt out of targeted ads, sale of personal data, and profiling. Controllers must collect, process, and share data only to the minimum extent necessary, not sell sensitive data or data of individuals under 18.

The Maryland Attorney General’s Consumer Protection Division will enforce MODPA, issuing notices of violation with a 60-day cure period.

Minnesota also joined the growing number of states in the U.S. with a general data protection law, when the Governor of Minnesota signed into law the Minnesota Consumer Data Privacy Act (MNCDPA), as part of a broader omnibus bill. Taking an approach similar to other state privacy laws, the MNCDPA will apply to companies that conduct business in Minnesota or produce products or services targeted to Minnesota residents that meet one of two thresholds. The first threshold is companies that during a calendar year, control or process the personal data of at least 100,000 Minnesota residents. The second, alternative, threshold is companies that during a calendar year derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25,000 Minnesota residents.

The MNCDPA follows the blueprint of other state laws and provides similar data protection rights to Minnesota residents. It also restricts a business’s data processing to the scope and extent adequate, relevant, and reasonably necessary for the purposes for which the data are processed. The MNCDPA takes effect on July 31, 2025.

Click here to read the text of the Colorado Consumer Protections for Artificial Intelligence.

Click here to read the text of the Vermont bill VT H0121, relating to enhancing consumer privacy and the age-appropriate design code.

Click here to read the text of the Maryland Online Data Privacy Act of 2024.

Click here to read the text of the Minnesota Consumer Data Privacy Act (Article 5, Page 155).