While the feds can’t seem to agree on much, states continue to wrangle over how to regulate privacy and AI. In March alone, Oklahoma, Colorado and California brought three significant developments that every marketer, advertiser, brand manager, and privacy professional should be watching closely.
Oklahoma Joins In. Oklahoma recently became the 20th U.S. state to enact a comprehensive privacy law that sets limits on how companies collect, use, and disclose consumers’ personal data, when the state’s governor signed Senate Bill 546 into law on March 20. The Oklahoma bill is the first new consumer data privacy statute to be put on the books since Minnesota joined the fray in May 2024. Similar to many other state laws, Oklahoma’s law doesn’t apply to all businesses: it covers businesses that control or process the personal data of at least 100,000 consumers, or the data of at least 25,000 consumers while deriving at least 50% of gross revenue from data sales. Under the law, Oklahomans would have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of processing for targeted advertising, the sale of personal data, and certain automated profiling that has legal or similarly significant effects, among other duties and obligations. Oklahoma’s law is very similar to Virginia’s and Tennessee’s privacy laws in that it takes a more “business-friendly” approach in many aspects.
Businesses that have already implemented procedures to comply with existing state privacy laws such as Virginia’s will be well-positioned to comply with the Oklahoma Act.
But note that the opt-out right for targeted advertising should be taken seriously. The bill lets Oklahomans ask companies for copies of the information stored about them, request that data be deleted, and opt out of both targeted advertising and the sale of their personal details. Advertisers who rely on behavioral targeting, retargeting, and data-driven audience segmentation must now adhere to a new state’s laws and a new set of folks who can raise their hands to exercise these rights.
On the plus side, Oklahoma limits “sale” of personal data to exchanges for monetary consideration only. Data sharing arrangements where data flows in exchange for services, analytics, or other non-cash value may not trigger opt-out rights the way they would under California law. That is a meaningful distinction for programmatic advertising networks, demand-side platforms, and data cooperatives.
Colorado’s AI Act 2.0. Colorado passed the nation’s first comprehensive AI governance law in May 2024, but its governor immediately expressed reservations. After a failed special session last August to revise it, Colorado’s Democratic governor, Jared Polis, floated a draft bill on March 17 that would substantially overhaul the existing law by shifting its emphasis more toward increased transparency, recordkeeping, and consumer notice requirements related to the use of AI and automated decision-making systems.
Under the draft proposal, Colorado residents would receive up-front notice when covered automated technology is being used to influence important decisions that affect their lives. If that decision is adverse, they would then be given access to more information about the decision, an opportunity to correct wrong information, and the ability to request that a human review the ultimate determination. The proposal would make several upgrades to the existing AI Act, including cleaning up some key definitions and providing more clarity on what is considered a “consequential decision” as defined in the Act.
Of course, these state developments are playing out in real time as President Trump, on March 20, released an executive order directing Congress to preempt the growing patchwork of state AI legislation that impedes the implementation of a “minimally burdensome national standard” developed by his administration.
What This Means for Advertising and Marketing. Colorado’s law has the most sweeping long-term implications for marketers. Why? Because AI is part of every layer of advertising these days, from programmatic bidding algorithms to personalization engines. Colorado’s revised framework would treat many of these as “automated decision-making systems” touching “consequential decisions,” as those terms are defined in the law.
The fact that the revised proposal imposes stricter obligations on brands, agencies, platforms and other deployers of AI (rather than on the vendors) is a structural issue that the advertising industry must engage on actively. A brand that deploys a third-party AI tool for audience targeting or content personalization could face disclosure and audit obligations that the AI vendor who built the model does not. Colorado’s revised AI Act is the most ambitious state-level AI governance framework in the country.
California Creates Privacy Whistleblowers. California state Assembly member Pilar Schiavo introduced legislation last month to establish comprehensive protections for employees and other tipsters to report potential violations of the California Consumer Privacy Act, which requires companies to ensure that both consumers and employees are aware of and able to exercise their rights to access, correct, delete, and opt out of certain disclosures of their personal data. Known as the Whistleblower Protection and Privacy Act (AB 2021), it would create an award program to incentivize those with information to speak up about potential data privacy violations and would establish anti-retaliation provisions to protect those individuals once they come forward. As with similar laws in the financial services and anti-fraud contexts, the proposal would enable whistleblowers to share in a portion of an enforcement award. Employers would also be barred from retaliating against these individuals for their reports.
Insider Knowledge Matters. The California Privacy Protection Agency pointed to the vital role of whistleblowers in exposing misconduct that stems from complex business practices that are often cloaked from the public to maintain a competitive advantage. The backers of the law point out that whistleblowers have played vital roles in exposing major events in this area, including a former Cambridge Analytica employee bringing to light the political consulting firm’s harvesting of Facebook users’ data.
What This Means for Advertising and Marketing. This development is potentially the most consequential for day-to-day marketing operations. The advertising and marketing industry runs on data: consumer purchase histories, behavioral profiles, email open rates, device IDs, location signals, and more. Much of that data collection, sharing, and monetization happens deep inside technical systems that regulators have historically had difficulty accessing or understanding. California’s whistleblower bill is specifically designed to solve that problem. Individuals would have both financial incentive and legal protection to report what they know.
Today, many companies treat privacy compliance as a reputational and regulatory risk that is primarily enforced from the outside through consumer complaints and agency investigations. This law would create enforcement pressure from inside the organization, and companies would face not only an aggressive regulator but also a disgruntled employee. Here’s what this means in practice for marketers and advertisers:
• Privacy compliance must be taken seriously. A privacy notice that says one thing while the backroom does something else will expose you to legal liability. Compliance is not just the risk of legal exposure, but also an employee retention and culture risk.
• Consent management infrastructure must be auditable and functional. This means that you must have opt-out procedures that work. If your opt-out mechanism is broken, an employee probably knows.
• Mind your T’s and C’s. Training and Culture. Employees who understand that privacy compliance is taken seriously are less likely to be incentivized to become whistleblowers.
What does this trifecta of regulations signal?
First, states aren’t waiting for the federal government to lead the way on a privacy or AI regulation framework. AI governance is becoming an obligation and Colorado’s revised AI Act creates a model that other states are watching. Watch for these concepts to spread to other states.
Second, enforcement is extending beyond just regulators as seen in the California Whistleblower act. When financial incentives exist for insiders to report violations, compliance becomes a matter of organizational culture, not just legal filings.
And finally, the message is clear for the advertising and marketing industry – data-driven marketing is not going away, but the conditions under which the industry operates are tightening. Companies that treat compliance as a priority and not a check-the-box exercise will not just survive but thrive.