Kelsey Fayer

Subscribe to Kelsey Fayer's Posts
Contact:Read more about Kelsey Fayer

After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, on May 9, 2026, the Colorado legislature passed SB 26-189. It now awaits the governor’s signature and is expected to be signed into law, which will go into effect January 1, 2027.

SB 26-189 replaces the original law’s broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data used to “materially influence” a “consequential decision.”… Continue Reading

On November 12, 2024, the Consumer Financial Protection Bureau (CFPB) released a report examining the carve outs and limitations contained in comprehensive state privacy laws relating to financial institutions.  In an accompanying press release, the CFPB stated that in its assessment, “privacy protections for financial information now lag behind safeguards in other sectors of the economy.”… Continue Reading

The CFPB has launched the process for independent standard-setting bodies to receive formal recognition, as part of its efforts to shift towards open banking in the United States.

On June 5, 2024, the CFPB finalized a rule outlining the minimum attributes that standard-setting bodies must exhibit to issue standards in compliance with CFPB’s proposed Personal Financial Data Rights Rule.… Continue Reading

Colorado has become the first state to pass legislation (SB24-205) regulating the use of artificial intelligence (AI) within the United States.  This legislation is designed to address the influence and implications, ethically, legally, and socially, of AI technology across various sectors.

Any person doing business in Colorado, including developers or deployers of high-risk AI systems that are intended to interact with consumers. … Continue Reading

The FTC published guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for artificial intelligence (AI) training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” … Continue Reading

On February 8, the Federal Communications Commission (FCC) finalized its plan to ban robocalls that feature voices generated by artificial intelligence, aiming to stem the tide of AI-generated scams and misinformation campaigns. 

The FCC’s declaratory ruling formalized its position that the Telephone Consumer Protection Act (TCPA)—specifically, the provision prohibiting the initiation of calls “using an artificial prerecorded voice to deliver a message without the prior express consent of the called party”—applies to the use of AI-generated voices. … Continue Reading

In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information.  The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements.  Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. … Continue Reading

In a recent enforcement action against online alcohol delivery service Drizly and its CEO, James Rellas, the Federal Trade Commission (FTC) made clear its focus on data minimization and limitations on the secondary uses of data.  Although the action arose out of a common security failure—the sort that has been the subject of numerous prior FTC consent decrees—the enforcement requirements extend beyond the standard implementation of an information security program.… Continue Reading

The August 31 closing of the California legislative session likely marked the end of hopes for an extension of the limited exemptions for employee and business-to-business (B2B) data that have existed for the California Consumer Privacy Act (“CCPA”) since its inception.  As a result, when the the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, employee and B2B data will be treated the same as consumer data. … Continue Reading

Businesses with automatic renewal contracts—including subscriptions—should take note of Colorado’s new law that went into effect earlier this year on January 1, 2022.  While companies subject to other state’s auto-renewal laws and the Restore Online Shoppers’ Confidence Act (“ROSCA”) will be familiar with the three-prong approach of upfront clear disclosure, simple cancellation, and ongoing reminders, the Colorado law goes a step further by imposing notice obligations on month-to-month renewals.

Continue Reading