Gregory P. Szewczyk

Subscribe to Gregory P. Szewczyk's Posts
Contact:Read more about Gregory P. Szewczyk

After attempting to amend its first-in-the-nation AI law for two years and three legislative sessions, on May 9, 2026, the Colorado legislature passed SB 26-189. It now awaits the governor’s signature and is expected to be signed into law, which will go into effect January 1, 2027.

SB 26-189 replaces the original law’s broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data used to “materially influence” a “consequential decision.”… Continue Reading

On April 22, 2026, the House Energy & Commerce Committee released the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the “SECURE Data Act”). The SECURE Data Act seeks to establish a comprehensive federal framework for consumer privacy rights and the protection of personal data. Subject to certain exemptions, the SECURE Data Act applies to businesses subject to the FTC Act or common carriers subject to title II of the Communications Act of 1934 that either (a) collect and process personal data of more than 200,000 consumers annually and have an annual gross revenue of $25 million or more, or (b) collect and process personal data of 100,000 consumers annually and “derive[] 25 percent or more of the[ir] annual gross revenue .… Continue Reading

The quality of the CFPB’s information security program “has decreased since last year, leading us to conclude the program no longer is effective,” the bureau’s Inspector General (IG), said in a report.

The bureau’s overall security program has decreased from “manageable and measurable” to “defined,” the IG said in an annual audit conducted between April 2025 and October 2025, which is only one step above the lowest security rating.… Continue Reading

On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) published its long-anticipated proposed rule aimed at regulating data brokers under the Fair Credit Reporting Act (FCRA).  Although the CFPB’s future is uncertain under the upcoming administration, if implemented, the rule would significantly expand the reach of the FCRA. 

In the accompanying press release, the CFPB stated that its “proposal would ensure data brokers comply with federal law and address critical threats from current data broker practices, including” national security and surveillance risks; criminal exploitation; and violence, stalking, and personal safety threats to law enforcement personnel and domestic violence survivors. … Continue Reading

On November 12, 2024, the Consumer Financial Protection Bureau (CFPB) released a report examining the carve outs and limitations contained in comprehensive state privacy laws relating to financial institutions.  In an accompanying press release, the CFPB stated that in its assessment, “privacy protections for financial information now lag behind safeguards in other sectors of the economy.”… Continue Reading

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) issued its final rule implementing Section 1033 of the Dodd-Frank Act (the “Final Rule” or the “Open Banking Rule”), granting consumers greater access rights to the data their financial institutions hold. Although there are some differences, the Final Rule largely tracks the Proposed Rule announced by the CFPB last year on October 19, 2023, with the largest concession coming in the form of the extended effective date.… Continue Reading

The CFPB has launched the process for independent standard-setting bodies to receive formal recognition, as part of its efforts to shift towards open banking in the United States.

On June 5, 2024, the CFPB finalized a rule outlining the minimum attributes that standard-setting bodies must exhibit to issue standards in compliance with CFPB’s proposed Personal Financial Data Rights Rule.… Continue Reading

Minnesota becomes the latest state to move to pass legislation regulating the processing and controlling of personal data (HF 4757 / SF 4782). If signed into law by Governor Tim Walz, the Minnesota Consumer Data Privacy Act, or MCDPA, would go into effect on July 31, 2025 and provide various consumer data privacy rights and impose obligations on entities that control or process Minnesota residents’ personal data.… Continue Reading

Colorado has become the first state to pass legislation (SB24-205) regulating the use of artificial intelligence (AI) within the United States.  This legislation is designed to address the influence and implications, ethically, legally, and socially, of AI technology across various sectors.

Any person doing business in Colorado, including developers or deployers of high-risk AI systems that are intended to interact with consumers. … Continue Reading

The FTC published guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices—for example, to start sharing consumers’ data with third parties or using that data for artificial intelligence (AI) training—and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” … Continue Reading