First Litigation Filed Under Washington’s My Health My Data Act
Nearly a year after Washington passed the My Health My Data Act (MHMDA), a state resident filed a lawsuit against Amazon. The lawsuit, which leverages the law’s controversial private right of action, alleges that Amazon unlawfully collected location data from consumers’ phones without obtaining consent.
The location data at issue is not expressly health-related. However, the complaint argues that it falls under the MHMDA’s protections because it tracks individuals' locations precisely enough to "indicate a consumer’s attempt to acquire or receive health services or supplies." Even though the law is meant to cover only health-related data, its broad scope suggests it could apply as widely as any U.S. consumer privacy law to date. See this SixFifty blog post for more details on the MHMDA and the type of data it covers.
The lawsuit is still in its early stages, so it remains unclear how far it will go or if it will result in significant fines or sanctions against Amazon. However, it serves as a reminder that the MHMDA is enforceable and allows consumers to sue organizations that fail to follow proper notice and consent procedures. Organizations that have not yet created MHMDA-compliant documentation can use SixFifty’s State Health Privacy products. Not sure if your organization must comply? Take our Health Privacy Law Applicability Quiz to find out.
EU’s AI Act Begins to Take Effect
The first set of restrictions in the European Union’s AI Act took effect earlier this month. The Act's provisions roll out in stages, beginning with rules around prohibited AI uses and AI literacy requirements, which became effective on February 2. Additional regulations will continue rolling out through 2030.
This first wave of rules primarily restricts businesses from using AI for certain potentially harmful purposes and requires employees who work with AI systems to understand how these systems impact consumers and how to operate them safely.
Prohibited AI uses include:
Scraping the internet to create facial recognition databases
Using manipulative techniques to influence behavior
Engaging in social scoring
Predicting criminal behavior
Organizations that create or deploy AI in the EU should ensure compliance with the new rules to avoid regulatory scrutiny.
The next phase of the AI Act’s rollout will take effect on August 2, 2025, when:
Each EU member state will appoint a competent authority to issue fines and enforce the Act.
New rules governing the creation of general-purpose AI models will take effect.
Stay tuned for future monthly updates on these developments.
Congress Considering Federal Consumer Privacy Law - Again
The 119th US Congress is gearing up to take yet another crack at passing some kind of comprehensive federal privacy law. On February 12, the Chairman of the House Committee on Energy and Commerce created a working group of nine congressional Republicans that he tasked with developing a new framework for a privacy bill “that can get across the finish line.”
It’s unclear whether creating such a bill is possible in the current political climate, given the Republicans’ razor-thin majority in the House and the lack of any Democratic representation in the working group. Nonetheless, the Committee has begun the process by issuing a Request for Information (“RFI”) seeking input from businesses and other stakeholders about what they think a federal privacy law should look like.
Organizations that want to give their input can do so by submitting written responses to the questions contained in the RFI to PrivacyWorkingGroup@mail.house.gov no later than April 7, 2025.
Any potential federal privacy bill faces a long road before becoming law. The Committee must review RFI responses, draft legislation, hold hearings, and secure majority approval before the bill even reaches the House floor. Still, growing pressure from state privacy laws may push Congress to act faster than in previous years. SixFifty will continue monitoring these developments.
California Releases First Annual Report on CCPA Enforcement
On February 26, the California Privacy Protection Agency (CPPA) released its first annual report on CCPA enforcement. The report provides valuable insights into consumer complaints about alleged CCPA violations.
Since July 2023, the CPPA has received 3,797 consumer complaints. The majority of complaints involve businesses failing to process consumer requests under the CCPA:
Top complaint areas:
Right to Delete violations – 57% of complaints
Right to Opt-Out of Sale/Sharing violations – 42% of complaints
Complaint volume has steadily increased since mid-2023. The CPPA received 883 complaints in its first six months, increasing to 1,306 in early 2024 and 1,625 in the latter half of 2024.
This report shows that California’s consumer education efforts are working, with more residents understanding their privacy rights and how to file complaints. Currently, the CPPA focuses on egregious violations due to limited resources. However, as it expands, enforcement may extend to smaller violations.
Organizations subject to the CCPA should review and refine their consumer rights request procedures to ensure compliance before facing potential enforcement actions.
Virginia Follows Colorado’s Lead and Regulates AI
Virginia’s legislature has approved a bill making it the second U.S. state to pass comprehensive legislation regulating "high-risk" artificial intelligence (AI) systems.
What qualifies as high-risk AI?
A system designed to make—or assist in making—decisions that significantly impact Virginia residents.
Modeled after the EU’s AI Act and Colorado’s AI law, Virginia’s bill focuses on consumer protection rather than employment-related AI. This approach allows businesses to continue developing AI while setting guardrails to prevent consumer harm.
The bill is not law yet; it still requires Governor Glenn Youngkin’s signature. No veto is expected, so it will likely take effect in July 2026.
Businesses operating in Virginia that develop or use AI should review the bill's requirements to ensure compliance by the effective date.