
June 2025 Privacy Update

Written by Seth J. Barany
Updated over a week ago

New and Improved US Privacy Tools

As we approach the halfway point of 2025, SixFifty is gearing up for the string of new US state-level privacy laws that will go into effect between July 1, 2025, and January 1, 2026.

We will have six new privacy laws in place by the start of next year, on top of two significant amendments to Colorado’s existing law:

  • Tennessee (July 1, 2025),

  • Colorado Biometric Data Amendment (July 1, 2025),

  • Minnesota (July 31, 2025),

  • Maryland (October 1, 2025),

  • Colorado Children’s Data Amendment (October 1, 2025),

  • Indiana (January 1, 2026),

  • Kentucky (January 1, 2026), and

  • Rhode Island (January 1, 2026).

To help customers create privacy documentation that complies with the new laws, we have updated our US Privacy documents and request forms, and we've added a new tool: our Employee Biometric Data Handling Policy. This document lays out the procedures your organization should follow when handling biometric data collected from employees. It is useful for any organization that holds employee biometric data, and it will be required for organizations that collect biometric data from employees in Colorado once the amendment takes effect on July 1.

When you log in to your account, you might see that the status of some of your documents has changed to “Needs Update.”

To update these documents and ensure compliance with the new laws, follow these steps:

  1. Click on the document marked “Needs Update.”

  2. Answer any new questions that appear.

  3. Click “Generate.”

Your privacy documentation will then be up to date and compliant with all six new laws, as well as Colorado's amendments. If you have any questions, contact your CSM or use the chat feature in the bottom right corner of your dashboard.

CPPA Approves Revised Draft of CCPA Regulations

In a somewhat surprising move, the California Privacy Protection Agency (the “CPPA”) voted to approve a modified draft of the pending regulations around automated decision-making technology at its most recent board meeting on May 1. As discussed in last month's update, the previous draft of the regulations hit a snag when several members of the CPPA board voiced concerns over their breadth and the burden they would place on businesses. This latest draft addresses those concerns with several changes that significantly narrow the type of technology subject to regulation. Most notably, the new draft (1) removes the term “artificial intelligence” entirely, (2) limits the definition of “automated decision-making technology” to technologies that are used to “replace . . . or substantially replace human decision-making,” and (3) provides that businesses are only required to conduct risk assessments when automated decision-making technology is used to make a “significant decision” about a consumer.

Because the changes are so significant, California law requires the CPPA to open a second public comment period for this latest draft. The CPPA board is set to meet again on June 2 (after the comment period closes), where it is expected to consider any amendments that are added as a result of public comment and hold a final vote on the draft. If it is approved, the draft will then be sent to California’s Office of Administrative Law to become law. Based on California’s regulatory calendar, the regulations are likely to take effect on October 1, which is good news for businesses that will have time to bring their privacy practices into compliance. We will update our California and US privacy tools to reflect the new regulations once they are finalized, and we will notify you of these changes in a future monthly update.

House Passes 10-Year “Moratorium” on State Regulation of AI

The House of Representatives passed a budget bill this month that would prohibit states from enforcing any laws that regulate “artificial intelligence models, artificial intelligence systems, or automated decision systems” for the next 10 years. It’s unclear how far this “moratorium” would reach. Still, it would likely prevent states with comprehensive privacy laws from enforcing the pieces of those laws that regulate “profiling” or “automated decision-making technology.” Broader AI-related regulations, like Colorado’s AI Act, would probably be put on pause as well. The bill faces significant opposition in the Senate (as well as from state governments, such as the 40 Attorneys General who wrote Congress a letter on the issue), so it’s far from certain that it will become law. If it does, businesses that use personal data for profiling will see their compliance burden become a bit lighter, rather than heavier, for a change. The Senate is expected to vote on the bill sometime in June or July, so keep an eye on this space for future updates.

CPPA Issues $345,000 Fine Over Opt-Out Processing

The California Privacy Protection Agency (the “CPPA” or the “Agency”) continued ramping up its enforcement efforts this month, as it issued a $345,178 fine against Todd Snyder Incorporated (a clothing retailer based in New York) over allegations that the business was not correctly processing consumer requests to opt out of the sale or sharing of their personal data. According to the CPPA’s final order, Todd Snyder violated the CCPA by (1) failing to fix its online consumer request portal for 40 days, during which time consumers were unable to submit any requests, (2) requiring all consumers to verify their identity before processing requests to opt out of sale/sharing, and (3) requiring consumers to provide more information than necessary to verify their identity (e.g., a copy of their driver’s license) during the verification process. As a reminder, the CCPA requires businesses to request as little information as possible from consumers during the verification process, and it prohibits companies from requiring consumers to verify their identity when processing opt-out requests. It appears that the CPPA has begun focusing on businesses with improper opt-out procedures as targets for this most recent wave of enforcement. This is the second sizable fine the Agency has issued over this issue in as many months, and it’s likely more will come as enforcement continues to increase throughout 2025. This is a good opportunity to review the process your organization uses to handle privacy requests from California consumers to ensure it complies with these rules.

European Commission Proposes Record-Keeping Reform

The European Commission (the “Commission”) published a formal proposal to amend specific record-keeping provisions of the GDPR this month, setting the stage for Europe's landmark law to change for the first time in a long while. The proposal would expand an exemption in Article 30 that allows smaller businesses to forgo keeping records of certain processing activities. Specifically, it would (1) expand the exemption to apply to businesses with 750 or fewer employees (instead of the 250 in the current law), and (2) require businesses that meet the new threshold to create records of any processing that “is likely to result in a high risk to the rights and freedoms of data subjects.” The proposal now enters the public consultation phase, during which the Commission will accept comments on its language and potential impact, and decide whether to make any amendments to the proposal before moving it forward. This consultation period is likely to extend at least into the fall, so it will be some time before any changes actually occur. SixFifty will be monitoring this issue as it develops, so keep an eye on this space for future updates.

FTC Cracks Down on GoDaddy Over Data Breaches

On May 21, the Federal Trade Commission (the “FTC”) finalized an order against GoDaddy over allegations that the web host giant “misled consumers by failing to implement data security protections, which led to several data breaches.” The FTC found that GoDaddy failed to implement several industry-standard security practices, which allowed bad actors to gain access to customer data. There is no fine or penalty associated with the FTC’s order. Instead, it requires GoDaddy to (1) stop “making misrepresentations about its security and the extent to which it complies with any privacy or security program,” (2) “establish and implement a comprehensive information-security program,” and (3) “hire an independent third-party assessor to conduct reviews of its information-security program.”

Oregon Legislature Passes OCPA Amendment

On May 27, the Oregon state legislature passed House Bill 2008, a measure that makes minor amendments to the Oregon Consumer Privacy Act (the “OCPA”). If Oregon Governor Tina Kotek signs it (which she is expected to do in the coming weeks), businesses will be prohibited from (1) using data from consumers under 16 for purposes of targeted advertising or profiling, (2) selling data from consumers under 16, and (3) selling any geolocation data that locates a consumer (or their device) within a radius of 1,750 feet. All other aspects of the OCPA, such as its notice and documentation requirements, will remain unaffected. Businesses currently engaging in conduct that would be prohibited under the new bill will have time to bring their privacy practices into compliance, as the bill will not take effect until January 1, 2026.
