Katten's Privacy, Data and Cybersecurity Quick Clicks is a monthly newsletter highlighting the latest news and legal developments involving privacy, data and cybersecurity issues across the globe.
New Colorado AI Act Targeting 'Algorithmic Discrimination' Provides AI Compliance Lessons
By Michael Justus
Starting February 1, 2026, businesses must comply with requirements of the Colorado AI Act (the Act) (SB 205) if they use artificial intelligence (AI) tools to make "consequential" decisions about Colorado consumers' education, employment, financial or lending services, essential government services, health care, housing, insurance or legal services. The new law focuses on addressing "algorithmic discrimination" by high-risk AI systems but also requires any AI system that interacts with consumers (even if not high-risk) to disclose to consumers that they are interacting with an AI system, unless that would be obvious to a reasonable person. Read more about duties imposed by the new law and its various exemptions.
Supervising FINfluencers' Social Media Spin: Don't Believe Everything You View on Your Phone
By Christopher Cole, Michael Justus, Susan Light and Nicholas Gervasi
In the all-encompassing age of social media, a new breed of influencers has emerged — FINfluencers, or financial influencers. These individuals leverage their significant number of followers on social media platforms such as Instagram, TikTok, YouTube and X (formerly Twitter) to make those followers aware of a broker-dealer and its services. While FINfluencers can make general financial literacy more accessible and reach an audience not traditionally targeted, broker-dealers need to consider the implications of these promotional communications. Read more about how social media streams can trigger certain regulatory obligations for firms and expose gaps in supervisory procedures.
New Rules for Investment Advisers and Brokers Relating to Cybersecurity Breaches
By David Dickstein and Richard Marshall
On May 16, the Securities and Exchange Commission unanimously approved amendments to Regulation S-P, which impose new rules relating to cybersecurity breaches involving investment advisers and brokers. Larger entities must comply with the new rules by January 3, 2026, and smaller entities must comply by June 3, 2026. Read more about Regulation S-P's three main components regarding an information safeguards rule, privacy rules and an information disposal rule.
NYDFS Releases Circular Letter on the Use of AI and Data in Insurance Underwriting and Pricing
By Trisha Sircar
On July 11, the New York Department of Financial Services (NYDFS) issued Circular No. 7 Re: Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (Circular Letter). The Circular Letter emerged from the initial draft circular letter issued by NYDFS on January 17, 2024, and sets forth the department's guidelines for insurers authorized to write insurance in New York that use artificial intelligence systems, external consumer data and information sources for underwriting, as well as pricing insurance policies and annuity contracts. Read more about the Circular Letter's scope, applicability and fairness principles.
EU AI Act Published in the Official Journal of the European Union
By Trisha Sircar
On July 12, the EU Artificial Intelligence Act, Regulation (EU) 2024/1689 (EU AI Act), was published in the Official Journal of the European Union. It is the first comprehensive legal framework for the regulation of AI systems across the European Union and closely follows the prior versions of the text. The EU AI Act will enter into force across all EU Member States on August 1, 2024, and the majority of its provisions will apply from August 2, 2026. Read more about the EU AI Act's transition period and key dates.
The California Regulator Publishes New CCPA Regulations for Public Comment
By Trisha Sircar
On July 15, the California Privacy Protection Agency (CPPA) released official materials ahead of its July 16 Board meeting. The materials include draft regulations for automated decision-making technology, risk assessments and cybersecurity audits that will be discussed for potential rulemaking. The CPPA Board had previously voted to advance the draft regulations for official rulemaking on March 8, 2024. Read more about the draft regulations and adoption of the formal rulemaking process.