State Privacy & AI Laws Advance: Massachusetts & California Lead the Way
This week saw notable movement in state-level data privacy and artificial intelligence regulation, highlighting a growing trend of states taking the lead in these areas while federal action remains stalled. Both Massachusetts and California enacted key legislation, poised to reshape how businesses handle data and develop AI systems.
The Massachusetts Senate unanimously approved the Massachusetts Data Privacy Act (MDPA), Senate Bill 2608. This comprehensive bill grants Massachusetts residents robust rights over their personal data, including the ability to access, correct, delete, and port their details. It goes further than existing laws like the California Consumer Privacy Act by banning the sale of sensitive data and all personal data belonging to minors. The MDPA also restricts data transfers, provides opt-out rights for targeted advertising (with a complete ban for minors), and notably extends the prohibition on selling geolocation data to all visitors to the state, even those traveling for healthcare.While the bill doesn’t offer a private right of action, it empowers the Attorney General to enforce the law with penalties up to $5,000 per violation. The bill now moves to the House for consideration.
Meanwhile, California enacted the Openness in Frontier Artificial intelligence Act (TFAIA), Senate Bill 53. Unlike other AI-focused legislation concentrating on chatbots or child protection, SB 53 takes a broader approach, aiming to foster responsible AI innovation through transparency. Effective January 1, 2026, the law establishes “CalCompute,” a new consortium within the California Department of Technology, tasked with developing a framework for safe, ethical, equitable, and lasting AI advancement. Covered developers will be required to publish detailed documentation about their AI systems, including model cards and safety policies, disclose known limitations and risks, and report critical incidents. The Department of Technology will also provide annual recommendations based on evolving technology and international standards.
SB 53 establishes a dual enforcement mechanism, allowing both the California attorney General (with penalties up to $1 million per violation) and individuals reporting concerns – protected from retaliation as whistleblowers – to pursue action.
These developments underscore a clear message: in the absence of comprehensive federal legislation, states are actively shaping the landscape of data privacy and AI governance. Organizations operating in or interacting with residents of Massachusetts and California, and likely other states following suit, must proactively develop state-specific compliance strategies to navigate this evolving regulatory patchwork.
