Executive Summary: AI systems fundamentally rely on personal data for training, operation, and decision-making, creating complex intersections with data privacy laws worldwide. The EU's GDPR establishes comprehensive requirements for AI including lawful basis for processing, data minimization, purpose limitation, automated decision-making rights, and data protection by design. California's CPRA extends CCPA with automated decision-making opt-outs, profiling disclosures, and sensitive personal information restrictions. Other US state privacy laws (Virginia, Colorado, Connecticut, Utah) create a patchwork of compliance obligations. International frameworks in UK, Canada, Brazil, and emerging regulations in Asia add further complexity. Organizations deploying AI must navigate consent requirements for training data, transparency obligations for automated decisions, data subject rights (access, deletion, portability), cross-border transfer restrictions, and vendor accountability, with penalties ranging from administrative fines to class action liability reaching billions of dollars.
AI-Specific Privacy Challenges
AI creates unique privacy compliance challenges:
- Training data may include millions of individuals' personal data
- Purpose limitation conflicts with model reuse and transfer learning
- Right to deletion vs. inability to "untrain" models
- Explainability requirements for complex neural networks
- Profiling and automated decision-making trigger additional rights
- Vendor AI (third-party models) complicates data controller/processor roles
GDPR: Comprehensive EU Framework
Core Principles Applied to AI
Lawfulness, Fairness, and Transparency (Article 5):
- AI processing requires valid legal basis (consent, contract, legitimate interest, etc.)
- Individuals must understand AI's role in decisions affecting them
- Cannot use personal data for AI training without appropriate legal basis
Purpose Limitation (Article 5):
- Data collected for one purpose cannot be used for incompatible AI purposes
- Training general-purpose AI models may conflict with specific collection purposes
- Transfer learning and model reuse require careful purpose analysis
Data Minimization (Article 5):
- Collect only personal data necessary for AI training/operation
- Assess whether you truly need full-fidelity data or can use aggregation or synthetic data
- Aggregation, anonymization, and federated learning as minimization techniques
Accuracy (Article 5):
- Training data must be accurate and up-to-date
- Inaccurate training data leads to biased or incorrect AI decisions
- Obligation to correct inaccurate data can affect model retraining
Storage Limitation (Article 5):
- Retain personal data only as long as necessary
- Training data retention vs. model retention (model may memorize personal data)
- Decide whether to archive or delete data after model training completes
Integrity and Confidentiality (Article 5):
- Security measures for training datasets and AI models
- Prevent unauthorized access, model theft, adversarial attacks
- Encryption, access controls, and secure model deployment are essential
Lawful Basis for AI Processing
Consent (Article 6(1)(a)):
- Must be freely given, specific, informed, and unambiguous
- Granular consent for different AI purposes (training vs. inference vs. profiling)
- Right to withdraw consent raises the question of how to "untrain" a model
- Often impractical for large-scale AI training datasets
Contract Performance (Article 6(1)(b)):
- AI must be necessary to fulfill contractual obligations
- Example: Fraud detection AI for payment processing
- Limited to purposes strictly necessary for the contract
Legitimate Interest (Article 6(1)(f)):
- Most flexible basis for many B2B and some B2C AI use cases
- Requires balancing test: organization's interests vs. individual's rights
- Document legitimate interest assessment (LIA)
- Examples: Product recommendations, customer analytics, internal operations
- Not suitable for high-risk profiling or most special category data
Legal Obligation (Article 6(1)(c)):
- AI required to comply with legal requirements
- Example: AML/KYC AI for financial institutions
Special Category Data (Article 9):
- Biometric data (facial recognition, voice), health data, racial/ethnic origin require explicit consent or another Article 9 basis
- Higher bar than regular personal data
- AI using special category data faces stricter requirements and often DPIAs
Automated Decision-Making and Profiling (Articles 22, 13-15)
Article 22 - Right Not to Be Subject to Automated Decision:
Scope:
- Decisions based solely on automated processing (including AI)
- Producing legal effects or similarly significantly affecting the individual
- Examples: Credit denials, employment rejections, automated benefit determinations
Prohibitions and Exceptions:
- Generally prohibited unless:
- Necessary for contract performance
- Authorized by EU/Member State law
- Based on explicit consent
- Even when permitted, must implement safeguards:
- Right to human intervention
- Right to express views
- Right to contest the decision
- Meaningful information about logic involved
Practical Implementation:
- Human-in-the-loop for consequential AI decisions
- Humans must have genuine ability to override AI (not rubber-stamping)
- Explainability sufficient for individuals to understand decision factors
- Appeal mechanisms and human review processes
Transparency Obligations (Articles 13-15):
When using AI for automated decisions or profiling, organizations must inform individuals of:
- Existence of automated decision-making
- Logic involved (understandable explanation)
- Significance and envisaged consequences
- Categories of personal data used
- Right to human intervention and contest
Profiling (Recital 71):
- Any automated processing to evaluate personal aspects (behavior, interests, preferences)
- Even non-consequential profiling requires transparency
- Targeted advertising and content recommendations qualify as profiling
- Must disclose profiling in privacy notices
Data Subject Rights in AI Context
Right of Access (Article 15):
- Individuals can request a copy of their personal data
- In AI context: what data was used to train/operate models affecting them
- Practical approach: provide data about the individual, not entire datasets
Right to Rectification (Article 16):
- Correct inaccurate personal data
- In AI: may require model retraining if incorrect data significantly affects outputs
- Document processes for handling corrections
Right to Erasure / "Right to Be Forgotten" (Article 17):
- Delete personal data when no longer necessary, consent withdrawn, or unlawfully processed
- In AI: technical challenge—cannot easily "erase" an individual from a trained model
- Options:
- Stop using model and retrain from scratch
- Use emerging machine unlearning techniques
- Show data deleted from training dataset and excluded from future models
- Anonymization may eliminate erasure obligation
Right to Data Portability (Article 20):
- Receive personal data in structured, machine-readable format
- Transfer to another controller
- In AI: applies to data used for AI, not to the AI model itself
- Individual's profile created by AI may be portable
Right to Object (Article 21):
- Object to processing based on legitimate interest or for direct marketing
- In AI: object to profiling for marketing; harder to object to some legitimate interest AI
- Organization must demonstrate compelling legitimate grounds or stop processing
Data Protection by Design and Default (Article 25)
Privacy by Design for AI:
- Incorporate privacy safeguards at AI design stage
- Use privacy-enhancing technologies (PETs):
- Differential privacy
- Federated learning
- Synthetic data
- Homomorphic encryption
Privacy by Default:
- Default settings should be privacy-protective
- Limit personal data processing to what's necessary by default
- Example: default to non-personalized AI recommendations, opt-in for personalized
Data Protection Impact Assessment (DPIA) (Article 35)
When DPIA Is Required for AI:
- Systematic and extensive profiling with legal/significant effects
- Large-scale processing of special category data (biometric, health)
- Systematic monitoring of publicly accessible areas (e.g., facial recognition)
- Use of new technologies (novel AI applications)
DPIA Contents for AI:
- Description of AI processing and purposes
- Assessment of necessity and proportionality
- Risks to individuals' rights and freedoms
- Mitigation measures (technical and organizational)
- Bias, discrimination, and fairness analysis
- Consultation with data protection officer (if applicable)
When to Conduct:
- Before deploying high-risk AI
- Update when AI significantly changes
- Document and retain DPIA
Cross-Border Data Transfers
Challenge for Global AI:
- Training data, AI models, or inference may involve cross-border transfers
- GDPR restricts transfers outside EEA without adequate protection
Transfer Mechanisms:
Adequacy Decisions (Article 45):
- EU Commission recognizes certain countries as providing adequate protection
- Examples: UK, Switzerland, Japan, Canada (commercial), and others
- Transfers to adequate countries are freely allowed
Standard Contractual Clauses (SCCs) (Article 46):
- EU Commission-approved contracts between data exporter and importer
- Updated SCCs (2021) include transfer impact assessment requirement
- Must assess if destination country's laws undermine SCC protections
- Supplementary measures may be needed (encryption, data minimization)
Binding Corporate Rules (BCRs) (Article 47):
- Internal policies for multinational groups
- Approved by a lead data protection authority
- Complex and time-consuming approval process
US Transfers Post-Schrems II:
- EU-US Privacy Shield invalidated (2020)
- US surveillance laws create challenges for SCCs
- Options: SCCs with supplementary measures, minimize US transfers, or data localization
California Privacy Laws: CPRA and CCPA
California Privacy Rights Act (CPRA)
CPRA significantly amended CCPA with AI-relevant provisions.
Core Obligations:
Right to Know (§1798.100):
- Consumers can request categories and specific pieces of personal information collected
- In AI: must disclose data used for AI training/inference about the requesting consumer
Right to Delete (§1798.105):
- Consumers can request deletion of personal information
- Exceptions: complete transaction, detect fraud, exercise free speech, comply with legal obligation
- In AI: similar challenges as GDPR right to erasure
Right to Opt-Out of Sale/Sharing (§1798.120, §1798.135):
- "Sale" = disclosing personal information for monetary or other valuable consideration
- "Sharing" = disclosing for cross-context behavioral advertising
- In AI: sharing data with AI vendors or using AI for targeted ads may trigger opt-out
- Must provide "Do Not Sell or Share My Personal Information" link
Right to Correct (§1798.106):
- Consumers can request correction of inaccurate personal information
- In AI: may require retraining or updating models
Right to Limit Use of Sensitive Personal Information (§1798.121):
- Sensitive PI includes SSN, financial accounts, biometric data, precise geolocation, health, sex life, etc.
- Consumers can limit use to necessary purposes only
- In AI: cannot use sensitive PI for profiling or targeted advertising without appropriate consent
Automated Decision-Making Rights (§1798.185(a)(16)):
Access to Logic:
- Right to meaningful information about logic involved in automated decision-making
- Applies to decisions producing legal or similarly significant effects
Opt-Out of Profiling (§1798.135(b)(3)):
- Right to opt-out of automated decision-making technology, including profiling
- Applies when decisions produce legal or similarly significant effects
- Examples: credit, employment, housing, education, healthcare, insurance eligibility/pricing
Human Review Option:
- When automated decision has legal/significant effect, consumer is entitled to:
- Request review of the decision
- Appeal the decision
- Human review and explanation
Implementation Requirements:
- Provide opt-out mechanism (similar to "Do Not Sell" link)
- Implement human review process for consequential automated decisions
- Train staff on handling automated decision appeals
Enforcement:
- California Privacy Protection Agency (CPPA) enforces
- Administrative fines: up to $2,500 per violation, $7,500 per intentional violation
- Private right of action for certain data breaches: $100-$750 per consumer per incident
- Class actions can reach billions in exposure
CCPA vs. CPRA: Key Differences for AI
| Aspect | CCPA (2020-2022) | CPRA (2023+) |
|---|---|---|
| Automated Decisions | No specific provisions | Opt-out right, access to logic, human review |
| Sensitive Data | Not defined | Special category with use limitations |
| Risk Assessments | Not required | Annual cybersecurity audits for some high-risk processing |
| Enforcement | Attorney General only | New agency (CPPA) with rulemaking authority |
| Penalties | $2,500 / $7,500 per violation | Same, but more active enforcement |
Other US State Privacy Laws
Virginia Consumer Data Protection Act (VCDPA)
Effective: January 2023
AI-Relevant Provisions:
Profiling Opt-Out:
- Right to opt-out of profiling in furtherance of decisions with legal/significant effects
- Profiling = automated processing to evaluate personal aspects
Data Protection Assessments (DPAs):
- Required for:
- Profiling with legal/significant effect risks
- Sensitive data processing
- Targeted advertising and sale of personal data
- Must identify and weigh benefits vs. risks
- Submit to Attorney General upon request
Penalties:
- Attorney General enforcement
- Up to $7,500 per violation
- No private right of action
Colorado Privacy Act (CPA)
Effective: July 2023
AI-Relevant Provisions:
Algorithmic Decision-Making:
- Consumers can opt-out of profiling with legal/significant effects
- Must disclose profiling activities in privacy notices
Impact Assessments:
- Required for high-risk data processing including:
- Profiling with legal/significant effect risks
- Sensitive data, targeted advertising, data sales
- More detailed requirements than Virginia
- Document and retain for regulators
Penalties:
- Attorney General enforcement
- Monetary penalties per violation; cure periods may apply
Connecticut Data Privacy Act (CTDPA)
Effective: July 2023
Similar to Virginia:
- Profiling opt-out for legal/significant effect decisions
- Data protection assessments for high-risk processing
- Attorney General enforcement
- No private right of action
Utah Consumer Privacy Act (UCPA)
Effective: December 2023
Notable Differences:
- No automated decision-making specific provisions
- No risk assessment requirements
- More business-friendly than other state laws
Multi-State Compliance Strategy
Common Elements Across State Laws:
- Rights: access, deletion, correction, opt-out of targeted advertising/sale
- Transparency: privacy notices and disclosures about data practices
- Sensitive data: enhanced protections for biometric, health, precise location
- Profiling: opt-out rights when producing legal/significant effects
Harmonization Approach:
- Comply with strictest requirements (often California CPRA) to cover all states
- Implement opt-out for automated decisions producing legal/significant effects
- Conduct risk/impact assessments for high-risk AI
- Provide meaningful information about automated decision logic
- Enable human review for consequential automated decisions
International Privacy Frameworks
UK GDPR and Data Protection Act 2018
Post-Brexit UK GDPR:
- Substantially identical to EU GDPR
- UK Information Commissioner's Office (ICO) provides AI guidance
- ICO emphasizes fairness, transparency, and accountability for AI
Key Guidance Themes:
- Lawful basis for AI processing (same as EU)
- Transparency and explainability proportionate to risk
- Article 22 applies to solely automated decisions with legal/significant effects
- Data protection by design for AI
Enforcement:
- ICO can impose fines up to £17.5M or 4% of global turnover
Canada PIPEDA and Proposed AI Act
Current Framework (PIPEDA):
- Consent required for collection, use, disclosure of personal information
- Purpose specification and limitation
- Individuals can challenge accuracy of information
- Emerging expectations for meaningful explanations for automated decisions
Proposed Consumer Privacy Protection Act (Bill C-27):
- Modernizes PIPEDA with automated decision-making provisions
- Right to explanation of predictions, recommendations, decisions
- Right to request human review
- Algorithmic impact assessments for high-risk systems
Proposed Artificial Intelligence and Data Act (AIDA):
- Risk-based AI regulation (high-risk vs. general)
- Anonymization and bias mitigation requirements
- Significant administrative and potentially criminal penalties
Brazil LGPD (Lei Geral de Proteção de Dados)
Effective: September 2020
Similar to GDPR:
- Legal bases for processing (consent, legitimate interest, etc.)
- Data subject rights (access, correction, deletion, portability)
- Data protection by design
- Data protection impact assessments
Automated Decision-Making (Article 20):
- Right to request review of automated decisions
- Right to information about criteria and procedures
- ANPD (Data Protection Authority) to regulate further
Penalties:
- Up to 2% of revenue (capped per violation)
- Daily fines and potential suspension of processing
Practical Compliance Framework for AI
Phase 1: Data Mapping and Classification
Inventory AI Systems:
- List all AI/ML systems processing personal data
- Document data flows: collection, training, inference, storage
- Identify personal data categories (regular vs. special/sensitive)
Map Data Sources:
- First-party data (collected directly from individuals)
- Third-party data (purchased, scraped, public datasets)
- Synthetic or anonymized data
Classify by Risk:
- High-risk: automated decisions with legal/significant effects, special category data, large scale
- Medium-risk: profiling, targeted advertising, substantial processing
- Low-risk: internal analytics, anonymized data, no consequential decisions
Phase 2: Legal Basis and Transparency
Establish Legal Basis:
- GDPR: identify Article 6 basis for each AI system (consent, legitimate interest, contract, etc.)
- CPRA/State Laws: ensure compliance with purpose limitation and sensitive data rules
- Document legal basis in AI system records
Legitimate Interest Assessments (LIAs):
- Purpose: what is the AI trying to achieve?
- Necessity: is AI necessary to achieve the purpose?
- Balancing: organization's interest vs. individual's rights and expectations
- Safeguards: measures to mitigate risks
Privacy Notices:
- Disclose AI use, purposes, and data categories
- Explain automated decision-making and profiling
- Describe data subject rights (opt-out, access, deletion, human review)
- Provide contact information for privacy inquiries
Phase 3: Implement Data Subject Rights
Access Requests:
- Process for identifying an individual's data in training/operational datasets
- Provide meaningful information about AI decisions affecting them
- Explain logic, significance, and consequences of automated decisions
Deletion Requests:
- Remove individual from operational databases
- Document removal from training datasets
- For models already trained:
- Stop using model and retrain where feasible
- Or document technical infeasibility and implement safeguards
- Consider machine unlearning techniques
Opt-Out Mechanisms:
- "Do Not Sell or Share" for California (and similar state rights)
- Opt-out of profiling for legal/significant effect decisions
- Preference management tools
- Honor opt-outs in both AI training and inference where required
Human Review Process:
- Identify consequential automated decisions requiring human review options
- Train human reviewers on AI system operation and override procedures
- Document human review decisions and rationale
- Provide appeal mechanisms
Phase 4: Conduct Risk Assessments
DPIAs/Impact Assessments:
- Conduct before deploying high-risk AI
- Document:
- AI system description and purposes
- Personal data processed
- Necessity and proportionality analysis
- Risks to individuals (discrimination, errors, privacy intrusion)
- Mitigation measures (technical and organizational)
- Update when AI significantly changes
Regular Reviews:
- Annual or triggered by significant changes
- Monitor AI fairness, bias, and accuracy
- Update risk assessments based on lessons learned
Phase 5: Vendor Management
AI Vendor Due Diligence:
- Assess vendor data privacy and security practices
- Review vendor AI training data sources and legal basis
- Understand data flows and controller/processor roles
Data Processing Agreements (DPAs):
- GDPR Article 28 requires DPAs with processors
- Specify processing purposes, data types, and security measures
- Include audit rights and subprocessor approval
- Address cross-border transfers if applicable
Third-Party AI Models:
- Understand what personal data vendor models were trained on
- Contractual protections for your data used with vendor AI
- Allocate liability for privacy violations
Key Takeaways
- GDPR establishes a comprehensive AI data privacy framework, including lawful basis requirements, purpose limitation, data minimization, automated decision-making rights (Article 22), and data protection by design, with fines up to the greater of €20M or 4% of global turnover.
- California CPRA adds AI-specific rights, including opt-out of automated decision-making producing legal/significant effects, access to logic used in decisions, limits on sensitive personal information use, and mandatory human review options.
- The right to erasure creates technical challenges for AI, as "untraining" individual data from models is difficult, pushing organizations toward retraining, machine unlearning, or carefully documented technical infeasibility.
- Automated decisions with legal or similarly significant effects trigger heightened obligations across GDPR and US state laws, including rights to human intervention, opt-outs, meaningful explanations, and appeal mechanisms.
- Profiling for any purpose requires transparency; even non-consequential profiling such as recommendations and targeted ads must be disclosed in privacy notices under GDPR and several state privacy laws.
- Multi-state US compliance benefits from a harmonization strategy that aligns to the strictest requirements (often CPRA), while tracking nuances in definitions, exemptions, and enforcement.
- Risk and impact assessments (DPIAs, DPAs, algorithmic impact assessments) are becoming mandatory for high-risk AI and are central to robust AI governance.
Frequently Asked Questions
Can we use publicly available data to train AI without consent?
Public availability does not eliminate GDPR requirements. You still need a lawful basis (often legitimate interest), must comply with purpose limitation (data collected for one purpose cannot be used for incompatible AI training), and individuals retain data subject rights. Scraping personal data from websites may violate GDPR without adequate legal basis. Best practice: document a legitimate interest assessment for using public data in AI training.
Do we need consent to use customer data for AI product recommendations?
Not necessarily. Under GDPR, legitimate interest may suffice for product recommendations if they benefit customers and do not override their rights. However, this is profiling requiring transparency in privacy notices. Under CPRA, recommendations do not typically produce "legal or similarly significant effects," so automated decision opt-out may not apply, but sensitive personal information use restrictions may. Document your legal basis and ensure clear privacy notice disclosures.
How do we handle deletion requests when we've already trained an AI model on someone's data?
Options include: (1) stop using the model and retrain without the individual's data; (2) remove data from training datasets and document that future models will exclude it; (3) explore machine unlearning techniques to remove the individual's influence from the model; and (4) where truly infeasible, document technical impossibility and implement compensating controls, recognizing potential regulatory risk. Designing for deletion from the start (e.g., federated learning, modular models) reduces this tension.
Does GDPR Article 22 ban all automated decision-making?
No. Article 22 prohibits solely automated decisions with legal or similarly significant effects unless the decision is necessary for contract performance, authorized by law, or based on explicit consent. Even then, additional safeguards such as human intervention, the right to contest, and meaningful information about the logic are required. Most AI systems can comply through human-in-the-loop design and appropriate transparency.
What qualifies as a "legal or similarly significant effect" triggering heightened rights?
Guidance suggests this includes decisions about credit/loans, employment, insurance eligibility/pricing, access to healthcare or education, and government benefits. It generally does not include low-stakes personalization such as basic product recommendations or most targeted advertising, unless they have discriminatory or exclusionary effects. In gray areas (e.g., content moderation affecting speech or reach), many organizations choose to apply heightened protections.
Do we need separate privacy policies for each US state with a privacy law?
No. Most organizations create a single comprehensive privacy policy aligned to the strictest requirements (often CPRA) and apply it nationwide, sometimes with state-specific sections. This simplifies compliance and avoids consumer confusion. Some businesses geofence certain rights to residents of specific states, but universal application is often operationally simpler and better for trust.
How do cross-border data transfer restrictions affect global AI development?
They significantly affect where you can store and process training data and run inference. GDPR restricts transfers outside the EEA without an adequacy decision or appropriate safeguards (e.g., SCCs). This impacts training AI on EU user data in non-EEA regions, using non-EEA cloud infrastructure, and global support teams accessing EU data. Common mitigations include EU data localization, SCCs with transfer impact assessments and supplementary measures, minimizing transfers, and using techniques like federated learning or on-device AI.
Frequently Asked Questions
Public availability does not remove GDPR obligations. You still need a lawful basis (often legitimate interest), must respect purpose limitation, and individuals retain data subject rights. Scraping personal data from websites may be unlawful without adequate legal basis. Document a legitimate interest assessment and ensure transparency where feasible.
Under GDPR, legitimate interest can often justify product recommendations if they are expected by customers and do not override their rights. This is profiling and must be disclosed in privacy notices. Under CPRA, such recommendations usually do not trigger automated decision opt-out rights but may be constrained by sensitive personal information rules. Clearly document your legal basis and disclosures.
You can retrain models without the individual's data, remove their data from training sets for future models, explore machine unlearning, or, if truly infeasible, document technical impossibility and apply compensating controls. Building systems with deletion in mind (e.g., modular models, federated learning) reduces future conflicts between erasure rights and model persistence.
Article 22 restricts solely automated decisions with legal or similarly significant effects, such as credit decisions, unless they are necessary for a contract, authorized by law, or based on explicit consent. Even when allowed, you must provide human intervention, allow individuals to express their views and contest decisions, and give meaningful information about the logic used.
Typical examples include decisions about credit, employment, insurance, housing, education, healthcare, and government benefits. Low-stakes personalization like basic recommendations usually does not qualify, but edge cases such as content moderation or platform access decisions may. When in doubt, treat the decision as high-impact and apply heightened safeguards.
Yes. Many organizations adopt a single, global privacy notice aligned to the strictest standards (often GDPR and CPRA) and add state- or region-specific sections where needed. This approach simplifies operations and provides a consistent experience, while still honoring jurisdiction-specific rights and definitions.
GDPR limits transfers of personal data outside the EEA unless the destination has an adequacy decision or appropriate safeguards like SCCs are in place. This constrains hosting EU training data in some jurisdictions and may require EU-only data centers, SCCs plus transfer impact assessments, encryption, and data minimization, or architectures like federated learning to avoid transfers.
AI-Specific Privacy Challenges
AI amplifies traditional privacy risks because models depend on large, rich datasets and often make consequential decisions. Training data can include millions of individuals, purposes may drift as models are reused, and technical limits on explainability and untraining make it harder to fully honor rights like access, erasure, and objection. Third-party AI services further complicate controller/processor roles and accountability.
Maximum GDPR fine for serious violations, including unlawful AI processing
Source: General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
"A well-executed DPIA is not just a compliance checkbox; it is the backbone of AI governance, surfacing risks early, informing design decisions, and providing evidence of due diligence to regulators and stakeholders."
— AI Governance & Privacy Practice
References
- General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679. European Union (2016). View source
- California Privacy Rights Act (CPRA) - California Civil Code §1798.100 et seq.. State of California (2020). View source
- Virginia Consumer Data Protection Act (VCDPA) - Va. Code Ann. §59.1-575 et seq.. Commonwealth of Virginia (2021). View source
- Colorado Privacy Act (CPA) - C.R.S. §6-1-1301 et seq.. State of Colorado (2021). View source
- Guidance on AI and Data Protection. UK Information Commissioner's Office (ICO) (2020). View source