This quarter’s legal and information governance update covers our regulatory outlook on consumer and data privacy for 2025, a comparative look at legislative activity surrounding artificial intelligence (AI) and its similarities to the history of cloning legislation, and this quarter’s new legislation.
Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.
Continue reading to become informed of the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible!
In the last quarter, we reviewed the regulations each state signed on to their respective books and the anticipated timelines for the regulations to take effect and become law. This quarter’s update includes a closer look at the volume of bills needed to get the new legislation across the finish line.
Conventional logic would suggest the more bills before the legislature the greater the chance of passage, and the longer a state has been trying to pass legislation the more likely it is to succeed. This perspective is grounded in the common-sense expectation that introducing any bill, especially multiple times, reflects public interest in the legislation and that the representatives proposing it should benefit from understanding what is likely to advance beyond committees for a vote.
The expected result is confounded by outliers at both ends of the spectrum. In the case of states like Colorado, Delaware, Montana, Oregon and Tennessee, each state passed their only piece of comprehensive privacy legislation in the same year it was introduced. In the case of states like Kentucky, Maryland, Minnesota and New Jersey, it took eight to twelve bills across four or five years to finally find a winning legislative formula. Neither the number of years nor the number of bills are good indicators of the likelihood of success. It seems almost as likely to pass a bill in the first attempt as it is to languish in legislative purgatory for years.
As of the writing of this update, Arkansas is the only state making a first attempt at data privacy legislation, and there are six states working towards comprehensive data privacy for the sixth year since 2019; Massachusetts and New York appearing the most desperate among them. In the case of Massachusetts, prior to 2025, the state introduced nineteen bills across five years with seven of those introductions occurring last year. In the case of New York, the state introduced twenty-nine bills prior to 2025 with eighteen of those being split equally between the years of 2023 and 2024.
The number of attempts at passing legislation reveal nothing about the likelihood of success until the total number of representatives in each state’s general assembly is included as part of the analysis. States with less than 150 representatives in the state legislature had a higher average rate of success (61% vs. 32%), on average fewer years proposing bills (2.4 vs. 3.1), and fewer total bills proposed (38 vs. 40).
There are several states with bills in motion this quarter that approach the desired indicators; Alabama, Arkansas, New Mexico, Ohio and Oklahoma. If the rate of successful passage each year continues its steady increase from a low of 4% in 2020 to almost 15% in 2024, it seems likely that one or all the jurisdictions mentioned will successfully pass data and consumer privacy legislation this year. The growing desire for legislation in this space could add five new laws this year, and the initial first quarter rush to propose legislation is not over yet.
No crystal ball or math equation can tell us what the future holds, but it would be safe to assume that the deregulatory nature of the new U.S. administration will limit opportunities at a federal level to the data and consumer privacy landscape.
The frenzy over legislating the limits of cloning has largely faded from the memories of most Americans after nearly 30 years, as the nation’s focus shifted with the news cycle. The intense attention sparked by the announcement of Dolly the sheep was surprisingly short-lived, quickly overshadowed by scandals at the White House and impeachment, the aftermath of the Columbine incident, a presidential election decided by the Supreme Court, and the world-altering events of 9/11. While the moral and scientific implications of cloning initially held the interest of legislative bodies, even they eventually allowed that interest to fade.
Since the announcement of Dolly in 1997, the legislative activity at the federal level has stayed rather consistent, averaging five bills per year that address issues such as permission to research, the banning of cloning, or the limits on funding research through the federal government. Between 2005 and 2015, interest in legislating the subject at the federal level tapered off to less than one action every year with the only goal being to prohibit human cloning and to protect stem cell research. Ultimately, the United States never passed legislation about cloning, except at the state level, which is similar to the developing pattern around artificial intelligence.
Legislative activity around artificial intelligence started to gain traction at the federal level in the U.S. in 2017 with House and Senate bills to require the Secretary of Commerce to establish a committee around developing and implementing artificial intelligence. It took just three years for the idea of legislating artificial intelligence to become a significant interest of the federal government, leading to thirty-seven bills introduced between 2020 and 2021. After a short hiatus in 2022, the legislative interest was revived with 125 bills introduced between 2023 and 2024.
Despite all the activity in the last two years, and all the attention artificial intelligence receives in the media driving continued interest in legislating the subject, the pattern of the federal government being unable to reach consensus seems to be repeating itself.
In much of the U.S., the states are taking the lead in either introducing new bills or amending existing law to account for A.I. or algorithmic decision-making where it might be used in employment decisions, consumer and data privacy gathering or use, and other areas where protection of individual rights and prevention of discrimination might be necessary.
The outcomes closely mirror how the United States eventually addressed the question of cloning. Each state set its own rules for cloning research while the federal bodies opted to eventually let the states handle their own regulation. With statements from the new administration against regulating the A.I. market, it is clear the U.S. will continue to go without federal A.I. legislation for the foreseeable future.
In Illuminating the Path to Information Clarity: Reflections from 2025, we’ll revisit the pivotal moments, insights, and innovations that shaped the year and explore what’s on the horizon for records and information management professionals in 2026.
Much attention is paid to specific jurisdictions and their unique legislative landscapes and changes, and all too often the activities of multinational organizations working to normalize industries or economic regions are not given the attention they deserve.
Multinational entities—including commissions, societies, and organizations—work on developing economic agreements between nations, industry specific guidance, environmental insights, and many other interests. They play a crucial role by providing guidance where jurisdictions fail or refuse to legislate, offering essential support for legal researchers and records management teams.
Leading off today with the new legislation round up is the United Nations Economic Commission for Europe (UNECE) and the Agreement concerning the International Carriage of Dangerous Goods by Road (ADR) 2025.
Since 1968, new versions of the ADR have been released under ever changing names, but each iteration consistently highlighted the goals of the agreement to protect people and environments. The massive two-volume, 1,342-page, 2025 version has several requirements applicable across much of the northern hemisphere for manufacturers, transporters, and users of hazardous or dangerous goods. In some countries, the ADR is codified into law, but in others the regulations refer back to the ADR as the source for retention and other requirements.
Below is a short, but not comprehensive, list of the requirements found in the ADR. The agreement requires retention of:
[ADR, Annex A, 1.8.3]
[ADR, Annex A, 1.8.7.1]
[ADR, Annex A, 1.8.8.2]
[ADR, Annex A, 1.8.8.4]
[ADR, Annex A, 4.3.2.1]
[ADR, Annex A, 5.4.4]
The new ADR went into effect January 1, 2025.
A new Department of Transportation regulation will be going into effect soon that targets Electric Powered Vehicles.
On March 20, manufacturers of electric-powered vehicles designed for use on public streets, roads, and highways will be required to retain various records. Those records include documentation related to low temperature operation, visual warnings for malfunctions of vehicle controls that manage REESS operation, audio-visual warnings for a thermal event in the REESS, and single cell thermal runaway, and propagation safety risk mitigation.
The legislation requires the manufacturers to retain documentation related to these events for 5 years from the date the vehicle was manufactured.
[49 C.F.R. §§ 561.7 – 561.11]
Regulation goes into effect March 20, 2025.
On December 11, 2024, the United Kingdom signed The Producer Responsibility Obligations (Packaging and Packaging Waste) Regulations 2024, establishing a new Extended Producer Responsibility for Packaging Waste (pEPR) regime.
The regulation requires businesses in-scope to register, pay annual fees, collect and report data on their packaging, and assess their packaging’s recyclability, with the aim of incentivizing more sustainable packaging decisions. The regulation applies to producers established in the UK engaged as a brand owners, packers, fillers, importers or first UK owners, distributors, online marketplace operators, service providers, and sellers.
The regulation requires the retention of records for 7 years for various conditions:
[S.I. 2024/1332, Reg. 34]
[S.I. 2024/1332, Reg. 55]
[S.I. 2024/1332, Reg. 91
The Producer Responsibility Obligations (Packaging and Packaging Waste) Regulations 2024 went into effect January 1, 2025.
To learn more about how to address records retention, data privacy and security requirements more efficiently, request a call with an Access expert, or request a product demonstration of Virgo.
Share