What to Watch on US State Tech Policy in 2025

Audio of this conversation is available via your favorite podcast service.

Even as the new year ushers in a new administration and Congress in the US at the federal level, dozens of states are kicking off new legislative sessions and are expected to pursue various tech policy goals. Justin Hendrix spoke to three experts to get a sense of the trends unfolding across the states on the regulation of AI, privacy, child online safety, and related issues:

• Keir Lamont, senior director at the Future of Privacy Forum and author of The Patchwork Dispatch, a newsletter on state tech policy issues;
• Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center (EPIC), which runs a state privacy policy project and scores AI legislation;
• Scott Babwah Brennen, director of the Center on Technology Policy at New York University and an author of a recent report on trends in state tech policy.

Below is a lightly edited transcript of the discussion. This conversation is part of a series of posts examining US state tech policy issues in the year ahead.

Justin Hendrix:

Scott, I want to start with you. You've just put out at the end of last year a survey of state tech policy questions across the US. And one of the things that I think it does at the outset is give us a little bit of the lay of the land that you point out that we might've reached peak trifecta in 2024. 40 states had trifecta governments the highest number in generations. This year, looking ahead only 38 trifectas. But what else would you say characterizes the picture when it comes to the makeup of state governments across the country in 2025,

Scott Babwah Brennen:

I think this year, I think we called it the year of emboldened states. Certainly over the past few years, states have really been taking up technology policy aggressively, but this past year, every single state that had a legislative session passed some new piece of technology regulation. I think we counted up 238 new laws passed. And of course that stands in contrast to what happened at the federal level, which I think was maybe one, two. And so we really saw states running with the technology regulation across areas from AI to child safety and privacy.

Justin Hendrix:

You try to taxonomize the states. You talk about trailblazers, barometers, and then passengers. How would you characterize each of those examples?

Scott Babwah Brennen:

Yeah. Trailblazers, it's like leading the way in new regulation, especially as concerns federal government. So whether that's something like content moderation a few years ago or even age verification for adult content. Barometers. Waiting for guidance from the courts or the federal government waiting to follow their lead or waiting for additional guidance. Passengers really just following the lead of the federal government. And then we've added a fourth one this year, which we call a bulwarks. And that's really anticipating what might come in 2025 we think is very likely that a number of states will, especially left leaning or democrat controlled states, will try to prevent what they think the Trump administration will do in some areas of tech. So those are the four different rules that we see states playing.

Justin Hendrix:

Your report points out an explosion in state laws on AI central priority for state legislators, more than a hundred laws passed, things from limits on non-consensual sexual imagery, political deepfakes, copyright protections, but also comprehensive AI legislation. Keir, I want to come to you in your excellent Patchwork Dispatch, which I suppose folks can subscribe to as a newsletter and follow on LinkedIn if they wish. You regularly give us a little bit of insight into what's happening with this various AI legislation. Where do you want to start? I know Colorado is top of mind for you.

Keir Lamont:

Thanks for the question. I think Colorado is going to be top of mind for a lot of people. I think just at the outset when we talk about AI legislation, it can be very easy to wrap up many different types of proposals under the same umbrella. When we talk about artificial intelligence, are we talking about systems and technologies that have been with us for many years, maybe virtual recognition technology or automated decision-making technology, or are we talking about regulatory interventions that focus on more high-tech, high-complexity emerging types of systems such as foundation models? So we often throw around numbers like 700 AI bills considered in the last year of a hundred or so passed. But I think when we have these conversations, we really have to drill down and look at what are the specific risks and what are the specific regulatory interventions that lawmakers are focusing on.

And one key AI law that was enacted in 2024 was SB 205 in Colorado, which many people are calling the Colorado AI Act. And that is a law focused on the full life cycle of what is called high risk AI systems that are a very significant factor in making consequential decisions about individuals. Decisions affecting the ability to access critical life opportunities such as housing, health care, etc. And so I think it is interesting that one of these first major AI laws that was passed at the state level was focused on a potentially high-risk use case of artificial intelligence and took a very broad look at the full life cycle of the development of these AI systems from training data, to the distribution, to the actual deployment. And ultimately, how will individuals be impacted by these systems, and what rights might they have to object if there is an adverse consequence from one of these systems.

Justin Hendrix:

Caitriona, I know that EPIC put out a scorecard on state AI legislation about halfway through 2024. Are you preparing to do the same in 2025? Are you already assessing the various bills that are put forward this year?

Caitriona Fitzgerald:

Yeah. Thanks, Justin. As Keir alluded to, I think we'll see a lot of states follow Colorado's lead. I anticipate that we'll see similar bills introduced in many states. Our scorecard was geared toward analyzing bills like that. So, as those bills are introduced, we'll definitely be scoring and seeing where states fall. Colorado is also still a work in progress. It's a working group still working to update legislation. There'll be regulations. It will be interesting to see how those paths happen at the same time when states are copying Colorado while Colorado is still working on it.

Justin Hendrix:

Scott, looked like you wanted to come in here as well.

Scott Babwah Brennen:

I'll just say we're in a really interesting moment when there's this definitional effort around what will count as a comprehensive AI bill or comprehensive AI regulation. We're seeing a bunch of issue-specific bills in a whole lot of different areas and then what is the collection of those that gets grouped into a bill and I think just you teeing up happened in California with 10 47, which isn't usually characterized as a comprehensive AI bill, but also about at the same time it's expansive. It would've been a pretty expansive piece of regulation.

Keir Lamont:

Following on, I think California, very interesting this year… Scott alluded to the big existential risk style regulation of what were called frontier models in California. SB 10 47 was ultimately vetoed, I think by most people's counts. 17 AI bills were actually passed in California, many focusing on things like deepfakes in elections. Some of those bills have now actually been challenged and are being held up in the courts. I think two of the bills that California did pass and that we may see additional iterations of in other states in 2025 were two bills focused on systems that create synthetic content and try to create disclosure requirements about synthetic content. So disclosures about what types of data is used in the training set as well as disclosures within the synthetic content itself such as watermarking. So I think it'd be very interesting to see if other states follow California's lead on that.

But in California outside the legislature, I think one of the biggest tech policy developments in 2025 could very well be the California Privacy Protection Agency's ongoing rulemaking process to update the underlying privacy law in California. That includes aspects such as cybersecurity audits, risk assessments, but also opt-out and access rights with respect to automated decision-making technologies. And now these regulations are still in draft form. That's going to be what I'm sure is going to be very exciting for me at least hearing on January 14th where many stakeholders will weigh in. But the proposed opt-out rights with respect to automated decision-making technologies, at least as currently drafted, would seem to go a fair bit further than what we've seen in many other states, both in other states' consumer privacy laws as well as in some ways other states, artificial intelligence laws as well.

Justin Hendrix:

Triona, that's a good place to bring you in and also just to transition perhaps to talk about privacy. You last year proposed a model state data privacy Act modeled on, I assume some of the things that you've admired and different comprehensive privacy. Even I think got a chance to talk about it on Last Week Tonight week with John Oliver. I assume that was one of the highlights for you. They don't often get quite so nerdy but thanks to John Oliver for giving data minimization a shout-out in that venue. What are you watching in California and beyond?

Caitriona Fitzgerald:

Yeah. This was an exciting year on privacy legislation. As you mentioned at the beginning of last year, EPIC released a model bill for states that was based on the federal bill from a couple of years ago, the American Data Privacy and Protection Act. And we worked in a number of states to introduce the bill as a whole or introduce pieces of it including data minimization being a big piece of that and made progress. Maryland passed the Maryland Online Data Privacy Act last session. It'll go into effect later this year. And that includes a limitation on the amount of data the companies can collect. They're supposed to limit their collection of personal data to what's reasonably necessary for the product or service I'm asking for. So that is a huge shift. We saw bills with similar provisions almost get across the finish line in Maine and Vermont. Vermont even made to the governor's desk but was vetoed. So I expect that this session we will see a number of states follow Maryland's lead and include what we call real data minimization provisions that actually limit the amount of personal data that companies can collect in their bills.

Justin Hendrix:

Scott, your report says there are 23 states with trifectas in 2025 that have not yet passed comprehensive privacy protections. Anything you're looking for in any of those trifectas?

Scott Babwah Brennen:

Actually, I'd love to hear what the other guests think about the discussion, but to me, the more I learn about state policy, I realize how much depends on just the connections between individual lawmakers across states or just there being a really active policy organization in a particular state. And California I think is this really interesting example where I assumed for a long time that California would be this leader in all areas of tech policy and increasingly, I'm not sure I believe that anymore. Instead, it seems like California does its own thing and sometimes there's some influence across the country. But if anything in many other areas we don't see follow on from what California does. I'd love to hear what the others think about California's relationship to the other states. Maybe privacy is the perfect example of that. The CCPA and the CPRA are their own thing and then the rest of the country is doing something else it seems. But also child safety. Sure Maryland has now passed the Age-Appropriate Design ACT but yeah.

Caitriona Fitzgerald:

Yeah. Privacy, has historically been a bipartisan issue, right? So when I'm thinking about which states to target to work in, I'm not necessarily looking only at states that have trifectas because we work with legislators from both sides of the aisle and sometimes they're interested in privacy for different reasons, but consistently they're interested in privacy. That means we can work in any state. In terms of California and its relation to other states, I think they are often going to do their own thing because obviously they have a democratic trifecta, but they also have obviously huge tech presence in the state. So they're balancing the interests there. And then when other states are looking for legislation to copy in the tech deal, I feel like they don't often look to California because they know that they have so many more resources to enforce than a smaller state would. If you're thinking about a Vermont or Maine and AG's office there, what provisions can they enforce compared to a state like California that has its own standalone privacy protection agency. So I think they're often looking for maybe other states that are more similar in terms of resources and size of state government to mirror rather than California.

Keir Lamont:

Yeah. I do think we talk about the California effects all the time, not just in tech policy but in other issue areas as well. And I do think California is certainly a leader in many cases. You can look back at data breach notification statutes in this space. I do think when it comes to the comprehensive ... Although we know the caveats to that term “comprehensive.” The comprehensive consumer privacy laws in this space, California is something of a unique case. The California Consumer Privacy Act dates back to 2018. It is very much the product of two separate ballot initiatives, even though it ultimately was enacted by the legislature the first go-round. But because of that process that was somewhat outside the typical democratic process in many states, it was ultimately a very small group of people holding the pen. And as a result, the California law as drafted, I think had provisions that just looked a little different than what was emerging as the common international language of data privacy at that time.

So we've mostly seen the next 18 states to go forward generally share a similar underlying structure as a legislation that was worked on, ultimately never enacted in Washington state. The first version of that Washington State statute was quite narrow. It was improved over multiple sessions, a large in-state civil society community working there. And so that's where we landed with the next 18, 17 states. But now we have Maryland, and as Caitriona mentioned, depending on how you read some of these data minimization provisions inherent limitations on the ability to sell sensitive personal data, I would argue Maryland is potentially a new paradigm for protecting privacy in the United States, and I am very interested to see if other states look to Maryland as potentially a new model in 2025. Caitriona mentioned Maine and Vermont. Those are the two states I'm definitely paying closest attention to. I do think there are also open questions though about how that Maryland data minimization standard will work in practice. What is strictly necessary processing versus reasonably necessary processing. There is also language in that law about opt-in consent. What are the situations where an individual providing consent may override that data minimization standard? So I'm also interested to see if other states continue to tweak or work on that model and what that data minimization requirement will ultimately mean when this rule goes into effect as it's interpreted, implemented, and enforced.

Scott Babwah Brennen:

My understanding is that the Maryland law, it does do something pretty new, but it's still based on the same model. The WPA model. And as such, it might have these pretty exciting new data minimization components, but it still does not have a private right of action. It still doesn't have universal opt-ins, although it does I think have some universal opt-out, I think a piece to it. Yeah. How important is data minimization really? Does that piece outweigh those other provisions that are missing?

Keir Lamont:

I know Caitriona is going to want to weigh in on that and I will let you do so. I'll briefly say I think that may, based on the Washington Privacy Act model, I would say yes, the overarching framework, the structure, what order do you put the sections in, looks very similar. Definitions going up front. It's something a lot of these states have. It's not something California has. But when you actually look at these substantive requirements, I do think some of the substantive requirements in Maryland potentially go far further than the other states. I have called it potentially paradigm-shifting.

Caitriona Fitzgerald:

As I mentioned before when we released a model bill last year based on the federal bill, but when we talked to state legislators, we really found that given that so many states had already passed a bill similar to what was initially written in Washington state, they didn't want to stray that far from that model. So that's how you ended up with Maryland, which was based on that model, but inserted those key protections from the federal bill. And since that's been released, EPIC and Consumer Reports have released an updated model bill that takes the Connecticut Data Privacy Act and redlines it with those important protections that we've been pushing for. It's called State Data Privacy Act. You can find on EPIC's website, and we thought we wanted to give state legislators a model where they were familiar with it. Connecticut is the model that industry pushes in a lot of states and they could see provisions. Pick and choose which provisions they wanted to put in their states. And a lot of the provisions are pulled from states like Maryland, from Oregon. We called it a best of other privacy laws.

They're hopeful that states will move forward with that. Even the original sponsor in Connecticut, Senator James Maroney has been quoted saying that he's looking to update the Connecticut Data Privacy Act. So I think it'll be really interesting to see which states do that. And to answer your question about data minimization, I do think it is a big shift because it is the initial move towards taking the burden off the individual to protect their own privacy and on the company to make changes to their systems that are more privacy-protective by default. And I think that's the key. Some of the burden has to be on the companies collecting and processing this data.

Justin Hendrix:

Keir, I wanted to ask you a little bit about one of your predictions for 2025 – set of questions you posed in a recent piece was how will the new administration and congress impact the state privacy landscape? I'm talking to you on January 3rd, new congress has just entered the picture. We've apparently, within the last few minutes, seen Rep. Mike Johnson confirmed as House Speaker. What do you make of the impact of the federal picture on the state privacy landscape?

Keir Lamont:

Big question, difficult question. And I'm glad you caught yourself because I always say I will never make a prediction and then you can say then as a preface and then make a bunch of predictions and no one can hold them against you. One thing the new administration and congress could do ... So one party in the majorities now is pass a comprehensive law, maybe in privacy, maybe in AI that has a preemptive effect. And so maybe next year we wouldn't be back talking about all the different directions that the states may take. At the same time, we know no one has ever gone broke betting against congressional action on sweeping privacy legislation or the like. So one potential impact here, going back to something Caitriona mentioned, I think Scott mentioned too, is that in many cases many of these privacy laws have been passed on an overwhelmingly bipartisan basis. Very similar Connecticut style. We often say laws have been passed by overwhelming majorities and white democratic states, Connecticut, Oregon, as well as some quite deep red states. I think of Montana and Texas.

And I do think there's a possibility here that we see privacy legislation become increasingly politicized. Some of that may happen as a result of new voices and ideas being injected into the conversation. How will different parties respond to new data minimization provisions for example. But at the same time, I think as some democratic-leaning states may want to take steps to try to minimize or block certain aspects that the incoming administration may take. And I think we could see privacy get wrapped up in some of those issues.

And as an example, I often look to Michigan. Michigan has what is called a lame-duck session. The session runs after the November elections. In Michigan this year, the Democrats lost the House majority and moved very quickly to attempt to enact new protections for reproductive care data. And we saw concerns about the incoming administration's approach to that issue offered as one of the reasons why lawmakers were seeking to move so quickly on that bill. Ultimately, it didn't get over the finish line. However, I think that is an example of a concern that may animate more of the privacy debates in state legislatures in 2025.

Justin Hendrix:

Scott, the word 'Trump' appears 17 times in your report. What are you anticipating from the impact of Trump on state tech policy?

Scott Babwah Brennen:

Oh, wow. I wish I didn't know that actually. That's depressing. I don't know. It's hard. It's really hard to make predictions and yet we do in a report every year. In Trump I feel like the Trump administration, it's impossible to actually predict. I feel like it's something you can predict, but to really know what they're going to do. It does seem likely that the Trump administration will adopt a more deregulatory posture. They say they will, at least in areas like AI and crypto. Could see that maybe happening across the board. I think when that happens, I think it's likely that states, especially democratic led states, will pick up some of that slack again in areas like AI and crypto. I will definitely defer to the others on privacy as it's what they do. But we're in this really odd spot where I think the Trump administration will have a huge impact on what states do next year, but it's not totally clear what exactly that's going to be or what exactly he's going to do.

Caitriona Fitzgerald:

Yeah. I think states are going to keep on keeping on passing privacy legislation. Especially now that we have 19 states. Now I live in Massachusetts, we don't have a comprehensive privacy law. Over the holidays I was doing out of interest because this is what privacy advocates do for fun. I was trying to opt out of data broker selling of my personal information. And for some of them I got an email back saying, "Your state doesn't have a comprehensive privacy law, so this right doesn't apply to you." And I think as legislators become aware of those kinds of situations where residents now in 19 states have rights that their constituents don't have. I think you're going to see interest in moving forward.

Justin Hendrix:

I want to give a little bit of time just to speak about content moderation and some of those other types of concerns across states. Caitriona, your colleague Megan Iorio was updating us just a couple of days ago about, for instance, the California regulation on addictive feeds going into effect. It looks like a judge denied NetChoice's request to enjoin that law, although some of its provisions were put on hold. There's lots of other things happening across the country. I've seen a lot of folks pointing out that the number of states that are putting restrictions or age verification in place on pornography, of course, has reached a new high this year. We'll probably see more AADC-style bills. Scott, you point that out in your report. When it comes to content moderation, some of these questions around addiction perhaps limitations on adult content, the rest of that, what are each of you watching?

Caitriona Fitzgerald:

Yeah. I think we will see more states doing AADC-type laws. You saw Maryland passed an AADC-type law in addition to its privacy law last session, which hasn't been challenged yet. So you might see a number of states, I think, copying that. The harms from those practices are so much more tangible, I think, to legislators and that's why we're seeing those bills move faster than we did on privacy. I think it's something that legislators can really wrap their heads around the harms for.

Keir Lamont:

One thing that we saw in over several sessions now is a massive bipartisan focus and momentum at both the federal and state levels on shaping youth online experiences, keeping children safe online. I think it's one of the easiest issues out there to support. However, at the same time, there are many different values at play with many of these legislative proposals. Safety, privacy, design, content moderation, autonomy, and free speech. And these values are all important but can oftentimes be at tension with each other in some of these youth online safety-focused proposals. The data collection necessary for age verification to keep children off certain platforms will likely have a level of impact on privacy interests. Limiting access to certain platforms will impact autonomy and speech rights for everyone, not just child users. So, I think there's a complicated set of questions at play with this very important issue. It is a very bipartisan issue.

But if you dig a little deeper, you do see the two major political parties tend to take different approaches with Republican bills more often seeking to focus on empowering parents with the choice of what websites or platforms their children can visit. And this very frequently involves age verification of verifiable parental consent requirements. At the same time, Democratic Party led bills tend to have more of a focus on empowering the government to decide what types of designs and design choices are or are not appropriate for child users. And this is more frequently the age appropriate design code acts that we've been discussing.

And at present in many of the bills that have now passed into law, there have been legal challenges in many of these bills. So certainly not all have been enjoined in some capacity oftentimes on first amendment grounds. But one thing that I think is very interesting going into 2025 and I know that EPIC has written about is what impact may be from the Supreme Court's decision in NetChoice versus Moody. Which was in many ways a win for the trade association involving a couple of content moderation bills. But at the same time there was data suggesting that the courts may look less favorably on bringing pre-enforcement, pre-effective challenges to these laws, the so-called facial challenges and will that have the impact of shifting litigation from pre-enforcement litigation to litigation after some of these laws take effect. And I'm very interested in what the results of that may be. Will we see more laws start taking effect in something of a legal gray area? There would certainly be downsides to that if companies expect a law may ultimately be challenged. If regulators think so too, will they be less willing to attempt to enforce a new law to the full extent of its capabilities? So I do think that is one major plot point that I will be watching in the overall state tech policy landscape in the coming years.

Scott Babwah Brennen:

In the report that we put out, we make this distinction between content moderation bills and then child online safety bills. And admittedly that that distinction is somewhat artificial. But in the just pure content moderation space, to me, there's two big interesting things that I'm watching. One is after the Florida and Texas state laws basically that restricted platform's ability to moderate certain content was, as Keir just described, more or less overturned or at least returned to lower courts. That issue has dropped out. Now with the Trump administration and some of the folks coming in that have already signaled an interest in bringing back some of these discussions about what some on the right see is a government censorship of conservative voices. And I don't know how that's going to play out, but I do expect to see some return to that.

On the other hand, jawboning, I think it will continue to be an issue that, again, we had some legal clarity from the Supreme Court this past year on that. But I think what's interesting here is with the new administration, you may very well see a shifting of the battle lines on how each of the parties is going to think about jawboning. I expect to see that reflected in the states as well.

On the child online safety, I think we covered that, but to me the two things that I want to add are, one, I think there's going to be a big legal discussion about the permissibility of design restrictions on platforms. We're now seeing that not only in the AADC style bills but more on these bills that are in California and New York that tried to restrict algorithmic duration. I think it's an open question what the legal permissibility is, and there isn't a great deal of case law here. I'm not a lawyer, but that's at least my understanding. So y'all feel free to correct me on that. So I think we're going to really see some of that being debated.

The other thing is I think actually the child online safety thing, probably the biggest area we're going to see is school cell phone bans. That came in at the end of last year, but a bunch of states seem very interested in this. And you're right, child online safety is a bipartisan issue. There's a huge amount of disagreement about how best to approach that. Some of the ways that actually both the left and right leaning states are thinking about that have been joined by the courts. So while we await legal certainty, it does seem clear that banning cellphones in schools is something that there's a great deal of support for, and there's also different ways that states are actually trying to do that, but that's something that I'm going to be tracking very closely next year. This year.

Justin Hendrix:

We did some polling last year asking about the popularity of the idea of banning cellphones, smartphones in classrooms and found just really pretty overwhelming bipartisan support for bans at least through middle school. I think the majority begins to break down just a little bit when you get towards high school and you break it down by age. But extraordinary, the extent to which folks out there believe that bans in schools would be good.

I want to close this out by asking you all about a state to watch in 2025. It could be one that you've already mentioned. It could be one that we haven't brought in. Keir, you mentioned Texas for instance. I know that there's a lot going on in Texas and I'm always interested in the Texas effects just as much as the California effect. But is there a state in particular that each of you are watching or you think something interesting might happen in 2025 that Tech Policy Press listeners should be aware of? And maybe Keir, I'll start with you.

Keir Lamont:

I think you cued me up for Texas, so I will pick up the challenge there. One of the interesting things to watch in Texas is that over the past year, Texas has become one of the most active enforcers of many of these tech laws, particularly privacy laws that we've been speaking about. It's all well and good to talk about laws on the paper, but at some point they have to be implemented and have to be put into effect and enforced. And to date, Texas has really emerged as a leader. So looking at things like transfers of data in the automobile industry, development of AI systems that interact with individuals like chatbots, collection and sharing of youth data. There's multiple laws that Texas now has on the books, a comprehensive privacy law as well as a child-focused law. The Scope Act, which are largely survived the First Amendment challenge against it. And Texas has been very proactive in this space. Data broker legislation as well. So I'm very interested to see how that enforcement proceeds and where there's open cases under Texas, where that goes.

In terms of legislation, Texas is on an on-year off-year system. This is an on-year for Texas. One very interesting bill that was introduced in Texas, it was actually formally filed on December 23rd. Still a exciting new bill that everyone can read is the Texas Responsible AI Governance Act. I believe that's TRAIGA. It's being brought by the representative who actually passed the Texas underlying consumer privacy law. And we talk about is a AI bill comprehensive or not. This TRAIGA bill may actually be the closest to a comprehensive AI bill that we've seen in the states. It has provisions that do focus on things like automated decision-making technologies. However, it does have an additional list of inherently restricted use cases and that looks very much more like the European Union's AI Act. It also has a sandbox program to try to promote innovation in AI in the state. It would go back and in many cases amend and update the Texas underlying privacy law with respect to AI. And I think a lot of the actual regulation of building AI systems in this country is actually going to come down to the comprehensive privacy laws that have been passed over the last few years here. So Texas both on enforcement of existing laws and potential new legislation and updates to existing legislation is certainly a state to watch.

Justin Hendrix:

Always fun to watch the scrum around the Texas legislature, the craziness around the Austin Capitol in their short every-two-year cycle. Scott, how about you? Is there a state to watch in 2025 from your perspective?

Scott Babwah Brennen:

Texas absolutely is one I'm keeping an eye on. That comprehensive AI bill I think is also interesting because basically, it's coming out of the same multi-state AI working group that drafted both the Connecticut bill that ultimately failed and then the Colorado bill, which went. And has been positioned that Texas bill as a comprehensive AI for Republican-led states. To me, what's interesting about it is, I've already seen a decent amount of opposition from the right against that bill, and so I actually expect to see an interesting fight about it that will really give us a lot of information about how that multi-state working groups model, how successful it's going to be in becoming the new like WPA for AI, the model for the country.

For the left-leaning states, it's all the usual suspects. I'm keeping an eye on Maryland, Connecticut, Colorado. They've been super active doing a lot of interesting things across areas. But the big one that we haven't really talked about is Virginia in terms of data centers. This is an issue that we added for the first time to our report because it seems like there's a lot happening around regulation of data centers. Virginia is unequivocal the leader there because they have so many data centers and basically there were a bunch of bills that were introduced last year that basically were put on hold until 2025 barring this big report from the state government. I think it'll be really interesting to see what happens with these bills, which basically would limit some of the state tax incentives or at least require additional auditing or a review. And I think depending on how those go, other states might be interested in picking up some of that.

Justin Hendrix:

I am from a rural county in southern Virginia that is deep red and driving through the area over the holidays, it was extraordinary, the number of signs in people's front yards, opposing data centers. No data centers. They don't want the power, they don't want the facilities in that county. And really cuts across party lines. It seems to scramble the politics around these things. So very interesting phenomenon to watch. Caitriona, how about you from your perspective, is there a state to watch in 2025?

Caitriona Fitzgerald:

Yeah. On the privacy front, I'll be watching closely what Connecticut does because it's been a law that's been cited by industry many times in every state that they go to. Or at least blue states, they're asking states to mirror Connecticut. So if Connecticut ends up amending its law to match Maryland or even include other provisions, that will be a very interesting development in the state privacy legislation landscape. Obviously, we are also going to be closely watching Vermont, where it got so close last session, and Monique Priestley, the sponsor, is very interested in getting it across the finish line. This session's feeling hopeful that we can get a strong law passed there. Know there were concerns from small businesses last session, but I think that really, when you dig into it, you'll see that there's a lot of harms from targeted advertising for small businesses, and I think hopefully we can better communicate that this session and get that bill across the finish line. So, I guess a bit of a New England focus. Maine also got very close last session. They'll be, I hope, building on the many hours of work that the Judiciary committee up there put in last session. And then it gets embarrassing for Massachusetts. If all those states pass privacy laws, they've got to get in there, too. Lots of states to watch, but a bit of a New England focus for us next session.

Justin Hendrix:

I appreciate each of you joining me and providing our listeners with such a great survey of what to look for. Hopefully, everyone found something there that they can latch onto to follow in 2025, and hopefully, they'll follow each of you and your work. Keir's excellent Patchwork Dispatch. Caitriona, all your work at EPIC. Scott, the work out of the NYU Center on Tech Policy. I appreciate each of you joining us and sharing your insights today. Thank you so much, and happy New Year.

Caitriona Fitzgerald:

Thank you, Justin.

Scott Babwah Brennen:

Happy New Year.

Keir Lamont:

Thank you.