Pimloc’s latest overview: US privacy legislation and AI

Written By Pimloc

The United States finds itself at a unique juncture in the global conversation around data. Unlike the consolidated approach seen in the European Union's GDPR, the US privacy and AI policy landscape remains a fragmented yet rapidly evolving tapestry. For organizations heavily reliant on video and audio data—from public safety and healthcare to retail, transport, and insurance—understanding this complex interplay is no longer a legal nicety but a fundamental operational imperative. The legislative and policy shifts underway are profoundly reshaping how digital visual and auditory information can be collected, managed, and utilized.

A patchwork quilt of US privacy legislation

The absence of a single, overarching federal privacy law in the US has led to a dynamic, state-driven approach. Comprehensive privacy statutes have rapidly proliferated, with many becoming effective in recent years.

For instance, the California Consumer Privacy Act (CCPA), effective January 1, 2020, and expanded by the California Privacy Rights Act (CPRA) in 2023, broadly defines "personal information" to include visual, auditory, electronic, and similar data. This directly impacts any entity handling video or audio recordings of California residents.

Similarly, the Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023, and the Colorado Privacy Act (CPA), effective July 1, 2023, establish extensive consumer rights and organizational obligations for personal data. These laws, along with those now active in states like Utah (effective December 31, 2023), Iowa, Montana, Oregon, Tennessee, and Texas (most effective in 2024 or 2025), create a complex web of varying definitions, consent requirements, and data subject rights.

Beyond these burgeoning state-level comprehensive laws, crucial sector-specific federal regulations remain the bedrock. HIPAA (Health Insurance Portability and Accountability Act) continues its stringent oversight of Protected Health Information (PHI) in healthcare. This explicitly covers video recordings of patient consultations, patient monitoring systems, and any audio that contains identifiable PHI.

The Family Educational Rights and Privacy Act (FERPA) similarly dictates the handling of student education records, which unequivocally includes video footage of students captured in classrooms, on buses, or by security cameras. This intricate interplay necessitates that organizations operating across states or in regulated sectors must meticulously navigate multiple, sometimes overlapping, compliance requirements for video data privacy and audio data privacy.

The emergence of US AI policy and regulation

Complementing this evolving privacy landscape, the US is actively shaping its approach to AI. While a comprehensive federal AI statute is still coalescing, significant policy directives and pioneering state initiatives are setting crucial precedents:

  • Biden Administration's Executive Order (EO 14110): Issued in October 2023, this landmark order established a framework for AI safety and security, emphasizing principles such as privacy, civil rights, and equity. It directs federal agencies to develop standards and guidance for responsible AI use, particularly for high-risk applications. Crucially, it seeks to advance technology to identify, authenticate, and trace content produced by AI systems, a direct response to the threat of deepfakes and manipulated video/audio.

  • NIST AI Risk Management Framework (RMF): Released in early 2023, this voluntary framework (AI RMF 1.0) provides a structured, adaptable approach for organizations to identify, assess, and mitigate AI risks throughout their lifecycle. While voluntary, its influence is growing as a de facto standard for responsible AI deployment, guiding considerations around trustworthiness, bias, and transparency in systems processing vast amounts of video data and audio data.

  • State-Level AI Legislation: Beyond general privacy laws, certain states are enacting AI-specific statutes. Colorado's pioneering AI Act, enacted in May 2024 and effective in 2026, focuses on accountability and transparency for developers and deployers of "high-risk" AI systems, particularly those making "consequential decisions" that impact consumers. It specifically addresses concerns around bias and discrimination. Other states, like Utah with its Artificial Intelligence Policy Act, also require disclosure of generative AI use when interacting with consumers.

These nascent AI policies directly impact AI systems that process video and audio data, especially those leveraging facial recognition policy, behavioral analytics, or voice analysis. Concerns about algorithmic bias, the lack of transparency in AI decision-making, and the scope of AI-powered surveillance are potent drivers behind these regulatory interests. The FTC, for instance, has issued policy statements on biometric information, broadly defining it to include photographs, videos, and sound recordings, signaling increased scrutiny on the collection and use of such data.

Try our automated audio and video redaction solution today.

Start for free

The crucial intersection: Video, Audio, Privacy Laws, and AI Policies

The nexus of these legislative and policy streams presents distinct challenges and opportunities for video management systems and digital evidence management.

  • Data minimization and purpose limitation: Both state privacy laws and federal AI policy strongly advocate for collecting and retaining only necessary video and audio data, and using it solely for explicitly stated, legitimate purposes. The era of indefinite, broad "just-in-case" recording is facing increasing scrutiny.

  • Data subject rights: Individuals are increasingly empowered with rights to access, correct, or delete their visual or auditory data. This compels organizations to develop robust systems capable of efficiently identifying, retrieving, and processing specific segments of recordings to fulfil data redaction requests.

  • Bias mitigation in AI: AI policies demand that AI models trained on video or audio data (e.g., for facial recognition or behavioral prediction) are rigorously audited for and designed to mitigate inherent biases. This requires careful attention to training data, model evaluation, and ongoing monitoring to ensure equitable outcomes.

  • Transparency and notice: Organizations are increasingly obligated to provide clear, conspicuous notice when video or audio recording occurs, particularly if AI analysis is involved. This includes informing individuals about the types of data collected and how it will be used.

  • Redaction - the compliance enabler: This is where data redaction becomes a non-negotiable compliance strategy. Automated video anonymization and audio anonymization tools empower organizations to navigate these diverse mandates. By enabling the precise redaction of PII (e.g., blurring faces, muting voices, masking identifying objects), these tools allow entities to leverage the rich insights from video and audio while rigorously respecting privacy rights and mitigating AI-related risks.

Sectoral implications and trends

The impact of these converging legislative and policy trends is profound across various industries:

  • Public Safety: Law enforcement agencies managing bodycam video data privacy face immense scrutiny regarding facial recognition policy and surveillance. The push is towards explainable AI and privacy-preserving analysis, ensuring accountability and adherence to civil liberties.

  • Healthcare: Telehealth providers must ensure HIPAA compliance video for recorded consultations, while patient monitoring systems increasingly integrate AI, demanding ethical considerations beyond basic data security.

  • Education: Schools utilizing surveillance or classroom recordings must ensure FERPA compliance video, particularly when sharing footage for safety investigations or disciplinary actions, often requiring meticulous redaction of student images and voices.

  • Transport: Video analytics for traffic management or autonomous vehicles must contend with broad definitions of personal data and emerging AI regulations on safety, bias, and transparency.

  • Retail/Commercial: Businesses using video for customer analytics or employee monitoring face obligations under expanding state privacy laws regarding consent and transparency. The rise in "non-attack" data privacy class-action litigation, often tied to wrongful data collection or usage (like pixel tracking), highlights the financial risks of non-compliance, pushing insurers to scrutinize how their clients manage such data. For insurers themselves, processing claims videos (e.g., dashcam footage, property inspections) and recorded calls demands careful adherence to these varied state-level privacy laws, ensuring robust data security and responsible AI usage in insurance claim management and fraud detection.

Conclusion: Proactive preparedness in a dynamic landscape

The US privacy and AI policy landscape, though still evolving, is clearly trending towards greater accountability, transparency, and individual rights concerning digital data, especially video and audio. The confluence of state privacy laws and emerging federal AI policies creates an intricate compliance environment. For organizations to leverage the power of video and audio data in an ethical and legally sound manner, proactive preparedness is key. Investing in robust data redaction and video anonymization solutions, coupled with clear internal policies and ongoing training, will be indispensable. This strategic approach ensures not just compliance but also builds and maintains the trust essential for navigating the future of data-driven operations in the United States

Need to redact personal and sensitive data at scale?

Start for free
Pimloc
Previous

2025 DSAR trends: Navigating the surge in video and audio requests
Next

The maze of FOIA video redaction fees across US Law Enforcement