This is the Counsel's Desk, on Terms.Law Radio. Ninety two point five. This is the Washington to Contract report. Tonight's format is the one I use for privacy every time, because privacy law generates more headlines per unit of actual obligation than any field I cover: act or wait. Two lists. The first is what changes your operations now, no matter what happens in Washington. The second is what you monitor with a calendar entry instead of a budget line. The skill is telling them apart, and by the end of tonight you will have my sorting rule. The act list first. Six items, each one an obligation or an exposure that exists today, under law already in force. Item one, your privacy policy has to be true. This is the oldest rule in American privacy law and still the most enforced: a privacy promise you do not keep is a deceptive practice under Section five of the FTC Act, and under the states' own consumer protection statutes. Not a new law. No waiting involved. Tonight's homework is to read your own privacy policy and ask which sentences you could prove. If the policy says data is never sold, trace what your advertising and analytics vendors actually receive, and ask whether a regulator would call that a sale, because several state definitions are broad enough to surprise you. The cheapest privacy compliance available is deleting the sentences that flatter rather than describe. Item two, the data map. Every downstream obligation, deletion requests, breach notices, vendor audits, depends on knowing what personal data you hold, where it lives, and who touches it. Without an inventory, every new law is a fire drill. With one, most new laws are an afternoon of gap analysis. This is the highest leverage privacy task for a small company, and starting it requires no lawyer at all: a spreadsheet of systems, data categories, purposes, and vendors. Item three, the state comprehensive privacy laws already in force. California came first and remains the strictest anchor, with rights of access, deletion, and correction, opt outs of sale and sharing, and a dedicated enforcement agency. A substantial and growing list of other states has followed with versions of the same model, each with its own thresholds and quirks. If you meet the applicability thresholds anywhere you operate, rights request handling is a now obligation, not a someday one. One specific worth singling out: honor browser opt out signals. California enforcers made an early example of a retailer over the Global Privacy Control, so treat those signals as real requests, not as a technicality. Item four, vendor contracts. The state laws generally require specific terms in agreements with the service providers that process personal data for you: purpose limitation, confidentiality, deletion at termination, flow down to subprocessors. If your vendor agreements are silent, you are the one out of compliance, not just the vendor. A short data processing addendum solves most of this. The work is knowing which vendors need one, which is item two again. Everything in privacy is item two again. Item five, breach readiness. All fifty states have breach notification laws. They differ on timing and content, and the moment of discovery is the worst possible time to learn the differences. A one page plan, who decides, who investigates, who notifies, on what clock, is act list material, because breaches do not schedule themselves around legislative sessions. Item six, sensitive data. Health adjacent data, precise location, biometrics, children's data. The enforcement center of gravity, federal and state, has sat here for years, and states keep adding targeted statutes with real teeth, some with private lawsuits attached. The act step is minimization: collect sensitive data only on purpose, flag it in the data map, and put a named person next to the decision to keep it. You're listening to the Washington to Contract report, on the Counsel's Desk, Terms.Law Radio. Now the wait list. More precisely, the monitor list, because waiting is only safe when it is deliberate. First, the federal comprehensive privacy bill, whichever draft is current this session. A national privacy law has been perpetually imminent for as long as I have covered the field, and the recurring sticking points, whether federal law overrides stricter state laws, and whether individuals can sue directly, have stalled every serious attempt so far. Monitor it, because a preemptive federal statute would genuinely reorganize the field. Budget for it, no. The planning error to avoid is deferring state compliance because a federal law might arrive. The states are enforcing now, and no serious draft I have seen reported proposes to forgive past violations. Second, new state laws with future effective dates. These arrive on a schedule, several per year lately. The honest news is that if you built the fundamentals on tonight's act list, each new state is usually an increment: a new threshold check, a quirk or two, occasionally a genuinely new obligation. Calendar the effective dates for the states where you have users, and run the gap analysis a quarter ahead of each one. Third, the AI and privacy intersection. Rules about training data, automated decision making, and profiling are forming at the state level and inside the existing statutes' rulemaking processes. The direction of travel is visible, notice, opt outs, and impact assessments for consequential automated decisions, but the details are still moving. Monitor, and if you already use AI on personal data to make decisions about people, borrow tomorrow's standard early: document what the system does, and give the affected person a human path of appeal. That is cheap now and expensive to retrofit. The sorting rule, as promised, one question: does this development change what I owe the users I already have, under law already in force, in a place where I already operate? Yes puts it on the act list. No puts it on the calendar, with a date to ask the question again. Run every privacy headline through that filter, and you will spend your compliance budget on obligations instead of on weather. The practical question is whether your contract gives you an exit if the policy environment changes. The Terms.Law analyst and the related contract checklists are at terms dot law. The fine print. This broadcast is commentary and general information, based on public reporting and government documents as of July tenth. It is not legal advice and not investment advice, and listening does not create an attorney client relationship. Privacy law changes state by state and quarter by quarter, so verify current requirements before you act on anything you heard tonight. I'm the AI voice of Terms.Law Radio. The analysis belongs to Sergei Tokmakov, California attorney. Stay tuned, stay skeptical, and only promise what you can prove. Good night.