2022 AI Legislative Year in Review Part 1
Congress enacted no sweeping artificial intelligence legislation in 2022 or the first quarter of 2023. The two key bills introduced in 2022 failed. First, the Algorithmic Accountability Act of 2022, introduced in February 2022, would have covered very large businesses within FTC jurisdiction in terms of revenue, capital value, or the number of records.[1] The Act would have required, per FTC regulation, AI impact assessments on areas such as performance, accuracy, fairness, safety, harms of the technology, harm mitigation, consumer rights, privacy, security, and explainability. The bill died in committee.
Also, the general federal data protection bill introduced on June 21, 2022 to enact the American Data Privacy and Protection Act contained algorithmic accountability components.[2] The Act would have covered businesses within FTC jurisdiction and also carved out a category of “large data holders” with $250 million in revenues and five million individual records. The Act would have barred all covered entities from using personal information to discriminate. It would also have required large data holders to assess their algorithms annually and submit annual algorithmic impact assessments to the FTC. Each assessment would have described mitigating harms in critical areas such as housing, education, employment, healthcare, insurance, credit, or access to public accommodation, and would have addressed disparate impacts on protected classes. Businesses would have conducted assessments during the design phase of AI systems, and audits would have included consultation with independent auditors. The last committee activity on the bill was in July 2022, and due to many pressing priorities during the lame duck session, the bill will have to be reintroduced in the new Congress.
One of the active areas of AI-related legislation concerns data protection. The California Consumer Privacy Act, as amended by the California Privacy Rights Act, has encouraged the spread of state laws governing privacy around the country. CCPA and its progeny will likely continue to motivate other states to follow.
For any domestic companies doing business in California developing or deploying AI solutions involving the processing of personal information of California residents, moving towards compliance with the new California Privacy Rights Act (CPRA) is a key concern. CPRA, enacted by the voters in a November 2020 ballot initiative, amends the older California Consumer Privacy Act (CCPA).[3] CPRA, effective as of January 1, 2023, will be enforced starting on July 1, 2023. CPRA/CCPA will cover businesses with over $25 million in annual gross revenue, 100,000 or more consumer or household records, or activity that derives 50% or more of its revenue from selling or sharing (for purposes of cross-context behavioral advertising) personal information.
Under CPRA and forthcoming regulations, covered businesses will need to make changes to their privacy documentation and business practices. Examples include:
· Changes to privacy notice language, for example to include discussion of personal information retention periods or time frames.
· Changes to agreements with service providers that process personal information to include certain contractual requirements.
· Ensuring that personal information is protected by reasonable security practices.
· Changes to websites, for instance making online notices and data subject request submittal pages “reasonably accessible” for persons with disabilities.
· Changes to practices in responding to data subject requests to exercise CCPA/CPRA individual rights, such as requests for the deletion of personal information.
· Managing CPRA’s new category of “sensitive personal information.”
One key topic of CPRA and CCPA progeny in other states will be rights regarding automated data processing. California’s new data protection regulator, the California Privacy Protection Agency, will update existing regulations and adopt new ones to implement CPRA. One of the regulations the agency will adopt will cover businesses’ use of automated decision-making technology, including the profiling of consumers to analyze behavior, interests, and other aspects of a person’s situation. Regulations will require a business using this technology to provide meaningful information about the logic of how it works as well as a description of the likely outcome of the technology’s process with respect to affected consumers.[4] The concept of automated decision making includes the use of AI.
In December 2022, the agency published draft questions about automated decision making which, when finalized, will be presented for public comment.[5] The agency is seeking information about the extent of algorithmic discrimination, gaps or weaknesses in the law, best practices concerning automated decision making, how to implement access and opt-out rights, and how businesses should provide meaningful information about automated decision making. Once the forthcoming regulations become final, AI solution developers and deployers doing business in California will need to comply with them when interacting with California residents.
Following CCPA, a number of states enacted similar general privacy laws to come into effect in 2023: Virginia,[6] Colorado,[7] Utah,[8] and Connecticut.[9] The Utah law does not address automated decision making. Nonetheless, the privacy laws in Virginia, Colorado, and Connecticut do. These laws cover automated decision making within the definition of “profiling.” AI solution developers and deployers conducting business in these states will need to comply with requirements to afford residents of these states a right to opt out of profiling using automated decision making that produces legal or similarly significant effects.
Next month, I will follow up on some specific state law developments.
[1] H.R. 6580, 117th Cong. (2022).
[2] H.R. 8152, 117th Cong. (2022).
[3] Cal. Civil Code § 1798.100 et seq.
[4] Cal. Civil Code § 1798.185(a)(16).
[5] Cal. Priv. Prot. Agency, New Rules Subcommittee, Sample Questions for Preliminary Rulemaking (Dec. 16, 2022), https://cppa.ca.gov/meetings/materials/20221216_item8.pdf.
[6] Va. Code Ann. § 59.1-571 et seq.
[7] Colo. Rev. Stat. § 6-1-1301 et seq.
[8] Utah Code Ann. § 13-16-101 et seq.
[9] Act Concerning Personal Data Privacy and Online Monitoring, Pub. Act No. 22-15 (2022).