Consumer Rights in Artificial Intelligence

This new white paper by Stanford Institute for Human-Centered Artificial Intelligence (HAI) titled "Rethinking Privacy in the AI Era" addresses the intersection of data privacy and AI development, highlighting the challenges and proposing solutions for mitigating privacy risks. It outlines the current data protection landscape, including the Fair Information Practice Principles, GDPR, and U.S. state privacy laws, and discusses the distinction and regulatory implications between predictive and generative AI. The paper argues that AI's reliance on extensive data collection presents unique privacy risks at both individual and societal levels, noting that existing laws are inadequate for the emerging challenges posed by AI systems, because they don't fully tackle the shortcomings of the Fair Information Practice Principles (FIPs) framework or concentrate adequately on the comprehensive data governance measures necessary for regulating data used in AI development. According to the paper, FIPs are outdated and not well-suited for modern data and AI complexities, because: - They do not address the power imbalance between data collectors and individuals. - FIPs fail to enforce data minimization and purpose limitation effectively. - The framework places too much responsibility on individuals for privacy management. - Allows for data collection by default, putting the onus on individuals to opt out. - Focuses on procedural rather than substantive protections. - Struggles with the concepts of consent and legitimate interest, complicating privacy management. It emphasizes the need for new regulatory approaches that go beyond current privacy legislation to effectively manage the risks associated with AI-driven data acquisition and processing. The paper suggests three key strategies to mitigate the privacy harms of AI: 1.) Denormalize Data Collection by Default: Shift from opt-out to opt-in data collection models to facilitate true data minimization. This approach emphasizes "privacy by default" and the need for technical standards and infrastructure that enable meaningful consent mechanisms. 2.) Focus on the AI Data Supply Chain: Enhance privacy and data protection by ensuring dataset transparency and accountability throughout the entire lifecycle of data. This includes a call for regulatory frameworks that address data privacy comprehensively across the data supply chain. 3.) Flip the Script on Personal Data Management: Encourage the development of new governance mechanisms and technical infrastructures, such as data intermediaries and data permissioning systems, to automate and support the exercise of individual data rights and preferences. This strategy aims to empower individuals by facilitating easier management and control of their personal data in the context of AI. by Dr. Jennifer King Caroline Meinhardt Link: https://lnkd.in/dniktn3V

Yesterday, Colorado’s Consumer Protections for #ArtificialIntelligence (SB24-205) was sent to the Governor for signature. If enacted, the law will be effective on Feb. 1, 2026, and Colorado would become the first U.S. state to pass broad restrictions on private companies using #AI. The bill requires both developer and deployer of a high-risk #AI system to use reasonable care to avoid algorithmic discrimination. A High-Risk AI System is defined as “any AI system that when deployed, makes, or is a substantial factor in making, a consequential decision.” Some computer software is exempted, such as AI-enabled video games, #cybersecurity software, and #chatbots that have a user policy prohibiting discrimination. There is a rebuttable presumption that a developer and a deployer used reasonable care if they each comply with certain requirements related to the high-risk system, including Developer: - Disclose and provide documentation to deployers regarding the high-risk system’s intended use, known or foreseeable #risks, a summary of data used to train it, possible biases, risk mitigation measures, and other information necessary for the deployer to complete an #impactassessment. - Make a publicly available statement summarizing the types of high-risk systems developed and available to a deployer. - Disclose, within 90 days, to the attorney general and known deployers when algorithmic discrimination is discovered, either through self-testing or deployer notice. Deployer: - Implement a #riskmanagement policy that governs high-risk AI use and specifies processes and personnel used to identify and mitigate algorithmic discrimination. - Complete an impact assessment to mitigate potential abuses before customers use their products. - Notify a consumer of specified items if the high-risk #AIsystem makes a consequential decision concerning a consumer. - If the deployer is a controller under the Colorado Privacy Act (#CPA), it must inform the consumer of the right to #optout of profiling in furtherance of solely #automateddecisions. - Provide a consumer with an opportunity to correct incorrect personal data that the system processed in making a consequential decision. - Provide a consumer with an opportunity to appeal, via human review if technically feasible, an adverse consequential decision concerning the consumer arising from the deployment of the system. - Ensure that users can detect any generated synthetic content and disclose to consumers that they are engaging with an AI system. The law contains a #safeharbor providing an affirmative defense (under CO law in a CO court) to a developer or deployer that: 1) discovers and cures a violation through internal testing or red-teaming, and 2) otherwise complies with the National Institute of Standards and Technology (NIST) AI Risk Management Framework or another nationally or internationally recognized risk management #framework.

Yesterday, the long-awaited Texas AI bill was released, titled "The Texas Responsible AI Governance Act." As with the Colorado AI Act, it's visible that the drafters read the EU AI Act (and not once) and took notes. The bill is focused on high-risk AI Systems (HRAIS) and sets a reasonable care standard for developers, distributors and deployers of HRAIS to prevent known or foreseeable risks of algorithmic discrimination. The Act excludes small businesses from its obligations. So in very short terms, key requirements under the Act are: -         Conduct semiannual HRAIS Impact Assessments -         Record keeping and Reporting requirements -         AI Literacy -         Intentional and substantial modification to a HRAIS triggers additional responsibilities -         Disclosing HRAIS to consumers and right to explanation for AI-driven decisions (consumer should know they interact with AI, purpose of AI system, nature of any consequential decision in which the system is or may be a contributing factor, factors used in making any consequential decision, deployer’s contact info, description of AI system components) -         Develop AI Risk Management Policy prior to deployment of HRAIS (NIST AI RMF to be used as the standard) Under the Act, any deployer, distributor or any third-party shall be considered as developer of HRAIS if they: -         Put their name or trademark on a HRAIS already placed in the market or put into service -         Modify HRAIS (placed in the market or put into service) in such a way that it remains a HRAIS -         Modify the intended purpose of an AI system in such a way that it becomes a HRAIS The Act does not apply to the development of an AI system used within a regulatory sandbox program, for research, training, testing or open-source AI systems (as long as it’s not high risk and model weights are public). Prohibited Uses and Unacceptable Risks: -         Manipulation of human behavior (subliminal techniques) -         Social scoring -         Biometric identification -         Categorization based on sensitive attributes -         Emotion recognition -         Sexually explicit videos, images, and child pornography Enforcement: As usual, no private right of action. Attorney general has enforcement authority. Violations may result in escalating fines. Online complaint mechanism. “A consumer may appeal a consequential decision made by a high-risk artificial intelligence system regardless of whether the decision was made with human oversight or not.” If consumer proves that developer/ deployer violated their rights under this Act, consumer is entitled to declaratory and injunctive relief.

The Oregon Department of Justice released new guidance on legal requirements when using AI. Here are the key privacy considerations, and four steps for companies to stay in-line with Oregon privacy law. ⤵️ The guidance details the AG's views of how uses of personal data in connection with AI or training AI models triggers obligations under the Oregon Consumer Privacy Act, including: 🔸Privacy Notices. Companies must disclose in their privacy notices when personal data is used to train AI systems. 🔸Consent. Updated privacy policies disclosing uses of personal data for AI training cannot justify the use of previously collected personal data for AI training; affirmative consent must be obtained. 🔸Revoking Consent. Where consent is provided to use personal data for AI training, there must be a way to withdraw consent and processing of that personal data must end within 15 days. 🔸Sensitive Data. Explicit consent must be obtained before sensitive personal data is used to develop or train AI systems. 🔸Training Datasets. Developers purchasing or using third-party personal data sets for model training may be personal data controllers, with all the required obligations that data controllers have under the law. 🔸Opt-Out Rights. Consumers have the right to opt-out of AI uses for certain decisions like housing, education, or lending. 🔸Deletion. Consumer #PersonalData deletion rights need to be respected when using AI models. 🔸Assessments. Using personal data in connection with AI models, or processing it in connection with AI models that involve profiling or other activities with heightened risk of harm, trigger data protection assessment requirements. The guidance also highlights a number of scenarios where sales practices using AI or misrepresentations due to AI use can violate the Unlawful Trade Practices Act. Here's a few steps to help stay on top of #privacy requirements under Oregon law and this guidance: 1️⃣ Confirm whether your organization or its vendors train #ArtificialIntelligence solutions on personal data.  2️⃣ Validate your organization's privacy notice discloses AI training practices. 3️⃣ Make sure organizational individual rights processes are scoped for personal data used in AI training. 4️⃣ Set assessment protocols where required to conduct and document data protection assessments that address the requirements under Oregon and other states' laws, and that are maintained in a format that can be provided to regulators.

Do not count out the states on #AIenforcement. New advisory out by the Massachusetts Attorney General's Office outlining specific #consumerprotection considerations when marketing, offering, or using #AI. From past experience, when you see a regulator put out a bulletin/advisory/press release focusing on a particular business practice, it's fairly common to see that office pursue enforcement actions afterwards for practices that conflict with the AG's notice outlining their concerns with practices they're seeing in the marketplace. Some highlights include: 1️⃣ Falsely advertising the quality, value, or usability of AI systems    2️⃣ Supplying an AI system that is defective, unusable, or impractical for the purpose advertised 3️⃣ Misrepresenting the reliability, manner of performance, safety, or condition of an AI system 4️⃣ Offering for sale or use an AI system in breach of warranty, in that the system is not fit for the ordinary purposes for which such systems are used, or that is unfit for the specific purpose for which it is sold where the supplier knows of such purpose 5️⃣ Misrepresenting audio or video content of a person for the purpose of deceiving another to engage in a business transaction or supply personal information as if to a trusted business partner as in the case of deepfakes, voice cloning, or chatbots used to engage in fraud  6️⃣ Failing to comply with Massachusetts statutes, rules, regulations or laws, meant for the protection of the public’s health, safety or welfare 7️⃣ Violating anti-discrimination laws (the advisory warns AI developers, suppliers, and users about using technology that relies on discriminatory inputs and/or produces discriminatory results that would violate the state’s civil rights laws) 8️⃣ Failing to safeguard personal data utilized by AI systems, underscoring the obligation to comply with the state’s data breach notification requirements, (statutory and regulatory requirements -- Note MA has very robust data security regulations). PSA: Can't hurt to confer with your counsel on how your practices stack up to these issues. That's less 💲 than responding to a subpoena. Kelley Drye Advertising Law Kelley Drye & Warren LLP https://lnkd.in/egxfdRZr

🛑 Only tracking new AI laws? You could be missing the bigger risk.🛑 State agencies and attorneys general (AGs) are issuing guidance on how existing laws apply to AI—often shaping enforcement more than headline legislation. 💡 Why Agency and AG Guidance Deserves Your Attention * Immediate Impact: These interpretations clarify how current consumer protection, anti-discrimination, and privacy laws already govern AI. * Enforcement is Here: Agencies use this guidance as their roadmap for investigations—sometimes before new statutes are active. * Industry Insights: Guidance often targets AI risks in specific sectors like healthcare and employment, where broad legislation may fall short. 🗺️ Recent Examples from Across the US * Massachusetts: Advisory confirms consumer protection and civil rights laws apply to AI tools. * New Jersey: Guidance warns of liability for algorithmic discrimination—even when unintentional. * Oregon: AG reminds companies AI is covered under existing privacy and equality acts. For a deeper dive, follow the link in the comments for the full post. #AI #ResponsibleAI #AIGovernance

Fresh AI guidance in California. California state Attorney General Rob Bonta says California has plenty of pre-AI laws that apply to AI, just like Oregon similarly concluded for Oregon law in December. Full advisory opinion attached and overview from GC AI below! PS - Bonta also put out guidance on AI and healthcare as its own report. ~~~ The opinion is from the California Department of Justice, Office of the Attorney General. It is titled "Legal Advisory - Application of Existing CA Laws to Artificial Intelligence" and provides guidance on how existing California laws apply to artificial intelligence (AI). The parties involved are the California Attorney General's Office, entities that develop, sell, and use AI, and consumers. Summary 1️⃣ The advisory emphasizes the potential benefits and risks of AI, encouraging ethical and lawful development and use. 2️⃣ It outlines the applicability of California's consumer protection, civil rights, competition, and data privacy laws to AI. 3️⃣ Reviews the new California laws effective January 1, 2025, and addressing AI use in business, elections, healthcare, and more. Interesting quotes "AI systems are proliferating at an exponential rate and already affect nearly all aspects of everyday life." "Entities that develop or use AI systems must ensure that they and their systems comply with California law." "California's Unfair Competition Law protects the state's residents against unlawful, unfair, or fraudulent business acts or practices." "The California Consumer Privacy Act (CCPA) broadly regulates the collection, use, sale, and sharing of consumers' personal information." Related email draft: Subject: Implications of CA Attorney General's AI Legal Advisory for Acme, Inc. Team, I've reviewed the recent legal advisory from the CA Attorney General on AI and its implications for our operations. Here are the key takeaways: • We must ensure our AI systems and practices comply with existing CA consumer protection, civil rights, competition, and data privacy laws. • New legislation, effective Jan 1, 2025, requires additional disclosures and compliance measures for AI systems. • Our use of AI in marketing, employment, and product development must be transparent, ethical, and lawful to avoid legal risks. We should review and possibly update our data privacy policies and AI system disclosures to align with the CCPA and upcoming legal changes. Let's discuss how we can proactively address these points to maintain compliance and leadership in ethical AI development. Best, [Your Name] #AIRegulation #ProductCounsel #AI

On Christmas Eve, the Oregon Attorney General issued guidance on how Oregon law applies to AI. It’s a laundry list of legal traps that both Data and One-Eyed Willie would love: * Failing to disclose that the developer will use personal data for model training, or retroactively modifying privacy policies to allow for training without getting affirmative consent (that last one is a biggie) * Failing to properly honor deletion rights (but no guidance on whether that requires model retraining) * Failing to do a DPIA for ANY model training (the AG’s position is that all model training likely poses heightened risks to consumers) * Not providing an opt-out for automated decisionmaking * Making misrepresentations about the use of customer data for training or about the AI system, or failing to disclose defects in the system * Using an AI system to make misrepresentations or to employ unconscionable sales tactics * Using AI to set prices for essential goods during an emergency, even if it’s based on market demand, if this results in unconscionably excessive prices * Not protecting user data from a breach (might be time to do some red teaming) * Not addressing potential discrimination in model outputs (bias testing, anyone?) Link to the guidance in the comments. #law #artificialintelligence #privacy