The rise of AI technology has prompted regulatory agencies to take action and protect consumers’ rights, as evidenced by the recent efforts of the Federal Trade Commission (FTC) and the California Privacy Protection Agency (CPPA).
On November 16, 2023, the FTC approved a resolution that authorizes its staff to issue civil investigative demands (CIDs) in cases involving AI or generative AI products and services. CIDs are legal requests for information or documents that the FTC uses to investigate potential consumer protection or antitrust law violations. The resolution aims to enhance the FTC’s ability to monitor and enforce compliance with existing laws and regulations that apply to AI, such as the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the FTC Act.
The resolution also signals the FTC’s interest in addressing emerging issues related to AI, such as bias, discrimination, privacy, security, and transparency. The FTC has previously issued guidance and reports on these topics and brought enforcement actions against companies that misused or misrepresented their AI capabilities. The resolution indicates that the FTC will continue scrutinizing AI practices and hold companies accountable for any harm they cause to consumers or competition.
On November 22, 2023, the CPPA released the first draft of its rulemaking on automated decision-making technology, which includes systems that use AI, machine learning, or data processing to help humans make decisions or profile individuals. The CPPA is a new agency created by the California Privacy Rights Act (CPRA), passed by voters in November 2020, and will take effect on January 1, 2023. The CPRA expands and strengthens the 2018 California Consumer Privacy Act which is one of the most comprehensive privacy laws in the country.
The draft rules aim to implement and clarify some of the CPRA provisions related to automated decision-making technology. Specifically, the draft rules address the following areas:
– Notice and opt-out rights: The draft rules require businesses that use personal information in their automated decision-making systems to provide clear notice to consumers about how the information is used, their rights to opt out of it, and how to access more information. Some exceptions exist for security, fraud prevention, consumer safety, or business necessity reasons.
– Access and appeal rights: The draft rules also allow consumers to ask businesses what automated decision-making technology is used for and how decisions affecting them were made. Companies must provide details on the system’s logic, the possible outcomes, and the extent of human involvement. Consumers can appeal the denial of access requests to the CPPA and the attorney general’s office.
– Children and profiling: The draft rules address the issue of profiling children under 16, requiring parental consent for children under 13, and providing opt-out rights for children between 13 and 16. Businesses operating in public places which profile consumers using wi-fi or facial recognition must also offer opt-out options.
The draft rules are open for public comment until December 27, 2023. The CPPA will review the comments and issue final regulations by July 1, 2024. Regulators recognize AI’s potential benefits and risks and try to safeguard consumers’ rights and interests. Accordingly, businesses involved in the development or use of AI will want to take note of these regulatory changes and be prepared to comply with them.