2023 - Volume 2 - Summer - Flipbook - Page 12
-Artificial Intelligence: Continued from page 11-
and regulations, allowing consumers (including employees) to exert control over the personal information
that businesses collect about them.
In California, data privacy is primarily regulated
by the California Consumer Privacy Act of 2018
(CCPA) which provided California consumers with
various new privacy rights, including: the right to
know, the right to delete, the right to opt-out, and the
right to non-discrimination for exercising privacy
rights. California voters adopted Proposition 24 (also
known as the California Privacy Rights Act) in 2020,
which amended the CCPA and added a handful of
new privacy protections. The CCPA (as amended by
the CPRA) is enforced by the newly created California Privacy Protection Agency (the CPPA or the
Agency), which is tasked with implementing and enforcing the CCPA. One the Agency’s most powerful
tools is its ability to adopt and enforce regulations related to the CCPA.
cision tool is defined as “a system or service that uses
artificial intelligence and has been specifically developed or marketed to, or specifically modified to, make,
or be a controlling factor in making, consequential decisions.” Consequential decisions, in turn, are those
that would affect certain enumerated individual rights
and opportunities—namely employment, education,
housing, healthcare, financial services, and criminal
justice. The bill focuses on the creators of these tools
(the “developers”) and those who use the tools to make
consequential decisions (the “deployers”). The bill
would place several new requirements on developers
and deployers, would add an enforcement mechanism,
and would also create a private right of action against
deployers for “algorithmic discrimination.” Each of
these will be discussed below.
Impact Assessments
A.B. 331 would require both developers and deployers to perform “impact assessments,” which is defined as “a documented risk-based evaluation of an automated decision tool” that meets certain disclosure or
analysis requirements. An impact assessment must include a disclosure of, for example: the purpose of the
tool including its intended use, a description of the
tool’s outputs and how they are used to make consequential decisions, and summaries of the types of data
collected and the outputs used to make consequential
decisions. The impact assessments must also analyze
potential adverse impacts on protected classifications,
as well as describe several key aspects of the development and monitoring of the tool such as how the tool
will be evaluated for validity or relevance.
The CCPA is not the only mechanism available in
California for regulation of data privacy, however.
Over the past few years, as implementation of the
CCPA has been cumbersome and confusing, some
legislative complements to the CCPA have slowly begun taking shape.
Recent activity by both the state legislature and
the CPPA reflect that California regulators are keenly
aware of the intertwining risks created by AI and data
privacy. Both bodies are attempting to quickly fill regulatory gaps created by AI’s ever-expanding reach.
Businesses that use AI tools, in ways both customerfacing and internal, should keep abreast of these developments and the risks that they pose.
A.B. 331
The legislative answer that is furthest along in addressing data privacy risks created by AI is a bill that
was introduced by California state representative Rebecca Bauer-Kahan on Jan. 30, 2023. The bill, A.B.
331, which would add a chapter to Division 8 of the
California Business and Professions Code, aims to
create a detailed framework for regulating the data
used to create and implement “automated decision
tools.” A.B. 331, Automated Decision Tools. Though
the bill was held under submission earlier this year, it
is likely to be reintroduced in largely the same form at
the next legislative session.
Each impact assessment is to be completed “[o]n or
before January 1, 2025, and annually thereafter,” and
the developer and deployer of the AI tool must provide
the assessment to the Civil Rights Department within
60 days of completion. If a developer or deployer fails
to do so, the Civil Rights Department may bring an administrative enforcement action and seek up to $10,000
“per violation.” This means that “[e]ach day on which
an automated decision tool is used for which an impact
assessment has not been submitted…shall give rise to a
distinct violation of this section.” Presumably completed assessments will be collected by the Civil Rights
Department, as the bill states that the Civil Rights Department is to share collected assessments with “other
state entities as appropriate,” potentially indicating that
the California Attorney General or other public attorneys could play an added enforcement role.
Under the proposed legislation, an automated de-
-Continued on page 1312
