Earlier this month, lawmakers released a discussion draft of a proposed federal privacy bill, the American Privacy Rights Act of 2024 (the “APRA”). While the draft aims to introduce a comprehensive federal privacy statute for the U.S., it contains some notable provisions that could potentially affect the development and use of artificial intelligence systems. These provisions include the following:
- Impact Assessments. Large data holders (defined as covered entities that meet certain size thresholds) that use an algorithm to collect, process, or transfer covered data “in a manner that poses consequential risk of harm” in certain categories and to certain groups (e.g., applications relating to minors; making or facilitating ads for healthcare, credit, and similar opportunities; determining access to public accommodations; disparate impacts based on protected categories) would be required to conduct an impact assessment. The impact assessment would have to include certain information prescribed by the statute, including a detailed description of the design process and methodologies of the covered algorithm; a detailed description of the data used; a description of the outputs produced by the covered algorithm; an assessment of the necessity and proportionality of the algorithm in relation to its purpose; and a detailed description of the steps the large data holder has taken or will take to mitigate potential harms.
- Algorithm Design Evaluation. Covered entities or service providers that “knowingly develop[]” a covered algorithm would be required to conduct a design evaluation prior to deploying the covered algorithm in interstate commerce. Specifically, to reduce the risk of potential harm, the bill would require covered entities and service providers to evaluate the design, structure, and inputs of the algorithm, including training data, before deploying it.
- FTC Rulemaking. The APRA contemplates that the FTC would promulgate rules to establish the processes by which large data holders submit impact assessments and by which covered entities may exclude from the bill’s requirements any low-risk algorithms.
We will continue to monitor this and similar developments across our blogs.