Earlier this month, lawmakers released a discussion draft of a proposed federal privacy bill, the American Privacy Rights Act of 2024 (the “APRA”).  While the draft aims to introduce a comprehensive federal privacy statute for the U.S., it contains some notable provisions that could potentially affect the development and use of artificial intelligence systems.  These provisions include the following:

  • Impact Assessments.  Large data holders (defined as covered entities that meet certain size thresholds) that use an algorithm to collect, process, or transfer covered data “in a manner that poses consequential risk of harm” in certain categories and to certain groups (e.g., applications relating to minors; making or facilitating ads for healthcare, credit, and similar opportunities; determining access to public accommodations; disparate impacts based on protected categories) would be required to conduct an impact assessment. The impact assessment would have to include certain information prescribed by the statute, including a detailed description of the design process and methodologies of the covered algorithm; a detailed description of the data used; a description of the outputs produced by the covered algorithm; an assessment of the necessity and proportionality of the algorithm in relation to its purpose; and a detailed description of the steps the large data holder has taken or will take to mitigate potential harms.
  • Algorithm Design Evaluation.  Covered entities or service providers that “knowingly develop[]” a covered algorithm would be required to conduct a design evaluation prior to deploying the covered algorithm in interstate commerce.  Specifically, the bill would require covered entities and service providers to evaluate the design, structure, and inputs of the algorithm, including training data, prior to deploying that algorithm to reduce the risk of potential harm. 
  • FTC Rulemaking.  The APRA contemplates that the FTC would promulgate rules to establish the processes by which large data holders submit impact assessments and by which covered entities may exclude from the bill’s requirements any low-risk algorithms.

We will continue to monitor this and similar developments across our blogs.

Yaron Dori

Yaron Dori is co-chair of the Communications & Media Practice Group. He practices primarily in the area of telecommunications, privacy and consumer protection law, with an emphasis on strategic planning, policy development, commercial transactions, investigations and enforcement, and overall regulatory compliance. Mr. Dori advises clients on, among other things, federal and state wiretap and electronic storage provisions, including the Electronic Communications Privacy Act (ECPA); regulations affecting new technologies such as online behavioral advertising; and the application of federal and state telemarketing, commercial fax, and other consumer protection laws to voice, text and video transmissions sent to wireless devices and alternative distribution platforms. Mr. Dori also has experience advising companies on state medical marketing privacy provisions, and, more broadly, on state attorney general investigations into a range of consumer protection issues.

Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Vanessa Lauber

Vanessa Lauber is an associate in the firm’s New York office and a member of the Data Privacy and Cybersecurity Practice Group, counseling clients on data privacy and emerging technologies, including artificial intelligence.

Vanessa’s practice includes partnering with clients on compliance with federal and state privacy laws and FTC and consumer protection laws and guidance. Additionally, Vanessa routinely counsels clients on drafting and developing privacy notices and policies. Vanessa also advises clients on trends in artificial intelligence regulations and helps design governance programs for the development and deployment of artificial intelligence technologies across a number of industries.