0

AI vendor management – human programming for machine learning

Machine learning and artificial intelligence (AI) have permeated the supply chain. The reasons are apparent. Low cost and efficiency are an easy sell in today’s economy, with rampant inflation in the supply chain and tight labor markets. Yet, the economic motivation for AI must be tempered by human (or human-programmed) review of AI systems. Rules are necessary to ensure that the fundamental privacy and moral rights of individuals are protected. From data input to disaster recovery, AI vendor management ensures both the protection of businesses and the broader society. In an Insight article written by Lily Li, Founder of Metaverse Law for Data Guidance, Lily discusses data minimization for AI vendors, algorithmic bias and disgorgement, considerations for AI terms and conditions, and business continuity and disaster recovery considerations for AI. Click here to continue reading.
0
Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

California Delete Act allows consumers to easily delete data from all data brokers in California

On October 10, 2023, California Governor Gavin Newsom announced that he had signed into law Senate Bill 362, which is otherwise known as the Delete Act.[1] The full text of the Delete Act can be found here. The Delete Act is a landmark law seeking to provide consumers with a one-stop-shop mechanism for deleting the consumer’s personal information from all data brokers covered by the law.[2] Under current provisions, consumers must submit individual deletion requests to each data broker, but the Delete Act intends to provide a universal opt-out mechanism that allows consumers to send a single deletion request to all data brokers. To do this, the law charges the California Privacy Protection Agency with developing the one-stop-shop mechanism by January 1, 2026. While the technical and operational specifics of the mechanism are unknown, the law provides broad guidelines for what the mechanism must achieve, which expressly includes allowing consumers to make a single request that “every data broker that maintains any personal information delete any personal information related to the consumer held by the data broker or associated service provider or contractor.”[3] In addition, the law shifts data broker registration in California from the California Department of Justice to the California Privacy Protection Agency – presumably to provide the Agency with a database for the purposes of facilitating the consumer’s deletion request.[4] Previously, failure to register as a data broker amounted to $100 penalty for each day the data broker failed to register; however, the Delete Act doubles the fine to $200 per day. The law also imposes new disclosure obligations on covered data brokers, requiring them to disclose to consumers whether the data broker collects consumers’ precise geolocation, reproductive health care data, or information of minors. Starting in 2029, the data broker must disclose whether it has undergone an audit pursuant to the law. At this time, it remains unclear how the Agency will satisfy the creation of a one-stop-shop deletion mechanism, but data brokers in California should be prepared to adapt to a new government-imposed deletion mechanism. We will continue monitoring the Agency’s progress as the deadline approaches.
[1] https://www.gov.ca.gov/2023/10/10/governor-newsom-signs-legislation-10-10-23/ [2] Sec. 1798.99.86(a). [3] Sec. 1798.99.86(a)(2). [4] Section 1798.99.82 of the Civil Code is amended to read: 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
0
Close-up photograph of a fingerprint.

An overview of biometrics laws in the U.S.

[Updated: September 27, 2023] In addition to state comprehensive privacy laws, state legislatures are increasingly interested in regulating the collection, use, and possession of biometric data. It is therefore imperative for startups and businesses to remain informed of the potential laws that may apply and when. Readers are encouraged to review the following enacted and enforceable biometric laws, and to reach out if concerned that one such law may apply. We will continue monitoring the biometric legislation landscape and will update this resource accordingly.

ILLINOIS

Law: Biometric Information Privacy Act (“BIPA”) Applies to: Any individual, partnership, corporation, limited liability company, association, or other group, however organized, that possesses, collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information of Illinois residents. Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry; or
  • Biometric information: Any information, regardless of how it is captured, converted, stored, or shared, based on an individual biometric identifier and used to identify an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per collection, possession, etc., in violation of the law.

MARYLAND

Law: Labor and Employment Code § 3-717 Applies to: Maryland employers that use facial recognition services for purposes of creating a facial template during an applicant’s interview for employment. Covers:
  • Facial template: Machine-interpretable pattern of facial features that is extracted from one or more images of an individual by technology that analyzes facial features and is used for recognition or persistent tracking of individuals in still or video images.
Enforcement: Maryland Department of Labor.

MONTANA

Law: Facial Recognition for Government Use Act Applies to: Third-party vendors contracting with Montana state or local government agencies for the provision of facial recognition services. Covers:
  • Facial biometric data: Data derived from a measurement, pattern, contour, or other characteristic of an individual’s face, either directly or from an image.
Enforcement: Montana Attorney General can bring enforcement actions, with damages starting at $10,000. The law provides individuals with a private right of action, and violations can amount to $1,000 per violation.

NEW YORK

Law: N.Y. LAB. LAW § 201-aA Applies to: New York employers that fingerprint employees as a condition of securing employment or of continuing employment. Covers:
  • Fingerprints: The law does not define what constitutes a fingerprint, but New York State Department of Labor RO-10-0024 states: “instruments that measure the geometry of the hand are permissible under the Labor Law so long as they do not scan the surface details of the hand and fingers in a manner similar or comparable to the scanning of a fingerprint.”
Enforcement: New York State Department of Labor.
Law: NYC Admin Code §§ 22-1201-1205 Applies to: Places of entertainment, retail stores, or food or drink establishments in New York City that collect biometric identifier information from customers. Covers:
  • Biometric identifier information: Physiological or biological characteristics that are used by or on behalf of a place of entertainment, a retail store, or a food or drink establishment, singly or in combination, to identify, or assist in identifying, an individual.
Enforcement: The law provides individuals with a private right of action, and violations can amount to $5,000 per violation.

OREGON

Law: Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050 Applies to: Any individuals and non-government entities in the city of Portland, prohibiting them from using face recognition technologies in any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation, or otherwise. Covers:
  • Face recognition: Automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository.
Enforcement: The law provides individuals with a private right of action , and violations can amount to $1,000 per day for each day of violation.

STATE COMPREHENSIVE PRIVACY LAWS

Laws: Applies to: Each state comprehensive privacy law features various thresholds of applicability. Please see our overview of state comprehensive privacy laws for more information on those thresholds. Covers:
  • Biometric data: Generally means an individual’s physiological, biological, or behavioral characteristics that is used or is intended to be used to establish or authenticate an individual’s identity.
Enforcement: Most state comprehensive privacy laws are enforced by the state’s respective attorney general, but California also authorizes the California Privacy Protection Agency to enforce California’s state comprehensive privacy law.

TEXAS

Law: Capture or Use of Biometric Identifier (“CUBI”) Applies to: Any individuals and non-government entities capturing biometric identifiers of Texas individuals for a commercial purpose. (The law does not define what constitutes a “commercial purpose,” but the Texas Attorney General has argued that capturing biometric identifiers to improve or develop products or services constitutes a commercial purpose.) Covers:
  • Biometric identifiers: Retina or iris scans, fingerprints, voiceprints, or records of hand or face geometry.
Enforcement: Texas Attorney General, which can seek fines of up to $25,000 per violation.

WASHINGTON

Law: Biometric Identifiers Law (“BIL”) Applies to: All individuals and non-government entities that collect, use, and retain biometric identifiers from Washington residents. Covers:
  • Biometric identifiers: Data generated by automatic measurements of an individual’s
    • biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or
    • other unique biological patterns or characteristics that is used to identify a specific individual.
Enforcement:  Washington Attorney General under the state’s consumer protection act.
Law: My Health, My Data Act (“MHMDA”) Applies to: All legal entities of any size that conduct business in Washington state or produce or provide products or services targeted to individuals in Washington, and alone or jointly collects, processes, shares, or sells consumer health information. Covers:
  • Consumer health information: Personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.
Enforcement: Washington Attorney General can bring enforcement actions under the state’s consumer protection act. In addition, the law provides individuals with a private right of action.
0
Flag of California, depicting a large brown bear beside a red star, above the words "California Republic."

CCPA + CPRA Timeline of Key Events

[Updated: August 30, 2023] As the first comprehensive state privacy law to provide broad consumer rights over personal information, the California Consumer Privacy Act of 2018 (“CCPA”) is a groundbreaking privacy law in the United States, and it paved the way for subsequent state comprehensive privacy laws. However, the road to progress is rarely smooth, and the CCPA has experienced a long and arduous journey toward changing how covered entities handle Californians’ personal information. To capture the breadth of this journey, we created the following timeline, which catalogues key events from the CCPA’s inception to its current state.
  October 12, 2017 – Alastair Mactaggart, Rick Arney, and Mary Stone Ross file a ballot initiative containing the preliminary language of the CCPA.[1] December 18, 2017 – The CCPA is proposed as a ballot proposition by Californians for Consumer Privacy. The California Attorney General approves the initiative’s language, allowing the group to begin collecting signatures to qualify the initiative for the November 2018 election.[2] February 13, 2018 – Assemblymember Ed Chau introduces SB 1121 to the California Senate Committee on Rules, a bill with language similar to the CCPA ballot initiative.[3] May 13, 2018 – Mactaggart’s group, now called Californians for Consumer Privacy, claim they have submitted over 600,000 signatures, surpassing the 366,000 minimum needed to qualify the initiative for the November 2018 ballot.[4] June 22, 2018 – California legislators negotiate an agreement with Californians for Consumer Privacy to pass a substantially similar version of the CCPA in exchange for the withdrawal of the ballot proposition.[5] June 25, 2018 – California Secretary of State Alex Padilla confirms receipt of the required signatures, and will certify the initiative as qualified for the November 2018 ballot.[6] June 28, 2018 – Californians for Consumer Privacy withdraws the ballot initiative.[7] The California legislature approves the CCPA, and California Governor Edmund Brown signs the bill into law.[8] September 13, 2018 – The California legislature passes amendments to the CCPA, clarifying the law’s private right of action and certain other provisions.[9] September 25, 2019 – Alastair Mactaggart, Board Chair and Founder of Californians for Consumer Privacy, files an initiative for the California Privacy Rights Act (“CPRA”) to appear on the November 2020 ballot.[10] Mactaggart hopes the CPRA will modify the CCPA’s statutory language, in part, by providing consumers with additional privacy rights and establishing a new authority dedicated to protecting these rights, the California Privacy Protection Agency (the “Agency”). October 11, 2019 – The California Attorney General releases a notice of proposed CCPA regulations, seeking to clarify the law’s obligations on businesses.[11] California Governor Gavin Newsom signs five CCPA amendments into law:
  • AB 25, which temporarily excludes employment information from many of the CCPA’s requirements until January 1, 2021.[12]
  • AB 874, which excludes “publicly available information” from the definition of personal information and clarifies that deidentified or aggregate information is not personal information.[13]
  • AB 1146, which exempts certain vehicle and vehicle ownership data from the law.[14]
  • AB 1355, which modifies how businesses make privacy rights disclosures to consumer and allows for differential treatment of consumers related to the value of the consumer’s information to the business.[15]
  • AB 1564, which modifies how covered businesses must allow consumers to submit privacy rights requests.[16]
November 13, 2019 – Californians for Consumer Privacy submit the final draft of the CPRA ballot initiative, which includes substantive changes to previous drafts.[17] December 6, 2019 – California Attorney General releases a 250-page document detailing public comments received regarding the CCPA and proposed CCPA regulations.[18] December 17, 2019 – California Attorney General Xavier Becerra releases the title and summary for the CPRA initiative that Mactaggart filed on September 25, 2019.[19] With this release, the Californians for Consumer Privacy group can begin collecting signatures to qualify the CPRA for the November 2020 ballot. January 1, 2020 – The CCPA takes effect.[20] Covered entities have until June before enforcement begins. February 3, 2020 – The first legal complaint citing the CCPA is filed in the Northern District of California. Plaintiffs sue Hanna Andersson and Salesforce.com over a data breach suffered by Hanna Andersson.[21] February 10, 2020 – California Attorney General issues a set of proposed modifications to the proposed CCPA regulations.[22] March 11, 2020 – California Attorney General issues another set of proposed modifications to the proposed CCPA regulations, which includes removing an opt-out icon requirement.[23] March 17, 2020 – A group of advertising companies sends the California Attorney General a letter requesting a delay in CCPA enforcement, citing the COVID-19 pandemic as the reason.[24] May 4, 2020 – Californians for Consumer Privacy announce that they have submitted over 900,000 signatures to qualify the CPRA for the November 2020 ballot.[25] June 1, 2020 – California Attorney General submits the proposed CCPA regulations to the California Office of Administrative Law.[26] June 8, 2020 – Californians for Consumer Privacy file a petition in state court, contending that the California Secretary of State failed to verify the signatures necessary to place the CPRA on the November 2020 ballot. The group requests that the court order the Secretary of State to direct local election officials to report the results of signature sampling and therefore allow the CPRA ballot initiative to be certified in time.[27] June 19, 2020 – A California judge grants Californians for Consumer Privacy’s petition, ordering counties to finish verifying signatures to qualify the CPRA for the November 2020 ballot.[28] June 25, 2020 – The CPRA qualifies for the November 2020 ballot as Proposition 24.[29] July 1, 2020 – The CCPA becomes enforceable by the California Attorney General.[30] August 14, 2020 – The CCPA regulations submitted by the California Attorney General on June 1, 2020, take effect.[31] September 25, 2020 – California Governor Gavin Newsom signs AB 713 into law, establishing new CCPA exemptions for certain types of medical and health information.[32] September 29, 2020 – California Governor Gavin Newsom signs AB 1281 into law, extending CCPA exemptions for employment data and business-to-business data until January 1, 2022, conditional upon the CPRA ballot initiative not being approved.[33] However, the ballot initiative is later approved, and the CPRA amends the CCPA by extending the exemptions to January 1, 2023.[34] November 3, 2020 – California voters approve Proposition 24, the CPRA.[35] The CPRA amends the statutory language of the CCPA, notably by providing consumers with additional privacy rights, establishing enhanced obligations for covered businesses, and establishing a new authority dedicated to protecting these rights, the Agency. [36] The CPRA’s amendments also empower the Agency to implement and enforce the amended CCPA statute, which includes calling on the Agency to adopt implementing regulations by July 1, 2022, with enforcement commencing a year later on July 1, 2023.[37]
NOTE: Regarding the CCPA’s dual enforcement The California Constitution establishes the Attorney General as the state’s chief law officer, vesting the position with broad powers to ensure the state’s laws are uniformly and adequately enforced.[38] This authority includes enforcing the CCPA, which expressly recognizes that the Attorney General may bring civil actions against violators.[39] Yet, in a legislative move that distinguishes California from other states with comprehensive privacy laws, the CCPA (via the CPRA amendments passed on November 3, 2020) also vests the Agency with authority to bring administrative actions against violators.[40] This creates a dual enforcement mechanism: the Attorney General can bring civil actions; the Agency, administrative actions. Both authorities are enforcing the same statutory text of the CCPA and its supplemental regulations, but each authority uses a different procedural means of achieving that enforcement. Furt6hermore, in accordance with its Constitutional authority as chief law officer, the Attorney General can request the Agency stay an administrative action or investigation to allow the Attorney General an opportunity to determine whether to pursue an investigation or action.[41] The Agency cannot do the same to the Attorney General.
January 1, 2021 – Had the CPRA not amended the CCPA’s statutory language, the CCPA’s employment data and business-to-business (“B2B”) data exemptions would have expired on this day. This would have obligated covered businesses to extend privacy rights to employees, contractors, and job applicants.[42] However, the CPRA amendments extended these exemptions to January 1, 2023.[43] March 15, 2021 – Amendments to the CCPA regulations, which had become operative on August 14, 2020, come into effect.[44] June 2021 – California Attorney General commences an enforcement sweep of large retailers to determine whether they violate the CCPA by continuing to sell personal information after a consumer signals an opt-out via Global Privacy Control (“GPC”).[45] October 4, 2021 – Ashkan Soltani is selected as the Executive Director of the Agency.[46] In this role, Soltani must carry out the day-to-day operations of the Agency, which includes building and leading the Agency, overseeing the Agency’s enforcement activities, and building public awareness. October 5, 2021 – California Governor Gavin Newsom signs AB 694 into law, which amends the CPRA’s statutory amendments by clarifying the Agency’s rulemaking authority and changing certain definitions and exemptions.[47] Governor Newsom also signs AB 825 into law, which amends the CCPA’s definition of personal information to include genetic data.[48] October 8, 2021 – California Governor Gavin Newsom signs AB 335 into law, which exempts certain vessel information from the CCPA’s right to opt out.[49] October 21, 2021 – The Agency notifies the California Attorney General that it is prepared to assume rulemaking responsibilities.[50] Rulemaking authority will transfer to the Agency six months after this notice. January 1, 2022 – The CPRA’s 12-month lookback period for collected personal information commences.[51] While the CPRA amendments to the CCPA will not take effect until January 1, 2023, the law provides consumers with the right to know what information a covered business has collected from them going back 12 months (i.e., January 1, 2022). May 5, 2022 – The California Office of Administrative Law (OAL), pursuant to Section 100 of OAL’s regulations, approves the transfer of the existing CCPA regulations to Title 11, Division 6, a new division of the California Code of Regulations that is under the jurisdiction of the Agency.[52] This transfer represents the beginning of the Agency’s rulemaking role.[53] July 1, 2022 – The Agency fails to meet the statutory deadline to finalize and adopt CPRA regulations. However, the CPRA’s statutory amendments to the CCPA become fully enforceable. July 8, 2022 – The Agency releases a notice of proposed CPRA regulations, which will update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA, operationalize new privacy rights and obligations introduced by the CPRA, and consolidate requirements set forth in the law to make the regulations easier to follow and understand.[54] August 23, 2022 – California Attorney General Rob Bonta, based on findings from the June 2021 enforcement sweep, brings a complaint against Sephora, Inc., the French multinational retailer of personal care and beauty products, alleging Sephora violated the CCPA by failing to satisfy its notice obligations under the law, failing to provide a “Do Not Sell . . .” link on its website, and failing to honor opt-out signals sent by consumers using GPC.[55] August 24, 2022 – Sephora agrees to a settlement with the California Attorney General, resolving allegations that the company violated the CCPA.[56] The settlement requires Sephora to pay $1.2 million and, in part, to honor opt-out signals sent by consumers using GPC. August 31, 2022 – The California legislature adjourns without enacting Assembly Bill 1102,[57] which would have extended the CCPA’s employment data and business-to-business (“B2B”) data exemptions to January 1, 2025.[58] The exemptions are set to expire on January 1, 2023. October 27, 2022 – The Global Privacy Assembly votes to admit the Agency as a full voting member.[59] The Global Privacy Assembly is an international forum of over 130 data protection and privacy authorities, and the Agency joins the Federal Trade Commission as the second voting member from the United States. November 3, 2022 – The Agency releases a notice of proposed modifications to the proposed CPRA regulations.[60] January 1, 2023 – The CPRA amendments to the CCPA become fully operational. The CCPA’s employment data and B2B data exemptions expire, making the CCPA’s privacy rights applicable to employees, contractors, and job applicants.[61] February 3, 2023 – The Agency votes to adopt and approve the CPRA regulations.[62] February 10, 2023 – Pursuant to the CPRA amendments directing the Agency to issue regulations, the Agency issues an invitation for preliminary comments on proposed rulemaking on cybersecurity audits, risk assessments, and automated decision making.[63] February 14, 2023 – The Agency files the final CPRA regulations with the California Office of Administrative Law, initiating a 30-business day review period.[64] March 30, 2023 – The California Office of Administrative Law approves the CPRA regulations, making them effective immediately and leaving covered businesses with only three months to satisfy the requirements before the original July 1, 2023 enforcement date.[65] Later that day, the California Chamber of Commerce brings suit against the Agency, seeking a delay of enforcement of the CPRA regulations for a period of one year.[66] May 12, 2023 – The Asia Pacific Privacy Authorities (“APPA”) vote to admit the Agency as a member.[67] The APPA provides members with the opportunity to exchange best practices related to the management of privacy inquiries and complaints, and the Agency joins the Federal Trade Commission as the second member organization from the United States. June 30, 2023 – One day before the CPRA regulations would have become enforceable, the Sacramento County Superior Court grants the Chamber of Commerce’s request for an injunction and delays enforcement of the CPRA regulations until March 29, 2024.[68]
NOTE: Leveraging the delay to satisfy the CPRA regulations While the immediate enforcement date of the CPRA regulations remains uncertain due to the Agency’s appeal of the trial court’s injunction, businesses should not see this uncertainty as a reason to ignore the CPRA regulations. The delayed enforcement of the CPRA regulations is exactly that: a delay, not a termination. Businesses should use this time to ensure their practices and policies align with both current requirements and the delayed regulations looming on the temporal horizon. The Agency and the California Attorney General have signaled an eagerness to enforce the stayed regulations and will likely use this time to rev up its Enforcement Division in preparation for the inevitable day when the regulations become enforceable.
July 1, 2023 – Had the Sacramento County Superior Court not granted the Chamber of Commerce’s request for an injunction and delayed enforcement of the CPRA regulations until March 29, 2024, the CPRA regulations would have become enforceable on this day. July 14, 2023 – California Attorney General Rob Bonta announces an investigative sweep through inquiry letters sent to large California employers, requesting information on the companies’ compliance with the CCPA with respect to personal information of employees and job applicants.[69] Same day, the Agency holds a public board meeting at which Michael Macko, Deputy Director of Enforcement at the Agency, announces that, despite the Sacramento County Superior Court decision on June 30, 2023, the Agency expects to conduct “vigorous enforcement over the coming year.”[70]
NOTE: Regarding the Agency’s enforcement priorities. Macko added that the Agency will use its prosecutorial discretion to prioritize certain topics and areas. These include:
  • Privacy notices and policies. The statutory language of the CCPA, even before the CPRA amendments, expressly stated what a business must include in their privacy policy disclosures to consumers. As such, Macko said the Agency will focus its enforcement efforts on reviewing whether businesses satisfy the law’s foundational disclosure requirements.
  • Right to delete personal information. Again, even prior to the CPRA amendments, the CCPA required businesses to respect a consumer’s right to delete personal information. Macko described this right as “well established,” and the Agency will review whether and how businesses are complying with this “long-standing” right.
  • Implementation of consumer requests. For years now, businesses covered by the CCPA have had to operationalize both internal and a consumer-facing means of respecting consumer privacy rights requests. As such, the Agency will focus its efforts on reviewing how businesses have actually implemented means of respecting these requests. Specifically, the Agency will analyze whether a business has implemented “barriers” to prevent consumers from actualizing those rights.
July 31, 2023 – The Agency announces that it will review the data privacy practices of connected vehicle manufacturers and related connected vehicle technology.[71] August 4, 2023 – The Agency and California Attorney General Rob Bonta file a petition with California’s Third District Court of Appeal to overturn the Sacramento County Superior Court decision that imposed a 12-month delay on enforcement of the CPRA regulations.[72] August 9, 2023 – The Dubai International Financial Centre (“DIFC”) issues an adequacy determination establishing the CCPA’s equivalence with the DIFC’s data protection law.[73] Although the DIFC and its data protection law are limited in jurisdiction and applicability, this adequacy determination sets precedent of an international authority granting adequacy status to a state within the United States. August 29, 2023 – CPPA releases draft cybersecurity audit and risk assessment regulations, which will be discussed during their September 8 board meeting.[74] March 29, 2024 – Expected date when the Agency and the California Attorney General can enforce the CPRA regulations.  
[1] https://www.oag.ca.gov/system/files/initiatives/pdfs/17-0039%20%28Consumer%20Privacy%20V2%29.pdf. [2] https://www.sos.ca.gov/administration/news-releases-and-advisories/2017-news-releases-and-advisories/proposed-initiative-enters-circulation39. [3] https://leginfo.legislature.ca.gov/faces/billHistoryClient.xhtml?bill_id=201720180SB1121. [4] https://www.nytimes.com/2018/05/13/business/california-data-privacy-ballot-measure.html. [5] https://iapp.org/news/a/california-legislature-reaches-tentative-agreement-on-consumer-privacy-rules/. [6] https://www.sos.ca.gov/administration/news-releases-and-advisories/2018-news-releases-and-advisories/new-measure-eligible-californias-november-2018-ballot7/. [7] https://iapp.org/news/a/california-passes-landmark-privacy-legislation/. [8] https://leginfo.legislature.ca.gov/faces/billHistoryClient.xhtml?bill_id=201720180AB375. [9] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121. [10] https://www.caprivacy.org/a-letter-from-alastair-mactaggart-board-chair-and-founder-of-californians-for-consumer-privacy/. [11] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-nopa.pdf. [12] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB25. [13] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB874. [14] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1146. [15] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1355. [16] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1564. [17] https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf. [18] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-comments-45day-pt4.pdf. [19] https://www.caprivacy.org/ca-attorney-general-becerra-releases-the-title-and-summary-for-initiative-to-protect-consumer-privacy/. [20] https://www.theguardian.com/us-news/2019/dec/30/california-consumer-privacy-act-what-does-it-do. [21] https://www.law360.com/cases/5e39a9d5babd2503b3d79986. [22] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-mod-redline-020720.pdf. [23] https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf. [24] https://www.law360.com/articles/1255181/attachments/0. [25] https://www.caprivacy.org/californians-for-consumer-privacy-submits-signatures-to-qualify-the-california-privacy-rights-act-for-november-2020-ballot/. [26] https://oag.ca.gov/news/press-releases/attorney-general-becerra-reminds-consumers-data-privacy-rights-under-california. [27] https://media.mcguirewoods.com/publications/2020/Alastair-Mactaggart-complaint.pdf. [28] https://elections.cdn.sos.ca.gov/ballot-measures/pdf/1879-court-order.pdf. [29] https://www.caprivacy.org/california-privacy-rights-act-cpra-qualifies-for-the-november-2020-ballot/. [30] https://oag.ca.gov/privacy/ccpa/enforcement. [31] https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf. [32] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB713. [33] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB1281. [34] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.145. [35] https://www.vox.com/policy-and-politics/2020/11/3/21546835/california-proposition-24-live-results-data-privacy. [36] Cal. Civ. Code sec. 1798.199.10. [37] Cal. Civ. Code sec. 1798.185(d). [38] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CONS&sectionNum=SEC.%2013.&article=V [39] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.199.90. [40] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.199.40. [41] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.199.90. [42] CCPA (pre-CPRA amendments), sec. 1798.145(n)(3). [43] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.145. [44] https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf. [45] https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf. [46] https://cppa.ca.gov/announcements/2021/20211004.html. [47] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB694. [48] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB825&search_keywords=privacy. [49] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220AB335&search_keywords=privacy. [50] https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf. [51] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130. [52] https://cppa.ca.gov/regulations/pdf/2022032_02nr_approval.pdf. [53] https://cppa.ca.gov/announcements/2022/20220525.html. [54] https://cppa.ca.gov/announcements/2022/20220708.html. [55] https://oag.ca.gov/system/files/attachments/press-docs/Complaint%20%288-23-22%20FINAL%29.pdf. [56] https://oag.ca.gov/system/files/attachments/press-docs/Filed%20Judgment.pdf.pdf. [57] https://image.uschamber.com/lib/fe3911727164047d731673/m/24/RN2220645_rn2220645_distprint.pdf?utm_source=sfmc&utm_medium=email&utm_campaign=&utm_term=Data+Privacy+WG+Note+8.26.22&utm_content=8/26/2022. [58] https://iapp.org/news/a/ccpa-cpra-grace-period-for-hr-and-b2b-ends-jan-1/. [59] https://cppa.ca.gov/announcements/2022/20221027.html. [60] https://cppa.ca.gov/regulations/pdf/20221102_15_day_notice.pdf. [61] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.145. [62] https://cppa.ca.gov/announcements/2023/20230330.html. [63] https://cppa.ca.gov/regulations/pre_rulemaking_activities_pr_02-2023.html. [64] https://cppa.ca.gov/announcements/2023/20230330.html. [65] https://cppa.ca.gov/announcements/2023/20230330.html. [66] California Chamber of Commerce vs. California Privacy Protection Agency (March 30, 2023) 34-2023-80004106-CU-WM-GDS (complaint). [67] https://cppa.ca.gov/announcements/2023/20230512.html. [68] https://www.metaverse.law/wp-content/uploads/2023/08/CU_34-2023-80004106-CU-WM-GDS_a47a4e35-7157-4304-815c-de5b2bf90f308.pdf. [69] https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance. [70] https://www.youtube.com/watch?v=jmcrOWAeLAI. [71] https://cppa.ca.gov/announcements/2023/20230731.html. [72] https://cppa.ca.gov/announcements/2023/20230804.html. [73] https://cppa.ca.gov/announcements/2023/20230809.html. [74]https://cppa.ca.gov/meetings/materials/20230908item8.pdf & https://cppa.ca.gov/meetings/materials/20230908item8part2.pdf.
0
Image of computer circuitry in a harsh red tint.

The Risks of LLMs and Generative AI

[Modified version originally published as International Insights Article: Privacy implications for organizations using generative AI, by Lily Li, on OneTrust DataGuidance, June 2023.] Well, the cat is out of the bag – or at least the chat is. Generative AI and large language models (“LLMs”) are here to stay. From philosophical conversations between the dead to Murakami-inspired artworks for downtown LA, the possibilities of user-friendly AI are limitless. Regulators are scrambling to enforce existing legislation and enact new legislation to contain this trend. But, like all enforcement, it will take time. As a result, many companies are moving quickly to adopt and deploy these tools, testing the legal and ethical boundaries of AI. To stay competitive, companies should not wait for data protection regulators to play cat-and-mouse games with these nascent technologies. Instead, companies need to be proactive and adopt strategies to implement transparent and trustworthy AI – not just to avoid lawsuits and regulatory fines – but to protect their data and their brands. Companies also need to be able to account for the data they input into their generative AI or LLM algorithms, or else risk destruction of these algorithms altogether. In this article, we’ll discuss the latest privacy and security risks from generative AI and LLMs, a few of the existing privacy laws that apply to these technologies, and the potential for algorithmic disgorgement or deletion in response to privacy violations.   Social Engineering and Identity Verification Generative AI has clearly passed the Turing test. From all outward appearances, companies and their employees cannot tell the difference between human-generated and AI-generated text. This makes it easier for traditional phishing emails and other scams to look legitimate to readers — making it far more likely for employees to click on malicious links and download malware. Going one step further, generative AI can create realistic identities. From resumes to cover letters, online social media profiles to sample work product, these tools can improve a threat actor’s ability to pass itself off as a well-rounded individual, bypassing normal screening tools and even HR processes. In this era of remote work, it is easy to imagine malicious actors getting onboarded and hired due to their made-up “skills” and turning into insider threats once they gain access to company systems. This risk increases for companies that rely on virtual assistants and employees, where there are even fewer external validations of identity. While companies often rely on phishing training and cyber insurance to mitigate traditional cyber-attacks, this is not enough going forward. Many cyber insurance policies exclude social engineering attacks, exclude activities involving managers or other high-level employees, or confine social engineering and phishing attacks to technological attacks and not traditional identity theft, crime, and fraud. Consequently, companies should consider AI-based email filtering systems and EDR/MDR systems to combat sophisticated phishing attacks. Security awareness training should extend beyond phishing training and include identification verification and reporting of suspicious activity across the organization. Companies should also consider HR and other vendor onboarding policies to include in-person vetting or other external validation for recruiting and outsourcing.   Privacy and DSAR Risks
  • Is Processing of Personal Data for Generative AI Lawful?
Large language models, and similar machine learning tools, have a privacy problem. All these systems rely on processing vast quantities of public and sometimes proprietary data to generate responses and analysis. Absent further safeguards, these inputs will likely contain personal data. Which then begs the question, where does this data come from and is the processing lawful? This question came to a head recently in Italy, where data protection authorities issued a temporary ban on ChatGPT,[1] citing OpenAI’s failure to provide transparent notices regarding how it processes the personal data of users and data subjects (required under Articles 12, 13, and 14 of the GDPR). More importantly, the authorities found no legal basis under Article 6 of the GDPR for the collection and processing of personal data to train OpenAI’s algorithms. Impacted data subjects did not consent to the processing and, reading between the lines, OpenAI’s legitimate interest was an insufficient basis for processing given the: (i) failure to provide notice; (ii) inability to correct and delete data; and (iii) heightened privacy risks for children due to the lack of age verification techniques. OpenAI subsequently addressed Italy’s concerns in sufficient detail to resume services,[2] but it remains unclear whether other data protection regulators in the EU will also confront OpenAI over the GDPR’s transparency and lawful bases requirements. If businesses utilize generative AI and LLMs, they should be prepared to provide compliant privacy notices to data subjects, and either obtain their explicit consent or conduct a legitimate interest analysis prior to submitting any personal data to AI or LLM platforms. These data privacy risks also exist in the United States. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (“CPRA”), also requires businesses to provide transparent privacy notices and privacy rights to individuals. In addition, CPRA has imported the GDPR concepts of data minimization and proportionality. Personal data processing needs to be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.”[3] Consequently, companies should be wary of taking existing datasets containing personal information and running them through generative AI systems, if this use runs contrary to the expectations of data subjects when they originally submitted the data. Companies may need to re-evaluate their privacy notices and provide further notices regarding AI processing. Furthermore, both GDPR and the CPRA (and similar US state laws) require covered organizations to give individuals the right to opt out of automated processing or automated decision-making, including profiling.[4] While California lawmakers have yet to issue regulations concerning automated decision-making, it will likely align with GDPR concepts. This means that individuals will have the right to opt-out of AIs making decisions that have legal effects, such as those surrounding employment, housing, or access to services and benefits. So, for those who are wondering, you can’t have chatbots all the way down — eventually, there needs to be a human decisionmaker at the end of the line.  
  • Who Owns the Data? Privacy Rights to Correct and Delete
Generative AI and LLMs also call into question the ownership and control of personal data. GDPR, CCPA, HIPAA, and GLBA, among other regulations, require covered entities to obtain contractual commitments with vendors that process personal data, PHI, or NPI on their behalf.[5] By giving company personal data to an AI system absent formal review, companies may be in violating these laws, trading away the privacy of their customers, and giving up valuable IP to third parties. To combat this problem, companies should always read the terms and privacy policies of any new AI and LLM tools to confirm, as an initial step:
  • The company owns all content provided to the AI system and any output generated by the AI
  • The AI provider will provide appropriate technical and organizational measures to protect personal data
  • The AI provider will maintain the confidentiality of data and limit use of the data to those purposes disclosed by the AI provider (and similarly, disclosed by the company to the relevant data subjects)
  • The AI provider will assist the company in responding to privacy requests, including those that require correct and deletion of personal data
  • The AI provider has appropriate data transfer mechanisms in place if personal data will cross borders
Assuming the generative AI or LLM terms and privacy policies cover the items above, the company may need to negotiate additional clauses under GDPR, CCPA, HIPAA, and GLBA depending on whether regulated data is provided to these platforms. If these contractual commitments do not exist, then companies should consider policies prohibiting the disclosure of personal or proprietary data — or else risk unauthorized access or even public disclosure of this information. Even if the terms and privacy policies guarantee the confidentiality of data, companies should still validate whether the generative AI or LLM model appropriately de-identifies or anonymizes personal data or proprietary data when it improves its language models. One of the most concerning issues with generative AI is its inexplicability — often the programmers creating the model do not even understand how the AI is generating its output. Thus, even if a data subject submits a deletion or correction request, it is unclear whether this request will be propagated through the model to remove/amend information that was previously fed into the model. Consequently, companies should test any generative AI or LLM model to confirm whether identifiable data is output from the model, based on test inputs. Finally, even if a company does not input personal information into a generative AI or LLM platform, employees may be tempted to use these platforms to research or create media about a known individual. Unfortunately, generative AI regularly creates false information about individuals. At best, this may trigger notification to data subjects under Article 14 of the GDPR “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” — so they are aware of the processing and can exercise any privacy rights. At worst, publication of this personal data may be grounds for a defamation lawsuit. Once again, companies need to implement robust identity verification and external validation of AI output concerning personal data.  
  • Children’s Privacy
The impact of generative AI and LLM products on children will be tremendous, given the ease and accessibility of chatbots, and the vast potential for personalized education, gaming, and social services. Companies operating in this space should pay close attention to children’s privacy rules that may impact their use or provision of generative AI and LLM products and services. California’s Age-Appropriate Design Code, modeled after the UK’s Age appropriate design code, for instance, requires data protection impact assessment and a “high level” of privacy for online providers of services, products, or features that are “likely to be accessed by children.”[6] This law covers children under the age of 18. In addition, COPPA – a US federal privacy law – requires clear and conspicuous privacy notices and affirmative consent by parents prior to collection of personal information from children under 13. Companies that offer products and services that may be attractive to children will need to implement these heightened privacy requirements, or in the alternative, implement robust age-gating techniques.   Regulatory Enforcement and Algorithmic Disgorgement Once an AI system is trained on bad data, can it be saved? According to the U.S. Federal Trade Commission (FTC) – perhaps not. While there is currently no comprehensive federal legislation in the United States governing privacy or AI, the FTC does have the ability to regulate “unfair and deceptive acts or practices in or affecting commerce.”[7] The FTC has interpreted its enforcement power to include unfair and misleading practices regarding the collection and use of personal data – including, for example, actions against Cambridge Analytica for harvesting of Facebook user data, and against GoodRx Holdings for its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.[8] The FTC’s scrutiny of privacy and security practices extends to AI. In January 2021, the FTC entered a settlement order with photo storage service, Everalbum, over allegations that it deceived consumers about its use of facial recognition technology.[9]  While Everalbum allegedly represented that it would not apply facial recognition to users’ content unless they opted-in, it applied facial recognition technology by default for most users without any ability to turn this feature off. As part of the settlement order, the FTC required Everalbum to delete all facial recognition models or algorithms developed with Everalbum users’ photos or videos. More recently, the FTC required algorithmic destruction in an action against WW International, Inc., formerly known as Weight Watchers, and a subsidiary called Kurbo, Inc.[10] According to FTC Chair Lina Khan, “Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information….Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.” Thus, AI companies face potential deletion or disgorgement of their algorithms if they collect personal data in an unfair or deceptive manner. While it may be tempting to amass larger and larger datasets to build the best algorithms, companies that rely on improper collection of data may find themselves bereft of their most valuable intellectual property.   Move Deliberately and Create Things Generative AI and LLMs do not operate in a vacuum. They derive from the voices, both inspired and insipid, from all corners of the world wide web. And they create fabulous and fabulously weird content. We encourage companies to take advantage of generative AI and LLMs to create the next generation of personalized education, medicine, and creative exploration. At the same time, we encourage companies to be mindful of the existing rules that protect our privacy, so that transparent and trustworthy AI can be the foundation of these new creations.  
[1] https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9870847 [2] https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9881490#english [3] Cal. Civ. Code Section 1798.100(c) [4] GDPR, Article 22; Cal. Civ. Code Section 1798.185(a)(16) [5] See, e.g., GDPR, Article 28; Cal. Civ. Code Section 1798.140(ag)(1); 45 CFR Section 164.504(e)(Business Associate requirements under HIPAA) [6] Cal. Civ. Code Section 1798.99.31(a) [7] 15 U.S.C. Sec. 45(a)(1) [8] See https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement for a list of FTC enforcement actions concerning privacy and cybersecurity [9] https://www.ftc.gov/news-events/news/press-releases/2021/01/california-company-settles-ftc-allegations-it-deceived-consumers-about-use-facial-recognition-photo [10] https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive
1 8 9 10 11 12 28