Minnesota Lawmaker: Existing State Privacy Laws Cover AI Decisions
Almost all comprehensive state privacy laws include enforcement language against AI-related discrimination, so additional efforts to regulate automated decisions could be redundant, Minnesota Rep. Steve Elkins (D) told Privacy Daily in a recent interview.
Sign up for a free preview to unlock the rest of this article
Elkins wrote the Minnesota Consumer Data Privacy Act, which takes effect in July. Gov. Tim Walz (D) signed the bill into law in May. Elkins said almost all state privacy laws borrow language from the Washington Privacy Act, a bill crafted by now-retired Sen. Reuven Carlyle (D). Carlyle’s measure passed in the Senate but failed in the House four years in a row.
Legislators in states like California and Colorado are focused on regulating AI technology. Elkins believes language based on the Fair Credit Reporting Act (FCRA), included in state laws like those in Minnesota, serve consumer needs adequately on AI-related decisions.
“Almost all of us used [Carlyle] as a starting point,” said Elkins. He noted Virginia, Colorado and Connecticut passed versions of the Washington proposal. Legislators thought Carlyle’s was the “best one out there” because “he did an incredible job of vetting his bill.”
Several states are considering AI discrimination bills (see 2501100056). Under existing privacy frameworks around the country, consumers have a right to request and review data related to AI decisions and have it altered or deleted, said Elkins. It’s similar to FCRA language that applies to employment, insurance rates, housing, education or financial services, he said. Almost every state privacy law has the same definition for consumer profiling and consequential decisions, he said: “I don’t think we need to do anything more than that.”
Elkins said he was in a good position in Minnesota to “cherry-pick” bill language from nearly 20 state privacy laws on the books. He borrowed text from Oregon on limitations for Gramm-Leech-Bliley Act exemptions. He also used language from Oregon and Delaware on provisions related to disclosures for data-related companies when they sell. And he borrowed Small Business Administration (SBA) language for definitions of small businesses. Elkins said he followed the lead of Texas Rep. Giovanni Capriglione (R), who included SBA language in his comprehensive privacy bill. The Capriglione bill is “very similar” to what passed in Connecticut, in terms of privacy rights and company responsibilities, Elkins said. Most of the bills introduced and passed in the 2023-24 cycle used Connecticut as a model, he added.
Elkins is participating in the Multistate AI Policymaker Working Group, a coalition of more than 200 state legislators from 47 states led by Connecticut Sen. James Maroney (D) (see 2410310049). Elkins said there’s a surprising amount of uniformity across state privacy laws, and the multistate group is a way to find more common ground on AI regulation. “We’re making a conscientious effort to maintain consistency wherever we can.”