AI 'Not The Wild West' But Regulatory Uncertainty Reigns, Say Lawyers
NEW YORK CITY -- State lawmakers are following up on their comprehensive privacy laws with AI legislation that seeks to regulate consequential decisions, said AI and privacy legal experts at a Perrin Conferences event Wednesday at the New York City Bar Association. Amid general federal inaction, state lawmakers have proposed hundreds of AI bills on a plethora of subjects related to the growing technology, they noted.
“We’re at a moment where artificial intelligence is no longer theoretical or emerging -- it’s operational,” said Tatiana Rice, Future of Privacy Forum (FPF) director of U.S. AI legislation. “As regulators and lawmakers race to catch up … legal professionals have a unique role to play,” including advocating for "responsible innovation.”
Comprehensive privacy bills in about 20 states might address AI considering they all have a right to opt out of profiling, said privacy attorney David Stauss of Husch Blackwell. However, they also tend to exempt the types of organizations that make the most consequential decisions, he added.
For example, state privacy laws frequently include carve-outs for healthcare and financial entities or data covered by federal laws like the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act.
Stauss gave the example of Minnesota state Rep. Steve Elkins (D), who tried to insert language like the Colorado AI Act into the privacy law he authored. However, at the end of the day, “his bill still exempts all of the entities that engage in consequential decision-making,” the lawyer said.
However, comprehensive privacy bills generally “have to go first,” prior to a state passing a law like the Colorado AI Act, said Stauss. “You need to have that foundation of a privacy law to be able to pass an AI law.” It’s easy for the tech industry to argue that a state needs “to button up what your privacy law says because that’s the rules of the road … and then we can worry about AI,” said Stauss. Still, the privacy attorney said he could see “a world five years from now when this has all been fought out and [states] are just passing a package bill.”
Rice agreed. The FPF official noted that many of the Colorado-like AI bills share the same authors as states’ comprehensive privacy laws. “They just end up having a more technical understanding of the technology generally” and the associated policy issues, she said.
Stauss said that many feel uncertain about the AI regulatory landscape, especially after President Donald Trump rescinded several executive orders. Meanwhile, Congress remains on the sidelines, the privacy attorney said. For people in the privacy space, "this is a very, very familiar tune, where the federal government does nothing … and the states are the ones that actually pass the regulation. And that leads to chaos.”
“AI is not the Wild West,” noted Rice. Existing laws still apply to AI, including federal privacy measures like the Federal Credit Reporting Act (FCRA) in the consumer finance space, she noted. And several government agencies have signaled that they will address AI by enforcing civil rights and consumer protection laws, she added.
Despite that, the Trump administration this year has been nixing much federal AI guidance, Rice said. “So there is again this level of ambiguity and gray area, which has almost increased the amount of state activity” to try to “fill that gap.”
The Colorado AI Act has become a framework for other states seeking to regulate high-risk AI processing that is used to make financial, healthcare or other consequential decisions, the speakers noted.
Rice said she’s seen “a focus on algorithmic discrimination that has really been picking up,” taking the Colorado AI law as a model and “copy and pasting” it into blue and red states alike. Connecticut and Texas are states that, despite their political differences, are trying to pass such bills this year. Policymakers are attempting to marry AI regulation with pro-innovation policies that will attract AI investment to their states, she said.
Stauss noted that a legislative working group is considering changes to the Colorado law, highlighting the complexities of regulating AI. The group is considering questions like whether the law should apply broadly to AI or just machine learning and how much a human should be “in the loop” during the automated decision-making process, the attorney said.
However, bills like Colorado’s law are not the only type of AI legislation by a long shot, said Stauss. Their subjects are “all over the place,” though the top two subjects of state bills this year have been healthcare and elections, he said.
Stauss said he has counted 479 state AI bills introduced this year. Of those, 10 were enacted, while two more passed legislatures but still need a governor’s signature, he said. Meanwhile, governors have vetoed two AI bills and conditionally vetoed two others this year. In addition, 28 bills passed one legislative chamber and are still alive, while 90 bills are dead, he said.
Of the 10 AI laws enacted so far this year, eight are in red states and only one was in a solidly blue state, noted Stauss. The remaining law, about government AI usage, was in divided-government Kentucky. Stauss noted that the red state laws have tended to be much smaller in scope than the bills that blue states have tried to pass.
'Very Complex Landscape'
A big challenge for businesses using AI is that they want to “move fast” to adopt the emerging technology without fully thinking through the risks, Richard Lawne, a data protection lawyer at Fieldfisher, said on another panel.
“We haven't fully identified them, we haven't assessed them, we haven't fully evaluated the impact for the business and potential downstream issues,” Lawne said. “So there's this balance at the moment between driving for innovation and then taking the pause and considering the impact.”
Businesses must consider a variety of laws that might apply to AI, including privacy, employment, intellectual property and cybersecurity laws. That’s aside from AI-specific laws like the EU AI Act and various U.S. state privacy laws, which still lack a common approach, he said. Businesses must also consider non-binding principles and guidelines, plus voluntary frameworks and industry standards, he said. However, he said it’s a “false dichotomy” to say that regulation stifles innovation.
“It’s uncertain for everyone,” said Jamie VanDodick, IBM director-AI Ethics and Governance. Businesses are having conversations about how fast they can go, she said. “It’s a very complex landscape right now, both from a technology standpoint and also from a regulatory standpoint.”
It’s important to have a single person in an organization who is driving AI adoption, said Cozen O’Connor lawyer Nicholas Berenato: Maintaining “strong corporate ethics” and internal policies will help organizations move forward in a noisy environment.