USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
AT&T were recently fined USD47 million and USD57 million respectively for violations of their obligation to protect the location information of their wireless customers. State regulators impose fines as well. In August 2022, the California Attorney General announced a USD1.2 million settlement with Sephora, a retailer of personal care and beauty products, resolving allegations that Sephora had not dis - closed that it was selling consumers’ personal information and that it had not recognised con - sumers’ opt-out preference signals regarding the sale of their personal information. In February 2024, the California Attorney Gen - eral entered into a USD375,000 settlement with DoorDash regarding DoorDash’s alleged sale of consumer personal information without provid - ing notice or an opt-out opportunity. 1.5 AI Regulation States have enacted several AI-specific laws. The Utah Artificial Intelligence Policy Act requires deployers of generative AI technology to provide notice that the consumer is interacting with gen - erative AI technology: • upon request from the consumer; • if the interaction involves activity regulated by the Utah Division of Consumer Protection; and • whenever the technology is engaged in an activity requiring a licence from the Utah Department of Commerce. The Colorado Artificial Intelligence Act (CAIA), effective on 1 February 2026, imposes notice, disclosure, risk mitigation and opt-out require - ments on deployers and developers of high-risk AI systems, and requires some disclosures for all
AI systems that engage with consumers. High- risk systems are those that interact with con - sumers and that make, or are a substantial fac - tor in making, consequential decisions regarding employment, insurance, housing, credit, educa - tion and healthcare. The California Generative Artificial Intelligence Training Data Transparency Act, effective on 1 January 2026, will require developers of genera - tive AI systems made publicly available to Cali - fornia consumers to publicly post disclosures regarding data used to train those systems, including whether the datasets include personal information. California’s “unlawful use of bots” law requires notice that a bot is being used to communi - cate or interact with another person in Califor - nia online in order to incentivise a purchase of goods or influence a vote in an election. Bots are defined as automatic online accounts where posts or actions are not “the result of a person”. 1.6 Interplay Between AI and Data Protection Regulations In addition to AI-specific regulations, the general consumer protections in federal and state gen - eral privacy laws as described in 1.1 Overview of Data and Privacy-Related Laws also regulate AI technology through their broad scope. FTC The FTC’s jurisdiction over unfair or deceptive acts or practices applies to AI technology just as it does to other services and industries. Exam - ples of FTC enforcement and priorities related to AI technology include: • requiring entities to implement measures to prevent harm before and after deploying AI technology;
535 CHAMBERS.COM
Powered by FlippingBook