2024 U.S. regulatory enforcement priorities for data & AI

In late 2023 and early 2024, federal and state regulators signaled their enforcement priorities regarding the use of data and AI. These enforcement priorities range from sweeping investigations into entire labor sectors to targeting specific uses of technology.


FEDERAL

FTC. The FTC continues to bring actions against companies over their improper use of AI, raising the enforcement risk for companies that deploy LLMs and generative AI. On March 8, 2024, the Federal Trade Commission (FTC) entered a stipulated order with Rite Aid prohibiting the pharmacy chain from using any machine-based systems to analyze biometric information. A month earlier, the FTC announced proposed rules combating the use of AI to impersonate individuals, which include a potential rule that would declare it unlawful for an AI platform to provide goods or services that the platform knows or has reason to know are being used to harm consumers through impersonation.

SEC. In a surprising regulatory move, the Securities and Exchange Commission (SEC) took action against two entities that made misleading disclosures regarding their use of AI. On March 18, 2024, the SEC announced a $400,000 settlement against two investment advisers for making false and misleading statements about their purported use of AI. The advisers allegedly stated in their SEC filings, in press releases, and on their websites that they were harnessing AI tools in certain ways, when in fact they were not. The SEC also published an AI and investment fraud alert, signaling that it will likely continue monitoring AI-related disclosures.


CALIFORNIA

Data Minimization. On April 2, 2024, the California Privacy Protection Agency (the Agency) released its first Enforcement Advisory notice, emphasizing that covered businesses must apply the principle of data minimization to every purpose for which they collect, use, retain, and share personal information. Specifically, the Agency focused on the principle of data minimization during two scenarios: (1) responding to a consumer’s request to opt-out of sale/sharing and (2) verifying a consumer’s identity. Failure to adhere to the principle of data minimization may constitute a violation of the California Consumer Privacy Act (CCPA) and its regulations.

Amended CCPA Regulations. The amended CCPA regulations were set to take effect and become enforceable on March 29, 2024. These regulations were originally supposed to take effect on March 29, 2023, but the California Chamber of Commerce filed suit on March 30, 2023, arguing that the amended regulations could not enter into force until one year after finalization. The court agreed, effectively pushing the enforcement date back to March 29, 2024. However, a California appellate court subsequently reversed that decision, making the regulations effective immediately.

The Agency and the California Attorney General have indicated that they anticipate aggressively enforcing the new regulations, and since covered entities had nearly an extra year to comply with the new regulations, California regulators may not be lenient in providing cure periods for noncompliance with the new regulations.

Streaming Services. On January 26, 2024, the California Attorney General announced investigative sweeps into “popular streaming apps and devices,” and that it was sending letters to businesses that fail to comply with the CCPA. Specifically, the AG’s sweep focuses on whether streaming services are complying with the CCPA’s opt-out requirements for selling or sharing consumer personal information. The sweep includes analyzing whether the streaming services “do not offer an easy mechanism for consumers who want to stop the sale of their data.” For example, consumers using a SmartTV should be able to easily enable a “Do Not Sell My Personal Information” setting in the streaming service and have that choice honored across different devices.

Connected Vehicles and Related Technologies. On July 31, 2023, the Agency announced investigative sweeps into the data privacy practices of connected vehicle manufacturers and related technologies. The Agency conducted the review under the CCPA and its regulations enforceable at the time, with a focus on whether connected vehicle manufacturers and the like provided consumers with rights under the law (e.g., right to know, right to delete, and right to opt out of sale/share). However, the Agency has not indicated whether the sweep will continue into 2024 as the new regulations take effect, so connected vehicle manufacturers and producers of related technologies should remain vigilant.


COLORADO

Global Privacy Control. In the fall of 2023, the Colorado Department of Law accepted applications for universal opt-out mechanisms (UOOMs) that, under the Colorado Privacy Act (CPA), covered businesses would need to respect as a means for consumers to opt out of the sale of personal data or the sharing of personal data for targeted advertising. In December 2023, the Colorado Attorney General announced that it had selected the Global Privacy Control (GPC) as the UOOM the AG considers valid under the CPA.

Beginning on July 1, 2024, organizations subject to the CPA must ensure they are able to accept consumer opt-out requests made using the GPC, and the AG has announced that it “will prioritize for enforcement” compliance with the Department’s list of acceptable UOOMs.


CONNECTICUT

General Enforcement. On February 2, 2024, the Connecticut Attorney General released a report on the Connecticut Data Privacy Act (CTDPA), which detailed the AG’s enforcement efforts and priorities. Since the CTDPA took effect, the AG has issued cure notices to covered entities in a wide range of industries, including retail, fitness, event services, career services, parenting technologies, and home improvement.

The cure notices identified the following deficiencies:

    • Lacking or inadequate disclosures (e.g., failure to inform consumers completely or sufficiently about their rights under the law);
    • Lacking rights mechanisms (e.g., failure to provide a webpage that enables consumers to opt out of targeted advertising or sale of data);
    • Burdensome rights mechanisms (e.g., rights mechanisms that did not take into account the ways consumers normally interact with the company); and,
    • Broken / inactive rights mechanisms (e.g., non-working links or dead-end mechanisms).

Taken together, the report indicates the AG’s interest in ensuring that covered entities (across a wide range of industries) provide sufficient privacy disclosures and compliant rights mechanisms.


BEST PRACTICES CHECKLIST

As we move through 2024, businesses should consider the following to lower their risk of enforcement actions:

  • Analyze State Privacy Thresholds. Each of the US state privacy laws features its own thresholds of applicability that must be met before a business must comply with the law, so businesses must continually monitor whether they have satisfied any of these numerous thresholds. To help, we have compiled all of the state privacy law thresholds.
  • Create Data Maps. Because state and international privacy laws impose certain obligations on specific types of data (e.g., personal v. sensitive) and processing activities (e.g., using AI for significant decisions), businesses should create data maps to monitor and document their information practices.
  • Respect Opt-Out Signals. Where a state privacy law requires respecting opt-out preference signals, ensure that your websites have implemented a means to recognize and respect such signals, and disclose to consumers that they have the right to use such opt-out mechanisms (e.g., Global Privacy Control).
  • Review Policies. While many of the disclosure requirements of US privacy laws and regulations overlap, there are intricate differences between them, so businesses should review external-facing policies to ensure the disclosures remain accurate and compliant.
  • Conduct DPIAs. Conduct a data protection impact assessment (DPIA) to the extent required by applicable state privacy laws or review existing DPIAs to ensure they remain compliant with applicable laws.
  • Analyze AI Tools. Understand and document how the business uses AI tools, which includes understanding the AI’s inputs and outputs, ensuring appropriate data minimization and IP safeguards are implemented, and analyzing disclosures regarding the use of the AI tools. This includes implementing an internal AI policy that covers whether and to what extent employees can use AI tools.
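As an added illustration (not code from this article) of the “Respect Opt-Out Signals” item and the Colorado GPC requirement above, the following shows how a web backend can recognize the Global Privacy Control signal, which the GPC specification carries in the request header `Sec-GPC: 1`, and record it as an opt-out of sale/sharing. The in-memory consent store, the user identifiers and the sticky-opt-out policy are assumptions for the example; the `/.well-known/gpc.json` body follows the GPC specification’s published format.

```python
"""Recognize the Global Privacy Control (GPC) opt-out signal server-side.

Added example, not the article's code. Per the GPC specification a browser
sends the request header `Sec-GPC: 1`; any other value, or its absence, is
not a signal. Consent store, user ids and opt-out policy are assumptions.
"""
import json
from datetime import date


def gpc_signal_present(headers: dict) -> bool:
    """True only for the exact spec value '1' (header name is case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


class ConsentStore:
    """Minimal in-memory opt-out record. Assumption: a real site would persist
    this against the account so the choice follows the consumer across devices,
    as the streaming-service sweep described above expects."""

    def __init__(self) -> None:
        self._opted_out: dict = {}

    def opted_out(self, user_id: str) -> bool:
        return self._opted_out.get(user_id, False)

    def record_opt_out(self, user_id: str) -> None:
        self._opted_out[user_id] = True


def apply_gpc(headers: dict, user_id: str, store: ConsentStore) -> dict:
    """Treat a valid GPC signal as an opt-out of sale/sharing and return the
    decision the ad/analytics layer must act on. Policy assumption: an opt-out
    is sticky; a later request without the header does not re-enable sharing."""
    if gpc_signal_present(headers):
        store.record_opt_out(user_id)
    return {"user": user_id, "allow_sale_or_share": not store.opted_out(user_id)}


def well_known_gpc(last_update: str) -> str:
    """Body served at /.well-known/gpc.json to declare that the site honors GPC."""
    date.fromisoformat(last_update)  # validate the YYYY-MM-DD date the spec expects
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed sample requests: with the signal, without it, and with a bad value.
    print(apply_gpc({"Sec-GPC": "1", "User-Agent": "x"}, "u1", store))
    print(apply_gpc({"user-agent": "x"}, "u1", store))  # u1 stays opted out
    print(apply_gpc({"Sec-GPC": "0"}, "u2", store))     # "0" is not a signal
    print(well_known_gpc("2024-07-01"))
```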