Many employers have begun using artificial intelligence (AI) tools supplied by third-party vendors. On May 18, 2023, the Equal Employment Opportunity Commission (EEOC) provided guidance indicating that, in its view, employers are generally liable for the outcomes of using selection tools to make employment decisions. 

The EEOC’s new technical guidance titled, “Assessing Adverse Impact in Software, Algorithms, and Artificial Intelligence Used in Employment Selection Procedures Under Title VII of the Civil Rights Act of 1964,” details how the EEOC understands Title VII to apply to the use of algorithmic decision-making tools in employment decisions.

Read the full Update here.

As detailed in Part 1 of this ongoing series, Washington Governor Jay Inslee signed the state’s My Health My Data Act into law on April 27, 2023. The act is a first-of-its-kind law that creates new privacy protections relating to the collection, sharing, and selling of “consumer health data.” Most of the provisions of the act take effect on March 31, 2024. However, small businesses have an additional three months to come into compliance. Importantly, some provisions of the law may take effect earlier, including the restrictions related to geofencing, which become effective on July 23, 2023.

In this installment, we provide an overview of the consumer rights bestowed by the act and the obligations it imposes upon regulated entities and small businesses. Additionally, we identify some of the more important ambiguities and uncertainties of the act and provide key takeaways for organizations seeking to comply.

Read the full Update here.

On Thursday, May 11, 2023, the Federal Trade Commission hosted a panel to discuss questions relating to the cloud computing industry. As we’ve previously covered, the FTC is currently seeking public comment as part of a Request for Information regarding cloud computing business practices. In part, the goal of the panel was to identify issues the FTC should explore in its RFI.

Continue Reading FTC Hosts Panel Regarding Cloud Computing Business Practices

The New York City Department of Consumer and Worker Protection (DCWP) adopted final rules for Local Law 144 on April 6, 2023. This landmark law prohibits employers from using automated employment decision tools (AEDTs) to evaluate job candidates or employees when making employment decisions, unless certain bias audit and notice requirements are met. Enforcement of the law will begin on July 5, 2023.

Click here to read entire Update.

As the hype about generative artificial intelligence (AI) has grown, the Federal Trade Commission (FTC) has made clear that it intends to be at the forefront of federal agencies working to ensure the responsible use of AI. In just the last few months, it has spoken repeatedly about AI, issuing multiple warnings about the risks of AI technology. In many respects, this is not new terrain for the FTC. Since at least 2016, the FTC has cautioned about the potential for machine learning and AI algorithms to lead to discrimination against protected classes. The FTC recently reiterated those concerns and cautioned businesses about the use of generative AI to spread manipulative, fraudulent, or unsubstantiated content.

Continue Reading The FTC Can’t Stop Talking about AI

On April 27, 2023, Washington Governor Jay Inslee signed into law House Bill 1155, also known as the My Health, My Data Act. Its stated purpose is to protect “consumer health data” collected by entities not already subject to the federal Health Insurance Portability and Accountability Act, but one less obvious consequence of the Act is that it may make Washington state a new hot spot for class-action litigation involving biometric privacy.

Read the full Update here.

The fast-developing innovations brought by generative artificial intelligence (AI) are hastening calls from industry and government to consider new regulatory frameworks. The EU was in the process of implementing its AI Act, first proposed on April 21, 2021 (as we previously summarized), before generative AI chatbots were widely released. While the EU’s AI Act was touted as the world’s first and most comprehensive regulatory framework, some observed that it risked being outdated before it was set to become legally effective. Since the initial proposal, the European Commission (the Commission), the Council of the European Union, and the European Parliament have been working on modifying and refining the initial draft, including most recently to consider the implications of generative AI.

Click here to read the full Update.

Indiana Governor Eric Holcomb signed Senate Bill 5 on May 1 (effective January 1, 2026), making Indiana the seventh state to offer comprehensive privacy protections. Indiana’s new law appears to closely track Virginia’s omnibus privacy law. The law will apply to a person that conducts business in Indiana or produces products or services targeted to Indiana residents, and that meets either of the following requirements in a calendar year: (1) controls or processes the personal data of 100,000 consumers (defined as residents of Indiana “acting only for a personal, family, or household purpose”); or (2) controls or processes personal data of at least 25,000 consumers with more than 50% of annual gross revenue derived from the sale of personal data.

Similarly, both Tennessee and Montana appear to be imminently close to enacting their own state comprehensive privacy bills. The Tennessee and Montana legislatures each passed their own state bills on April 21, 2023, and each bill is expected to be signed into law by the respective governor soon.

Below, we look at some of the key similarities and differences between the new Indiana privacy law compared with the other six state omnibus privacy laws. We also highlight the key provisions of the Tennessee and Montana bills that are expected to be signed into law soon.

Continue Reading Lucky Number 7…8 and 9?: Indiana Passes Privacy Law With Tennessee and Montana Hot on Its Heels

International, federal, and state privacy regulators highlighted their ambitious agendas at the 2023 IAPP Global Privacy Summit in Washington, D.C. They, along with speakers from an array of private organizations, underscored the following takeaways that should be top of mind for businesses:

Continue Reading Ten Takeaways From the 2023 IAPP Global Privacy Summit

The recent dramatic growth of artificial intelligence technologies continues to be a focus of the Biden administration. The National Telecommunications and Information Administration, a federal agency within the U.S. Department of Commerce, recently issued a Request for Comment that seeks public comment on system accountability measures and policies for AI systems, including (1) the definition and objectives of trustworthy AI, (2) the mechanisms, assessments, and other policy considerations for trustworthy AI, and (3) specific questions on AI accountability.

Comments are due on June 12, 2023.

Read more.