In this paper, we examine requirements regarding automated decisionmaking and profiling included in comprehensive state privacy laws. This report also explores notable state-level AI regulations. Our goal is to help state lawmakers and policymakers in the US advance the principles of privacy and data protection in a more consistent and manageable way.
Key recommendations include:
- Lawmakers and regulators should avoid forcing organizations to create separate opt-out mechanisms for each state, which results in an inefficient use of resources and time that could be better allocated to implementing meaningful privacy protections.
- Lawmakers and regulators should clarify whether and to what extent human intervention in the automated process will exempt the processing activity from falling within the scope of profiling rules, with the aim of greater consistency between global and domestic requirements.
- Organizations need illustrative examples of profiling producing legal or similarly significant effects and parameters for the threshold to be reached. This will provide clarity and consistency to organizations, although they should also be able to rebut the presumption of those examples producing legal or similarly significant effects in practice.
- States’ transparency and notice disclosure requirements should be principles-based, given that there are countless AI contexts and appropriate transparency may look very different for different AI applications.
- Privacy rules should not be interpreted by state lawmakers and regulators in a way that requires organizations to provide “full transparency” of algorithms (i.e. disclosure of source code or extensive descriptions of the inner workings of algorithms, including scoring models) when responding to a consumer’s access request.
- As additional states begin to pass AI regulations, organizations are proactively working to develop and implement a global AI baseline that considers emerging requirements, as well as leading regulations and standards such as the EU AI Act and the NIST Risk Management Framework. However, there is growing concern about the feasibility of managing such a strategy in the near future, particularly with signals of a forthcoming wave of state-level AI regulation, each with unique definitions, requirements, and standards.