Global Data and Cyber Handbook

United States

Select a Topic
Start Comparison
Artificial Intelligence, Profiling and Automated Decision Making
Jump to
Artificial Intelligence, Profiling and Automated Decision Making Start Comparison
Are there any restrictions or requirements related to creating profiles of data subjects or utilizing automated decision-making for decisions related to data subjects, including with respect to artificial intelligence?

Last review date: 31 December 2024

Yes.

The restrictions or requirements are as follows:

☒   qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them

☒   right to information / transparency requirement

☒   to request human review of the automated decision making

☒   other. 

In 2018, California enacted a "Bot Disclosure Law," effective from July 2019, under which online service providers must disclose the deployment of AI tools for online chats to prevent misleading consumers about whether they are communicating with a human or a machine. Utah enacted similar disclosure obligations in the Utah Artificial Intelligence Policy Act, which took effect in May 2024.

Under the CCPA, certain disclosures of personal information used to build consumer profiles must be disclosed and may be subject to a right to opt-out. The California Privacy Protection Agency is developing regulations on the processing of personal information for automated decision-making. Similarly, under some laws, such as the VCDPA and CPA, consumers have the right to opt-out of the use of their data for profiling purposes. Furthermore, under both of the same statutes, companies must carry out data protection impact assessments (DPIAs) on processes that involve processing data for the purpose of profiling consumers and other circumstances. As such, if AI is used in connection with targeted marketing, certain profiling, processing of sensitive personal data, or for purposes of making decisions with legal or substantially similar effects, there are obligations under these statutes to conduct and document a DPIA that meets local requirements.

Emerging AI laws include the right to request human review of automated decision making. For example, Colorado's Artificial Intelligence Act, due to take effect in February 2026, will require deployers using high-risk AI systems to make adverse consequential decisions concerning customers to provide such customers with a notice setting out the principal reason(s) for the consequential decision, information on how to correct any personal data inaccuracies that influenced the decision and how to appeal the decision, where the appeal must, if technically feasible, allow for human review.

If such restrictions or requirements exist, are they subject to any exceptions?

Last review date: 31 December 2024

Yes. For example, the CCPA contains numerous exceptions and exemptions in deference to federal laws and the VCDPA contains exceptions regarding the kinds of "profiling" of consumer data allowed under the statute. Certain exceptions also apply to Colorado's Artificial Intelligence Act notice appeal provisions, including those for technical feasibility and the best interest of the consumer.

Has the data privacy regulator issued guidance on data privacy and artificial intelligence, automated decision-making or profiling?

Last review date: 31 December 2024

Yes

If yes, please provide brief details and a link.

The FTC has issued guidance on AI. The California Privacy Protection Agency is currently soliciting public comment on its draft regulations that would, if enacted in their current form, impose transparency, opt-out, privacy impact assessment and other requirements on the use of AI and automated decision-making tools in certain circumstances. Read our most recent update here.

Has the data privacy regulator taken enforcement action in relation to artificial intelligence, including automated decision-making or profiling?

Last review date: 31 December 2024

☒  Enforcement activity against AI developer(s)

☒  Enforcement activity against AI user(s)/deployer(s)

☒  Enforcement activity under existing privacy, consumer protection or anti-discrimination law

☒  Enforcement activity by data or cyber regulator

☒  Enforcement activity by another regulator but relevant to AI, data or cyber compliance

Do other (non-personal data or cybersecurity) laws or regulations impose restrictions on use of artificial intelligence, automated decision-making or profiling?

Last review date: 31 December 2024

☒   Yes, laws in force

☒   Draft legislation in progress

☒   Proposal for legislation or regulation at an early stage

☒   Non-binding guidance or principles issued or in progress

If yes, please provide brief details and a link.

There are numerous laws, regulations, judicial orders, executive orders and regulatory guidance documents in the US governing or addressing AI-related privacy topics.

For example, California enacted more than a dozen new AI-specific laws on concrete topics, including AB 2013 (Generative artificial intelligence: training data transparency), requiring developers of generative AI systems to publicly disclose information about the datasets used to train their models; SB 942 (California AI Transparency Act), requiring large AI developers to include watermarks for AI-generated content as well as provide tools for users to identify such content; AB 3030 (Health care services: artificial intelligence) requiring healthcare providers to disclose AI-generated patient communications that involve clinic information; SB 1120 (Health care coverage: utilization review) prohibiting health plans and insurers from using AI or other algorithms to supplant health care provider decision-making.

{{ $store.state.loadingScreen.message }} ...