Status of AI- specific legislation

On September 12, 2023, the US Senate held public hearings regarding AI⁸, which laid out potential forthcoming AI regulations. Possible legislation could include requiring licensing and creating a new federal regulatory agency. Additionally, US lawmakers held closed-door listening sessions with AI developers, technology leaders and civil society groups on September 13, 2023 in a continued push to understand and address AI.⁹

There are several federal proposed laws related to AI. A non-exhaustive list of key examples includes:

• The SAFE Innovation AI Framework,¹⁰ which is a bipartisan set of guidelines for AI developers, companies and policymakers. This is not a law, but rather a set of principles to encourage federal law-making on AI
• The REAL Political Advertisements Act,¹¹ which aims to regulate generative AI in political advertisements
• The Stop Spying Bosses Act,¹² which aims to regulate employers surveilling employees with machine learning and AI techniques
• The Draft No FAKES Act,¹³ which would protect voice and visual likenesses of individuals from unauthorized recreations from Generative AI
• The AI Research Innovation and Accountability Act,¹⁴ which calls for greater transparency, accountability and security in AI, while establishing a framework for AI innovation. It would create an enforceable testing and evaluation standard for high-risk AI systems and require companies that use high-risk AI systems to produce transparency reports. It also empowers the National Institute of Standards and Technology to issue sector-specific recommendations to regulate them 

State legislatures have also introduced a substantial number of bills aimed at regulating AI, notably:

• On May 17, 2024, Colorado enacted the first comprehensive US AI legislation, the Colorado AI Act. The Act creates duties for developers and for those that deploy AI. The Act focuses on automated decision-making systems and defines a covered high-risk AI system as one that "when deployed, makes, or is a substantial factor in making a consequential decision." There is a specific focus on bias and discrimination, and developer and deployers must use reasonable care to avoid discrimination via AI systems that make, or are a substantial factor in making a consequential decision. The Act will go into effect in 2026 
• The California Consumer Privacy Act,¹⁵ which contains provisions on the use of automated decision-making tools. Additionally, the California Privacy Protection Agency released draft rules on these provisions¹⁶ governing consumer notice, access and opt-out rights with respect to automated decision-making technology, which the rules define broadly. The regulations are still being finalized but will likely cover expanded uses of AI. The draft rules, which are not expected to be formalized until sometime in 2024, would require significant disclosure about businesses’ implementation and use of ADMT
• More than 40 state AI bills were introduced in 2023, with Connecticut¹⁷ and Texas¹⁸ actually adopting statutes. Both of those enacted statutes establish state working groups to assess state agencies’ use of AI systems to ensure they do not result in unlawful discrimination

Other laws affecting AI

Existing legislation has been the primary way in which the US regulates AI as established law, including privacy and intellectual property laws, which are generally applicable to AI technologies. 

Notably, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement noting that "existing legal authorities apply to the use of automated systems and innovative new technologies."¹⁹ As cited above, in February 2024, the Federal Communications Commission applied restrictions in the Telephone Consumer Protection Act on AI-generated voices.

Several states have enacted comprehensive privacy legislation that can also regulate AI. A non-exhaustive list of notable state legislation includes:

• The California Privacy Protection Act, which regulates automated decision-making²⁰
• The Biometric Information Privacy Act in Illinois,²¹ which is very broad and allows for extremely high damages for violations. There is currently pending litigation in the AI context 

Existing intellectual property laws also apply to AI, both with respect to the data AI technologies are trained upon and the outputs of such technologies. For example, with respect to outputs, the US District Court has held that human authorship is an essential part of a valid copyright claim, and the Copyright Office will refuse to register a work unless it was created by a human being."²² There are also numerous cases before the courts in the US alleging copyright infringement, among other things, with respect to training data.²³ 

Several states have also issued executive orders regarding AI. Notably, in California, the Executive Order on Generative AI²⁴ highlights the benefits of Generative AI, but also the need for safety instructing state agencies to examine how AI use for California residents may threaten privacy and security.

Definition of “AI” 

There is no single definition of AI. 

The National Artificial Intelligence Initiative and White House Executive Order on AI define AI as "a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action."²⁵

Many state privacy bills have different definitions of automated decision-making technology or "profiling":

• A recent Texas statute establishing an AI advisory council (HB 2060) defines an "automated decision system" as "an algorithm, including an algorithm incorporating machine learning or other artificial intelligence techniques, that uses data-based analytics to make or support governmental decisions, judgments or conclusions"²⁶ 
• Connecticut’s Public Act No. 22-15 defines "profiling" as "any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements" ²⁷
• The California Privacy Protection Act defines "profiling" as "any form of automated processing of personal information, [...] to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."²⁸

Territorial scope

As noted above, there are currently no comprehensive federal laws that have been enacted to specifically regulate AI. Accordingly, there is no specific territorial scope of federal legislation. However, many existing statutes regulate activities in which AI can be used, and those federal statutes typically apply nationally and, in some cases, extra-territorially. State legislation regulating AI generally has extra-territorial effect as its application typically extends to entities that target its residents from within or outside the state.

Sectoral scope

As noted above, there are currently no comprehensive federal laws that directly regulate AI. Accordingly, there is no specific federal sectoral scope at this stage. Nevertheless, there are certain sector-specific frameworks that have been implemented in the US to regulate the use of AI. A non-exhaustive list of key examples includes:

• In the insurance sector, the National Association of Insurance Commissioners issued a model bulletin²⁹ that focuses on governance frameworks, risk management protocols and testing methodologies that insurers should have in place to govern their use of AI systems that impact insurance consumers. Once adopted by the NAIC (expected early 2024), state insurance departments could use the bulletin at their discretion as the bulletin is not new law, but instead enforces the application of current laws to insurers’ use of AI and serves as guidance as to regulatory expectations
• In the employment sector, the City of New York enacted Local Law 144 of 2021³⁰ that "prohibits employers and employment agencies [in the city] from using an automated employment decision tool unless the tool has been subject to a bias audit within one year of the use of the tool, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates"³¹

Compliance roles

As noted above, there is currently no comprehensive federal legislation in the US that directly regulates AI. Accordingly, there are currently no specific or unique federal obligations imposed on developers, users, operators and/or deployers of AI systems. However, developers, users, operators and deployers of AI systems should anticipate that existing law will apply to any regulated activity that uses AI, and consult legal counsel about the potential liabilities that may arise. While potentially novel, the use of AI does not per se provide a shield from the application of existing law.

Core issues that the AI regulations seek to address

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. However, the White House Executive Order on AI and proposed legislation at the federal and state level generally seeks to address the following issues:

• Safety and security
• Responsible innovation and development
• Equity and unlawful discrimination
• Protection of privacy and civil liberties

Risk categorization

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. AI is also not generally classified according to risk in the relevant frameworks and principles.

Key compliance requirements

As noted above, there is currently no comprehensive federal legislation in the US that directly regulates AI. Nevertheless, the White House Executive Order on AI lists the following eight key principles and priorities to encourage the responsible development of AI technologies and safeguard against potential harms:

• AI must be safe and secure
• To lead in AI, the US must promote responsible innovation, competition and collaboration
• Responsible development and use of AI requires a commitment to supporting American workers
• AI policies must advance equity and civil rights
• The interests of Americans who increasingly use, interact with, or purchase AI and AI-enabled products in their daily lives must be protected
• Privacy and civil liberties must be protected
• The federal government must manage the risks of its own use of AI
• The federal government should exercise global leadership in societal, economic and technological progress³²

Regulators

Currently, there is no AI-specific federal regulator in the US. However, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau and Department of Justice issued a joint statement clarifying that their authority applies to "software and algorithmic processes, including AI."³³

Similarly, state regulators that regulate privacy legislation likely also have the authority to regulate AI vis-à-vis existing privacy provisions. The FTC has been active in this area, and we can expect to see more from them going forward; see discussion of Rite Aid below.

Enforcement powers and penalties

As noted above, there are currently no comprehensive federal laws or regulations in the US that have been enacted specifically to regulate AI. As such, enforcement and penalties relating to the creation, dissemination and/or use of AI are governed by application of existing law to situations involving AI, through regulatory or judicial application of non-AI-specific federal and state statutes or AI-specific state privacy legislation.

In addition, the Federal Trade Commission has evoked an interest in and focus on regulating AI through enforcement. On December 19, 2023, the FTC settled a significant action focused on artificial intelligence bias and discrimination against Rite Aid regarding the company’s use of facial recognition technology for retail theft deterrence.³⁴ This illustrative case provides guidance on the FTC’s enforcement on AI systems. For example, the proposed consent order³⁵ between Rite Aid and the FTC: 

• Prohibits Rite Aid from using AI facial recognition for five years
• Requires Rite Aid to delete all photos and videos of consumers used in its AI facial recognition 
• Specifies that after Rite Aid’s ban on using AI facial recognition expires, if Rite Aid operates AI facial recognition technology for surveillance, it must maintain a comprehensive automated biometric security or surveillance system monitoring program that identifies and addresses the risks of such operation and notifies consumers of its use of AI facial recognition. Rite Aid must also provide a means for consumers to lodge complaints, and investigate and respond to all complaints received, among other requirements

Further insights from White & Case:

• Dawn of the EU's AI Act: political agreement reached on world's first comprehensive horizontal AI regulation
• Processing personal data using AI Systems (Part 1)
• The EU AI Act’s extraterritorial scope (Part 2)

_{1 https://www.congress.gov/bill/115th-congress/house-bill/302
2 https://www.congress.gov/bill/115th-congress/house-bill/5515  
3 https://www.congress.gov/116/crpt/hrpt617/CRPT-116hrpt617.pdf#page=1210; https://trumpwhitehouse.archives.gov/briefings-statements/white-house-launches-national-artificial-intelligence-initiative-office/ 
4 https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence 
5 https://www.whitehouse.gov/ostp/ai-bill-of-rights/ 
6 https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/21/fact-sheet-biden-harris-administration-secures-voluntary-commitments-from-leading-artificial-intelligence-companies-to-manage-the-risks-posed-by-ai 
7 https://docs.fcc.gov/public/attachments/FCC-24-17A1.pdf 
8 https://www.commerce.senate.gov/2023/9/the-need-for-transparency-in-artificial-intelligence 
9 https://iapp.org/news/a/dual-us-senate-hearings-continue-work-toward-ai-regulation 
10 https://www.democrats.senate.gov/imo/media/doc/schumer_ai_framework.pdf 
11 https://www.congress.gov/bill/118th-congress/senate-bill/1596/text 
12 https://www.congress.gov/bill/118th-congress/senate-bill/262/text 
13 https://www.coons.senate.gov/imo/media/doc/no_fakes_act_one_pager.pdf ; and https://www.coons.senate.gov/imo/media/doc/no_fakes_act_draft_text.pdf 
14 https://www.congress.gov/bill/118th-congress/senate-bill/3312/text 
15 https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 
16 https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf 
17 https://www.cga.ct.gov/2023/act/Pa/pdf/2023PA-00016-R00SB-01103-PA.PDF 
18 https://capitol.texas.gov/tlodocs/88R/billtext/html/HB02060F.htm 
19 https://www.ftc.gov/system/files/ftc_gov/pdf/EEOC-CRT-FTC-CFPB-AI-Joint-Statement%28final%29.pdf 
20 https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 
21 https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57 
22 https://cdn.patentlyo.com/media/2023/08/THALER-v.-PERLMUTTER-et-al-Docket-No.-1_22-cv-01564-D.D.C.-Jun-02-2022-Court-Docket-1.pdf 
23 https://www.bloomberglaw.com/document/X1Q6OLFCFC82 
24 https://www.gov.ca.gov/wp-content/uploads/2023/09/AI-EO-No.12-_-GGN-Signed.pdf 
25 https://www.govinfo.gov/content/pkg/USCODE-2022-title15/pdf/USCODE-2022-title15-chap119-sec9401.pdf ; and https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence 
26 https://capitol.texas.gov/tlodocs/88R/billtext/html/HB02060F.htm} 

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}