Generative Artificial Intelligence (AI) systems like ChatGPT and Google’s Bard have been widely successful and used in applications ranging from science, law, art, business, and even medicine. Generative AI has been called a transformative technology, much like the printing press and the automobile. One key reason for its success has been the lack of AI regulatory laws. Companies like OpenAI (maker of ChatGPT and image generator DALL-E) had free reign to train their Large Language Models (LLMs) and Diffusion Models by essentially feeding it the internet and all the public personal information that came with it. However, OpenAI has recently been hit with multiple lawsuits related to its training. That is because, although there are, as of yet, no AI regulatory laws, there are privacy laws and copyright laws that govern how data can be used. In this first of a two-part series, we look at how U.S. privacy laws govern Generative AI systems, and in a second article, we discuss the impact of European Union (EU) privacy laws on Generative AI.
U.S. Privacy Laws
Currently, the U.S. does not have a federal privacy law. However, other laws that deal with privacy apply to Generative AI, including the Gramm-Leach-Bliley Act (GLBA), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act (FTC Act), and the Electronic Communications Privacy Act (ECPA).
Under the GLBA, financial institutions must provide clear communication to customers regarding their data-sharing practices and ensures stringent protection of sensitive information. Accordingly, any AI tools used to process customer data – whether to personalize services or predict behavior – must comply with these standards of privacy and security. Furthermore, if a financial institution shares personal customer data with non-affiliated third parties (potentially including AI service providers), GLBA requires that customers be informed and given the opportunity to opt out.
Fair lending laws, such as the Equal Credit Opportunity Act (ECOA), may also apply to the use of AI. For instance, AI systems used in making financial decisions, such as credit scoring or loan approval, must be carefully designed and tested to prevent any algorithmic bias or discriminatory outcomes.
Under the CCPA, a state-level privacy law, California residents have the right to know about, delete, and opt out of the sale of their personal data. Businesses using AI systems often rely on copious amounts of data for AI-related training and operation, and pursuant to the CCPA, they must disclose what personal data is collected, its purpose, and any third-party recipients. These companies must also permit users to opt out of the sale of personal data and request its deletion. If AI systems are used to make decisions about or predict the behavior of consumers, companies must explain the underlying logic and the likely outcomes. Discrimination against consumers exercising their CCPA rights is prohibited, which pertains to AI systems if users who opt out of data-sharing receive diminished customer service. Moreover, given that AI systems usually process vast amounts of data, adherence to the CCPA’s data security provisions is critical since it opens the door for possible litigation in the event of data breaches.
Conclusion
The success of Generative AI hinges on navigating an increasingly complex legal landscape. Though there is currently a lack of AI-specific regulations, there are stringent privacy laws that apply. U.S. privacy laws – including GLBA, CCPA, HIPAA, FTC Act, and ECPA – each pose unique requirements for AI, from ensuring the protection of sensitive information to preventing algorithmic bias. In this article, we contrast the U.S. privacy laws with privacy laws of the European Union, including the General Data Protection Regulation, and explain how the EU laws challenge Generative AI with principles such as explicit consent, transparency, and data minimization.
[View source.]
