Managing AI Risk: 3 Laws Companies Using Consumer Data for AI Development Need to Know

2 minute read | May.16.2023

Artificial Intelligence (AI) is transforming financial services, from underwriting and trading securities to customizing financial products and services. These innovative modeling techniques may enhance the accuracy of models used to identify potential customers and assess their potential risks, expand access to credit by underserved populations, and reduce losses and other associated costs.

However, as highlighted by the Federal Trade Commission’s (FTC) article, The Luring Test: AI and the Engineering of Consumer Trust, AI may also carry significant consumer and commercial risks. As companies contemplate novel uses of AI, here’s what you need to know about the FTC’s focus on three “laws important to developers and users of AI” which may impact your business:

Fair Credit Reporting Act, including its implementing Regulation V. The FCRA comes into play in certain circumstances where an algorithm is used to deny people employment, housing, credit, insurance, or other benefits.
Equal Credit Opportunity Act, including its implementing Regulation B. The ECOA makes it illegal for a company to use a biased algorithm that results in credit discrimination based on race, color, religion, national origin, sex, marital status, age, or because a person receives public assistance; and
Section 5 of the FTC Act. The FTC Act prohibits unfair or deceptive practices. That would include the sale or use of – for example – racially biased algorithms.

The FTC, among other regulators, will likely continue to use its authority and expertise to exercise jurisdiction under these statutory regimes and focus on companies’ use of AI. Given the growing concerns about the use of new AI tools, the FTC provides several cautionary considerations for businesses operating in this space:

Firms building or deploying AI tools should staff personnel devoted to ethics and responsibility for AI and engineering.
A company’s risk assessment and mitigation programs should factor in foreseeable downstream uses and should incorporate training staff and contractors, among others.
Firms should monitor, document and address the actual use and impact of any AI tools eventually deployed, including an exit strategy if deployment does not go as planned.
If a company wants to convince the FTC that it adequately assessed risks and mitigated harms associated with use of AI, a reduction of personnel devoted to AI ethics may not be persuasive.

It’s clear that FTC staff and other regulators are focusing on how companies may choose to use AI technology, including new generative AI tools, in ways that can have actual and substantial impact on consumers. If you use or are contemplating using AI tools as part of your product or service offerings, now is the time to examine the three laws the FTC deems important to developers and users of AI.

Authors

Shannon Yavorsky パートナー, Cyber, Privacy & Data Innovation, Technology Transactions

サンフランシスコ; ロンドン

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
政府による調査および強制措置
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky パートナー

サンフランシスコ; ロンドン

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Melissa Baal Guidorizzi パートナー, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 339 8648
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech
Blockchain and Virtual Currency
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory

vCard

See full bio

Melissa Baal Guidorizzi パートナー

Washington, D.C.

During Melissa's tenure at the CFPB's Office of Enforcement, she developed supervision and enforcement priorities, identifying subjects for examinations and investigations. She also shaped federal consumer financial laws that impact cryptocurrency markets, new payment technologies, and established financial institutions, including the Electronic Fund Transfer Act (EFTA), the Truth in Lending Act (TILA), Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and the Fair Credit Reporting Act.

Melissa also spent nearly a decade in-house at a large multinational financial institution, where she was responsible for implementing regulatory compliance initiatives, defending enforcement actions and managing regulatory examinations.

Kyle Kessler シニア・アソシエイト, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

ロサンゼルス

See my bio

M:+1 310 251 5299
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Technology Transactions
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kyle Kessler シニア・アソシエイト

ロサンゼルス

Kyle advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, social media and technology on a range of EU and U.S. federal and state privacy laws. Kyle’s strategic counseling advice includes, but is not limited to:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Consumer health privacy laws, including Washington’s My Health My Data
US data broker laws, including California's Delete Act
Children's Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Contest and Sweepstakes Laws
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Europe (EU) General Data Protection Regulation (GDPR)
EU e-Privacy Directive
UK's Age Appropriate Design Code (Children's Code)
False, Misleading, or Deceptive Acts or Practices
Federal Trade Commission Act (FTC)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Restore Online Shoppers' Confidence Act (ROSCA)
Retail Sales Laws
Advertising and Payment Card Self-Regulatory Frameworks
State Breach Notification and Security Laws
Telephone Consumer Protection Act (TCPA)

Kyle works with clients to develop internal privacy and security compliance programs, including assisting with privacy audits and data mapping, valuating privacy and security risks in corporate transactions, advising companies through the full pre-IPO and post IPO diligence cycle, drafting and negotiating data-related vendor and arrangement contracts, meeting with teams to assist with privacy by design, developing internal and external privacy policies for employees, customers, and contractors, drafting and training on the implementation of consumer rights requests, and developing comprehensive security programs and policies.

She partners with her clients to provide practical business counsel, with an in-house and outside counsel perspective. She regularly counsels startups and tech companies through the funding life cycle, or in connection with the launch of innovative technology, products, or platforms. Kyle's background in marketing, publication relations and communications enhances the consumer protection support she provides clients. She drafts disclosure and consent frameworks in compliance with privacy and consumer protection regulations. Kyle also helps develop, implement, administer regulatory compliance programs for all aspects of promotional and customer-facing activities, including:

Contests and sweepstakes
Direct mail, email, in-store and online, social media and text messaging advertisements and marketing campaigns
Gift cards
Influencer and social media agreements and endorsements
Price comparisons
Print advertisements and product placements
Reward and loyalty programs

Kyle is active in the LGBTQ+ community and helps lead Orrick's LGBTQ+ Attorney Affinity Group. She was also selected to participate in the Leadership Council on Legal Diversity's (LCLD) 2022 Pathfinders Program.

Before joining Orrick, Kyle was an in-house attorney at a company named to Forbes' 100 Largest Private Companies list.