ATP Update on U.S. Privacy Laws and Regulation of AI

At ATP's recent Board meeting on March 24, ATP General Counsel Alan Thiemann gave an overview of developing privacy laws and artificial intelligence (AI) regulations that have the power to impact ATP Members worldwide.

Privacy Law Update 

Thiemann reported that ATP continues to track what he termed a "patchwork quilt" of privacy laws across the U.S., with some of his "worst fears" coming true in that so many states are passing different laws that national organizations, including many ATP Members, will wind up needing to comply with 50 different laws. He noted that Utah just passed a consumer privacy law, making it the fifth state to do so. "The only good news is that Utah and Virginia laws are weaker than California, and that the Utah law exempts quite a bit of data as non-personal data outside the scope of law," Thiemann pointed out.

He also reported that California has two new bills that could be problematic for testing organizations: (1) one creates a California version of the Illinois biometric law, where anyone using biometric data in California will probably have to deal with new restrictions; and (2) the other California proposal would give a private right of legal action to consumers who have their personal data used illegally during proctoring of tests.  On the proctoring legislation, Thiemann warned that the legislation is very vague, but the likelihood is that there will be some attention to what proctoring services are provided and how they directly affect test takers.

Update on Regulation of AI 

Thiemann repeated his report from December 2021 that the industry scored a “win” through language adopted by the EU Commission that clarifies the definition of AI by excluding software that merely automates, such as automated scoring or item generation, making clear that such software is not AI.

He also reported that the U.S. Chamber of Commerce has established an AI Commission, which recently put out a request for information asking what the legal definition of AI should be. He noted that ATP was well positioned to respond, drawing upon ATP's previously published White Paper on AI, as well as comments submitted earlier last year by ATP to the Organization for Economic Cooperation and Development (OECD) and the EU Privacy Commission.

Thiemann then went on to caution that ATP Members will ultimately have to deal with the regulatory environment being created in the U.S., noting that Congress instructed the National Institute of Standards and Technology (NIST) to take a look at AI and draft a Risk Management Framework, which was recently released. "And though it is different from what the European Commission created with respect to risk, it will influence regulation in the U.S.," Thiemann noted.  He stated that ATP will be submitting its comments on the draft Risk Management Framework by April 29.  

Turning to international AI regulation, Thiemann called attention to the fact that no official final AI regulation has been adopted anywhere in the world except in China, which just adopted algorithmic regulation that forbids profiling, or changing what people are offered for goods and services based on AI, and requires that consumers be able to opt out of such AI solutions. He noted that, like other Chinese privacy and security laws, the algorithmic regulation leaves a lot up to interpretation. Accordingly, Thiemann indicated that the assessment industry needs to gain a better understanding of the new AI regulations in China and their implications.