As much as AI has generated excitement about the efficiencies it is creating for businesses, AI is also presenting unique challenges in the area of data privacy and security. Although still in its infancy, AI privacy litigation continues to rise as the pool of defendants diversifies and regulation intensifies.
AI technology companies are facing increased scrutiny as class action lawsuits are filed against them alleging violations of state privacy and consumer protection laws. These complaints, which courts have begun to consolidate, generally claim that technology firms are collecting personal and private information from the Internet to train generative AI tools. See, e.g., A.T. et al. v. OpenAI LP et al., 3:23-cv-04557 (N.D. Cal. 2023). However, that is not the only theory being pursued in these AI privacy cases. For example, plaintiffs in one such case alleged that a facial-recognition technology company had violated the Illinois Biometric Information Privacy Act by not obtaining their consent before collecting their biometric information. See ACLU v. Clearview AI, Inc., 2020 CH 04353 (Cir. Ct. Cook Cnty., Ill.). In a similar case, an AI-based video creation and editing platform was sued for collecting biometric data without consent. Acaley v. Vimeo, Inc., 464 F. Supp. 3d 959 (N.D. Ill. 2020). Both cases resulted in settlement, but they provide helpful insights as to some of the more obvious risks of employing AI.
Technology firms are not the only companies increasingly subject to this litigation—retailers who employ AI are also facing scrutiny. For example, one plaintiff alleged that a retailer’s use of an AI chatbot resulted in illegal wiretapping by recording and storing conversations. See Licea v. Old Navy, LLC, 2023 WL 3012527 (C.D. Cal. Apr. 19, 2023). This suit serves as a reminder that developers are not the only ones at risk. Other recent cases involve artists and authors suing AI companies under copyright laws regarding the use of their works to train AI models. See, e.g., Zhang v. Google, 24-cv-02531 (N.D. Cal. Apr. 26, 2024); Dubus v. NVIDIA Corp., 2024 cv 02655 (N.D. Cal. May 2, 2024); Makkai v. Databricks, Inc., 24-cv-02653 (N.D. Cal. July 22, 2024).
This past year saw a surge in state AI laws proposed across the United States. Ten states included AI regulations within larger consumer-privacy laws that were passed or went into effect in 2023, and even more states have proposed similar bills. Some states have focused on and passed laws to protect health-care and biometric data, and others have focused on protecting children.
The Colorado Act Concerning Consumer Protections in Interactions with Artificial Intelligence Systems (the “Colorado AI Act”), set to become effective on February 1, 2026, is the first comprehensive legislation of its kind in the United States. It introduces broad measures meant to protect consumers when they interact with AI systems. The Colorado AI Act requires developers and entities that deploy AI systems that are deemed high risk (systems that, when deployed, make “consequential decisions”) to use “reasonable care” to avoid algorithmic discrimination; it also specifies what constitutes reasonable care. If a regulated entity complies with the requirements of the Colorado AI Act, it will benefit from a rebuttable presumption that it used reasonable care to avoid algorithmic discrimination. While the law does not create a private right of action, it does provide the Colorado State Attorney General with enforcement authority and discretion to implement further rulemaking.
California’s state legislature passed a series of laws aimed at regulating AI in September 2024. These include California’s AB 2013, which mandates transparency in the development of generative AI systems, particularly the data used for training. California’s AI Transparency Act, SB 942, requires providers of generative AI systems with over 1 million monthly users to offer an “AI detection tool” that allows users to verify whether content was AI-generated. Both bills will become effective on January 1, 2026.
President Biden issued an executive order aimed at promoting the development and adoption of AI in various sectors of the government. It comes as no surprise that the order regulates AI development by requiring companies to report and disclose safety testing reports. In addition, the executive order directs agencies to monitor and investigate complaints about AI-related discrimination. The FTC has also begun to revisit its rules and regulations to address increased AI privacy concerns.
While Congress has not yet passed any new privacy laws targeting AI, in April 2024 congressional leaders introduced a bicameral federal privacy bill called the American Privacy Rights Act (APRA). If adopted, APRA would broadly preempt many provisions of state-level data privacy laws. For example, APRA would impose obligations on “Covered Entities” (companies that collect and process large amounts of personal data) and “Service Providers” (third-party companies that process data on behalf of Covered Entities) to minimize processing of covered data and to apply reasonable data security measures. APRA also seeks to impose heightened obligations on high-impact social media companies and large data holders, such as by requiring express consent for any transfer of personal data. It also creates a private right of action, which would allow individuals to directly sue for alleged privacy violations. If passed, APRA would preempt a number of state laws. Ultimately, the goal of APRA is to create uniform data privacy rights for all U.S. residents. In June the bill was referred to the House Committee on Energy and Commerce, which has since postponed its plans to proceed with a formal markup.
Even before new regulations take effect, companies should carefully consider how existing laws may apply to these emerging technologies. A wave of new disputes has already arisen over how artificial intelligence absorbs and uses human likenesses and works.
How to address the risks that come with the rapid growth and capability advancements in AI is a challenge for businesses. The speed at which AI is growing can make it difficult to stay abreast of the risk areas, but companies can mitigate risks by monitoring changes in laws and policies in this area, bearing in mind that privacy regulations vary by state and by AI use.
In particular, companies should keep a close eye on what business practices potentially implicate which laws. This often begins with identifying the many uses of AI within a business. And in addition to establishing clear guidelines for leveraging AI—including obtaining consents from those whose data is collected—companies should regularly monitor its use to ensure compliance.

