State legislatures are taking the lead in regulating artificial intelligence after a quarter-century in which Congress has failed to come up with substantive laws governing tech.
The specter of AI and its wide-ranging potential impact on every aspect of life in the U.S. has lawmakers, stung by their failure to police social media and protect consumers’ data, scrambling to act.
“Consensus has yet to emerge, but Congress can look to state legislatures — often referred to as the laboratories of democracy — for inspiration regarding how to address the opportunities and challenges posed by AI,” the Brennan Center for Justice, a nonpartisan think tank focused on law and poverty, said in a statement.
More than two dozen states and territories have introduced bills, and a number have already enacted legislation. At least 12 —Alabama, California, Colorado, Connecticut, Illinois, Louisiana, New Jersey, New York, North Dakota, Texas, Vermont and Washington — have enacted laws that delegate research obligations to government or government-organized entities in order to increase institutional knowledge of AI and better understand its possible consequences.
At the same time, Florida and New Hampshire are among several states considering bills that would govern the use of AI in political advertising, especially “deepfake” technology that digitally manipulates a person’s likeness. Proposed legislation in South Carolina would limit the use of such technology within 90 days before an election and would require a disclaimer.
“There is a trend of regulators wanting to get on top of technology. In a way, the rush to regulate AI is very similar to what we have seen before: In the 1990s, it was the internet, [in the] early 2000s, smartphones and the internet of things,” Maneesha Mithal, a founding member of the AI group at Silicon Valley law firm Wilson Sonsini and a former Federal Trade Commission staffer, said in an interview.
“Lawmakers are trying to get ahead of an issue they don’t understand,” Appian Corp. APPN, +2.95% CEO Matt Calkins said in an interview. “But jumping forward can lead to wrong rules and hinder trade, cede too much influence to Big Tech and not [protect] property rights. We are steamrolling creators’ individual rights.”
But consumers say they want some kind of legislative action. Pew Research Center surveys show a majority of Americans are increasingly cautious about the growing role of AI in their lives, with 52% saying they are more concerned than excited, compared with 10% who say they are more excited than concerned.
‘The first dominos to fall’
Government use, algorithmic discrimination and deepfake election advertisements are among the top AI priorities for state lawmakers heading into the 2024 legislative season, James Maroney, a Democratic state senator in Connecticut, told attendees at the International Association of Privacy Professionals’ inaugural AI Governance Global conference in Boston last year.
“California’s new proposal for regulation on automated-decision-making technology and the EU agreement on the framework for the upcoming AI Act are just the first dominos to fall around AI regulation,” Gal Ringel, CEO of Mine, a global data-privacy-management firm, said in an email message.
The European Union is several steps ahead of the U.S. and has already provided a potential model for federal regulation with its AI Act, expected to be passed this year and to go into effect in 2026.
“We want national legislation, especially as it matches with international law,” said Peter Guagenti, the president of AI startup Tabnine, which has more than 1 million customers globally. “But if it takes the states to get the job done, so be it. We need clear guidelines on what constitutes copyright protection.”
Thirty states have passed more than 50 laws over the past five years to address AI in some capacity. In California, Colorado, Connecticut, Virginia and Utah, those have been tacked-on addendums to existing consumer-privacy laws.
Last year, Montana, Indiana, Oregon, Tennessee and Texas passed consumer-privacy laws that include provisions regulating AI. The laws typically give consumers the right to opt out of automated profiling and mandate data-protection assessments if the automated decision making poses a heightened risk of harm.
New York City’s first-in-the-nation Local Law 144, which went into effect on July 5, 2023, regulates the use of AI to minimize biases in hiring. California, Colorado, Connecticut, Massachusetts, New Jersey, Rhode Island and Washington, D.C., are also working to implement laws governing AI in hiring this year.
“You can’t let AI make the final decision. It cannot make the critical decisions,” Calkins said.
Cliff Jurkiewicz, vice president of global strategy at Phenom, a human-resources technology company, concurred, saying, “You have to keep humans in the loop” when making the final decision on a job hire. The fear is that bots, not humans, will make hires based purely on data. This can lead to discrimination.
‘A complex patchwork’ of laws
Meanwhile, at the federal level, things are quiet — again.
A national privacy bill, the American Data Protection and Privacy Act, sets out rules for assessing the risks of AI that directly affect companies developing and using the technology. However, the bill stalled during the last congressional session and is now — like most tech legislation before it — in limbo.
President Joe Biden’s executive order on AI has offered a blueprint for responsible AI use outside of government agencies. The order requires the tech industry to develop safety and security standards, introduces new consumer protections and eases barriers to immigration for highly skilled workers.
“Building on President Biden’s executive order on artificial intelligence, decision makers across governmental bodies will evaluate and put into place more concrete regulations to curb AI’s risks and harness its benefits,” predicts Hitesh Sheth, CEO of Vectra AI, a cybersecurity company.
Read more: Biden’s executive order on AI could reshape the technology’s impact on economy, national security
Yet the array of state laws — absent a unifying federal law — makes for a vexing fix, tech companies and their customers grumble. The proliferation of differing regulations, they say, will cause compliance headaches.
“Without [federal law], companies are likely to encounter a complex patchwork of regulations, leading to heightened risks of noncompliance, especially for those operating across state lines,” Volker Smid, CEO of software company Acrolinx, said in an email message.
“There needs to be some national legislation” around safeguarding data, adds Dan Schiappa, chief product officer of cybersecurity firm Arctic Wolf Networks. “The internet does not operate state by state.”