Will US AI regulation follow the same path as data privacy?

With federal legislation caught in a holding pattern, states are blazing ahead with new AI laws. The tech industry is lobbying against the specter of a patchwork of rules, while advocates worry a weaker federal law preempting states will erase hard-won gains.

All this might sound like a familiar story to anybody who’s followed data privacy policy in the US over the last several years. In fact, if you’re searching for an example of a fragmented state-by-state approach to regulation, look no further than data privacy law, experts said.

“We’re pretty much stuck with a patchwork state approach for the short to midterm future,” Jonathan Tam, a partner at Baker & McKenzie, told Tech Brew.

Now that the GenAI wave has thrust tech policy conversations into a brighter spotlight, lawmakers are revisiting some of these privacy issues—data privacy and AI overlap quite a bit, after all. And states are continuing to push forward with new laws; just this month, for instance, Maryland enacted protections that experts say are stronger than many other states’.

As part of Morning Brew’s Quarter Century Project, we looked back at the late 2010s push to regulate data privacy and how it led to our current moment in tech policy.

State of the states: In 2018, taking a cue from recently enacted European law, California passed the California Consumer Privacy Act (CCPA), giving state citizens more control over the data that companies collect about them. A wave of others followed suit, and 19 or 20 states now have comprehensive data privacy laws (Florida’s law is only sometimes counted due to its relative narrowness).

But not all of these laws were created equal. Privacy advocates at the Electronic Privacy Information Center (EPIC) and the Electronic Frontier Foundation (EFF) say that many of the laws that passed following California’s were co-written by industry trade groups to offer more leniency.

State laws vary in strength depending on which template they ended up copying and how much it’s been amended since, but the CCPA remains among the strongest, Hayley Tsukayama, associate director of legislative activism at the EFF, told us.

“When California passed its privacy law, there was some hope that it would be a model for other states,” Tsukayama said. “It was this sort of weird evolution of California and then a weaker Virginia model, and then we’ve sort of ended up somewhere in the middle [of those two]. And that’s what most of the states have enacted.”

While many of these laws are based on the same models, “there are nevertheless significant and nuanced differences among all of them,” Tam said.

Tyler Thompson, a partner at law firm Reed Smith, told us “we’re eventually going to have 50 state laws, and they’re all going to be at least slightly different from one another, and that’s just really complex for companies to deal with.”

A new bar: Some companies initially set a benchmark around the European Union’s General Data Protection Regulation (GDPR) when it was first enacted in 2018, according to Tam. But as more and more states pass differing laws, businesses are making more choices about what to offer in different states.

“It’s becoming harder and harder for a company to comply with all of these different requirements in all of the different states and then basically consolidate them into a single benchmark—like the high-water mark—and then use that in the country as a whole,” Tam said. “Because if they were to do that, they would probably alienate a lot of users; a lot of users would find the apps maybe harder to use or there’s a lot more friction in the user experience.”

Privacy advocates push for “floor” rather than “ceiling” exemptions, meaning that federal law would be a strong base on which states could build their own regimens rather than a weaker federal law that would invalidate stronger existing state laws.

Tsukayama said companies are generally safe hewing to the strongest law out there, but she’s heard the compliance complaints from the industry.

“If I had to, I could concede that point on state regulation. The main problem I have with state-by-state regulation, of course, is that you have a lot of people who have no policy protections,” Tsukayama told us.

Most states also lack a private right of action—the ability for citizens to sue to enforce—so they depend on attorneys general for enforcement. Despite cases like the Texas attorney general’s recent $1.4 billion settlement with Google, these offices generally lack “resources to adequately enforce these laws,” according to Caitriona Fitzgerald, deputy director and policy director at EPIC.

“Big companies…take the small risk of an AG taking action against them as a cost of doing business, and they’re not adequately complying with the laws,” Fitzgerald said.

The AI of it all: As with a big federal AI bill, nobody we talked with for this story seemed particularly hopeful about any federal legislation on data privacy at the moment.

But AI and privacy laws are now becoming more intertwined, experts said: Many AI laws now touch on privacy, while privacy laws are sometimes being applied to AI use cases.

“What we saw with privacy law, that’s the way AI law could go as well in the United States, and a lot of folks just don’t want that,” Thompson said. “Folks are [also] like, ‘Well, it doesn’t seem like we’re going to get specific AI legislation, at least in a comprehensive way, anytime soon. Can we use privacy law to go after some of these AI use cases that we’re worried about?’”