Assessing the Assessments: Maximizing the Effectiveness of CCPA Risk Assessments 

The unchecked spread of commercial surveillance over the past few decades has led to a data privacy crisis for consumers in the U.S. and has allowed abusive data practices to flourish. The ability to monitor, profile, and target consumers on a mass scale has created a persistent power imbalance that robs individuals of their autonomy and privacy, stifles competition, and undermines democratic systems. And now more than ever, emerging generative and non-generative AI systems are also causing harm.  

With the support of the Rose Foundation for Communities and the Environment, EPIC is launching our latest project in this field: Assessing the Assessments: Maximizing the Effectiveness of Algorithmic & Privacy Risk Assessments. Through this project, EPIC will develop model privacy and algorithmic risk assessments and other materials to educate consumers and promote best practices for entities processing personal data. 

California’s Consumer Privacy Act (CCPA) creates legal rights and obligations that can address many of these harms, including a requirement to perform assessments when personal information is being sold, when automated decision-making systems are being used in sensitive contexts, or when personal information is being used to train AI systems. EPIC’s work to disrupt these data abuses and ensure that entities can no longer extract value from personal data in ways that undermine the public good is more important than ever. It is crucial that the regulations implementing the CCPA provide for risk assessments that enable transparency and accountability of AI and other automated systems. Risk assessments are going to be required in California, and although regulations are not written in stone, they should provide instruments for accountability. 

As a leading organization for consumer privacy rights, EPIC has spent nearly three decades creating educational resources to inform Americans about their privacy rights and advocating for strong privacy protections. Some recent highlights of this work include: 

  • In 2020, we published a resource to help California residents understand how to exercise their rights under the California Consumer Privacy Act (CCPA). 
  • EPIC also supported the California Privacy Protection Agency’s (CPPA) efforts to establish robust data privacy protections for Californians and, with a coalition of partner organizations, submitted comments to the agency on the development of further CCPA regulations. 
  • We also submitted comments to the Colorado Department of Law in support of the efforts of the Department to establish robust, pathbreaking privacy protections for Coloradans in reference to the Colorado Privacy Act. 
  • EPIC also recently presented testimony in Massachusetts in support of House Bill 64 and Senate Bill 33 (An Act establishing a commission on automated decision-making by government in the Commonwealth).

So, what is a risk assessment? A risk assessment is an analysis of how personal data will be collected, processed, stored, and transferred by an entity. The term “risk assessment” is context-dependent, and in the particular context of California’s privacy bill, risk assessments are made effective by being robust, publicly accessible requirements. When implemented properly, risk assessments force businesses to carefully evaluate and…
