Old Dog, New Tricks: Connecticut’s Attorney General Uses Existing Privacy Law for AI Systems

Connecticut Attorney General William Tong issued a memorandum on February 25 making clear that his office intends to apply existing laws to artificial intelligence (AI) use cases. The memorandum points to a number of existing laws that Tong says are applicable to AI systems. With respect to privacy, the attorney general sets out the following guidelines for how the existing Connecticut Data Privacy Act will apply to AI:

1. Consumer Rights: Businesses must be able to honor consumers’ rights of access, deletion, opting out, etc. even if the data has been incorporated into AI systems.
2. Purpose Limitations: Businesses can only use the data for purposes that are adequate, relevant and reasonably necessary to the purposes that were disclosed through their privacy notices. The use of data in AI models may not be consistent with the purposes in those disclosures. If a business seeks to expand the uses disclosed in its privacy notices, consumers need to be notified of the change and given a mechanism to withdraw their consent.
3. Sensitive Data: Sensitive consumer data (consumer health, children’s data, biometric data, precise geolocation, etc.) cannot be processed by AI systems without consumers’ consent. In addition, companies need to conduct data protection assessments for this type of heightened risk processing.
4. Data Security: Companies must maintain reasonable data security and administrative safeguards to prevent “data leaks and errant outputs” from AI systems.

Companies are rapidly expanding the use of AI systems in countless ways. However, the memorandum is a good reminder that companies need to apply their existing privacy and cybersecurity compliance programs to these new AI systems.

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises clients on compliance with privacy and AI laws/regulations. If you have any questions regarding the new Connecticut guidance or other privacy/AI compliance issues, please do not hesitate to contact a member of our team.