Privacy update: AI Act & Children’s Privacy Bill


Data privacy laws are quickly evolving around the world. When a company has customers worldwide, that company can be subject to the privacy laws in each customer’s location.



Below are some of the recent privacy law changes which could affect your organization, along with some next steps to consider for each.




EU members of parliament debate Artificial Intelligence Act


EU lawmakers recently held their first debate on the Artificial Intelligence (AI) Act, which seeks to regulate AI by creating obligations that are comparative to the potential harm of the technologies. As the AI Act moves forward, organizations should consider the following:

  1. Understand the scope and regulatory requirements of the Act. It is essential to understand the requirements of the AI Act to determine applicability to your organization. The law defines three risk categories for AI: (1) systems that create unacceptable risk, such as social scoring systems; (2) high-risk systems such as those that use emotional and/or biometric recognition; and (3) low or minimal risk systems. The AI Act prohibits the use of AI systems that create unacceptable risk and establishes requirements for the use of high-risk systems. The requirements address risk management, data governance, technical documentation, record-keeping, transparency, oversight, accuracy, robustness, and cybersecurity.
  2. Conduct privacy risk assessments. Conduct privacy risk assessments for all AI systems in order to identify any potential privacy risk and to determine the appropriate risk category.
  3. Assess whether the benefits of using high-risk AI outweigh risks to consumer privacy.  Carefully consider the use of high-risk AI and potential impact to consumers. Organizations should perform a balancing test to determine whether the purpose and benefit of high-risk AI technologies will outweigh the risks to consumer privacy.
  4. Identify service providers of high-risk AI systems/applications.  The AI Act includes a requirement for providers of high-risk AI systems to register their high-risk AI system in an EU database to be managed by the European Commission. Validate any service providers used for AI services have completed the appropriate steps.



New York considers Children’s Privacy Bill


A New York lawmaker proposed legislation to regulate children’s online privacy just weeks after California’s governor signed into law children’s privacy legislation. If the bill passes, key actions for organizations will include:

  1. Identify current processing activities that should cease. Under the bill, organizations will no longer be able to collect personal data for the purposes of targeted digital advertising to children. Additionally, organizations cannot use personal data acquired from educational products to build advertising or marketing profiles about children.
  2. Obtain appropriate consent. An organization must obtain consent from both the child and the child’s parent or legal guardian. Organizations should review their policies and ensure appropriate language is in place to obtain required consent.
  3. Maintain a method to receive reports of emergencies. Organizations will need to have a real-time method to allow parents and legal guardians to report emergencies. Organizations should have a process in place that allows them to receive notice of emergencies, review them in a timely manner, and take applicable action where required.
  4. Provide access to accounts. Organizations will need to provide access to user accounts under certain circumstances. Organizations should develop a process to expedite warrants and subpoenas pertaining to crimes against children. Organization should also have a process in place to verify relationships and provide parents or legal guardians access to accounts in the case of death of their children. 



Other legislative updates


U.S. (California and Colorado): 

The California Privacy Protection Agency (CPPA) met at the end of October to advance its rulemaking package for CCPA/CPRA. A definitive timeline for finalization is still not set, however the CPPA outlined its goals for completing the package which includes formal publication of new draft rules, a 15 day “notice-and-comment” period, submitting the final package to California’s Office of Administrative Law (OAL) by end of year and awaiting the OAL’s 30-day review. The CPPA stated that they hope to conclude the process by late January or early February. Since the rulemaking process is already many months past the July 2023 deadline—and with January 2023 bringing an end to several key exemptions plus being the official date for enforcement to start—the CPPA continues to debate issues such as whether the rules package will only be partial or whether enforcement will be delayed (or partially enforced).


Colorado's own rulemaking is likely to be influenced by California's to some extent—the Colorado Attorney General has indicated that they are keeping a close eye on CPPA’s progress after the AG released its Colorado Privacy Act (CPA) draft rules in mid-October, with a public hearing scheduled for February 2023.

APAC (India):

After several years of proposed legislation and failed efforts, India appears closer than ever to achieving its goal of passing a new regulation—the Digital Personal Data Protection Bill—that will bring the country's privacy framework in closer alignment with other global laws like GDPR. The draft bill was introduced in mid-November, and Indian officials have stated their intent to push for passage by August 2023 at latest.


As data privacy laws and requirements continue to emerge and evolve, make sure that your organization has the structures and processes in place to meet new requirements and protect the customers who’ve entrusted you with their data.






More advisory insights