Senators Wyden (D-OR) and Booker (D-NJ) have proposed a Senate bill that would require big businesses and data brokers to conduct “impact assessments” for (1) “high-risk automated decision systems”; and (2) “high-risk information systems”.
The bill essentially gives the FTC power to promulgate regulations requiring companies with a lot of personal data to conduct studies of how their use of that data impacts people. Think of it as the equivalent of an environmental impact study for big data, or the US equivalent of GDPR’s Data Protection Impact Assessment process. In fact, it is very similar to the GDPR requirement.
Here’s a summary of the key terms:
Covered entities. The bill would apply to anyone that (a) receives more than $50M in revenue over the preceding three-year period; (b) possesses personal information on more than 1M consumers or consumer devices; or (c) is a “data broker,” defined as possessing personal information on individuals who are not customers or employees as a substantial part of business.
Definition of personal information. Broadly defined as any information “reasonably linkable to a specific consumer or consumer device.”
Impact assessments. At a minimum, requires a description of the system, design, training process, data, purpose, relative benefits and costs, data minimization practices, retention policies, access to data by consumers, ability of consumers to correct or object to the data, sharing of data, risks of inaccurate, biased, unfair, or discriminatory decisions, and safeguards to minimize risks.
Systems which must be evaluated. Must evaluate any system that “poses a significant risk” to the privacy and security of personal information or that results in inaccurate, unfair, biased, or discriminatory decisions, especially if the system alters legal rights or profiles “sensitive aspects” of consumer lives such as protected class, criminal convictions, work performance, economic situation, health, personal preferences, interests, behavior, and location.
Enforcement. Enforced by the FTC or the Attorney General of any State upon notice to the FTC.