The Leading Edge on Legislation Governing Generative AI

I believe we are seeing the leading edge of proposed legislation about generative AI.  On January 20, 2023, a Massachusetts Senator introduced a bill to regulate generative AI.[1]  The act is entitled “An Act drafted with the help of ChatGPT to regulate generative artificial intelligence models like ChatGPT.”  The bill would bar discrimination or bias, require watermarking output, mandate reasonable security over personal data used for training the machine learning model, necessitate informed consent before collecting personal data, compel deletion or de-identification of personal data when it is no longer needed, and demand risk assessments to identify potential harms from usage.  Any company operating an LLM would need to register with the Attorney General.

While some of the provisions sound reasonable and innocuous, the bill appears to be somewhat of a publicity stunt showing that ChatGPT can spit out reasonable-sounding legislation.  The title of the bill emphasizes that ChatGPT helped to develop its language.  Accordingly, I give this little chance of passing, at least until legislators fine-tune it.[2]

On March 22, 2023, the Illinois House passed a bill to establish a Generative AI and Natural Language Processing Task Force to investigate and provide a report on the named topics.[3]  If passed, the bill would call for the task force to study generative AI subjects such as consumer data protection, model school policies, AI for assisting public services, protecting civil rights, use of AI in the workplace, and cybersecurity challenges.  The bill is now in the Illinois Senate for consideration.  Any resulting Task Force report may inspire future legislation on these topics.

Although the Massachusetts bill may start a trend in proposed legislation specific to generative AI, regulators can already regulate generative AI based on existing legislation, as shown by the recent FTC activity discussed above. In addition, on March 30, 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali) issued a temporary interim order immediately barring OpenAI from processing the personal data of Italian citizens under the European Union’s General Data Protection Regulation.[4] The Authority was concerned about the lack of notice to data subjects about OpenAI’s privacy practices, the absence of a legal basis under GDPR for processing users’ personal data, the inaccuracy of answers from ChatGPT, the processing of minors’ personal data without age verification and data filtering. OpenAI is required to respond to the Authority and explain its violations and how it will comply with GDPR. It remains to be seen whether other European supervisory authorities will take similar actions against OpenAI. The California Privacy Protection Agency may take a similar approach and find it necessary to provide oversight over generative AI to protect California residents under the authority of CPRA.

Watch these pages for information on new developments in the regulation of ChatGPT and other forms of generative artificial intelligence.

[1] Mass. S.B. 31, 2023 Reg. Sess. (2023).

[2] I am also skeptical how a usable chatbot can enforce a watermarking requirement since users will need to be able to cut and paste text from the output to make its use worthwhile.

[3] Ill. H.B. 3563, 103rd Gen. Assemb. (2023).

[4] It. Data Prot. Auth., Provision of 30 March 2023, Register of Measures No. 112 (Mar. 30, 2023), https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9870832.