The Need to Protect Americans’ Privacy and the AI Accelerant (U.S. Senate Committee on Commerce, Science, and Transportation)

July 11, 2024 @ 6:00 am - 8:00 am

Hearing: The Future of Broadband Affordability
Committee: U.S. Senate Committee on Commerce, Science, and Transportation
Date: July 11, 2024

 

Hearing Takeaways:

  • Consumer Data Privacy: The hearing largely focused on the state of consumer privacy within the U.S. Committee Members and the hearing’s witnesses raised concerns over the U.S.’s current protections for consumer data and stated that these protections can be inconsistent or non-existent in many instances. They discussed how companies will collect large amounts of consumer data to set more targeted prices, track consumers, sell collected data to third parties, train artificial intelligence (AI) models, and derive sensitive insights about customers. They commented that this use of consumer data enables companies to exploit consumers. They further raised concerns that the growth of AI technology poses additional consumer data privacy challenges that the U.S. must address.
    • Sharing of Consumer Data to Train AI Models: Committee Democrats, Mr. Calo, Ms. Kak, and Mr. Tiwari raised particular concerns regarding how consumer data is being used to train AI models. They noted how AI models require large amounts of consumer data to train and warned that the U.S.’s insufficient consumer data privacy protections create strong incentives for AI model developers to collect large amounts of consumer data (including both publicly available data and internal data on consumers). Full Committee Chairman Maria Cantwell (D-WA) lamented that this dynamic puts privacy-protective companies at a competitive disadvantage. Sen. Peter Welch (D-VT) and Ms. Kak further raised concerns that consumer data could be unnecessarily exposed within AI models. Sen. Welch mentioned how he had introduced the Artificial Intelligence Consumer Opt-in, Notification, Standards, and Ethical Norms for Training (AI CONSENT) Act, which would require online platforms to obtain express informed consent from consumers before using their personal data to train AI systems. Full Committee Chairman Cantwell and Sen. Marsha Blackburn (R-TN) also highlighted their work on the Content Origin Protection and Integrity from Edited and Deepfaked Media (COPIED) Act, which would require consent to use material with content provenance to train AI systems. Mr. Reed stated, however, that the U.S. must ensure that AI applications can use the private data of companies to help the companies.
    • Use of AI Technology to Derive Sensitive Information about Consumers: Committee Democrats, Mr. Calo, and Ms. Kak raised concerns over how AI technology provides the capacity to derive sensitive insights about individuals. They explained that AI models can often take seemingly benign consumer data (such as shopping data) to make hyper-personalized inferences about consumers (such as inferences about health status). They expressed concerns that this use of AI technology to derive sensitive information about consumers could result in surveillance advertising business models. Mr. Calo recommended that the U.S. define categories of sensitive information to include both sensitive information itself and sensitive inferences that are derived from AI applications. However, Mr. Reed raised concerns over proposals to restrict the ability of companies to make inferences on sensitive data using AI models. He stated that AI technology is needed to develop inferences about the health and well-being of Americans so that the U.S. can address social determinants of health (SDOH).
    • Current State Data Privacy Laws: Committee Members, Mr. Calo, and Mr. Reed discussed how various states have adopted their own consumer data privacy laws and attributed these state laws to federal inaction on the issue. They expressed concerns that these state consumer data privacy laws can vary significantly, which can create significant compliance challenges for businesses with customers in multiple states. Mr. Reed added that this variation in state consumer data privacy laws places larger businesses at an advantage over smaller businesses because larger businesses tend to have greater compliance resources.
    • Foreign Consumer Data Privacy Landscape: Sen. John Hickenlooper (D-CO), Mr. Calo, and Mr. Tiwari noted how many foreign jurisdictions maintain their own consumer data privacy policies and warned that the U.S.’s lack of consumer data privacy protections disadvantages the U.S. in the global marketplace. Mr. Calo noted how the European Union (EU) (which is among the U.S.’s largest trading partners) refuses to certify the U.S. as adequate on privacy and does not permit consumer data to flow freely between the EU and the U.S. He questioned the value of U.S. innovation if other countries ultimately do not trust it.
  • Federal Data Privacy Legislation: Committee Members and the hearing’s witnesses expressed interest in having Congress develop bipartisan federal data privacy legislation. They stated that such legislation is needed to protect consumers from corporate exploitation, provide clear rules and expectations for businesses collecting and storing consumer data, and provide reassurances to the U.S.’s trading partners that consumer data privacy will be respected. They added that the growth of AI technology underscores the urgent need for such legislation.
    • The American Privacy Rights Act of 2024 (APRA): Full Committee Chairman Maria Cantwell mentioned how she has worked to propose APRA with U.S. House Committee on Energy and Commerce Chairman Cathy McMorris Rodgers (R-WA). This legislation seeks to protect consumer privacy and data through establishing consumer data privacy rights and setting standards for data security. Full Committee Ranking Member Ted Cruz (R-TX) raised concerns that the legislation delegates too much authority to the U.S. Federal Trade Commission (FTC), could enable the Executive Branch to police speech, and advantages large companies over smaller companies. He expressed his willingness to work on improving this legislation.
    • The Consumer Data Privacy and Security Act: Sen. Jerry Moran (R-KS) also mentioned how he had reintroduced the Consumer Data Privacy and Security Act in the current 118th Congress. He explained that this legislation would provide Americans with control over their own data, require covered entities to publish their privacy policies in easy-to-understand language, establish a single clear federal standard for data privacy, and provide for robust enforcement of data privacy protections that would not result in frivolous lawsuits.
    • Data Minimization Requirements: Committee Members and the hearing’s witnesses expressed interest in imposing data minimization requirements on companies to combat excessive collection of consumer data. Ms. Kak stated that the adoption of data minimization rules would ensure that companies make reasonable decisions regarding which data to collect, the purposes for which data may be used, and the length of time that data may be stored. She commented that these requirements would empower both lawmakers and the public to demand basic accountability from companies. Sen. John Hickenlooper (D-CO), Mr. Calo, Ms. Kak, and Mr. Tiwari also contended that it would be unreasonable to expect consumers to manage all of the parties that have permission to access their data and that data minimization requirements would provide assurances to consumers that their data is not being misused. Mr. Reed stated that consumers should be able to control their data with the party that they first interact with and that Congress should make clear that all parties within the data supply chain have a responsibility to protect consumer data. Mr. Calo further recommended that the U.S. define categories of sensitive information for the purposes of data minimization requirements to include both sensitive information itself and sensitive inferences that are derived from AI applications. 
    • Preemption of State Laws: Sen. Roger Wicker (R-MS) and Mr. Reed argued that federal consumer data privacy legislation must preempt state consumer data privacy laws to prevent confusion and regulatory burdens. They warned that a lack of preemption would force small businesses to comply with various state consumer data privacy laws, which would be very onerous.
    • Application to Small Businesses: Committee Republicans and Mr. Reed also asserted that federal data privacy legislation must apply to small businesses so that customers can trust that data is being protected when they engage in business with a company of any size. Mr. Reed criticized APRA’s non-inclusion of small businesses in the legislation’s definition of covered entities and asserted that this approach would deny small businesses the benefits of the legislation’s preemption provisions. Mr. Calo stated that the U.S. should maintain a tiered system for consumer privacy rules. He commented that large technology companies (such as Google, Meta, and Amazon) have the capacity to comply with far more rigorous data privacy rules than small businesses. Sen. Peter Welch (D-VT) suggested that a pilot program or a set of prescribed actions could help to ensure the protection of customer data.
    • Private Right of Action: Mr. Reed acknowledged that Congress will likely need to include a private right of action provision within federal data privacy legislation for the legislation to be bipartisan. He stated that Congress should ensure that any private right of action provision within federal data privacy legislation includes “numerous backstops” to guard against frivolous lawsuits. He commented that frivolous lawsuits particularly harm small businesses because small businesses are less equipped than large businesses to defend themselves from such lawsuits.
    • Investments in Privacy-Preserving Technologies: Mr. Tiwari remarked that the promotion of privacy-preserving technologies would help to guard against the misuse of consumer data. He stated that these privacy-preserving technologies reduce data collection, minimize risks to consumers, and reduce risk and liability for companies.
  • AI Technology-Related Policies: Committee Members and the hearing’s witnesses also expressed interest in having the U.S. adopt policies to address AI technology. They stated that these policies would enable the U.S. to protect consumers while supporting the development of this technology. Committee Republicans and Mr. Reed cautioned, however, that the adoption of overly prescriptive AI technology-related policies could impede innovation and entrench the current market power of large incumbent technology companies. Mr. Reed stated that the proper use of AI technology could better enable small and medium-sized companies to compete with larger companies.
    • The Artificial Intelligence Research, Innovation, and Accountability Act of 2023: Sen. Amy Klobuchar (D-MN) and Sen. John Thune (R-SD) mentioned how they had proposed the bipartisan Artificial Intelligence Research, Innovation, and Accountability Act of 2023 to increase transparency and accountability for the riskiest non-defense applications of AI technology. This legislation would direct the U.S. Department of Commerce to set minimum testing and evaluation standards for AI systems (such as critical infrastructure management systems) that pose the highest risks. This legislation would also require AI technology deployers to submit regular risk assessments and transparency reports to the U.S. Department of Commerce that include documentation of the AI data being used for training purposes. Mr. Reed asserted, however, that comprehensive federal data privacy legislation would be preferable to more targeted AI technology-focused legislation (such as the Artificial Intelligence Research, Innovation, and Accountability Act of 2023).
    • Legislative Proposals to Address the Creation of Deep Fakes Using AI Technology: Several Committee Members highlighted how they had developed legislative proposals to address the problem of AI technology-created deep fakes. Deep fakes are synthetic media designed to convincingly replicate or change a person’s likeness. Full Committee Ranking Member Ted Cruz (R-TX) mentioned how he had introduced the bipartisan Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks (TAKE IT DOWN) Act, which targets bad actors that use AI technology to create and publish fake and life-like explicit images of real people. He noted how this legislation would require large technology companies to follow a notice and takedown process for these images. Sen. Marsha Blackburn (R-TN) also mentioned her work on the bipartisan Nurture Originals, Foster Art, and Keep Entertainment Safe (NO FAKES) Act of 2024, which would protect the voice and visual likeness of individuals from unauthorized use by generative AI applications.
    • Use of Generative AI Technology to Enable Scams, Misinformation Campaigns, and Disinformation Campaigns: Committee Democrats, Mr. Calo, Ms. Kak, and Mr. Tiwari warned that the ability of generative AI technology applications to quickly create hyper-realistic scams, misinformation, and disinformation can pose significant threats to U.S. consumers and can potentially subvert U.S. elections. Mr. Calo stated that the U.S. should require platforms to take all possible actions to identify and disincentivize automated misinformation. Committee Republicans expressed concerns however that government officials may falsely claim that they are seeking to address scams, misinformation, and disinformation when these government officials are actually seeking to combat opposing political speech.
    • Transparency and Accountability for AI Systems: Sen. Klobuchar, Ms. Kak, and Mr. Tiwari remarked that the U.S. must ensure that AI systems are transparent and accountable with mechanisms in place to address privacy violations and provide recourse for impacted individuals. Mr. Tiwari stated that open approaches play a “vital role” in promoting innovation and preventing the concentration of power in a small number of companies. He also commented that open approaches enable the economic benefit of AI technology to be more widely shared among businesses of different sizes and capabilities.
    • Impact of the FTC’s Antitrust Policy on the AI Technology Sector: Sen. Ted Budd (R-NC) and Mr. Reed raised concerns over the FTC’s antitrust policy and commented that this policy appears to be focused against vertical integration. They warned that this policy may have a “chilling effect” on the ability of the App Association’s members to develop and deploy new and better AI services. Mr. Reed criticized the FTC’s premerger notification proposed rule. He asserted that this proposed rule puts small businesses at a “huge” disadvantage through establishing a floor for a potential acquisition. He commented that the FTC’s proposed rule would discourage venture capitalists from investing in AI companies because their returns would be capped.
    • Consideration of Sector in AI Regulation: Mr. Reed stated that policymakers must target AI regulation to situations where a substantial risk of concrete harm exists. He commented that the risks posed by AI applications focused on less sensitive sectors (such as farming) should not be treated the same as the risks posed by AI applications in the health care and wellness sectors.
    • AI Technology Standards: Ms. Kak asserted that regulators and public bodies (rather than the companies themselves) should set the metrics used to evaluate AI models. Mr. Reed also stated that the U.S. National Institute of Standards and Technology (NIST) must remain a supporter (rather than an arbiter) of voluntary industry-led standards.
    • Standard-Essential Patent (SEP) Abuse: Mr. Reed further stated that the Committee should be aware of how SEP abuse threatens small businesses. He noted how non-U.S.-based companies obtain the most U.S. patents every year and asserted that federal policy must combat abuse of patent licensing in standards through ensuring that licenses are available to any willing licensee “on fair, reasonable, and non-discriminatory terms.” He warned that the U.S.’s failure to address this issue would result in foreign companies with different perspectives on human rights owning and running the next generation of AI standards. Full Committee Chairman Cantwell commented that Congress has previously been overly partial to large companies on patent issues.
  • Establishment of a New Federal Agency and Regime to Regulate and Oversee Data Privacy and AI Technology: Sen. Peter Welch (D-VT) mentioned how he had introduced the Digital Platform Commission Act of 2023. This legislation would establish an independent federal commission to regulate digital platforms (including the regulation of AI and data privacy concerns). He stated that the rationale for this legislation is that Congress cannot keep pace with technological innovations and that a dedicated body would be better equipped to respond to these innovations. However, Sen. Eric Schmitt (R-MO), Ms. Kak, Mr. Tiwari, and Mr. Reed contended that the U.S. should rely upon existing federal agencies to regulate and oversee data privacy and AI technology. They stated that federal agencies already have experience and expertise addressing these issues. Ms. Kak and Mr. Reed also stated that the U.S. must ensure that these existing federal agencies are properly resourced to police data privacy and AI technology.

Hearing Witnesses:

  1. Mr. Ryan Calo, Professor, University of Washington School of Law; Co-Director, UW Tech Policy Lab
  2. Ms. Amba Kak, Co-Executive Director, AI Now Institute
  3. Mr. Udbhav Tiwari, Director, Global Product Policy, Mozilla
  4. Mr. Morgan Reed, President, ACT | The App Association 

Member Opening Statements:

Full Committee Chairman Maria Cantwell (D-WA):

  • She remarked that the hearing would focus on the need to protect the privacy of Americans and how AI technology necessitates the prompt passage of federal data privacy legislation.
  • She stated that the privacy of Americans is under attack and commented that Americans are being surveilled and tracked through connected devices.
    • She warned that AI technology would only exacerbate these privacy concerns.
  • She provided several real-world examples of AI technology being used to infringe upon the privacy of Americans.
    • She mentioned how a man in Seattle, Washington had his automobile insurance increase by 21 percent after his Chevrolet Bolt had collected detailed information about his driving habits and shared the information with the man’s automobile insurance company.
    • She also mentioned how data about U.S. military members (including contact information and health conditions) is already available for sale by data brokers.
    • She further mentioned how a non-profit suicide hotline had shared with its for-profit affiliates data from crisis communications that it was using to train its AI product.
    • She lastly mentioned how the FTC had recently sued a mobile application developer for tracking the precise locations of its users through software embedded in a grocery list and shopping rewards application.
  • She reiterated her concerns that AI technology would only exacerbate existing consumer privacy concerns and contended that the growth of this technology necessitates prompt passage of federal data privacy legislation.
  • She discussed how AI technology applications are built on data and stated that technology companies need a large amount of data to train their AI models.
    • She indicated that this data may relate to consumer shopping habits, favorite videos, and personal relationships.
  • She further raised concerns over how AI technology provides the capacity to derive sensitive insights about individuals.
    • She commented that this situation could result in an “inference economy,” which would pose significant challenges.
  • She remarked that a federal data privacy law would help to counterbalance the power of technology companies and called on Congress to pass such a law.
  • She also stated that there exists a lack of transparency regarding AI application prompts and raised concerns that personal information is being used to train AI models.
    • She lamented that this dynamic puts privacy-protective companies at a competitive disadvantage.
  • She noted that researchers project that companies training large language models (LLMs) may run out of new publicly available and high-quality data to train AI systems as early as 2026.
  • She warned that the absence of a strong federal data privacy law would lead AI application developers to use private data to train their systems when public data sources are exhausted.
    • She expressed concerns that these AI applications could result in harms to consumers, such as enabling price and customer discrimination.
  • She also discussed how bad actors can weaponize AI applications and noted how deep fake phone scams have plagued her state of Washington.
    • She indicated that AI systems can recreate a person’s voice within minutes and commented that this capability would exacerbate the problem of scams directed at the elderly.
  • She mentioned how the U.S. Office of the Director of National Intelligence (ODNI) had recently reported that Russian influence actors are planning to covertly use social media to subvert U.S. elections.
    • She indicated that ODNI had called AI technology a “maligned influence accelerant” and that this technology is being used to more convincingly tailor video and other content to influence voters ahead of the 2024 U.S. elections.
    • She further mentioned how the U.S. Department of Justice (DoJ) had recently reported that it had dismantled a Russian bot farm intended to foster discord within the U.S.
  • She remarked that there exists broad bipartisan support for increased consumer privacy protections and cited Pew Research Center polling indicating that most Americans across the political spectrum want to increase privacy regulations.
    • She asserted that private consumer data should not be bought or sold without the approval of individuals and that technology companies should work to protect consumer privacy.
  • She mentioned how she has worked to develop federal data privacy legislation with U.S. House Committee on Energy and Commerce Chairman Cathy McMorris Rodgers (R-WA).
  • She further indicated that she would be introducing the COPIED Act with Sen. Marsha Blackburn (R-TN).
    • She commented that this legislation would provide “much needed” transparency around AI-generated content and empower content creators with a watermark process for protecting their works.

Full Committee Ranking Member Ted Cruz (R-TX):

  • He remarked that the current hearing on data privacy and AI technology is fundamentally about whether the U.S. would support entrepreneurship and technological innovation or adopt a stringent regulatory regime for data privacy and AI technology.
    • He warned that the adoption of a stringent regulatory regime would result in a marketplace where only large technology companies could exist.
  • He stated that the U.S. had experienced significant growth in its technology sector because Congress and the Clinton administration had deliberately taken a “hands off” regulatory approach to the internet during the 1990s.
    • He commented that this approach had resulted in the creation of millions of jobs and a higher standard of living for Americans.
  • He criticized the Biden administration and many Members of Congress for proposing that the U.S. take a more prescriptive regulatory approach toward AI technology.
    • He asserted that this proposed approach is based on “hysterical doomsday prophecies” and warned that this proposed approach would cause the U.S. to lose its technological advantage over China.
  • He remarked that the Biden administration’s AI executive actions and many of the recent legislative proposals regarding AI call for a new regulatory order that would protect giant incumbent companies and discourage innovation.
  • He stated that these AI policy proposals contain purportedly optional best practices and guidance that would be drafted by bureaucrats.
    • He expressed concerns that many of these bureaucrats either have recently been employed by the technology companies that they seek to regulate or seek to work for technology companies post-government service.
  • He also disputed the assertion of AI regulation proponents that this regulation is needed to stop bias, misinformation, and discrimination in AI systems and algorithms.
    • He warned that this regulation would instead result in the government policing speech.
  • He acknowledged that AI technology could be used for nefarious purposes but stated that Congress must craft “appropriate and targeted” responses to address specific harms and issues.
  • He mentioned how he had introduced the TAKE IT DOWN Act with Sen. Amy Klobuchar (D-MN), which targets bad actors that use AI technology to create and publish fake and life-like explicit images of real people.
    • He noted how this legislation would require large technology companies to follow a notice and takedown process for these images.
    • He expressed hope that the Committee would consider and advance this legislation soon.
  • He then remarked that Congress (rather than the FTC or another federal agency) should be the body to set a national data privacy standard.
    • He commented that such a standard would provide Americans with beneficial privacy protections and provide U.S. businesses with legal certainty given the “increasingly complex patchwork” of state privacy laws.
  • He remarked, however, that a national data privacy standard must protect privacy without undermining U.S. technological innovation.
  • He indicated that he had discussed APRA with U.S. House Committee on Energy and Commerce Chairman Cathy McMorris Rodgers (R-WA) and expressed his willingness to work with Chairman McMorris Rodgers on this legislation.
    • He asserted, however, that he cannot support the legislation in its current form and commented that the legislation delegates too much power to the FTC.
    • He also asserted that the legislation focuses on algorithmic regulations under the guise of civil rights, which would empower the Executive Branch to police speech.
    • He warned that the legislation would benefit large technology companies at the expense of small businesses.
  • He remarked that Congress should work to empower individuals to control the privacy of their own data and provide individuals with transparency to make informed decisions within the marketplace.

Witness Opening Statements:

Mr. Ryan Calo (University of Washington School of Law; UW Tech Policy Lab):

  • He remarked that Americans are not receiving the privacy protections that they demand or deserve.
    • He cited Cambridge Analytica’s ability to deceptively obtain personal information from Facebook users and the ability of automobile companies to non-consensually share driver data with automobile insurance providers as examples of existing consumer privacy violations.
  • He stated that federal consumer privacy rules are “long overdue” and raised concerns that AI technology will exacerbate the U.S.’s consumer privacy problems.
  • He asserted that AI fuels an “insatiable” demand for consumer data and discussed how this consumer data includes both publicly available data and a company’s internal data.
    • He commented that this demand leads companies to search for all publicly available data on consumers, to collect as much data as possible from consumers, and to store consumer data indefinitely.
    • He warned that this demand for consumer data “deeply exacerbates” the U.S.’s consumer privacy problems.
  • He also raised concerns over how AI systems are increasingly able to derive intimate insights into people based on available data.
    • He noted how many AI techniques involve recognizing patterns in large datasets and indicated that generative AI models employ this approach.
    • He mentioned how Target had reportedly used AI systems in 2012 to determine whether customers were pregnant through assessing subtle changes in their shopping patterns.
  • He further stated that AI technologies deepen the asymmetries of information and power between consumers and companies and indicated that consumer protection laws are meant to arrest these asymmetries.
    • He discussed how U.S. consumers are mediated and stated that available choices are increasingly scripted and arranged in advance.
    • He commented that companies have an incentive to make use of insights into individuals and collective psychology and design strategies to extract as much money and attention from consumers based on these insights.
  • He lamented that the U.S. currently lacks privacy rules and stated that few Americans believe that the internet, social media, and AI systems are ideal as currently configured.
    • He mentioned how a recent Pew Research Center survey had found that 81 percent of Americans assume that companies will use AI in ways that make them uncomfortable.
  • He also noted how the EU (which is among the U.S.’s largest trading partners) refuses to certify the U.S. as adequate on privacy and does not permit consumer data to flow freely between the EU and the U.S.
    • He questioned the value of U.S. innovation if other countries ultimately do not trust it.
  • He discussed how an increasing number of states (including California, Colorado, Texas, and Washington) are passing consumer data privacy or AI laws to address the concerns of their residents.
    • He asserted that Congress should look to these state laws as a model for federal data privacy and AI legislation and called it “unwise” for Congress to rely upon states to address these issues.
  • He noted how the internet, social media, and AI technology are global phenomena that do not respect state boundaries and emphasized that millions of Americans reside in states without privacy protections.
  • He remarked that Congress should pass comprehensive privacy legislation that protects American consumers, reassures its trading partners, and provides clear and achievable guidelines to industry.
    • He suggested that data minimization rules (that obligate companies to limit the data that they collect from and maintain about consumers) could help to address the “insatiable appetites” of AI systems for consumer data.
    • He also suggested that broader definitions of covered data could clarify that inferring sensitive information about consumers carries the same obligations as data collection.
    • He further suggested that rules against data misuse could help address consumer vulnerabilities in response to growing data asymmetries.

Ms. Amba Kak (AI Now Institute):

  • She warned that the U.S.’s failure to set guardrails for AI technology would result in the continuation of extractive, invasive, and often predatory practices and business models.
    • She also warned that the failure to set guardrails would result in large technology companies transitioning from surveillance monopolies to AI monopolies.
  • She stated that a federal data privacy law could end these problematic trends and specifically called for this law to include data minimization requirements.
    • She asserted that data minimization requirements would challenge the “culture of impunity and recklessness” within the AI industry.
  • She remarked that Congress must pass federal data privacy legislation before the AI technology space advances further.
    • She commented that data privacy regulation provides many necessary tools for protecting the public.
  • She stated that the adoption of data minimization rules would ensure that companies make reasonable decisions regarding which data to collect, the purposes for which data may be used, and the length of time that data may be stored.
    • She commented that these requirements would empower both lawmakers and the public to demand basic accountability from companies.
  • She discussed how Microsoft is currently developing its Recall AI feature that takes continuous screenshots of all computer activities and asserted that Microsoft must address whether this feature’s utility outweighs the vulnerabilities it creates.
    • She mentioned how a security researcher had found that it is “scarily trivial” for an attacker to use malware to extract a record of everything ever viewed on a computer.
  • She asserted that a strong data minimization mandate would have likely disincentivized Microsoft from ever developing its Recall AI feature, which she called “patently insecure.”
  • She also stated that data minimization rules would provide transparency regarding corporate data collection decisions.
    • She noted how Meta and Google have recently announced updates to their terms of service that allow them to train AI systems using user data and indicated that this update had only been publicized because of disclosures to European users required under EU requirements.
    • She also noted how Reddit user content had recently been sold to Google to train the company’s AI systems.
  • She further remarked that purpose limitation rules would prevent large technology companies from using AI technology as a “catch all justification” to use and combine data across all contexts and to store the collected data forever.
    • She mentioned how the FTC has already penalized Amazon for using AI technology as an excuse to store the voice data of children indefinitely.
  • She asserted however that the U.S. cannot rely upon single case enforcement actions to protect consumer data and called for the U.S. to establish clear privacy rules.
    • She commented that privacy rules would safeguard consumer privacy and serve as a check on the data advantages of large technology companies seeking to prevent competition within the AI space.
  • She then remarked that a data privacy mandate would force AI developers to make data choices that deliberately prevent discriminatory outcomes.
    • She noted how women see fewer advertisements in Google Ads for higher paying jobs and asserted that this situation is a feature of Google’s upstream data decisions.
  • She stated that these discriminatory outcomes are avoidable and that federal data privacy legislation should prohibit discriminatory practices within AI systems.
  • She lastly discussed how AI systems are very expensive to develop and operate and stated that viable business models for these AI systems do not yet exist.
    • She warned that this environment creates incentives for companies to develop predatory business models.
    • She noted how research indicates that LLM systems can make hyper-personalized inferences about consumers and expressed concerns that these systems may result in surveillance advertising business models.
  • She concluded that the current trajectory of AI technology is not inevitable and that the U.S. has an opportunity to regulate AI technology in a manner that promotes the public interest.

Mr. Udbhav Tiwari (Mozilla):

  • He remarked that his testimony would discuss the “urgent need” for comprehensive privacy legislation, the importance of data minimization, and the role of privacy-enhancing technologies in fostering responsible AI technology development.
  • He discussed how his organization, Mozilla, builds the open-source Firefox web browser, Mozilla VPN, and Solo (which is an AI-powered website builder).
    • He noted how hundreds of millions of people around the world use these products and commented that Mozilla’s mission is to ensure that the internet is a global public resource that is open and accessible to all.
  • He stated that comprehensive data privacy legislation is “foundational” to any AI policy framework and that U.S. leadership in AI technology requires the U.S. to lead on privacy and user rights.
  • He asserted that privacy is a “critical component” of AI policy because AI systems can accelerate privacy-related harms and the drive to develop advanced AI models has intensified the demand for vast amounts of personal information.
    • He warned that this data collection (which is often performed without adequate consent or via deceptive practices) poses significant risks to individual privacy and security.
  • He remarked that the U.S. should champion policies that promote innovation, create “clear rules of the road” for companies, and protect fundamental user rights.
    • He commented that this approach would support the creation of a competitive and fair market for the U.S. AI technology industry and prepare domestic AI technology companies for global leadership in the AI technology space.
  • He stated that data minimization should be a core element of federal data privacy legislation and explained that data minimization would ensure that only necessary data is collected and used for specific purposes.
    • He commented that data minimization in the context of AI can be achieved through several strategies, including informed consent and assurances that there will be “privacy by design.”
  • He then remarked that technical advances must work in coordination with legislative solutions to create a safer and more private future.
    • He asserted that the U.S. requires a “significant investment” in privacy enhancing technologies to develop AI systems that respect and protect individual privacy.
  • He argued that openness and open-source features are essential for improving verifiable and meaningful privacy in AI technologies.
    • He commented that open approaches play a “vital role” in promoting innovation and preventing the concentration of power in a small number of companies.
    • He also commented that open approaches enable the economic benefit of AI technology to be more widely shared among businesses of different sizes and capabilities, which will result in increased investment and job creation.
    • He further commented that open approaches allow for diverse input and collaboration, which fosters the development of privacy-preserving techniques that can benefit everyone (rather than relying upon security through obscurity).
  • He then acknowledged that online manipulation, targeted scams, and online surveillance are not new risks within the digital space but warned that AI technologies can exacerbate these harms through enabling profiling, manipulation, bias, discrimination, deep fakes, and identity misuse.
  • He asserted that comprehensive federal data privacy legislation is needed to mitigate the aforementioned risks.
    • He added that this legislation should be accompanied by strong regulatory oversight and continued investments in privacy enhancing technologies.
  • He also stated that the U.S. must ensure that AI systems are transparent and accountable with mechanisms in place to address privacy violations and provide recourse for impacted individuals.
    • He commented that these systems should be underpinned by disclosure and accountability.
  • He further remarked that the risk that AI technology poses to civil liberties cannot be understated and warned that large technology companies can use this technology to infringe upon the privacy of individuals.
  • He asserted that principles that protect civil liberties should guide AI technology’s development and deployment.
    • He indicated that these principles include safeguarding freedom of expression, preventing unlawful surveillance, and ensuring that AI systems do not perpetuate discrimination or bias.
  • He concluded that comprehensive legislation is required to protect consumer privacy in the current AI landscape and that the U.S. must strike a balance between innovation and consumer protection.

Mr. Morgan Reed (ACT | The App Association):

  • He remarked that the U.S. needs a federal data privacy law and mentioned how his trade association, the App Association, supports the creation of a balanced and bipartisan framework that would provide consumers with certain protections and businesses with clear rules.
  • He lamented how there currently exists a “global array” of mismatched and conflicting laws governing data privacy.
    • He noted how this policy landscape includes almost two dozen state-level comprehensive data privacy laws with additional state laws being adopted every year.
  • He remarked that a federal data privacy law must include strong preemption requirements without “vague” exceptions in order to prevent confusion and regulatory burdens.
  • He also asserted that a federal data privacy law must apply to small businesses so that customers can trust that data is being protected when they engage in business with a company of any size.
    • He criticized APRA’s non-inclusion of small businesses in the legislation’s definition of covered entities and asserted that this approach would prevent the App Association’s members from benefiting from the legislation’s preemption provisions.
    • He noted that APRA would require small businesses to comply with state privacy laws (including future state privacy laws) and warned that this approach would expose his trade association’s members to costly state-by-state compliance and “unreasonably high” litigation costs.
  • He discussed how all companies now use customer data and have customers from multiple states.
    • He warned that APRA’s small business exception would force small businesses to have a passing familiarity with all of the various state privacy laws that apply to their customers.
  • He further raised concerns that APRA may incent small businesses to sell customer data in order to gain the benefit of federal preemption.
    • He asserted that Congress should instead move forward with a privacy framework that incorporates small businesses and that creates a pathway to compliance for these small businesses.
  • He then discussed how small businesses have been faster adopters of AI technology as compared to larger businesses.
    • He testified that more than 90 percent of the App Association’s members currently use generative AI tools and indicated that these tools have resulted in an average increase in productivity of 80 percent.
  • He further stated that the App Association’s members that develop AI solutions are nimbler than their larger rivals.
  • He remarked that the experiences of App Association members should play a major role in informing policymakers on how any new laws should apply to AI technology’s development and use.
    • He highlighted how App Association member SwineTech is using AI technology to support the management of hog farms.
    • He also highlighted how App Association member Metric Mate uses a combination of off-the-shelf and custom fitness trackers to help individuals and physical therapists to track and refine fitness goals using AI technology.
  • He stated that policymakers must target AI regulation to situations where a substantial risk of concrete harm exists.
    • He commented that the risks posed by AI applications focused on hog management should not be treated the same as the risks posed by AI applications in the health care and wellness sectors.
  • He then remarked that standards are a valuable way for innovators to make interoperable products that can compete with the largest companies.
    • He asserted that the NIST must remain a supporter (rather than an arbiter) of voluntary industry-led standards.
  • He also stated that the Committee should be aware of how SEP abuse threatens small businesses.
  • He noted how non-U.S.-based companies obtain the most U.S. patents every year and asserted that federal policy must combat abuse of patent licensing in standards through ensuring that licenses are available to any willing licensee “on fair, reasonable, and non-discriminatory terms.”
    • He warned that the U.S.’s failure to address this issue would result in foreign companies with different perspectives on human rights owning and running the next generation of AI standards.

Congressional Question Period:

Full Committee Chairman Maria Cantwell (D-WA):

  • Chairman Cantwell first expressed interest in having Mr. Reed elaborate on his concerns regarding SEP abuse for the hearing’s record. She commented that Congress has previously been overly partial to large companies on patent issues. She then discussed how online advertising revenue has been growing in recent years and indicated that online advertising now accounts for 68 percent of all U.S. advertising revenue. She added that online advertising revenue growth is likely to continue for the foreseeable future. She expressed concerns that this trend will impact the news media landscape and reduce checks against misinformation. She also discussed the large amount of information that is currently available on consumers and raised concerns that AI technology provides the capacity to derive sensitive insights about consumers using this information. She asked Mr. Calo to discuss the importance of protecting consumer privacy given the growth of online advertising and the new capabilities that AI technology provides.
    • Mr. Calo noted that AI technology has many promising applications (such as breast cancer screening and treatment) but stated that AI technology is also allowing companies to derive sensitive insights in a manner that disadvantages consumers. He added that consumers are powerless to fight back against these corporate misuses of AI technologies. He remarked that AI technology could enable companies to set prices at a level that matches a customer’s maximum willingness to pay. He asserted that this capability is not far-fetched. He mentioned how Uber had once experimented to determine whether customers would be more willing to pay higher prices when the phones of these customers had low-charged batteries. He also mentioned how Amazon has previously charged returning customers higher prices. He raised concerns that companies will seek to use AI technology to extract additional consumer surplus. He stated that data minimization requirements could help to address this problem.

Sen. Roger Wicker (R-MS):

  • Sen. Wicker asked Mr. Reed to identify which type of business creates the most jobs in the U.S.
    • Mr. Reed noted how small businesses are the single largest source of new jobs in the U.S.
  • Sen. Wicker expressed interest in how potential federal data privacy legislation would impact small businesses. He asked Mr. Reed to indicate whether small businesses often sell their products online to people in multiple states.
    • Mr. Reed answered affirmatively. He highlighted how the App Association’s smallest members still engage in global commerce and noted how the internet enables small businesses to reach customers around the world. He called APRA’s small business carve out problematic because it would create compliance challenges for small businesses.
  • Sen. Wicker interjected to comment that federal data privacy legislation should apply the same to all actors. He then asked Mr. Reed to address how a federal data privacy law with a preemption clause containing exceptions would impact small businesses.
    • Mr. Reed remarked that very large companies that hire large numbers of lawyers are the best-equipped companies to navigate complex compliance regimes. He asserted that the U.S. needs a data privacy compliance regime and preemption regime that is easy-to-understand. He emphasized that the App Association’s small business members generally lack dedicated compliance employees or lawyers.
  • Sen. Wicker also asked Mr. Reed to address how a federal data privacy law containing a broad private right of action would impact small businesses.
    • Mr. Reed stated that there might exist occasional privacy-related situations that necessitate a private right of action but asserted that a private right of action should be limited in scope. He warned that a data privacy regime with a broad private right of action would make small businesses vulnerable to frivolous lawsuits. He elaborated that small businesses would be more prone than large businesses to settle these frivolous lawsuits because the cost of settlement would be much lower than the cost associated with defending against the lawsuits in court.
  • Sen. Wicker then mentioned how Mr. Calo’s testimony had asserted that it would be unrealistic and wasteful to expect technology companies to comply with a “patchwork” of state data privacy laws based on where their users are located. He noted how some advocates for federal data privacy legislation have argued that such legislation should allow for states to maintain more robust data privacy standards. He asked Mr. Calo to address whether permitting states to maintain more robust data privacy standards would perpetuate the current “patchwork” of state data privacy laws.
    • Mr. Calo remarked that his ideal approach for data privacy would be to have the federal government set baseline data privacy standards and to permit states to enact enhanced data privacy standards. He stated however that it is very difficult to deploy large global systems in a manner that treats users differently based on their location.
  • Sen. Wicker interjected to raise concerns that allowing states to maintain more robust data privacy standards would create compliance challenges for companies. He also asked Mr. Reed to address how the U.S. could determine whether state data privacy laws are more protective than federal data privacy laws.
    • Mr. Reed expressed agreement with Sen. Wicker’s concerns over proposals to permit states to maintain more robust data privacy standards.

Full Committee Chairman Maria Cantwell (D-WA):

  • Chairman Cantwell interjected to comment that Mr. Calo’s testimony argues that it is not realistic to permit states to maintain their own data privacy policies and that federal preemption of state data privacy laws is needed.

Sen. Jacky Rosen (D-NV):

  • Sen. Rosen discussed how Americans are generating an unprecedented amount of online data and raised concerns that bad actors will use AI technology to generate more effective scams. She highlighted how these AI technology-enabled scams often target senior citizens and veterans. She asked Ms. Kak and Mr. Calo to discuss how the enactment of a federal data privacy law would better protect individuals from AI technology-enabled cyberattacks and scams.
    • Ms. Kak remarked that many generative AI technologies are moving to market before the technologies are ready for commercial release. She commented that these AI technologies are resulting in diffuse harms, including the proliferation of deceptive and spam content. She asserted that a federal data privacy law would address these concerns through establishing rules governing AI technology (including data collection and training practices). She stated that these rules would ensure that companies do not create inaccurate and misleading AI tools that are integrated into sensitive social domains (such as banking, health care, and hiring). She further discussed how poor application outputs are largely attributable to poor application data inputs. She asserted that it is therefore important to address the data being used to train and develop AI models.
  • Sen. Rosen interjected to note that her question period time is limited. She asked Mr. Calo to briefly respond to her previous question.
    • Mr. Calo remarked that the U.S. must empower federal regulators (such as the FTC) to pursue abuses involving AI technology (including AI technology-enabled scams).
  • Sen. Rosen then expressed interest in exploring data ownership policies and noted how Americans currently lack the right to access, correct, or delete their data. She stated that the current supply chain of consumer data contains numerous “loopholes” that allow for third parties to sell consumer data to the highest bidder. She asked Mr. Tiwari to indicate whether transparent AI systems could exist without strong federal data privacy regulations (including consumer control over their own personal data).
    • Mr. Tiwari answered no. He called it impossible for users to effectively exercise their rights over their own data and social experiences without knowing the data that companies are collecting, how their data is being used, and their rights to respond to any potential real-world harms. He stated that the U.S.’s lack of effective and comprehensive federal data privacy legislation limits the U.S.’s ability to address potential harms caused by consumer data misuse.

Sen. Marsha Blackburn (R-TN):

  • Sen. Blackburn recounted how she had introduced the first legislation to require businesses to protect the security of consumer data, to provide data breach notifications, and to allow for the FTC and state attorneys general to hold companies accountable for violations of consumer data while serving in the U.S. House of Representatives. She mentioned how she had worked on this effort with Sen. Peter Welch (D-VT) (who was also serving in the U.S. House of Representatives at the time). She called it important to know which parties own data on consumers and how these parties are using this data. She stated that the growth of AI technology increases the importance of passing federal data privacy legislation. She mentioned her work on the bipartisan NO FAKES Act of 2024, which would protect the voice and visual likeness of individuals from unauthorized use by generative AI applications. She also mentioned her work on the COPIED Act, which would require consent to use material with content provenance to train AI systems. She asked the witnesses to address how Congress would be limited in legislating if the U.S. does not have a data privacy standard. She also asked the witnesses to discuss how the U.S. should ensure that Americans have privacy and data security so that people can keep their information from being used by open-source applications and LLMs.
    • Mr. Calo noted how the Pew Research Center’s surveys suggest that “overwhelming” percentages of Americans are worried that their personal data will be used in concerning and surprising ways. He asserted that Americans will not feel comfortable and safe if Congress does not pass data privacy legislation that covers both sensitive data (such as health care data) and the inferences that can be derived from this data. He stated that data security and data privacy must be addressed together and highlighted how the U.S. has experienced numerous data breaches and ransomware attacks. He concluded that U.S. consumer data is vulnerable and that the U.S. must establish clear data privacy rules.
    • Ms. Kak remarked that the incentives for irresponsible consumer data surveillance have existed for the last decade. She stated that AI technology accelerates these incentives, which exacerbates the U.S.’s privacy and security harms and risks. She then remarked that privacy and security are interconnected in nature and noted how data that is never collected, or that is deleted post-collection, will not be at risk for a security breach. She contended that a strong data minimization mandate is essential, especially given how bad actors are increasingly using consumer data in nefarious ways.
    • Mr. Tiwari remarked that hundreds of millions of people use Mozilla’s products because of the privacy properties of the products. He warned that the U.S.’s failure to provide a consistent data privacy standard would prevent Congress from ensuring that Americans receive sufficient privacy rights and that U.S. companies will be globally competitive.
    • Mr. Reed remarked that data privacy laws should include a data security provision. He stated that data hygiene is “critical” but asserted that data hygiene is different from a prohibition on data processing. He commented that policymakers should be cognizant of this distinction.

Sen. John Hickenlooper (D-CO):

  • Sen. Hickenlooper remarked that state data privacy laws and federal data privacy proposals both provide consumers with control over their personal data (including the right to have their data deleted). He stated however that consumers lack the time and expertise to manage all of their online data. He noted how APRA proposes to minimize the collection of personal data and to offer consumer-facing data controls (such as data deletion request capabilities). He asked Mr. Calo to address how these two approaches work in tandem to protect consumers.
    • Mr. Calo discussed how the U.S. provides consumers with information, choices, and substantive limits in other consumer protection contexts. He asserted that the U.S. should apply these principles to consumer data privacy. He stated that consumers should have control of their own data and be asked before their data is used in a separate context. He also stated that there should exist baseline rules for using consumer data because it is impractical for consumers to unilaterally police the use of their data.
  • Sen. Hickenlooper then expressed interest in exploring the recent advances in generative and traditional AI technologies and stated that the use of data is driving these advances. He asserted however that AI system training cannot come at the expense of consumer privacy. He commented that data minimization requirements would reduce the likelihood that data privacy and data security harms could occur. He highlighted how the U.S. Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Consumer Protection, Product Safety, and Data Security (for which he serves as Chairman) has considered data privacy and data security issues. He asked Ms. Kak to estimate how often consumer data is unnecessarily exposed within AI models. He also asked Ms. Kak to indicate whether data minimization requirements could help control these unnecessary consumer data exposures.
    • Ms. Kak first remarked that it remains unknown as to how often consumer data is unnecessarily exposed within AI models. She elaborated that there is no transparency around whether consumer data is being used in these AI models and how this data is being protected. She stated however that many large technology companies (such as Meta and Google) are changing their terms of service at will and have indicated that they are now using consumer data to train their AI models. She further noted that many chatbots are routinely leaking the personal data upon which they were trained. She remarked that technology companies are engaging in “irresponsible” data collection and data use. She stated that one benefit of the U.S.’s failure to enact federal data privacy legislation is that the U.S. can observe which foreign data privacy policies are not working and avoid adopting these policies. She asserted that consent-only-based data privacy regimes have not worked, which underscores the need for accountability. She also highlighted how Brazil had recently banned Meta from using user data to train its AI models because this data included children’s images that were being leaked. She commented that the U.S. could learn from these foreign experiences in developing its own federal data privacy law.
  • Sen. Hickenlooper then discussed how the EU’s General Data Protection Regulation (GDPR) has been in effect for about half a decade. He noted how the EU has amended its GDPR in subsequent years. He asked Mr. Tiwari to address how the U.S. could resume its global leadership on data privacy issues without a federal data privacy law.
    • Mr. Tiwari noted how there are at least 140 countries that have national data privacy laws. He remarked that the U.S.’s lack of a national data privacy law prevents U.S. companies from effectively competing with foreign companies based in countries with such national data privacy laws. He asserted that data privacy has become a competitive differentiator. He stated that consumers seek out Mozilla’s Firefox product based on its privacy properties. He warned that the U.S.’s lack of baseline data privacy standards for companies will disadvantage small and medium-sized U.S. companies in competing with foreign companies.

Sen. Jerry Moran (R-KS):

  • Sen. Moran called the passage of federal data privacy legislation “long overdue” and lamented how Congress has not yet passed such legislation. He mentioned how he had reintroduced the Consumer Data Privacy and Security Act in the current 118th Congress. He explained that this legislation would provide Americans with control over their own data, establish a single clear federal standard for data privacy, and provide for robust enforcement of data privacy protections that would not result in frivolous lawsuits. He expressed his willingness to work with any and all Committee Members to develop federal data privacy legislation. He then stated that any federal data privacy requirements should be shared by consumer-facing entities, service providers, and third parties that collect or process consumer data. He warned that exempting any of the aforementioned entities from these requirements or enforcement under federal data privacy legislation would impose an unfair burden on consumer-facing entities (particularly small businesses). He asked Mr. Reed to indicate whether all parties that collect or process data should have similar regulatory burdens.
    • Mr. Reed answered affirmatively. He remarked however that Congress should make clear that all parties have responsibility for protecting consumer data. He stated that consumers should be able to control their data with the entity that they have first contact with. He expressed concerns that an entity that collects or processes data might seek to shirk their responsibilities and pass consumer data requests along to another entity that is involved with their data. He reiterated that Congress must ensure that all parties that collect or process data have responsibilities for protecting consumer data.
  • Sen. Moran asked Mr. Reed to address how Congress could avoid the shirking of responsibility for consumer data protection amongst entities that collect or process data.
    • Mr. Reed remarked that the shirking of responsibility for consumer data protection could be avoided through having a clear and concrete discussion with the customer when the customer provides data to a covered entity. He stated that a federal data privacy law would help inform customers about their data rights and companies about their data responsibilities. He reiterated that all parties that collect or process data should have responsibilities for protecting consumer data.
  • Sen. Moran then mentioned how 19 states have passed their own data privacy laws. He commented that this “patchwork” of state data privacy laws results in greater compliance costs for businesses. He mentioned how one estimate projects that compliance costs for businesses could reach $239 billion annually if Congress fails to enact a federal data privacy law. He noted that his state of Kansas does not have its own data privacy law but indicated that Kansas borders two states that do have such laws. He asked Mr. Reed to describe the challenges that small businesses face when working in states with different data privacy standards.
    • Mr. Reed noted how many Kansas businesses have mostly out-of-state customers, which can create data privacy compliance challenges for the businesses. He acknowledged that some states do exempt small businesses from their data privacy laws but indicated that the definitions of small businesses vary across these laws. He stated that it is very difficult for small businesses to collect customer residence information and adjust their data privacy standards to customers based on the residences of their customers. He commented that larger companies are much better equipped than small businesses to handle these compliance challenges.
  • Sen. Moran then called it important for Americans to understand when companies collect and process their data. He mentioned how his data privacy legislation would require covered entities to publish their privacy policies in easy-to-understand language and to provide easy to use means to exercise their right to control their data. He asked Mr. Tiwari and Ms. Kak to address how a federal policy could ensure that consumers are aware that their data is being used, even as AI technology increases the complexity of how consumer data is processed.
    • Mr. Tiwari remarked that purely relying upon consumer consent for data privacy has been an ineffective approach for protecting consumer privacy. He stated that technology has become such a complex endeavor that it has become unreasonable to expect a consumer to understand everything that can happen when their data is collected. He contended that any effective federal privacy legislation must limit what covered entities can do with collected data, regardless of whether a consumer has consented to certain behaviors. He commented that this approach would ensure that consumer privacy is actually being protected.
    • Ms. Kak remarked that merely providing transparency for how consumer data is being used would be insufficient for protecting consumers. She highlighted how several federal data privacy legislative proposals under consideration would provide rules for consumer data privacy that would automatically apply, regardless of consumer consent.

Sen. Ted Budd (R-NC):

  • Sen. Budd remarked that technological leadership is foundational to the U.S.’s dominance in the 21st century. He discussed how the U.S. provides a regulatory environment that protects the public interest and safety while providing entrepreneurs and specialists the freedom to experiment. He asserted that the U.S. should provide a similar regulatory environment for AI technology. He noted how Mr. Reed’s opening testimony had discussed how App Association members are creating and deploying AI tools and had indicated that 75 percent of the trade association’s surveyed members reported using generative AI applications. He asked Mr. Reed to indicate whether there currently exists a “healthy” amount of competition within the AI technology space.
    • Mr. Reed described the level of competition against larger companies within the AI technology space as “profound.” He stated that small and medium-sized companies are using AI applications more than larger companies. He then discussed how AI technology can enable small businesses to better write their contract bids, which will enable the small businesses to expand their businesses. He stated that the U.S. must ensure that AI applications can use the private data of companies to help the companies.
  • Sen. Budd then raised concerns over the FTC’s antitrust policy and commented that this policy appears to be focused against vertical integration. He warned that this policy may have a “chilling effect” on the ability of the App Association’s members to develop and deploy new and better AI services. He asked Mr. Reed to opine on the FTC’s antitrust policy.
    • Mr. Reed described the FTC’s recent premerger notification proposed rule as “terrible.” He asserted that the FTC’s proposed rule would put small businesses at a “huge” disadvantage through establishing a floor for a potential acquisition. He discussed how venture capitalists tend to invest in a portfolio of companies with the expectation that most of these companies will fail. He stated that the FTC’s proposed rule would discourage venture capitalists from investing in AI companies because their returns could be capped. He also remarked that the FTC’s proposed rule would violate the Regulatory Flexibility (Reg Flex) Act because the FTC had not considered the proposed rule’s impact on small and medium-sized businesses. He expressed hope that the FTC will change or rescind this policy.
  • Sen. Budd then asked Mr. Reed to address how the Committee should balance the need for companies to have the ability to use responsibly collected consumer data with consumer concerns that their sensitive data may be breached or improperly used.
    • Mr. Reed remarked that the Committee should pass comprehensive data privacy legislation that is bipartisan. He commented that such legislation would provide businesses with clear rules for handling consumer data. He stated that data hygiene and data minimization issues would need to be part of comprehensive data privacy legislation. He recommended that the Committee focus their work on data privacy legislation on the concept of harms. He elaborated that the Committee should identify harms being committed and ways to use existing law enforcement mechanisms to pursue these specific harms. He stated that it would be easier to base the U.S.’s data privacy framework on existing law enforcement mechanisms than to establish entirely new law enforcement mechanisms.

Sen. Amy Klobuchar (D-MN):

  • Sen. Klobuchar remarked that while AI technology could support many potential benefits, she asserted that Congress must adopt guardrails for AI technology to ensure that potential harms do not exceed these benefits. She noted how Mr. Calo’s testimony had discussed how companies can collect large amounts of non-sensitive consumer information and use AI applications to make sophisticated inferences about the private health information of consumers with “alarming accuracy” based on this non-sensitive information. She asked Mr. Calo to discuss how data minimization requirements could ease the burden on consumers seeking to protect their privacy.
    • Mr. Calo noted how most data privacy laws differentiate between sensitive categories of information (such as health status) and less sensitive categories of information (including public information). He remarked that the problem with AI systems is their ability to make sensitive inferences based on non-sensitive information. He stated that data minimization requirements would restrict the overall amount of information that could be collected on consumers and the categories for which the information could be used. He recommended that the U.S. define categories of sensitive information to include both sensitive information itself and sensitive inferences that are derived from AI applications.
  • Sen. Klobuchar interjected to ask Mr. Tiwari to respond to her previous question. She also asked Mr. Tiwari to address whether comprehensive data privacy legislation would influence AI technology developers and users to adopt more privacy-preserving systems.
    • Mr. Tiwari mentioned how Mozilla had recently acquired Anonym. He explained that Anonym takes privacy-preserving technologies and performs operations within trusted execution environments in a manner that no parties (including the entity providing the data, Anonym, and the entity using the data) can see the data. He stated that these privacy-preserving technologies reduce data collection, minimize risks to consumers, and reduce risk and liability for companies.
  • Sen. Klobuchar then mentioned how she had proposed the bipartisan Artificial Intelligence Research, Innovation, and Accountability Act of 2023 to increase transparency and accountability for the riskiest non-defense applications of AI technology. She explained that the legislation would direct the U.S. Department of Commerce to set minimum testing and evaluation standards for AI systems that pose the highest risks (such as critical infrastructure management systems). She also noted how this legislation would require AI technology deployers to submit regular risk assessments and transparency reports to the U.S. Department of Commerce that include documentations of the AI data being used for training purposes. She asked Ms. Kak to indicate whether providing transparency on the datasets used to train commercially available models could improve the protection of consumer privacy and ensure more reliable AI systems.
    • Ms. Kak answered affirmatively. She noted how large technology companies have argued that policymakers should only focus on the output stage of their AI models and not focus on the training stage of these models. She disputed these arguments from the large technology companies. She remarked that the U.S. should ensure that AI models have transparency and that AI models are tested and evaluated throughout their lifecycles. She further asserted that regulators and public bodies (rather than the companies themselves) should set the metrics used to evaluate AI models.
  • Sen. Klobuchar then indicated that she would submit questions on voice cloning scams and children’s privacy for the hearing’s record.

Sen. J.D. Vance (R-OH):

  • Sen. Vance discussed how AI technology poses certain safety concerns and stated that AI technology could support chatbots that enable predators to more easily prey on children online. He expressed concerns however that these legitimate concerns are being used to justify the overregulation of AI technology. He warned that this overregulation would entrench incumbent large technology companies and make it more difficult for new market entrants to create innovations. He asked Mr. Reed to opine on these concerns. He also mentioned how corporate executives (often from large technology companies) will argue that AI technology poses safety problems and that Congress must therefore swiftly regulate AI technology. He raised concerns that swift action from Congress to regulate AI technology would advantage incumbent large technology companies at the expense of U.S. consumers.
    • Mr. Reed expressed agreement with Sen. Vance’s concerns and commented that large technology companies are seeking to shape the U.S.’s regulatory environment for AI technology. He then discussed how AI technology is currently improving the capabilities of small businesses and highlighted AI technology’s ability to improve inventory management practices. He also raised concerns over proposals to restrict the ability of companies to make inferences on sensitive data using AI models. He stated that AI technology is needed to develop inferences about the health and well-being of Americans so that the U.S. can address SDOH. He asserted that the U.S. should not pursue blanket bans on the ability of AI models to make inferences on consumers. He remarked that Congress should focus on the potential harms of AI technologies as it develops a federal policy framework for AI technology.
  • Sen. Vance then remarked that a key benefit of the U.S.’s federal system is that it allows states to experiment with policies. He commented that this dynamic can enable the federal government to pursue already tested policies and identify failed policies to avoid pursuing. He asked Mr. Reed to identify which states have adopted well-performing data privacy policies.
    • Mr. Reed remarked that the structural consumer data privacy model that has worked best so far is the model adopted by Virginia, Colorado, Connecticut, Delaware, Montana, and Oregon. He recommended that the federal government base their consumer data privacy framework on this model. He stated that the U.S. cannot maintain multiple consumer data privacy frameworks and that the U.S. must have a universal framework for consumer data privacy.

Sen. Eric Schmitt (R-MO):

  • Sen. Schmitt remarked that AI technology has significant implications for the U.S. government, the U.S. economy, and Americans. He stated that AI technology has the potential to transform many commercial applications and is already playing a “pivotal” role in many aspects of the U.S.’s national security apparatus. He mentioned how his home city of St. Louis is helping to lead AI technology innovation through Scale AI. He stated that Scale AI has innovative data annotation and curation systems and an innovative advanced model testing and evaluating approach. He highlighted how Scale AI is partnering with important government entities (such as the U.S. National Geospatial-Intelligence Agency (NGA)) and commercial applications (such as OpenAI) to improve AI modeling. He mentioned how Axios had recently reported that U.S. private sector investments in AI technology outpace every other leading nation and more than double the investments in AI technology from China. He remarked that while targeted measures to address AI technology may be warranted where current gaps in law may exist, he cautioned the U.S. against an “over reactive” approach to AI technology. He asserted that any new laws must not hinder investments in private sector AI innovation. He raised concerns however that the Biden administration’s proposed approach to AI technology and proposed Congressional AI technology policies would threaten investments in AI technology. He stated that the U.S. requires both large and small companies to pursue AI technology innovations and cautioned that only large companies could comply with “sweeping” AI technology regulatory regimes. He commented that large technology companies support current AI policy proposals because they are uniquely situated to comply with them. He asserted that there exists an “unholy alliance” between the Biden administration and large technology companies to “crowd out” future competition within the AI technology space. 
He further raised concerns that the Biden administration’s AI technology policies constitute a “backdoor attempt” to use regulators to silence their political opponents. He mentioned how he had recently led a letter with Senate Minority Leader Mitch McConnell (R-KY), Senate Minority Whip John Thune (R-SD), and Full Committee Ranking Member Ted Cruz (R-TX) calling out the U.S. Federal Communications Commission (FCC) for seeking to police the contents of political advertising leading up to the 2024 elections through regulation of AI technology. He then remarked that the Committee should consider whether there are existing laws that can address current AI technology policy concerns. He stated that the U.S. maintains many existing laws that address conflicts involving AI technology. He noted how mail fraud is currently illegal and commented that it should not matter whether a person uses AI technology or a physical pen to commit mail fraud. He stated that other countries have prematurely attempted to overregulate AI technology and asserted that the U.S. should not take a similar approach. He remarked that Congress must focus on addressing the current gaps in the U.S.’s regulatory system for AI technology rather than establish an entirely new regulatory regime for AI technology. He asked Mr. Reed to indicate what purely new regulations are needed to address AI technology based on the current gaps in the U.S.’s regulatory system.
    • Mr. Reed remarked that federal data privacy legislation should clearly define the responsibilities for businesses in terms of how they communicate to consumers and how they use consumer data. He discussed how consumers are concerned that their data will be used in unexpected and harmful ways and commented that businesses are responsible for these concerns. He noted how current regulations prescribe different ways for businesses to communicate with their customers on their data use practices. He remarked that federal data privacy legislation should therefore prescribe communications practices for businesses regarding their use of customer data, require businesses to meet their consumer data use expectations, and make use of existing laws to pursue businesses that fail to satisfy their consumer data use expectations.
  • Sen. Schmitt asked Mr. Tiwari to indicate whether he agrees with Mr. Reed’s previous response.
    • Mr. Tiwari expressed agreement with Mr. Reed’s previous response. He remarked that Americans understand the benefits of privacy legislation based on their experience with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Children’s Online Privacy Protection Act of 1998 (COPPA). He commented that these laws have been “remarkably effective” at preventing serious harms. He stated that comprehensive federal data privacy legislation would help to ensure that all Americans have their privacy protected.
  • Sen. Schmitt then asked Mr. Reed to discuss how potential federal regulation of AI technology may disproportionately impact smaller entities that lack the same level of resources as larger technology companies.
    • Mr. Reed noted how there have been calls for the establishment of a federal agency that would license LLMs. He commented that the companies that would be best situated to obtain these licenses would be the very large technology companies. He remarked that data privacy legislative proposals with restrictive requirements would prevent small businesses from entering the AI technology space. He stated that highly vertically-integrated companies that possess a large amount of customer data are more accepting of regulations because they already have permission to use data from their customers.
  • Sen. Schmitt asked Mr. Reed to discuss how a concentration of power among large technology companies within a highly regulated environment would impact privacy, competition, and consumer choice within the AI technology industry.
    • Mr. Reed remarked that a concentration of power among large technology companies within a highly regulated environment would impact consumer choice within the AI technology industry. He stated however that successful LLMs are important and that there should not be legislation banning large companies from building these models. He remarked that federal data privacy legislation should consider the existing law enforcement infrastructure to address harms within the AI technology space. He warned that the establishment of an entirely new regulatory regime for AI technology would prevent small companies from challenging current incumbents within the AI technology space.
  • Sen. Schmitt asked Mr. Reed to indicate whether the establishment of an entirely new regulatory regime for AI technology could advantage U.S. adversaries who might develop or adopt a more lenient approach to AI technology regulation.
    • Mr. Reed answered affirmatively. He remarked that the AI technology ecosystem is global in nature and that the U.S. must compete within this ecosystem. He highlighted how the App Association’s members sell their products around the world. He warned that restricting access to AI technology would therefore undermine the U.S.’s global competitiveness.

Sen. Peter Welch (D-VT):

  • Sen. Welch expressed interest in exploring the issues of meaningful consumer notification and consent for consumer data use and how consumer information is being used. He discussed how massive datasets that involve data scraped from across the internet are training LLMs and indicated that this data can include private information and personally identifiable information (PII). He mentioned how researchers have found that ChatGPT could be tricked into divulging training data, including user internet protocol (IP) addresses, emails, and passwords. He asserted that software patches are an insufficient solution for addressing this problem. He mentioned how he had introduced the AI CONSENT Act, which would require online platforms to obtain expressed informed consent from consumers before using their personal data to train AI systems. He asked Mr. Tiwari to indicate whether it is more effective to provide consumers with the ability to opt-in to providing permission to companies to use their data or the ability to opt-out of providing permission to companies once their data is already being used.
    • Mr. Tiwari mentioned how the Mozilla Foundation has run campaigns in recent months calling for companies to be transparent about whether they are using consumer data to train AI models and to ensure that users have complete control over the use of their data. He elaborated that this complete control entails providing users with the ability to consent to corporate usage of their data and the ability to withdraw this consent at will. He remarked that private information leakage risks would “drastically” decline if users are given the ability to understand what their data is being used for and the ability to choose whether companies could use their data.
  • Sen. Welch then discussed how small businesses lack the same resources and infrastructure as large businesses to handle consumer data. He stated that the U.S. does not want to impose significant expenses on small businesses. He stated however that the U.S. also wants to ensure that the privacy of consumers is protected. He asked Mr. Calo to provide recommendations for how the U.S. could ensure that consumer privacy is protected without burdening small businesses. He suggested that a pilot program or a set of prescribed actions could help to ensure the protection of customer data.
    • Mr. Calo acknowledged that small businesses lack the capacity to comply with the same consumer data privacy requirements and at the same level as large businesses. He mentioned how his organization, the UW Tech Policy Lab, had hosted the Start with Security series with the FTC several years ago. He noted how the FTC had asserted that it would be unfair and deceptive for a business to lack security that is at a proportionate level to their data holdings. He noted how the FTC had used its Start with Security series to convey their expectations for smaller companies. He remarked that the U.S. should support small businesses in complying with the U.S. government’s expectations for data privacy. He stated that the U.S. should maintain a tiered system for consumer privacy rules. He commented that large technology companies (such as Google, Meta, and Amazon) have the capacity to comply with far more rigorous data privacy rules than small businesses.
  • Sen. Welch then mentioned how he had introduced the Digital Platform Commission Act of 2023. He explained that this legislation would establish an independent federal commission to regulate digital platforms (including the regulation of AI and data privacy concerns). He stated that the rationale for this legislation is that Congress cannot keep pace with technological innovations and cannot rely upon passing new bills to address these innovations. He commented that Congress had taken similar approaches to overseeing financial markets and the aviation industry when it had established the U.S. Securities and Exchange Commission (SEC) and the U.S. Federal Aviation Administration (FAA), respectively. He asked Ms. Kak to opine on the concept of establishing a digital platform commission.
    • Ms. Kak remarked that independent regulation and providing sufficient resources to these regulators should be a top priority. She stated however that existing federal enforcement agencies (such as the FTC) have been working on consumer data privacy issues for decades and possess the capacity and technical expertise to address these issues. She asserted that these enforcement agencies must be better resourced so they can respond to consumer data privacy issues. She also called for the enactment of federal data privacy legislation and commented that such legislation would empower federal enforcement agencies to enforce clear data privacy standards.

Sen. John Thune (R-SD):

  • Sen. Thune remarked that the Committee should play a “significant role” in understanding how the most recent developments in AI technology will impact society and existing law. He commented that this involvement would include developing a “thoughtful” risk-based legislative framework for AI technology. He mentioned how he had introduced the bipartisan Artificial Intelligence Research, Innovation, and Accountability Act of 2023. He commented that this legislation would establish a regulatory framework for AI technology to bolster innovation while providing greater transparency, accountability, and security to the development and operation of AI applications. He explained that this legislation would establish basic safety and security guardrails for the highest risk AI applications without requiring a burdensome audit or approval from the federal government. He expressed hope that the Committee would advance this legislation soon. He then mentioned how there are several legislative proposals calling for a new AI technology oversight agency and a licensing regime that would require the federal government to approve certain AI systems prior to deployment. He asserted that the Artificial Intelligence Research, Innovation, and Accountability Act of 2023’s framework would take a more pragmatic approach to AI technology regulation. He commented that this legislation would provide necessary oversight for AI systems while also allowing for AI technology developers and researchers to innovate more quickly. He asked Mr. Reed to address how a licensing regime for AI technologies would impact the U.S.’s innovation ecosystem.
    • Mr. Reed remarked that a licensing regime for AI technologies would favor companies with significant compliance resources over companies with the best technologies and ideas. He commented that a licensing regime would result in a highly concentrated market. He then stated that while Sen. Thune’s proposal for a risk-based framework for AI systems is a good idea, he expressed hesitancy to fully support this proposal. He asserted that the U.S. needs comprehensive data privacy legislation to prevent a regulatory “patchwork.” He then remarked that there already exists expertise within the U.S. government regarding AI technology regulation. He noted how the U.S. Food and Drug Administration (FDA) has long been considering how to grant approvals to Software as a Medical Device (SaMD) products that include AI technologies and how to address transparency in AI models. He raised concerns over proposals to establish a new federal agency to regulate AI technology given how the U.S. has existing federal agencies with expertise on these topics. He also stated that the U.S. must ensure that these existing federal agencies are sufficiently resourced to enforce existing laws. He further cautioned that proposals to establish a new federal agency to regulate AI technology would force the U.S. to engage in significant amounts of hiring and rulemaking while AI technology is rapidly changing. He concluded that it would be more effective for the U.S. to have experts in existing federal agencies address AI technology policy issues than to establish a brand-new federal agency.
  • Sen. Thune emphasized that the Artificial Intelligence Research, Innovation, and Accountability Act of 2023 would not establish a new federal agency and commented that the legislation would take a “light touch” approach to AI technology regulation. He then asked Mr. Reed to indicate whether the U.S. should have a single national standard for consumer data privacy.
    • Mr. Reed answered affirmatively.
  • Sen. Thune also asked Mr. Reed to address what the practical effect of a private right of action provision in federal data privacy legislation would be on small businesses and startup companies.
    • Mr. Reed acknowledged that Congress will likely need to include a private right of action provision within federal data privacy legislation for the legislation to be bipartisan. He stated that Congress should ensure that any private right of action provision within federal data privacy legislation includes “numerous backstops” so that it does not foster “sue and settle” schemes. He elaborated that small businesses will often decide to settle frivolous lawsuits because the cost of settling these lawsuits is lower than the cost of contesting these lawsuits. He expressed concerns that a poorly written private right of action provision within federal data privacy legislation could result in one state becoming a preferred venue for frivolous lawsuits against small and medium-sized businesses. He stated that small businesses are most vulnerable to frivolous lawsuits because they have enough money to pay settlements and not enough money to contest lawsuits in court.
  • Sen. Thune then remarked that transparency is key to ensuring that developers and deployers of AI systems are accountable to the consumers and businesses that they serve. He asked Mr. Calo to address what constitutes the difference between an AI system developer and an AI system deployer. He also asked Mr. Calo to discuss how the obligations for developers and deployers of AI systems differ with regard to transparency and accountability.
    • Mr. Calo discussed how many parties are involved in technologies. He noted how there exist foundational models and application programming interfaces (APIs) that are built upon these foundational models. He commented that effective legislation would make the responsibilities of these various parties clear. He remarked that his main concern involves parties within the technology ecosystem that leverage a tool in a way that harms consumers. He commented that this party could be the platform itself or a person using the platform.

Full Committee Chairman Maria Cantwell (D-WA):

  • Chairman Cantwell mentioned how the DoJ had recently dismantled a Russian bot farm intended to foster discord within the U.S. She raised concerns that these bots intended to foster discord are being powered by large amounts of available consumer data. She stated that AI technology accelerates these bot problems and called it imperative for Congress to address the issue.
    • Mr. Calo expressed agreement with Chairman Cantwell’s concerns and comments. He stated that the ability of both domestic and foreign adversaries to create plausible looking and damaging misinformation campaigns has become “quite acute.” He recounted how there had been a deep fake created that gave the impression that a bomb had exploded at the Pentagon. He indicated that this deep fake had caused the stock market to temporarily decline. He called the ability to create a seemingly real catastrophic event very dangerous. He stated that AI technology enables bad actors to generate greater amounts of disinformation and make the various pieces of disinformation appear distinct. He remarked that while a federal data privacy law might help to address these bot concerns, he commented that the problem of misinformation and disinformation is much broader than data privacy.
  • Chairman Cantwell asked Mr. Calo to indicate what the U.S. can do about bots from a regulatory perspective.
    • Mr. Calo noted how some states (such as California) maintain bot disclosure laws that require certain bot operators to identify themselves as fake. He indicated that these laws apply to bots meant for commercial and electioneering activities. He stated however that Russian disinformation bots are not going to comply with these laws. He asserted that the U.S. must respond to bots through political and economic means. He remarked that the federal government must address the issue of bots because states cannot develop global coalitions to address bots. He also stated that the U.S. should require platforms to take all possible actions to identify and disincentivize automated misinformation. 

Details

Date:
July 11, 2024
Time:
6:00 am – 8:00 am