Navigating State AI and Automated Decision-Making Laws for Credit Union Compliance
Last month, I wrote a compliance blog discussing the gap between state AI laws and federal regulation, and how that could impact credit union compliance. The blog focused on a new California law passed by Governor Newsom, which enhances online safety when it comes to the use of “frontier developers,” i.e., highly advanced AI models. As I mentioned in the blog, California is not the only state creating AI safety frameworks. In fact, 18 states have passed laws focused on protecting consumers when it comes to automated processing of personal data. Among other things, this includes the provision or denial of financial or lending services.
These 18 states with similar decision-making laws in place are: California, Colorado, Connecticut, Delaware, Florida, Indiana, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, and Virginia.
Across these laws, you will find many common features and key differences. The main commonality is the right to opt out of automated processing. All of the states explicitly give consumers the right to opt out of automated processing when that processing is used to make decisions that have legal or similarly significant effects, for instance, providing or denying financial services.
Scope of Opt Out Provisions
However, the scope of the opt-outs does differ among the states. For example, Delaware’s law references “solely automated decisions”, while other states use broader language. One example is Colorado’s law, which uses “automated processing” without the word “solely”. Omitting “solely” could mean the scope expands to include decisions with some human involvement, such as human review. Additionally, some of the states specify what form the opt-out mechanism must take. For example, Connecticut requires “... a technology, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting, indicating such consumer's intent to opt out of such processing.”
Penalties
While the opt-out provision within the laws is the shining star, there are other key provisions to keep in mind, such as enforcement and penalties, requirements, and triggers. For instance, Connecticut’s law carries a penalty of up to $5,000 per violation, while the penalty in Florida could potentially be much higher at up to $50,000 per violation. Another example is California’s pre-notice requirement that informs consumers about the use of automated decision-making technology and how the business uses that technology.
Impact on Your Credit Union
As always, the burning question is, how could this impact my credit union? These laws will almost certainly impact credit unions that use automated systems for purposes such as loan underwriting, targeted marketing, and fraud detection, among other uses. Because most of these state laws apply to entities controlling or processing personal data of state residents, a credit union serving members in those states will likely be required to comply, even if the credit union is federally chartered. Ultimately, because of the variance and complexity of these state laws, we always recommend credit unions consult with their legal counsel to determine if and how they must comply with each of these states’ laws.
Additionally, as I discussed in the above-mentioned blog, the gap between state and federal law means credit unions should treat these ever-emerging state laws as an early sign of what may be to come at the federal level. Staying alert to evolving state and federal proposals and legislation will help ensure your credit union is prepared for broader, more uniform regulation that could develop sometime in the future.