“To direct the Federal Trade Commission to require impact assessments of certain algorithms, and for other purposes.”
No CRS summary available for this bill.
This section defines 14 terms used in the Act, including "(1) covered algorithm," meaning a computational process using machine learning, natural language processing, artificial intelligence, or similar techniques that affects consequential actions such as creating products, ranking information, making decisions, or facilitating human decision-making; "(2) covered entity," meaning any entity subject to FTC jurisdiction under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)) that deploys a covered algorithm and meets thresholds such as greater than $50 million in average annual gross receipts or $250 million in equity value (or, for smaller entities, greater than $5 million gross receipts or $25 million equity value when deploying for qualifying larger entities), handling identifying information on more than 1 million consumers, households, or devices, or having met such criteria within the prior three years (with dollar amounts adjusted annually for inflation); "(3) critical decision," meaning a decision with legal, material, or significant effect on a consumer's access to or the cost, terms, or availability of essential services such as education, employment, utilities, family planning, financial services, healthcare, housing, or legal services (or comparable services as determined by FTC rulemaking); and others such as "biometrics," "deploy," "develop," "identifying information," "impact assessment," "summary report," and "third-party decision recipient."
This section prohibits covered entities from violating regulations promulgated by the Federal Trade Commission (FTC) under the Federal Trade Commission Act (15 U.S.C. 45) that require impact assessments of covered algorithms and prohibits knowing substantial assistance to such violations, preempting contrary private contracts. It directs the FTC, in consultation with specified federal directors and stakeholders and within two years of enactment, to promulgate such regulations via notice-and-comment rulemaking that (1) require covered entities to assess impacts of covered algorithms—developed for or expected to be used by entities meeting specified size thresholds—both prior to and after deployment and to maintain related documentation for three years beyond deployment; (2) require covered entities to disclose their status to algorithm providers, submit annual summary reports on deployed algorithms and initial reports prior to new deployments, and mitigate timely any material negative impacts with legal or significant effects on consumers; (3) allow voluntary summary report submissions by non-covered entities under FTC jurisdiction; (4) mandate stakeholder consultations during assessments; (5) define key terms (e.g., "access to or the cost, terms, or availability of" critical decisions, "possession/management/modification/control" of identifying information, third-party decision recipient categories, and specified services/programs); (6) provide guidelines for calculating consumer numbers to determine covered entity status and prioritizing algorithms for assessment; and (7) specify accessible, machine-readable report formats. In promulgating regulations, the FTC must consider feasibility at development stages, reporting timelines and burdens, standardization benefits, and constraints from existing privacy laws.
This section establishes requirements for covered entities to include in any impact assessment of a covered algorithm required under section 3(b)(1), to the extent possible as determined by the Commission. Such requirements include, as applicable: (1) for new covered algorithms, evaluation of any prior critical decision-making process (including its known harms and the algorithm's intended benefits); (2) documentation of stakeholder consultations (including points of contact, dates, terms, and use of recommendations); (3) ongoing testing of privacy risks and measures (e.g., data minimization, security, privacy-enhancing technologies, and impacts on consumer privacy, safety, or security); (4) ongoing performance testing (including success metrics, test vs. deployed conditions, differential performance by protected characteristics such as race, sex, or age using available data or proxies like ZIP Codes, and subpopulation details); (5) ongoing training for relevant personnel on negative impacts and best practices; (6) assessment of guardrails or limitations on algorithm uses; and (7) documentation of input data (including sourcing, metadata, collection methods, labeling, and consumer consent where applicable).
This section specifies requirements for summary reports that covered entities must submit to the Commission under section 3(b)(1)(D) or (E) regarding any covered algorithm. To the extent possible, such reports must (1) contain specified information from the algorithm's impact assessment, including the covered entity's name and contact information; a description of the critical decision and its category; intended purpose; consulted stakeholders and related agreements; testing and evaluation details (i.e., methods, metrics, results under test and deployed conditions, and differential performance); publicly stated guardrails or limitations; data sourcing, selection rationale, and alternatives; transparency and explainability measures (i.e., third-party access and consumer contest/appeal/opt-out mechanisms); identified material negative consumer impacts and mitigation steps; infeasible impact assessment requirements and rationales; and any additional resources to improve assessments or algorithm development/deployment; (2) include any relevant additional information from section 4(a) that the covered entity elects to share; (3) follow any format or structure specified by the Commission; and (4) incorporate additional consumer-protection criteria determined essential by the Commission.
This section requires the Federal Trade Commission (FTC) to (1) publish an annual report on its website—not later than one year after the effective date specified in section 3(b)(3) and annually thereafter—summarizing information from summary reports submitted under section 3(b)(1)(D), (E), or (F); the report must be accessible and machine-readable in accordance with the 21st Century Integrated Digital Experience Act and describe broad trends, aggregated statistics, and anonymized lessons learned from impact assessments of covered algorithms to support guidance updates, oversight, and recommendations to other agencies; and (2) develop, within 180 days after promulgating regulations under section 3(b)(1), and make publicly accessible within 180 days after the section 3(b)(3) effective date, a quarterly-updated online repository of a limited subset of summary report information (e.g., covered entity identity and website link, critical decision and category, prohibited applications, data sources to the extent possible, performance metrics to the extent possible, and consumer contest/opt-out mechanisms) to inform consumers, enable research, and ensure compliance. The repository must be searchable/sortable by characteristics such as covered entity, report date, or critical decision category; downloadable in accordance with the Open, Public, Electronic, and Necessary Government Data Act; and compliant with user experience and accessibility best practices under the 21st Century Integrated Digital Experience Act. This section authorizes appropriations as necessary for the repository.
This section directs the Commission to (1) publish guidance, including documentation templates and guides for meaningful consultation, on complying with sections 4 and 5, developed after consulting the Directors of the National Institute of Standards and Technology (NIST), National Artificial Intelligence Initiative, Office of Science and Technology Policy (OSTP), and stakeholders such as standards bodies, private industry, academia, technology experts, and advocates for civil rights, consumers, and impacted communities; and (2) issue and regularly update guidance and training materials to assist entities in determining covered entity status based on stakeholder feedback. The section further (1) clarifies that covered entities may publicize impact assessment documentation beyond summary report requirements unless it violates consumer privacy; (2) requires the Commission to review and update regulations under section 3(b) at least every five years; and (3) requires the Commission to share submitted summary reports securely with the NIST Director, OSTP Director, and heads of relevant federal agencies to inform future standards or regulations.
This section establishes within the Commission the Bureau of Technology, headed by a Chief Technologist, to aid and advise on technological aspects of Commission functions (including studies, workshops, audits, and community participation), enforcement of the Act, and technical assistance to Commission enforcement bureaus. The Chair may appoint Bureau personnel with expertise in fields such as technology, digital design, information security, civil rights, technology policy, privacy policy, humanities, product management, software engineering, machine learning, and statistics, without regard to civil service laws; requires appointment of at least 50 such personnel within two years of enactment; and authorizes appropriations as necessary. This section further authorizes the Chair to appoint 25 additional personnel to the Division of Enforcement of the Bureau of Consumer Protection, without regard to civil service laws, and authorizes appropriations as necessary. Finally, this section directs the Commission to negotiate agreements with relevant federal agencies, as needed, for information sharing and coordinated enforcement actions regarding covered algorithms used by covered entities to make critical decisions, including procedures to determine which agency files a civil action and to provide prior notice where feasible.
This section establishes Federal Trade Commission (FTC) enforcement of the Act by treating violations of the Act or its regulations as unfair or deceptive acts or practices under section 18(a)(1)(B) of the FTC Act (15 U.S.C. 57a(a)(1)(B)), authorizes the FTC to enforce using the jurisdiction, powers, and duties of the FTC Act (15 U.S.C. 41 et seq.), subjects violators to FTC Act penalties while preserving applicable privileges and immunities, directs the FTC to promulgate necessary additional rules under informal notice-and-comment procedures (5 U.S.C. 553), and preserves the FTC's authority under other laws. This section authorizes state attorneys general to bring parens patriae civil actions in federal or state court on behalf of state residents to redress violations, after providing prior written notice to the FTC (including a copy of the complaint) or immediately upon filing if prior notice is not feasible; grants the FTC rights to intervene, be heard on all matters, and appeal decisions; preserves state attorneys general investigatory powers; specifies venue under 28 U.S.C. 1391 or in another court of competent jurisdiction and service of process nationwide; and extends these authorities to other state officials authorized by state law (without affecting ongoing state proceedings).