“A bill to establish protections for individual rights with respect to computational algorithms, and for other purposes.”
No CRS summary available for this bill.
This section designates the Act as the “Artificial Intelligence Civil Rights Act of 2025” and includes a table of contents.
This section defines terms used in the Act, including "(1) 'collect' and 'collection,' with respect to personal data, as buying, renting, gathering, obtaining, receiving, accessing, or otherwise acquiring such data; (2) 'commercial act,' with respect to a covered algorithm, as an act conducted for monetary or other valuable consideration; (3) 'Commission' as the Federal Trade Commission; (4) 'consequential action' as an act likely to materially affect employment, education, housing, essential utilities, health care, financial services, insurance, criminal justice, elections, government benefits, public accommodations, or other comparable services as determined by the Commission via notice-and-comment rulemaking under 5 U.S.C. §553; (5) 'covered algorithm' as a computational process derived from machine learning, natural language processing, or similar techniques used to create products, affect information display, make decisions, or facilitate decision-making for consequential actions (or as determined by the Commission via notice-and-comment rulemaking under 5 U.S.C. §553); (6) 'covered language' as the 10 languages with the most speakers in the United States per the latest Census Bureau data; and (7) 'de-identified data' as information not identifying or linkable to individuals or devices, with technical measures to prevent re-identification and public commitments to process and transfer it only in de-identified form."
This section prohibits a developer or deployer from offering, licensing, promoting, selling, or using a covered algorithm in a manner that (1) causes or contributes to a disparate impact preventing, (2) otherwise discriminates in a manner preventing, or (3) otherwise makes unavailable the equal enjoyment of goods, services, or other activities or opportunities related to a consequential action on the basis of a protected characteristic. Exceptions apply to (1) self-testing or independent auditing to identify, prevent, or mitigate discrimination or ensure compliance with federal law; expanding applicant, participant, or customer pools to increase diversity or redress historic discrimination; or good faith security research or non-commercial research; and (2) private clubs or other establishments not open to the public, as described in section 201(e) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(e)).
This section requires developers and deployers of covered algorithms to conduct pre-deployment evaluations prior to deploying, licensing, or offering such algorithms (including material changes) for a consequential action. Developers and deployers must first perform a preliminary evaluation of the plausibility of harm from expected or intended uses; if no harm is plausible, they must record the finding—including the use description, evaluation method, and explanation—and submit it to the Commission, while limiting evaluations of material changes or new uses to those aspects; if harm is plausible, they must engage an independent auditor for a full evaluation. For developers, the full evaluation must detail the algorithm's design and methodology (including inputs/outputs), creation/training/testing (e.g., metrics, benchmarks, demographic representation, stakeholder consultations, protected characteristics used, precursor algorithms, data sources/authorization/representativeness, training process), potential for harm or disparate impact, mitigation recommendations, post-deployment monitoring, and other Commission-specified information. For deployers, the full evaluation must include a detailed review and description sufficient for an individual having ordinary skill in the art.
This section establishes standards for developers and deployers of covered algorithms, requiring them to (1) take reasonable measures to prevent and mitigate harms identified in pre-deployment evaluations or impact assessments under section 102; (2) ensure independent auditors have necessary information for such evaluations; (3) consult stakeholders, including impacted communities, prior to deployment, licensing, or offering; (4) certify, based on those evaluations, that the algorithm is not likely to cause harm, disparate impact, or deception and that benefits outweigh harms; (5) ensure reasonable performance consistent with advertised capabilities; (6) use relevant and appropriate data; and (7) ensure intended use complies with the Act. The section further prohibits deceptive marketing of covered algorithms and off-label use—i.e., developers offering or licensing for unevaluated consequential actions, or deployers using them as such unless assuming developer responsibilities.
This section establishes responsibilities for developers of covered algorithms toward deployers, requiring developers (1) upon reasonable request, to provide information and reports demonstrating deployer compliance with the Act (e.g., pre-deployment evaluations or annual reviews under §102) and enabling deployers to conduct their own evaluations or impact assessments; and (2) either to cooperate with deployer or auditor assessments or to provide an independent audit report of the developer's policies using an accepted control framework. The section further requires contracts for offering or licensing covered algorithms to specify data processing procedures and instructions (including for collection, use, transfer, and disposal), the nature, purpose, type, and duration of data processing, parties' rights and obligations (including notification of material algorithm changes), and prohibitions on combining data across parties or restricting reports to enforcement agencies—without relieving either party of Act liabilities—and requires developers to retain contracts for 10 years. It clarifies that these requirements apply to services provided to government entities.
This section directs the Commission to promulgate regulations, not later than two years after the date of enactment and in accordance with the Administrative Procedure Act (5 U.S.C. 553), (1) requiring deployers to provide individuals a means to opt out of covered algorithms for consequential actions and elect human review, considering factors such as notice clarity and conspicuousness, action magnitude and harm risk, public interest benefits, feasibility, and harm mitigation; and (2) requiring deployers to provide appeal mechanisms to human reviewers for consequential actions, considering factors such as accessibility for individuals with disabilities, proportionality, data correction, reviewer training, timeliness, and effectiveness. This section prohibits developers and deployers from conditioning, or attempting to condition, the exercise of individual rights under the Act through false or misleading statements or user interface designs that obscure, subvert, or impair individual autonomy and choice.
This section prohibits developers or deployers from discriminating or retaliating against individuals—including by denying or threatening to deny equal enjoyment of goods, services, or opportunities related to a consequential action—for exercising rights under the Act, refusing to waive such rights, raising concerns about consequential actions, or assisting in investigations or proceedings. It permits differentials in service, pricing, or quality if necessary and directly related to value provided to the developer or deployer by the covered algorithm (i.e., personalized service adjustments based on algorithmic value) and allows loyalty, rewards, premium features, discounts, or club card programs based on patronage frequency or spending amount. The section further prohibits developers or deployers from discharging, demoting, suspending, threatening, harassing, or otherwise discriminating against individuals for raising concerns, reporting or attempting to report violations, or cooperating in investigations or proceedings under the Act.
This section establishes public notice and disclosure requirements for developers and deployers of covered algorithms, including a detailed plain-language disclosure covering the entity's identity and contacts; links to required evaluations and assessments; categories of personal data collected or processed and their purposes; data transfers and recipients; individual rights under the Act; compliance practices; a specified audit disclaimer; and the disclosure's effective date. The disclosure must be provided in applicable languages, accessible to individuals with disabilities, and updated for material changes with prior individual notification, 10-year retention of prior versions, and a public log of changes. This section further requires deployers to provide a short-form notice (not exceeding 500 words) upon an individual's first interaction with a covered algorithm or on their website, and directs the Federal Trade Commission to promulgate regulations under 5 U.S.C. §553 specifying its minimum content and a model template.
This section directs the Commission to conduct a study, with notice and public comment, on the feasibility of requiring deployers to provide a clear, conspicuous, easy-to-use, no-cost mechanism—accessible to individuals with disabilities—for individuals to receive explanations of whether and how a covered algorithm used by the deployer affects or affected them. The study must assess (1) purposes and feasibility of such explanations; (2) methods to provide clear, accessible explanations calibrated to risk levels; (3) feasibility of deployers providing truthful, accurate explanations identifying significant factors and other relevant information; (4) information developers must provide deployers to enable explanations; (5) impacts of current technical capabilities; (6) deployer measures to verify requester identity and securely handle personal information; and (7) recommendations for Congress on related regulations. In conducting the study, the Commission must consult with the National Institute of Standards and Technology, National Telecommunications and Information Administration, Office of Science and Technology Policy, and other relevant agencies. Not later than 18 months after enactment, the Commission must submit a report with the study's findings and recommendations for legislation and administrative action to the Senate Committee on Commerce, Science, and Transportation and the House Committee on Energy and Commerce.
This section directs the Commission to (1) publish a webpage describing the Act's provisions, rights, obligations, remedies, exemptions, and protections—categorized by individuals, deployers, and developers—within 90 days of enactment, in plain language, covered languages, and an accessible format, with updates as needed; (2) publish annual reports beginning two years after enactment that summarize submitted pre-deployment evaluations, impact assessments, and developer reviews, describe trends and aggregated statistics on impact assessments, and comply with machine-readable accessibility standards under the 21st Century Integrated Digital Experience Act; and (3) establish a publicly accessible online repository for such submissions no later than 180 days after the first annual report, with search/sort/download capabilities, user accessibility features, and publication of new submissions within 30 days (absent good cause for delay), while redacting trade secrets (as defined in 18 U.S.C. § 1839), personal data, and other information permitted under FOIA (5 U.S.C. § 552).
This section authorizes the Federal Trade Commission (FTC) to enforce titles I, II, and III of this Act and related regulations by treating violations as unfair or deceptive acts or practices under section 18(a)(1)(B) of the FTC Act (15 U.S.C. 57a(a)(1)(B)). It grants the FTC the same enforcement manner, jurisdiction, powers, duties, penalties, privileges, and immunities as under the FTC Act (15 U.S.C. 41 et seq.), preserves the agency's other statutory authorities, and authorizes rulemaking under section 553 of title 5, United States Code. Notwithstanding FTC Act jurisdictional limits in sections 4, 5(a)(2), and 6 (15 U.S.C. 44, 45(a)(2), 46)—which generally exempt certain entities—the section applies this enforcement authority to (1) organizations not organized for profit; (2) common carriers subject to the Communications Act of 1934 (47 U.S.C. 151 et seq.); (3) banks, savings and loan institutions described in section 18(f)(3) of the FTC Act (15 U.S.C. 57a(f)(3)), and federal credit unions described in section 18(f)(4); (4) air carriers and foreign air carriers subject to the Federal Aviation Act of 1958; and (5) persons, partnerships, or corporations subject to the Packers and Stockyards Act of 1921 (7 U.S.C. 181 et seq.).
This section authorizes the attorney general of a state or a state data protection authority to bring a civil action in an appropriate U.S. district court (meeting venue requirements under 28 U.S.C. §1391) on behalf of state residents, as parens patriae, for violations of titles I, II, or III of the Act or related regulations. Available remedies include (1) injunctive relief to enjoin violations or enforce compliance; (2) civil penalties of $15,000 per violation or 4% of the defendant's average gross annual revenue over the preceding three years, whichever is greater; (3) damages, restitution, or other compensation; (4) reasonable attorneys' fees and costs; and (5) other appropriate relief. Prior to filing, the attorney general must notify the Commission (with a copy of the complaint), unless infeasible; the Commission may intervene within 180 days of notice and, if it does, participate fully and appeal. This section preserves state attorneys general's existing investigatory powers under state law and requires the Commission, within 180 days of enactment, to establish memoranda of understanding with relevant federal agencies for coordinating investigations, enforcement, information sharing, authority division, and complaint referrals.
This section establishes a private right of action allowing any individual or class alleging a violation of titles I, II, or III of the Act or related regulations to bring a civil action in any court of competent jurisdiction. Prevailing plaintiffs may be awarded treble damages or $15,000 per violation (whichever greater), nominal or punitive damages, reasonable attorney’s fees and litigation costs, and other appropriate relief, including equitable or declaratory relief. It requires such individuals to notify the Commission and the attorney general of their state of residence in writing, including a description of the allegations, prior to filing; within 60 days, the Commission and state attorney general may each or jointly determine whether to intervene, with a right to be heard on all matters and appeal any decision (state attorneys general limited to their residents’ interests if intervening). This notice requirement does not limit the Commission or state attorneys general from later commencing or intervening in an action. This section invalidates pre-dispute arbitration agreements and pre-dispute joint action waivers for disputes arising under the Act, with courts (rather than arbitrators) determining applicability.
This section establishes a severability clause for the Act.
This section provides that nothing in the Act (1) waives or limits National Labor Relations Act (NLRA) requirements for employers to bargain collectively over the deployment or effects of a covered algorithm; (2) absolves employers of obligations to ensure covered algorithms comply with health and safety laws; (3) permits covered algorithms that interfere with employee rights under Federal, State, or local law; or (4) eliminates any other duty or requirement under other law. It further specifies that no regulation or standard under the Act may lessen the stringency of otherwise applicable Federal or State agency requirements and that the Act does not divest any such agency of authority under other law.
This section directs the Director of the Office of Personnel Management, not later than 270 days after enactment, to exercise authority under 5 U.S.C. 5105 to establish a new occupational series and associated policies for federal positions in algorithm auditing—as described in GAO–21–519SP (June 30, 2021)—covering practices such as platform auditing, evaluation of artificial intelligence systems, computer security, independent computer system audits, data science, statistics, and auditing of anticompetitive practices. (Occupational series classify federal General Schedule positions by duties and qualifications to standardize pay, titles, and advancement.)
This section (1) authorizes the appropriation of such sums as necessary to the Commission and other federal agencies specified in the Act to carry out the Act, and (2) authorizes the Commission to hire not more than 500 additional personnel, notwithstanding other law, to address unfair or deceptive acts or practices relating to the development or deployment of covered algorithms.