ARTICLE
13 January 2025

Why Have One When Four Will Do? How Oregon's New Guidance On AI Compliance Bridges The AI Legal Gap

B
BakerHostetler

Contributor

Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com
Christmas came early when on December 24, the Oregon Office of the Attorney General (OAG) delivered AI guidance wrapped in a bow.
United States Oregon Privacy

Christmas came early when on December 24, the Oregon Office of the Attorney General (OAG) delivered AI guidance wrapped in a bow. Titled "What you should know about how Oregon's laws may affect your company's use of Artificial Intelligence," the Oregon guidance emphasizes the importance of understanding the specific use cases of AI within an organization, as well as associated legal and business risks. It also highlights key principles (such as explainability, privacy, human accountability, transparency and fairness) that Oregon asserts are essential for the ethical deployment of AI systems.

In the absence of comprehensive state or federal AI-specific laws, the Oregon guidance attempts to bridge the gap by illustrating certain ways in which existing state law covers AI. This blog post considers the key points of these guidelines and explores how they can help organizations navigate the complexities of legally compliant AI processing.

Unlawful Trade Practices Act

The Oregon Unlawful Trade Practices Act (UTPA) prohibits misrepresentations in consumer transactions. This includes any assertions made through words or conduct, as well as failures to disclose facts. The Oregon guidance explicitly states that AI systems are covered by the UTPA and notes AI technologies like consumer chatbots specifically. Moreover, the guidance indicates that misrepresentations are actionable under the UTPA, even if not made directly to the consumer, and AI developers may be responsible for harm caused to downstream consumers.

The guidance then proceeds to give several use cases of UTPA violations using AI products or services, including:

  • Failure to disclose any known material defect or nonconformity at the time of delivery of an AI product. An AI developer or deployer may violate the UTPA if it knows its product generates false or misleading information and does not inform buyers and users.
  • Mispresenting an AI product's characteristics, uses, benefits or qualities. Examples include claiming an AI system has functionality it doesn't or using a chatbot while falsely representing it as human.
  • Using AI to falsely claim sponsorship, approval, or affiliation for real estate, goods or services. For instance, a business may breach the UTPA by publishing fake product reviews created by AI or using AI-generated videos to falsely imply celebrity endorsements.
  • Using AI to make false claims about price reductions. For instance, companies cannot use AI-generated ads for "limited time" sales when similar discounts are available year-round.
  • Using AI to set excessively high prices during an emergency. Even if a business uses AI to adjust prices based on demand, it cannot sell essential goods or services at unfairly high prices during a declared emergency.
  • Using an AI-generated voice in a robocall campaign to provide inaccurate information, including misleading details about the caller's identity and the purpose of the call.
  • Using AI to engage in unconscionable practices with regard to real estate, goods, services or debt collection. This includes exploiting consumer ignorance or allowing transactions without material benefit to the consumer, as well as any unfair or shocking tactics.

Oregon Consumer Privacy Act

The Oregon Consumer Privacy Act (OCPA) places certain requirements on data controllers and provides Oregon residents with rights over their personal data. The Oregon guidance specifically mentions generative AI, noting that these systems have used a large number of words, images and other content as training data, which frequently includes personal data from consumers.

  • Privacy Notice. The guidance requires that developers using personal data to train AI must disclose such activities in a clear privacy notice. If the data includes sensitive categories specified in the OCPA, explicit consent from consumers is required before use. Moreover, the guidance clarifies that developers who purchase or utilize another company's dataset for training may be deemed "controllers" under the OCPA and must adhere to the same standards as the original data collectors.

Like previous guidance from the Federal Trade Commission, the Oregon OAG's guidance explicitly prohibits "retroactive or passive" altering of privacy notices or terms of use to legitimize the use of previously collected personal data to train AI models. Rather, the guidance requires that such controllers obtain affirmative consent for any new or secondary uses of that data.

  • Consent. AI developers and AI users must provide a mechanism for consumers to withdraw previously given consent. When consent is revoked, the entity must stop processing the data within 15 days of receiving the revocation.
  • Consumer Rights. The OCPA requires that consumers be given the right to opt out, including to opt out of the use of their personal data by AI models for profiling in decisions that have legal or similarly significant impacts, like housing, education or lending. Consumers also have the right to request their personal data be deleted. Entities covered by the OCPA must consider how to respect rights to opt out and delete personal data when using AI models.
  • Data Protection Assessment (DPA). The guidance specifically states that "generative AI models and proprietary data and algorithms" are considered processing that "likely poses heightened risks to consumers" and that they therefore require a DPA.

Oregon Consumer Information Protection Act

AI developers (including their data suppliers and AI users) handling personal information must also comply with the Oregon Consumer Information Protection Act, including by safeguarding that information. In the event of a security breach, these parties may need to notify consumers and the OAG. Violations are enforceable under Oregon's UTPA.

Oregon Equality Act

The Oregon Equality Act prohibits discrimination based on protected classes (e.g., race, gender), including when applying for housing and public accommodations. For example, use by a rental management company of an AI mortgage approval system that consistently denies loans to qualified applicants from certain neighborhoods or ethnic backgrounds due to historically biased data used in training the AI system could be considered a violation of the Oregon Equality Act.

Conclusion

The guidance provided by the Oregon OAG provides additional insight on how to comply with existing Oregon state laws in the absence of a comprehensive state or federal AI law. Specifically, the guidance underscores the importance of understanding the specific use cases of AI within an organization and the associated legal and business risks. By adhering to these guidelines, organizations can navigate the complexities of AI implementation while maintaining compliance with relevant laws and regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More