•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 
  •  
  •  LFIN 
  •  
  •  Chamber Video/Transcript 

A00768 Summary:

BILL NOA00768
 
SAME ASSAME AS S01962
 
SPONSORBores
 
COSPNSR
 
MLTSPNSR
 
Add Art 45-A §§1550 - 1556, Gen Bus L
 
Enacts the "New York artificial intelligence consumer protection act", in relation to preventing the use of artificial intelligence algorithms to discriminate against protected classes.
Go to top

A00768 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                           768
 
                               2025-2026 Regular Sessions
 
                   IN ASSEMBLY
 
                                       (Prefiled)
 
                                     January 8, 2025
                                       ___________
 
        Introduced  by M. of A. BORES -- read once and referred to the Committee
          on Consumer Affairs and Protection
 
        AN ACT to amend the general business law, in relation to preventing  the
          use  of  artificial  intelligence  algorithms  to discriminate against
          protected classes

          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section  1.  Short  title. This act shall be known and may be cited as
     2  the "New York artificial intelligence consumer protection act".
     3    § 2. The general business law is amended by adding a new article  45-A
     4  to read as follows:
     5                                ARTICLE 45-A
     6          NEW YORK ARTIFICIAL INTELLIGENCE CONSUMER PROTECTION ACT
     7  Section 1550. Definitions.
     8        1551. Required documentation.
     9        1552. Risk management.
    10        1553. Technical documentation.
    11        1554. Required disclosure.
    12        1555. Preemption.
    13        1556. Enforcement.
    14    §  1550.  Definitions. For the purposes of this article, the following
    15  terms shall have the following meanings:
    16    1. "Algorithmic discrimination":
    17    (a) shall mean any condition in which the use of an artificial  intel-
    18  ligence  decision  system results in any unlawful differential treatment
    19  or impact that disfavors any individual or group of individuals  on  the
    20  basis  of  their  actual or perceived age, color, disability, ethnicity,
    21  genetic information,  English  language  proficiency,  national  origin,
    22  race, religion, reproductive health, sex, veteran status, or other clas-
    23  sification protected pursuant to state or federal law; and
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD01361-01-5

        A. 768                              2
 
     1    (b) shall not include:
     2    (i)  the offer, license, or use of a high-risk artificial intelligence
     3  decision system by a developer or deployer for the sole purpose of:
     4    (A) such developer's or deployer's self-testing to identify, mitigate,
     5  or prevent discrimination or otherwise ensure compliance with state  and
     6  federal law; or
     7    (B)  expanding an applicant, customer, or participant pool to increase
     8  diversity or redress historic discrimination; or
     9    (ii) an act or omission by or on behalf of a  private  club  or  other
    10  establishment  not  open to the general public, as set forth in title II
    11  of the Civil Rights Act of 1964, 42 U.S.C. § 2000a(e), as amended.
    12    2. "Artificial intelligence decision system" shall mean  any  computa-
    13  tional  process,  derived  from  machine learning, statistical modeling,
    14  data analytics,  or  artificial  intelligence,  that  issues  simplified
    15  output,  including any content, decision, prediction, or recommendation,
    16  that is used to substantially assist or replace  discretionary  decision
    17  making for making consequential decisions that impact consumers.
    18    3.  "Bias  and  governance  audit" means an impartial evaluation by an
    19  independent auditor, which shall include, at a minimum, the  testing  of
    20  an  artificial  intelligence  decision  system  to  assess such system's
    21  disparate impact on employees because  of  such  employee's  age,  race,
    22  creed,  color,  ethnicity,  national  origin, disability, citizenship or
    23  immigration status, marital or familial status, military  status,  reli-
    24  gion,  or  sex,  including  sexual  orientation, gender identity, gender
    25  expression, pregnancy, pregnancy outcomes, and  reproductive  healthcare
    26  choices.
    27    4. "Consequential decision" shall mean any decision that has a materi-
    28  al  legal  or similarly significant effect on the provision or denial to
    29  any consumer of, or the cost or terms of, any:
    30    (a) education enrollment or education opportunity;
    31    (b) employment or employment opportunity;
    32    (c) financial or lending service;
    33    (d) essential government service;
    34    (e) health care service, as defined in section 42 U.S.C. §  324(d)(2),
    35  as amended;
    36    (f) housing or housing opportunity;
    37    (g) insurance; or
    38    (h) legal service.
    39    5. "Consumer" shall mean any New York state resident.
    40    6.  "Deploy"  shall  mean  to  use a high-risk artificial intelligence
    41  decision system.
    42    7. "Deployer" shall mean any person doing business in this state  that
    43  deploys a high-risk artificial intelligence decision system.
    44    8. "Developer" shall mean any person doing business in this state that
    45  develops,  or  intentionally  and  substantially modifies, an artificial
    46  intelligence decision system.
    47    9. "General-purpose artificial intelligence model":
    48    (a) shall mean any form of  artificial  intelligence  decision  system
    49  that:
    50    (i) displays significant generality;
    51    (ii)  is  capable  of  competently performing a wide range of distinct
    52  tasks; and
    53    (iii) can be integrated into a variety of downstream  applications  or
    54  systems; and

        A. 768                              3
 
     1    (b)  shall  not include any artificial intelligence model that is used
     2  for development, prototyping, and research activities before such  arti-
     3  ficial intelligence model is released on the market.
     4    10. "High-risk artificial intelligence decision system":
     5    (a)  shall mean any artificial intelligence decision system that, when
     6  deployed, makes, or is a substantial factor in making,  a  consequential
     7  decision; and
     8    (b) shall not include:
     9    (i) any artificial intelligence decision system that is intended to:
    10    (A) perform any narrow procedural task; or
    11    (B)  detect decision-making patterns, or deviations from decision-mak-
    12  ing patterns, unless such artificial  intelligence  decision  system  is
    13  intended  to replace or influence any assessment previously completed by
    14  an individual without sufficient human review; or
    15    (ii) unless the technology, when deployed, makes, or is a  substantial
    16  factor in making, a consequential decision:
    17    (A)  any anti-fraud technology that does not make use of facial recog-
    18  nition technology;
    19    (B) any artificial intelligence-enabled video game technology;
    20    (C) any anti-malware, anti-virus, calculator, cybersecurity, database,
    21  data storage, firewall, Internet domain registration,  Internet-web-site
    22  loading,  networking, robocall-filtering, spam-filtering, spellchecking,
    23  spreadsheet, web-caching, web-hosting, or similar technology;
    24    (D) any technology that performs tasks exclusively related to an enti-
    25  ty's internal management affairs, including, but not limited to,  order-
    26  ing office supplies or processing payments; or
    27    (E)  any  technology  that  communicates  with  consumers  in  natural
    28  language for the purpose of providing consumers with information, making
    29  referrals or recommendations, and answering questions, and is subject to
    30  an accepted use policy that prohibits generating content that is discri-
    31  minatory or harmful.
    32    11. "Intentional and substantial modification":
    33    (a) shall mean any deliberate change made to:
    34    (i) an artificial intelligence decision system that results in any new
    35  reasonably foreseeable risk of algorithmic discrimination; or
    36    (ii) a general-purpose artificial intelligence model that:
    37    (A) affects compliance of the general-purpose artificial  intelligence
    38  model;
    39    (B)  materially  changes the purpose of the general-purpose artificial
    40  intelligence model; or
    41    (C) results in any new  reasonably  foreseeable  risk  of  algorithmic
    42  discrimination; and
    43    (b) shall not include any change made to a high-risk artificial intel-
    44  ligence  decision  system,  or the performance of a high-risk artificial
    45  intelligence decision system, if:
    46    (i) the high-risk artificial intelligence decision system continues to
    47  learn after such high-risk artificial intelligence decision system is:
    48    (A) offered, sold, leased, licensed, given or otherwise made available
    49  to a deployer; or
    50    (B) deployed; and
    51    (ii) such change:
    52    (A) is made to such high-risk artificial intelligence decision  system
    53  as  a result of any learning described in subparagraph (i) of this para-
    54  graph;
    55    (B) was predetermined by the deployer, or the third  party  contracted
    56  by the deployer, when such deployer or third party completed the initial

        A. 768                              4
 
     1  impact  assessment  of  such  high-risk artificial intelligence decision
     2  system pursuant to  subdivision  three  of  section  one  thousand  five
     3  hundred fifty-two of this article; and
     4    (C)  is  included  in  the  technical documentation for such high-risk
     5  artificial intelligence decision system.
     6    12. "Person" shall  mean  any  individual,  association,  corporation,
     7  limited  liability  company,  partnership,  trust  or other legal entity
     8  authorized to do business in this state.
     9    13. "Red-teaming" shall mean an exercise that is conducted to identify
    10  the potential adverse behaviors or outcomes of  an  artificial  intelli-
    11  gence  decision  system  and  how  such behaviors or outcomes occur, and
    12  stress test the safeguards against such adverse behaviors or outcomes.
    13    14. "Substantial factor":
    14    (a) shall mean a factor that:
    15    (i) assists in making a consequential decision;
    16    (ii) is capable of altering the outcome of a  consequential  decision;
    17  and
    18    (iii) is generated by an artificial intelligence decision system; and
    19    (b) includes, but is not limited to, any use of an artificial intelli-
    20  gence  decision system to generate any content, decision, prediction, or
    21  recommendation concerning a consumer that is used as a basis to  make  a
    22  consequential decision concerning such consumer.
    23    15.  "Synthetic  digital  content"  shall  mean  any  digital content,
    24  including, but not limited to, any audio, image, text, or video, that is
    25  produced or manipulated by an artificial intelligence  decision  system,
    26  including, but not limited to, a general-purpose artificial intelligence
    27  model.
    28    16.  "Trade  secret"  shall mean any form and type of financial, busi-
    29  ness,  scientific,  technical,  economic,  or  engineering  information,
    30  including,  but  not  limited  to, a pattern, plan, compilation, program
    31  device, formula, design, prototype, method, technique,  process,  proce-
    32  dure,  program,  or  code,  whether  tangible or intangible, and whether
    33  stored, compiled, or  memorialized  physically,  electronically,  graph-
    34  ically, photographically, or in writing, that:
    35    (a)  derives  independent economic value, whether actual or potential,
    36  from not being generally known to, or readily  ascertainable  by  proper
    37  means  by,  other persons who can obtain economic value from its disclo-
    38  sure or use; and
    39    (b) is the subject of efforts that are reasonable  under  the  circum-
    40  stances to maintain its secrecy.
    41    § 1551. Required documentation. 1. (a) Beginning on January first, two
    42  thousand twenty-seven, each developer of a high-risk artificial intelli-
    43  gence  decision  system  shall  use reasonable care to protect consumers
    44  from any known or reasonably foreseeable risks of algorithmic  discrimi-
    45  nation  arising  from  the  intended  and contracted uses of a high-risk
    46  artificial intelligence  decision  system.  In  any  enforcement  action
    47  brought  on  or after such date by the attorney general pursuant to this
    48  article, there shall be a rebuttable presumption that a  developer  used
    49  reasonable care as required pursuant to this subdivision if:
    50    (i) the developer complied with the provisions of this section; and
    51    (ii)  an  independent  third  party identified by the attorney general
    52  pursuant to paragraph (b) of this subdivision and retained by the devel-
    53  oper completed bias and governance audits for the  high-risk  artificial
    54  intelligence decision system.
    55    (b) No later than January first, two thousand twenty-six, and at least
    56  annually thereafter, the attorney general shall:

        A. 768                              5
 
     1    (i)  identify independent third parties who, in the attorney general's
     2  opinion, are qualified to complete bias and governance  audits  for  the
     3  purposes of subparagraph (ii) of paragraph (a) of this subdivision; and
     4    (ii) publish a list of such independent third parties available on the
     5  attorney general's website.
     6    2.  Beginning  on January first, two thousand twenty-seven, and except
     7  as provided in subdivision five of this section, a developer of a  high-
     8  risk  artificial  intelligence  decision  system shall make available to
     9  each deployer or other developer the following information:
    10    (a) A general statement describing the  reasonably  foreseeable  uses,
    11  and  the  known harmful or inappropriate uses, of such high-risk artifi-
    12  cial intelligence decision system;
    13    (b) Documentation disclosing:
    14    (i) high-level summaries of the type of data used to train such  high-
    15  risk artificial intelligence decision system;
    16    (ii) the known or reasonably foreseeable limitations of such high-risk
    17  artificial  intelligence decision system, including, but not limited to,
    18  the known or reasonably foreseeable risks of algorithmic  discrimination
    19  arising from the intended uses of such high-risk artificial intelligence
    20  decision system;
    21    (iii)  the  purpose of such high-risk artificial intelligence decision
    22  system;
    23    (iv) the intended benefits  and  uses  of  such  high-risk  artificial
    24  intelligence decision system; and
    25    (v)  any  other information necessary to enable such deployer or other
    26  developer to comply with the provisions of this article;
    27    (c) Documentation describing:
    28    (i) how such high-risk artificial  intelligence  decision  system  was
    29  evaluated for performance, and mitigation of algorithmic discrimination,
    30  before  such  high-risk  artificial  intelligence  decision  system  was
    31  offered, sold, leased, licensed, given, or otherwise made  available  to
    32  such deployer or other developer;
    33    (ii)  the data governance measures used to cover the training datasets
    34  and examine the suitability of data sources, possible biases, and appro-
    35  priate mitigation;
    36    (iii) the intended outputs of such high-risk  artificial  intelligence
    37  decision system;
    38    (iv)  the measures such deployer or other developer has taken to miti-
    39  gate any known or reasonably foreseeable risks of algorithmic  discrimi-
    40  nation  that  may  arise  from  deployment  of such high-risk artificial
    41  intelligence decision system; and
    42    (v) how such high-risk artificial intelligence decision system  should
    43  be  used, not be used, and be monitored by an individual when such high-
    44  risk artificial intelligence decision system is used to make,  or  as  a
    45  substantial factor in making, a consequential decision; and
    46    (d)  Any  additional  documentation  that  is  reasonably necessary to
    47  assist a deployer or other developer to:
    48    (i) understand the outputs of such high-risk  artificial  intelligence
    49  decision system; and
    50    (ii) monitor the performance of such high-risk artificial intelligence
    51  decision system for risks of algorithmic discrimination.
    52    3.  (a)  Except  as  provided in subdivision five of this section, any
    53  developer that, on or after January first,  two  thousand  twenty-seven,
    54  offers,  sells, leases, licenses, gives, or otherwise makes available to
    55  a deployer or other developer a high-risk artificial intelligence  deci-
    56  sion  system  shall,  to  the  extent  feasible,  make available to such

        A. 768                              6
 
     1  deployers and other developers the documentation and information  relat-
     2  ing  to such high-risk artificial intelligence decision system necessary
     3  for a deployer, or the third party contracted by a deployer, to complete
     4  an  impact assessment pursuant to this article. The developer shall make
     5  such documentation and information available through artifacts  such  as
     6  model cards, dataset cards, or other impact assessments.
     7    (b) A developer that also serves as a deployer for any high-risk arti-
     8  ficial  intelligence  decision  system shall not be required to generate
     9  the documentation and information  required  pursuant  to  this  section
    10  unless   such  high-risk  artificial  intelligence  decision  system  is
    11  provided to an unaffiliated entity acting as a deployer.
    12    4. (a) Beginning on January first,  two  thousand  twenty-seven,  each
    13  developer  shall  publish,  in a manner that is clear and readily avail-
    14  able, on such developer's website, or a public  use  case  inventory,  a
    15  statement summarizing:
    16    (i)  the  types  of high-risk artificial intelligence decision systems
    17  that such developer:
    18    (A) has developed or intentionally and substantially modified; and
    19    (B) currently makes available to a deployer or other developer; and
    20    (ii) how such developer manages any known  or  reasonably  foreseeable
    21  risks  of algorithmic discrimination that may arise from the development
    22  or intentional and substantial modification of the  types  of  high-risk
    23  artificial  intelligence  decision systems described in subparagraph (i)
    24  of this subdivision.
    25    (b) Each developer shall update the statement described  in  paragraph
    26  (a) of this subdivision:
    27    (i) as necessary to ensure that such statement remains accurate; and
    28    (ii)  no  later than ninety days after the developer intentionally and
    29  substantially modifies any high-risk  artificial  intelligence  decision
    30  system  described  in subparagraph (i) of paragraph (a) of this subdivi-
    31  sion.
    32    5. Nothing in subdivisions two  or  four  of  this  section  shall  be
    33  construed to require a developer to disclose any information:
    34    (a)  that  is  a  trade  secret or otherwise protected from disclosure
    35  pursuant to state or federal law; or
    36    (b) the disclosure of which would present  a  security  risk  to  such
    37  developer.
    38    6. Beginning on January first, two thousand twenty-seven, the attorney
    39  general  may  require that a developer disclose to the attorney general,
    40  as part of an investigation conducted by the attorney general and  in  a
    41  form  and  manner prescribed by the attorney general, the general state-
    42  ment or documentation described in subdivision two of this section.  The
    43  attorney general may evaluate such general statement or documentation to
    44  ensure  compliance  with  the  provisions of this section. In disclosing
    45  such general statement or documentation to the attorney general pursuant
    46  to this subdivision, the developer may designate such general  statement
    47  or  documentation  as  including  any  information  that  is exempt from
    48  disclosure pursuant to subdivision five of this section or  article  six
    49  of  the  public  officers  law.  To the extent such general statement or
    50  documentation includes  such  information,  such  general  statement  or
    51  documentation  shall be exempt from disclosure. To the extent any infor-
    52  mation contained in such general statement or documentation  is  subject
    53  to  the  attorney-client  privilege  or  work  product  protection, such
    54  disclosure  shall  not  constitute  a  waiver  of  such   privilege   or
    55  protection.

        A. 768                              7
 
     1    §  1552. Risk management. 1. (a) Beginning on January first, two thou-
     2  sand twenty-seven, each deployer of a high-risk artificial  intelligence
     3  decision  system shall use reasonable care to protect consumers from any
     4  known or reasonably foreseeable risks of algorithmic discrimination.  In
     5  any  enforcement  action  brought  on or after said date by the attorney
     6  general pursuant to this article, there shall be a  rebuttable  presump-
     7  tion  that  a  deployer  of a high-risk artificial intelligence decision
     8  system used reasonable care as required pursuant to this subdivision if:
     9    (i) the deployer complied with the provisions of this section; and
    10    (ii) an independent third party identified  by  the  attorney  general
    11  pursuant  to  paragraph  (b)  of  this  subdivision  and retained by the
    12  deployer completed bias and governance audits for the high-risk  artifi-
    13  cial intelligence decision system.
    14    (b)  No  later  than  January first, two thousand twenty-seven, and at
    15  least annually thereafter, the attorney general shall:
    16    (i) identify the independent third parties who, in the attorney gener-
    17  al's opinion, are qualified to complete bias and governance  audits  for
    18  the  purposes of subparagraph (ii) of paragraph (a) of this subdivision;
    19  and
    20    (ii) make a list of such independent third parties  available  on  the
    21  attorney general's web site.
    22    2.  (a)  Beginning  on  January  first, two thousand twenty-seven, and
    23  except as provided in subdivision seven of this section,  each  deployer
    24  of  a  high-risk artificial intelligence decision system shall implement
    25  and maintain a  risk  management  policy  and  program  to  govern  such
    26  deployer's  deployment of the high-risk artificial intelligence decision
    27  system. The risk management policy and program shall specify and  incor-
    28  porate  the principles, processes, and personnel that the deployer shall
    29  use to identify, document, and mitigate any known or reasonably foresee-
    30  able risks of algorithmic discrimination.  The  risk  management  policy
    31  shall  be  the  product  of  an  iterative  process, the risk management
    32  program shall be an iterative process and both the risk management poli-
    33  cy and program shall be planned, implemented, and regularly and  system-
    34  atically  reviewed and updated over the lifecycle of the high-risk arti-
    35  ficial intelligence decision system. Each  risk  management  policy  and
    36  program implemented and maintained pursuant to this subdivision shall be
    37  reasonable, considering:
    38    (i) the guidance and standards set forth in the latest version of:
    39    (A)  the "Artificial Intelligence Risk Management Framework" published
    40  by the national institute of standards and technology;
    41    (B) ISO or IEC 42001 of the international organization for  standardi-
    42  zation; or
    43    (C)  a nationally or internationally recognized risk management frame-
    44  work for artificial intelligence decision systems, other than the  guid-
    45  ance  and  standards  specified  in clauses (A) and (B) of this subpara-
    46  graph, that imposes requirements that are substantially  equivalent  to,
    47  and  at  least as stringent as, the requirements established pursuant to
    48  this section for risk management policies and programs;
    49    (ii) the size and complexity of the deployer;
    50    (iii) the nature and scope of the  high-risk  artificial  intelligence
    51  decision  systems  deployed  by the deployer, including, but not limited
    52  to, the intended uses of such high-risk artificial intelligence decision
    53  systems; and
    54    (iv) the sensitivity and volume of data processed in  connection  with
    55  the  high-risk  artificial intelligence decision systems deployed by the
    56  deployer.

        A. 768                              8
 
     1    (b) A risk management policy and program  implemented  and  maintained
     2  pursuant  to  paragraph (a) of this subdivision may cover multiple high-
     3  risk artificial intelligence decision systems deployed by the deployer.
     4    3.  (a)  Except as provided in paragraphs (c) and (d) of this subdivi-
     5  sion and subdivision seven of this section:
     6    (i) a deployer that deploys a high-risk artificial intelligence  deci-
     7  sion  system  on or after January first, two thousand twenty-seven, or a
     8  third party contracted by the deployer, shall complete an impact assess-
     9  ment of the high-risk artificial intelligence decision system; and
    10    (ii) beginning on January first, two thousand twenty-seven, a  deploy-
    11  er,  or  a  third  party  contracted  by the deployer, shall complete an
    12  impact assessment of a deployed high-risk artificial intelligence  deci-
    13  sion system:
    14    (A) at least annually; and
    15    (B)  no  later  than  ninety days after an intentional and substantial
    16  modification to such high-risk artificial intelligence  decision  system
    17  is made available.
    18    (b)  (i) Each impact assessment completed pursuant to this subdivision
    19  shall include, at a minimum and to the extent reasonably  known  by,  or
    20  available to, the deployer:
    21    (A)  a  statement by the deployer disclosing the purpose, intended use
    22  cases and deployment context of, and benefits afforded by, the high-risk
    23  artificial intelligence decision system;
    24    (B) an analysis of whether the deployment of the high-risk  artificial
    25  intelligence  decision  system poses any known or reasonably foreseeable
    26  risks of algorithmic discrimination and, if so, the nature of such algo-
    27  rithmic discrimination and the steps that have been  taken  to  mitigate
    28  such risks;
    29    (C) A description of:
    30    (I) the categories of data the high-risk artificial intelligence deci-
    31  sion system processes as inputs; and
    32    (II)  the  outputs  such  high-risk  artificial  intelligence decision
    33  system produces;
    34    (D) if the deployer used data to customize  the  high-risk  artificial
    35  intelligence  decision system, an overview of the categories of data the
    36  deployer used to customize such high-risk artificial intelligence  deci-
    37  sion system;
    38    (E) any metrics used to evaluate the performance and known limitations
    39  of the high-risk artificial intelligence decision system;
    40    (F)  a  description  of any transparency measures taken concerning the
    41  high-risk artificial intelligence decision system,  including,  but  not
    42  limited to, any measures taken to disclose to a consumer that such high-
    43  risk  artificial  intelligence decision system is in use when such high-
    44  risk artificial intelligence decision system is in use; and
    45    (G) a description of the post-deployment  monitoring  and  user  safe-
    46  guards  provided concerning such high-risk artificial intelligence deci-
    47  sion system, including, but not limited  to,  the  oversight,  use,  and
    48  learning  process  established by the deployer to address issues arising
    49  from deployment  of  such  high-risk  artificial  intelligence  decision
    50  system.
    51    (ii)  In  addition to the statement, analysis, descriptions, overview,
    52  and metrics required pursuant to subparagraph (i) of this paragraph,  an
    53  impact  assessment  completed  pursuant to this subdivision following an
    54  intentional and substantial modification made to a high-risk  artificial
    55  intelligence  decision  system  on  or after January first, two thousand
    56  twenty-seven, shall include a statement disclosing the extent  to  which

        A. 768                              9
 
     1  the  high-risk  artificial  intelligence  decision  system was used in a
     2  manner that  was  consistent  with,  or  varied  from,  the  developer's
     3  intended uses of such high-risk artificial intelligence decision system.
     4    (c)  A  single impact assessment may address a comparable set of high-
     5  risk artificial intelligence decision systems deployed by a deployer.
     6    (d) If a deployer, or  a  third  party  contracted  by  the  deployer,
     7  completes an impact assessment for the purpose of complying with another
     8  applicable  law or regulation, such impact assessment shall be deemed to
     9  satisfy the requirements established in this subdivision if such  impact
    10  assessment  is  reasonably  similar  in  scope  and effect to the impact
    11  assessment that would otherwise be completed pursuant to  this  subdivi-
    12  sion.
    13    (e)  A  deployer  shall  maintain  the  most recently completed impact
    14  assessment of a high-risk artificial  intelligence  decision  system  as
    15  required  pursuant to this subdivision, all records concerning each such
    16  impact assessment and all prior impact assessments, if any, for a period
    17  of at least three years following the final deployment of the  high-risk
    18  artificial intelligence decision system.
    19    4.  Except as provided in subdivision seven of this section, a deploy-
    20  er, or a third party contracted by the deployer, shall review, no  later
    21  than  January  first,  two  thousand twenty-seven, and at least annually
    22  thereafter, the deployment of  each  high-risk  artificial  intelligence
    23  decision  system  deployed by the deployer to ensure that such high-risk
    24  artificial intelligence  decision  system  is  not  causing  algorithmic
    25  discrimination.
    26    5.  (a)  Beginning  on  January  first, two thousand twenty-seven, and
    27  before a deployer deploys a high-risk artificial  intelligence  decision
    28  system  to  make,  or be a substantial factor in making, a consequential
    29  decision concerning a consumer, the deployer shall:
    30    (i) notify the consumer that the deployer  has  deployed  a  high-risk
    31  artificial  intelligence  decision  system  to make, or be a substantial
    32  factor in making, such consequential decision; and
    33    (ii) provide to the consumer:
    34    (A) a statement disclosing:
    35    (I) the purpose of such  high-risk  artificial  intelligence  decision
    36  system; and
    37    (II) the nature of such consequential decision;
    38    (B) contact information for such deployer;
    39    (C)  a  description,  in  plain language, of such high-risk artificial
    40  intelligence decision system; and
    41    (D) instructions on how to access the statement made available  pursu-
    42  ant to paragraph (a) of subdivision six of this section.
    43    (b)  Beginning on January first, two thousand twenty-seven, a deployer
    44  that has deployed a high-risk artificial intelligence decision system to
    45  make, or as a substantial factor in  making,  a  consequential  decision
    46  concerning  a  consumer shall, if such consequential decision is adverse
    47  to the consumer, provide to such consumer:
    48    (i) a statement disclosing the principal reason or  reasons  for  such
    49  adverse consequential decision, including, but not limited to:
    50    (A) the degree to which, and manner in which, the high-risk artificial
    51  intelligence  decision  system contributed to such adverse consequential
    52  decision;
    53    (B) the type of data that was processed by such  high-risk  artificial
    54  intelligence  decision system in making such adverse consequential deci-
    55  sion; and
    56    (C) the source of such data; and

        A. 768                             10
 
     1    (ii) an opportunity to:
     2    (A)  correct any incorrect personal data that the high-risk artificial
     3  intelligence decision system processed in making, or  as  a  substantial
     4  factor in making, such adverse consequential decision; and
     5    (B)  appeal such adverse consequential decision, which shall, if tech-
     6  nically feasible, allow for human review unless providing such  opportu-
     7  nity  is  not  in the best interest of such consumer, including, but not
     8  limited to, in instances in which any delay might pose  a  risk  to  the
     9  life or safety of such consumer.
    10    (c)  The  deployer  shall provide the notice, statements, information,
    11  description, and instructions required pursuant to  paragraphs  (a)  and
    12  (b) of this subdivision:
    13    (i) directly to the consumer;
    14    (ii) in plain language;
    15    (iii)  in all languages in which such deployer, in the ordinary course
    16  of such  deployer's  business,  provides  contracts,  disclaimers,  sale
    17  announcements, and other information to consumers; and
    18    (iv) in a format that is accessible to consumers with disabilities.
    19    6.  (a)  Beginning  on  January  first, two thousand twenty-seven, and
    20  except as provided in subdivision seven of this section,  each  deployer
    21  shall make available, in a manner that is clear and readily available on
    22  such deployer's website, a statement summarizing:
    23    (i)  the  types  of high-risk artificial intelligence decision systems
    24  that are currently deployed by such deployer;
    25    (ii) how such deployer manages any  known  or  reasonably  foreseeable
    26  risks  of  algorithmic  discrimination that may arise from deployment of
    27  each high-risk artificial  intelligence  decision  system  described  in
    28  subparagraph (i) of this paragraph; and
    29    (iii)  in  detail,  the  nature,  source and extent of the information
    30  collected and used by such deployer.
    31    (b) Each deployer shall periodically  update  the  statement  required
    32  pursuant to paragraph (a) of this subdivision.
    33    7.  The  provisions  of subdivisions two, three, four, and six of this
    34  section shall not apply to a deployer  if,  at  the  time  the  deployer
    35  deploys  a high-risk artificial intelligence decision system, and at all
    36  times while the high-risk artificial  intelligence  decision  system  is
    37  deployed:
    38    (a) the deployer:
    39    (i) has entered into a contract with the developer in which the devel-
    40  oper has agreed to assume the deployer's duties pursuant to subdivisions
    41  two, three, four, or six of this section; and
    42    (ii)  does  not exclusively use such deployer's own data to train such
    43  high-risk artificial intelligence decision system;
    44    (b) such high-risk artificial intelligence decision system:
    45    (i) is used for the intended uses that are disclosed to such  deployer
    46  pursuant  to  subparagraph  (iv)  of paragraph (b) of subdivision two of
    47  section one thousand five hundred fifty-one of this article; and
    48    (ii) continues learning based on a broad range of data sources and not
    49  solely based on the deployer's own data; and
    50    (c) such deployer makes available to consumers any  impact  assessment
    51  that:
    52    (i)  the  developer of such high-risk artificial intelligence decision
    53  system has completed and provided to such deployer; and
    54    (ii) includes information that is substantially similar to the  infor-
    55  mation  included in the statement, analysis, descriptions, overview, and

        A. 768                             11
 
     1  metrics required pursuant to subparagraph (i) of paragraph (b) of subdi-
     2  vision three of this section.
     3    8. Nothing in this subdivision or subdivisions two, three, four, five,
     4  or  six  of  this  section  shall  be construed to require a deployer to
     5  disclose any information that is a trade secret or  otherwise  protected
     6  from  disclosure  pursuant  to state or federal law. If a deployer with-
     7  holds any information from a consumer  pursuant  this  subdivision,  the
     8  deployer shall send notice to such consumer disclosing:
     9    (a)  that  the  deployer  is  withholding  such  information from such
    10  consumer; and
    11    (b) the basis for the deployer's decision to withhold such information
    12  from such consumer.
    13    9. Beginning on January first, two thousand twenty-seven, the attorney
    14  general may require that a deployer, or a third party contracted by  the
    15  deployer  pursuant  to subdivision three of this section, as applicable,
    16  disclose to the attorney general, as part of an investigation  conducted
    17  by  the  attorney  general, no later than ninety days after a request by
    18  the attorney general, and in a form and manner prescribed by the  attor-
    19  ney general, the risk management policy implemented pursuant to subdivi-
    20  sion  two  of  this section, the impact assessment completed pursuant to
    21  subdivision three of this section; or  records  maintained  pursuant  to
    22  paragraph (e) of subdivision three of this section. The attorney general
    23  may  evaluate  such risk management policy, impact assessment or records
    24  to ensure compliance with the provisions of this section. In  disclosing
    25  such  risk management policy, impact assessment or records to the attor-
    26  ney general pursuant to this subdivision, the  deployer  or  third-party
    27  contractor,  as  applicable,  may designate such risk management policy,
    28  impact assessment or records as including any information that is exempt
    29  from disclosure pursuant to subdivision eight of this section or article
    30  six of the public officers law. To the extent such risk management poli-
    31  cy, impact assessment, or records include such  information,  such  risk
    32  management  policy,  impact  assessment, or records shall be exempt from
    33  disclosure. To the extent any information contained in such risk manage-
    34  ment policy, impact assessment, or record is subject  to  the  attorney-
    35  client  privilege  or work product protection, such disclosure shall not
    36  constitute a waiver of such privilege or protection.
    37    § 1553. Technical documentation. 1. Beginning on  January  first,  two
    38  thousand  twenty-seven,  each  developer of a general-purpose artificial
    39  intelligence model shall, except as provided in subdivision two of  this
    40  section:
    41    (a)  create  and maintain technical documentation for the general-pur-
    42  pose artificial intelligence model, which shall:
    43    (i) include:
    44    (A) the training and testing processes for such general-purpose  arti-
    45  ficial intelligence model; and
    46    (B)  the  results  of an evaluation of such general-purpose artificial
    47  intelligence model performed to determine whether  such  general-purpose
    48  artificial  intelligence  model  is in compliance with the provisions of
    49  this article;
    50    (ii) include, as appropriate, considering the size and risk profile of
    51  such general-purpose artificial intelligence model, at least:
    52    (A) the tasks such general-purpose artificial  intelligence  model  is
    53  intended to perform;
    54    (B) the type and nature of artificial intelligence decision systems in
    55  which  such general-purpose artificial intelligence model is intended to
    56  be integrated;

        A. 768                             12
 
     1    (C) acceptable use policies for such general-purpose artificial intel-
     2  ligence model;
     3    (D)  the  date  such  general-purpose artificial intelligence model is
     4  released;
     5    (E) the methods by which such general-purpose artificial  intelligence
     6  model is distributed; and
     7    (F)  the  modality  and format of inputs and outputs for such general-
     8  purpose artificial intelligence model; and
     9    (iii) be reviewed and revised at least annually, or  more  frequently,
    10  as  necessary  to maintain the accuracy of such technical documentation;
    11  and
    12    (b) create, implement, maintain and make  available  to  persons  that
    13  intend  to  integrate such general-purpose artificial intelligence model
    14  into such persons' artificial intelligence decision  systems  documenta-
    15  tion and information that:
    16    (i) enables such persons to:
    17    (A)  understand  the capabilities and limitations of such general-pur-
    18  pose artificial intelligence model; and
    19    (B) comply with such persons' obligations pursuant to this article;
    20    (ii) discloses, at a minimum:
    21    (A) the technical means required for such  general-purpose  artificial
    22  intelligence model to be integrated into such persons' artificial intel-
    23  ligence decision systems;
    24    (B)  the  information  listed in subparagraph (ii) of paragraph (a) of
    25  this subdivision; and
    26    (iii) except as provided  in  subdivision  two  of  this  section,  is
    27  reviewed and revised at least annually, or more frequently, as necessary
    28  to maintain the accuracy of such documentation and information.
    29    2. (a) The provisions of paragraph (a) and subparagraph (iii) of para-
    30  graph (b) of subdivision one of this section shall not apply to a devel-
    31  oper  that  develops,  or  intentionally  and  substantially modifies, a
    32  general-purpose artificial intelligence model on or after January first,
    33  two thousand twenty-seven, if:
    34    (i) (A) the developer releases such general-purpose artificial  intel-
    35  ligence model under a free and open-source license that allows for:
    36    (I)  access  to,  and  modification,  distribution, and usage of, such
    37  general-purpose artificial intelligence model; and
    38    (II) the parameters of such  general-purpose  artificial  intelligence
    39  model  to  be  made  publicly  available  pursuant to clause (B) of this
    40  subparagraph; and
    41    (B) unless  such  general-purpose  artificial  intelligence  model  is
    42  deployed  as  a  high-risk  artificial intelligence decision system, the
    43  parameters  of  such  general-purpose  artificial  intelligence   model,
    44  including,  but  not  limited to, the weights and information concerning
    45  the model architecture and model usage for such general-purpose  artifi-
    46  cial intelligence model, are made publicly available; or
    47    (ii) the general-purpose artificial intelligence model is:
    48    (A) not offered for sale in the market;
    49    (B) not intended to interact with consumers; and
    50    (C) solely utilized:
    51    (I) for an entity's internal purposes; or
    52    (II) pursuant to an agreement between multiple entities for such enti-
    53  ties' internal purposes.
    54    (b) The provisions of this section shall not apply to a developer that
    55  develops, or intentionally and substantially modifies, a general-purpose
    56  artificial  intelligence  model  on or after January first, two thousand

        A. 768                             13
 
     1  twenty-seven, if such  general  purpose  artificial  intelligence  model
     2  performs  tasks  exclusively  related to an entity's internal management
     3  affairs, including, but not limited  to,  ordering  office  supplies  or
     4  processing payments.
     5    (c)  A  developer that takes any action under an exemption pursuant to
     6  paragraph (a) or (b) of this subdivision shall bear the burden of demon-
     7  strating that such action qualifies for such exemption.
     8    (d) A developer that is exempt pursuant to subparagraph (ii) of  para-
     9  graph (a) of this subdivision shall establish and maintain an artificial
    10  intelligence risk management framework, which shall:
    11    (i) be the product of an iterative process and ongoing efforts; and
    12    (ii) include, at a minimum:
    13    (A) an internal governance function;
    14    (B) a map function that shall establish the context to frame risks;
    15    (C) a risk management function; and
    16    (D) a function to measure identified risks by assessing, analyzing and
    17  tracking such risks.
    18    3.  Nothing  in  subdivision one of this section shall be construed to
    19  require a developer to disclose any information that is a  trade  secret
    20  or otherwise protected from disclosure pursuant to state or federal law.
    21    4. Beginning on January first, two thousand twenty-seven, the attorney
    22  general  may  require that a developer disclose to the attorney general,
    23  as part of an investigation conducted by the attorney general, no  later
    24  than  ninety  days after a request by the attorney general and in a form
    25  and manner prescribed by the attorney general, any  documentation  main-
    26  tained  pursuant to this section. The attorney general may evaluate such
    27  documentation to ensure compliance with the provisions of this  section.
    28  In disclosing any documentation to the attorney general pursuant to this
    29  subdivision, the developer may designate such documentation as including
    30  any  information  that is exempt from disclosure pursuant to subdivision
    31  three of this section or article six of the public officers law. To  the
    32  extent  such documentation includes such information, such documentation
    33  shall be exempt from disclosure. To the extent any information contained
    34  in such documentation is subject to  the  attorney-client  privilege  or
    35  work  product  protection, such disclosure shall not constitute a waiver
    36  of such privilege or protection.
    37    § 1554. Required disclosure. 1. Beginning on January first, two  thou-
    38  sand  twenty-seven,  and  except  as provided in subdivision two of this
    39  section, each person doing business in this state,  including,  but  not
    40  limited to, each deployer that deploys, offers, sells, leases, licenses,
    41  gives,  or  otherwise  makes  available,  as  applicable, any artificial
    42  intelligence decision system that is intended to interact with consumers
    43  shall ensure that it is disclosed to each consumer  who  interacts  with
    44  such  artificial  intelligence  decision  system  that  such consumer is
    45  interacting with an artificial intelligence decision system.
    46    2. No disclosure shall be required pursuant to subdivision one of this
    47  section under circumstances in which a reasonable person would  deem  it
    48  obvious  that such person is interacting with an artificial intelligence
    49  decision system.
    50    § 1555. Preemption. 1. Nothing in this article shall be  construed  to
    51  restrict a developer's, deployer's, or other person's ability to:
    52    (a) comply with federal, state or municipal law;
    53    (b)  comply  with  a  civil,  criminal or regulatory inquiry, investi-
    54  gation, subpoena, or summons by a federal, state,  municipal,  or  other
    55  governmental authority;

        A. 768                             14
 
     1    (c)  cooperate  with  a  law  enforcement agency concerning conduct or
     2  activity that the developer, deployer, or other person reasonably and in
     3  good faith believes may violate federal, state, or municipal law;
     4    (d)  investigate,  establish, exercise, prepare for, or defend a legal
     5  claim;
     6    (e) take immediate steps to protect an interest that is essential  for
     7  the life or physical safety of a consumer or another individual;
     8    (f)  (i)  by  any  means  other  than  facial  recognition technology,
     9  prevent, detect, protect against, or respond to:
    10    (A) a security incident;
    11    (B) a malicious or deceptive activity; or
    12    (C) identity theft, fraud, harassment or any other illegal activity;
    13    (ii) investigate, report, or prosecute the persons responsible for any
    14  action described in subparagraph (i) of this paragraph; or
    15    (iii) preserve the integrity or security of systems;
    16    (g) engage  in  public  or  peer-reviewed  scientific  or  statistical
    17  research in the public interest that:
    18    (i) adheres to all other applicable ethics and privacy laws; and
    19    (ii) is conducted in accordance with:
    20    (A)  part  forty-six  of title forty-five of the code of federal regu-
    21  lations, as amended; or
    22    (B) relevant requirements established by the  federal  food  and  drug
    23  administration;
    24    (h) conduct research, testing, and development activities regarding an
    25  artificial  intelligence  decision  system  or model, other than testing
    26  conducted pursuant to real  world  conditions,  before  such  artificial
    27  intelligence decision system or model is placed on the market, deployed,
    28  or put into service, as applicable;
    29    (i) effectuate a product recall;
    30    (j)  identify  and  repair  technical  errors  that impair existing or
    31  intended functionality; or
    32    (k) assist another developer, deployer, or  person  with  any  of  the
    33  obligations imposed pursuant to this article.
    34    2.  The obligations imposed on developers, deployers, or other persons
    35  pursuant to this article shall not apply where compliance by the  devel-
    36  oper,  deployer,  or  other  person  with the provisions of this article
    37  would violate an evidentiary privilege pursuant to state law.
    38    3. Nothing in this article shall be construed to impose any obligation
    39  on a developer, deployer, or other person  that  adversely  affects  the
    40  rights  or  freedoms  of  any person, including, but not limited to, the
    41  rights of any person:
    42    (a) to freedom of speech or freedom of the press guaranteed in:
    43    (i) the first amendment to the United States constitution; and
    44    (ii) section eight of the New York state constitution; or
    45    (b) pursuant to section seventy-nine-h of the civil rights law.
    46    4. Nothing in this article shall be construed to apply to any develop-
    47  er, deployer, or other person:
    48    (a) insofar as such developer,  deployer  or  other  person  develops,
    49  deploys, puts into service, or intentionally and substantially modifies,
    50  as applicable, a high-risk artificial intelligence decision system:
    51    (i) that has been approved, authorized, certified, cleared, developed,
    52  or granted by:
    53    (A)  a federal agency, including, but not limited to, the federal food
    54  and drug administration or the federal aviation  administration,  acting
    55  within the scope of such federal agency's authority; or

        A. 768                             15
 
     1    (B)  a  regulated  entity subject to supervision and regulation by the
     2  federal housing finance agency; or
     3    (ii) in compliance with standards that are:
     4    (A) established by:
     5    (I)  any  federal  agency,  including, but not limited to, the federal
     6  office of the national coordinator for health information technology; or
     7    (II) a regulated entity subject to supervision and regulation  by  the
     8  federal housing finance agency; and
     9    (B)  substantially  equivalent  to,  and at least as stringent as, the
    10  standards established pursuant to this article;
    11    (b) conducting research to support an application:
    12    (i) for approval or certification from any federal agency,  including,
    13  but not limited to, the federal food and drug administration, the feder-
    14  al aviation administration, or the federal communications commission; or
    15    (ii) that is otherwise subject to review by any federal agency;
    16    (c)  performing  work  pursuant  to, or in connection with, a contract
    17  with the federal department  of  commerce,  the  federal  department  of
    18  defense,  or  the  national aeronautics and space administration, unless
    19  such developer, deployer, or other person is performing such work  on  a
    20  high-risk  artificial intelligence decision system that is used to make,
    21  or as a substantial factor in making, a decision  concerning  employment
    22  or housing; or
    23    (d)  that  is  a  covered  entity,  as defined by the health insurance
    24  portability and accountability act of 1996 and the  regulations  promul-
    25  gated  thereunder, as amended, and providing health care recommendations
    26  that:
    27    (i) are generated by an artificial intelligence decision system;
    28    (ii) require a health care provider to take action to  implement  such
    29  recommendations; and
    30    (iii) are not considered to be high risk.
    31    5.  Nothing in this article shall be construed to apply to any artifi-
    32  cial intelligence decision system that is acquired by or for the federal
    33  government or any federal  agency  or  department,  including,  but  not
    34  limited  to,  the federal department of commerce, the federal department
    35  of defense, or the national aeronautics and space administration, unless
    36  such artificial intelligence decision system is a  high-risk  artificial
    37  intelligence  decision  system that is used to make, or as a substantial
    38  factor in making, a decision concerning employment or housing.
    39    6. Any insurer, as defined by section five hundred one of  the  insur-
    40  ance law, or fraternal benefit society, as defined by section four thou-
    41  sand  five  hundred  one  of the insurance law, shall be deemed to be in
    42  full compliance with the provisions of this article if such  insurer  or
    43  fraternal  benefit society has implemented and maintains a written arti-
    44  ficial intelligence decision systems  program  in  accordance  with  all
    45  requirements established by the superintendent of financial services.
    46    7.  (a)  Any  bank,  out-of-state bank, New York credit union, federal
    47  credit union, or out-of-state credit union, or any affiliate or  subsid-
    48  iary  thereof,  shall  be  deemed  to  be  in  full  compliance with the
    49  provisions of this article if such bank,  out-of-state  bank,  New  York
    50  credit  union,  federal  credit union, out-of-state credit union, affil-
    51  iate, or subsidiary is subject to examination by any  state  or  federal
    52  prudential  regulator  pursuant to any published guidance or regulations
    53  that apply to the use  of  high-risk  artificial  intelligence  decision
    54  systems, and such guidance or regulations:
    55    (i)  impose  requirements that are substantially equivalent to, and at
    56  least as stringent as, the requirements of this article; and

        A. 768                             16
 
     1    (ii) at a minimum, require such  bank,  out-of-state  bank,  New  York
     2  credit  union,  federal  credit union, out-of-state credit union, affil-
     3  iate, or subsidiary to:
     4    (A)  regularly audit such bank's, out-of-state bank's, New York credit
     5  union's, federal credit union's,  out-of-state  credit  union's,  affil-
     6  iate's,  or  subsidiary's use of high-risk artificial intelligence deci-
     7  sion systems for compliance with state and  federal  anti-discrimination
     8  laws  and  regulations  applicable  to such bank, out-of-state bank, New
     9  York credit union, federal  credit  union,  out-of-state  credit  union,
    10  affiliate, or subsidiary; and
    11    (B)  mitigate  any  algorithmic  discrimination caused by the use of a
    12  high-risk artificial intelligence decision system, or any risk of  algo-
    13  rithmic discrimination that is reasonably foreseeable as a result of the
    14  use of a high-risk artificial intelligence decision system.
    15    (b)  For  the  purposes of this subdivision, the following terms shall
    16  have the following meanings:
    17    (i) "Affiliate" shall have the same meaning as set  forth  in  section
    18  nine hundred twelve of the business corporation law.
    19    (ii) "Bank" shall have the same meaning as set forth in section two of
    20  the banking law.
    21    (iii)  "Credit  union"  shall  have  the  same meaning as set forth in
    22  section two of the banking law.
    23    (iv) "Out-of-state bank" shall have the same meaning as set  forth  in
    24  section two hundred twenty-two of the banking law.
    25    (v)  "Subsidiary"  shall have the same meaning as set forth in section
    26  one hundred forty-one of the banking law.
    27    8. If a developer, deployer, or other person  engages  in  any  action
    28  under an exemption pursuant to subdivisions one, two, three, four, five,
    29  six,  or seven of this section, the developer, deployer, or other person
    30  bears the burden of demonstrating that such action  qualifies  for  such
    31  exemption.
    32    §  1556.  Enforcement.  1.  The  attorney general shall have exclusive
    33  authority to enforce the provisions of this article.
    34    2. Except as provided in subdivision six of this section,  during  the
    35  period beginning on January first, two thousand twenty-seven, and ending
    36  on January first, two thousand twenty-eight, the attorney general shall,
    37  prior  to initiating any action for a violation of this section, issue a
    38  notice of violation to the developer, deployer, or other person  if  the
    39  attorney  general determines that it is possible to cure such violation.
    40  If the developer, deployer, or other person fails to cure such violation
    41  within sixty days after receipt of such notice of violation, the  attor-
    42  ney general may bring an action pursuant to this section.
    43    3. Except as provided in subdivision six of this section, beginning on
    44  January  first,  two thousand twenty-eight, the attorney general may, in
    45  determining whether to grant a developer, deployer, or other person  the
    46  opportunity  to  cure  a  violation described in subdivision two of this
    47  section, consider:
    48    (a) the number of violations;
    49    (b) the size and complexity  of  the  developer,  deployer,  or  other
    50  person;
    51    (c)  the  nature  and  extent of the developer's, deployer's, or other
    52  person's business;
    53    (d) the substantial likelihood of injury to the public;
    54    (e) the safety of persons or property; and
    55    (f) whether such violation was likely caused  by  human  or  technical
    56  error.

        A. 768                             17
 
     1    4.  Nothing  in this article shall be construed as providing the basis
     2  for a private right of action for violations of the provisions  of  this
     3  article.
     4    5.  Except  as provided in subdivisions one, two, three, four, and six
     5  of this section, a violation of the  requirements  established  in  this
     6  article  shall  constitute  an  unfair  trade  practice  for purposes of
     7  section three hundred forty-nine of this chapter and shall  be  enforced
     8  solely  by the attorney general; provided, however, that subdivision (h)
     9  of section three hundred forty-nine of this chapter shall not  apply  to
    10  any such violation.
    11    6.  (a)  In  any  action  commenced  by  the  attorney general for any
    12  violation of this article, it shall be an affirmative defense  that  the
    13  developer, deployer, or other person:
    14    (i)  discovers  a  violation  of any provision of this article through
    15  red-teaming;
    16    (ii) no later than sixty days after discovering such violation through
    17  red-teaming:
    18    (A) cures such violation; and
    19    (B) provides to the attorney general, in a form and manner  prescribed
    20  by  the  attorney general, notice that such violation has been cured and
    21  evidence that any harm caused by such violation has been mitigated; and
    22    (iii) is otherwise in compliance with the latest version of:
    23    (A) the Artificial Intelligence Risk Management Framework published by
    24  the national institute of standards and technology;
    25    (B) ISO/IEC 42001 of the  international  organization  for  standardi-
    26  zation and the international electrotechnical commission;
    27    (C)  a nationally or internationally recognized risk management frame-
    28  work for artificial intelligence decision systems, other than  the  risk
    29  management  frameworks described in clauses (A) and (B) of this subpara-
    30  graph, that imposes requirements that are substantially  equivalent  to,
    31  and  at  least as stringent as, the requirements established pursuant to
    32  this article; or
    33    (D) any risk management framework for artificial intelligence decision
    34  systems that is substantially equivalent to, and at least  as  stringent
    35  as,  the  risk  management frameworks described in clauses (A), (B), and
    36  (C) of this subparagraph.
    37    (b) The developer, deployer, or  other  person  bears  the  burden  of
    38  demonstrating  to the attorney general that the requirements established
    39  pursuant to paragraph (a) of this subdivision have been satisfied.
    40    (c) Nothing in this  article,  including,  but  not  limited  to,  the
    41  enforcement  authority  granted to the attorney general pursuant to this
    42  section, shall be construed to preempt or otherwise  affect  any  right,
    43  claim,  remedy,  presumption,  or defense available at law or in equity.
    44  Any rebuttable presumption or affirmative defense  established  pursuant
    45  to this article shall apply only to an enforcement action brought by the
    46  attorney  general  pursuant  to  this section and shall not apply to any
    47  right, claim, remedy, presumption, or defense available  at  law  or  in
    48  equity.
    49    §  3.  This  act  shall  take effect on the two hundred seventieth day
    50  after it shall have become a law.
Go to top