Oct. 16, 2024

Deciphering California’s Pioneering Mandate for an AI Nutrition Label 

California has created the first nutrition label for generative AI (Gen AI). The AI Training Data Transparency Act (CAIT‑D) requires an AI developer, which is broadly defined, to post on its website 12 details about datasets it uses for training AI. This article, with insights from attorneys at BakerHostetler, Carlton Fields, IAPP and Luminos Law, explains the new requirements, CAIT‑D’s benefits and shortcomings for downstream AI governance professionals, and how it compares to requirements in the E.U. and Colorado laws on AI. It also discusses the extent to which the law applies to workplace use of AI and the many companies adapting Gen AI models. See “How to Address the Colorado AI Act’s ‘Complex Compliance Regime’” (Jun. 5, 2024).

Cybersecurity and Privacy: Two Sides of the Same Coin

Cybersecurity Awareness Month is a good time to look at the latest evidence of how cybersecurity and privacy overlap and often blend, as seen in the convergence of laws and regulations in the space. Many frameworks also contain both cyber and privacy elements. There is overlap in regulatory enforcement as well – just last week, the FTC’s settlement with Marriott and Starwood to resolve charges that lax data security led to three large data breaches included both privacy and cybersecurity mandates. Despite the ties, there is still a hint of tension in how to govern data privacy and cybersecurity to ensure a cohesive, continued alignment. In this guest article, Divya Sridhar, vice president, global privacy division and privacy initiatives operations, and Leah Smyle, privacy compliance coordinator, both at BBB National Programs, examine and offer perspective on the crossover, and provide a plan of action for closing the gaps between these two operations and putting coordinated efforts to work. See “Fostering Collaboration and Communication Between Security and Compliance” (Mar. 13, 2024).

Meeting DOJ Expectations Post-Resolution Requires Realism and Accountability

Many companies think that settling an issue with the SEC or DOJ brings the matter to a close. However, the ongoing obligations that appear in numerous settlements require companies to mind their manners with U.S. enforcers for years after a deal is inked. In a recent panel hosted by Ethico, Sidley Austin partner and former Assistant Attorney General Kenneth Polite, compliance consultant and former DOJ Compliance Counsel Expert Hui Chen, and compliance consultant and former Albemarle CCO Andrew McBride discussed the intricacies and challenges of navigating the aftermath of regulatory resolutions. This article summarizes the key takeaways from the discussion, including who manages continued communications with the DOJ, how much to report, and accountability. See “What CCOs Should Know About the DOJ’s Efforts to Curtail Criminal Use of AI” (Oct. 9, 2024).

Privacy, Cyber & Data Strategy Partner Joins Alston & Bird in London

Alston & Bird has strengthened its privacy, cyber & data strategy team with the addition of Kelly Hagedorn as a partner in the firm’s London office. She arrives from Orrick. For commentary from Hagedorn, see “The Right to Be Forgotten: English High Court Details When Google Must Delist Links to Crimes” (May 9, 2018). For insights from Alston & Bird, see “FTC Signals Stricter Children’s Enforcement in NGL Labs Settlement: Compliance Lessons” (Sep. 25, 2024); as well as our two-part series on cybersecurity obligations in the E.U.’s Digital Laws: “AI Act, CRA and NIS2” (Sep. 4, 2024), and “Data Act, DORA and Compliance Steps” (Sep. 11, 2024).