Policy Tracker

Enacts the New York Artificial Intelligence Civil Rights Act establishing protections for individual rights with respect to computational algorithms; establishes protections against the use of algorithms involved in consequential decisions, such as those that impact people's rights, civil liberties, and livelihoods, including employment, banking, health care, the criminal justice system, public accommodations, and government services; prohibits developers and deployers from offering, licensing, or using covered algorithms that discriminate based on protected characteristics or that cause a disparate impact; requires developers and deployers of covered algorithms to complete independently audited pre-deployment evaluations and post-deployment impact assessments to identify, evaluate, and mitigate any potential biased use or discriminatory outcomes; requires developers and deployers to mitigate any harms identified by the pre-deployment evaluations and impact assessments and ensure that any covered algorithm performs reasonably well and is consistent with its publicly-advertised purpose; increases transparency around the use of covered algorithms in consequential decisions, including providing individuals a right to appeal an algorithmic decision to a human decision-maker; provides remedies for violations.

NY · Legislation · 2025 · A09654

LegislationAI
Introduced

Record updated Jan 21, 2026

Summary

Enacts the New York Artificial Intelligence Civil Rights Act establishing protections for individual rights with respect to computational algorithms; establishes protections against the use of algorithms involved in consequential decisions, such as those that impact people's rights, civil liberties, and livelihoods, including employment, banking, health care, the criminal justice system, public accommodations, and government services; prohibits developers and deployers from offering, licensing, or using covered algorithms that discriminate based on protected characteristics or that cause a disparate impact; requires developers and deployers of covered algorithms to complete independently audited pre-deployment evaluations and post-deployment impact assessments to identify, evaluate, and mitigate any potential biased use or discriminatory outcomes; requires developers and deployers to mitigate any harms identified by the pre-deployment evaluations and impact assessments and ensure that any covered algorithm performs reasonably well and is consistent with its publicly-advertised purpose; increases transparency around the use of covered algorithms in consequential decisions, including providing individuals a right to appeal an algorithmic decision to a human decision-maker; provides remedies for violations.

Timeline

2026-01-21

A

referred to science and technology

Bill Text

Rendered HTML Filing

Official document markup is preserved and restyled to match the active site theme.


                STATE OF NEW YORK
        ________________________________________________________________________

                                          9654

                   IN ASSEMBLY

                                    January 21, 2026
                                       ___________

        Introduced  by M. of A. SOLAGES -- read once and referred to the Commit-
          tee on Science and Technology

        AN ACT to amend the civil rights law, in relation to enacting  the  "New
          York Artificial Intelligence Civil Rights Act"

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:

     1    Section 1. Article 10 and sections 100 and 101  of  the  civil  rights
     2  law,  as  renumbered  by chapter 263 of the laws of 2019, are renumbered
     3  article 20 and sections 200 and 201, and a new article 10  is  added  to
     4  read as follows:
     5                                  ARTICLE 10
     6              NEW YORK ARTIFICIAL INTELLIGENCE CIVIL RIGHTS ACT
     7  Section 100. Short title.
     8          101. Definitions.
     9          102. Discrimination.
    10          103. Pre-deployment evaluations.
    11          104. Post-deployment impact assessments.
    12          105. Content regulations.
    13          106. Covered algorithm standards.
    14          107. Relationships between developers and deployers.
    15          108. Human alternatives and other protections.
    16          109. Prohibition on retaliation; whistleblower protections.
    17          110. Notice and disclosure.
    18          111.  Study  on  explanations regarding the use of covered algo-
    19                 rithms.
    20          112. Consumer awareness.
    21          113. Enforcement.
    22          114. Private right of action.
    23          115. Regulations.
    24          116. Rules of construction.
    25          117. Severability.
    26    § 100. Short title. This article shall be known and may  be  cited  as
    27  the "New York Artificial Intelligence Civil Rights Act".
    28    § 101. Definitions. As used in this article:

         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD14318-01-5

        A. 9654                             2

     1    1.  "Collection  of  personal  data" means buying, renting, gathering,
     2  obtaining, receiving, accessing, or otherwise acquiring an  individual's
     3  data by any means.
     4    2. "Commercial act", with respect to a covered algorithm, means an act
     5  conducted  for  monetary  or  other  valuable  consideration,  including
     6  conducting an activity in furtherance of obtaining such consideration.
     7    3. "Consequential action" means an act that is likely to have a  mate-
     8  rial  effect on, or to materially contribute to, access to, security and
     9  authentication relating to, eligibility  for,  cost  of,  terms  of,  or
    10  conditions related to any of the following:
    11    (a) employment, including hiring, pay, independent contracting, worker
    12  management, promotion, and termination;
    13    (b)  education  and  career and technical education, including assess-
    14  ment,  proctoring,  promotion  of  academic  integrity,   accreditation,
    15  certification,  admissions,  enrollment,  disciplinary actions including
    16  suspension, expulsion, or referral to law enforcement,  eligibility  for
    17  graduation,  grade  promotion  or degree conferral, academic performance
    18  evaluation, and provision of financial aid and scholarships;
    19    (c) housing and lodging, including rental and short-term  housing  and
    20  lodging,  home appraisals, rental subsidies, publicly supported housing,
    21  and mortgage lending;
    22    (d) essential utilities, including electricity, heat, water, municipal
    23  trash or sewage services, internet and telecommunications  service,  and
    24  public transportation;
    25    (e)  health  care,  including  mental health care, dental, vision, and
    26  adoption services, and other  health  care-related  services,  treatment
    27  options, trials, and studies;
    28    (f) credit, banking, and other financial services;
    29    (g) insurance, including insurance claim determinations;
    30    (h)  actions of the criminal justice system, law enforcement or intel-
    31  ligence operations, immigration determinations  or  enforcement,  border
    32  control (vetting, screening, and inspection), child protective services,
    33  child  welfare,  and  family services, including risk and threat assess-
    34  ments,  situational  awareness  and  threat  detection,  investigations,
    35  watchlisting, bail determinations, sentencing, administration of parole,
    36  surveillance,  use  of  unmanned  vehicles  and machines, and predictive
    37  policing;
    38    (i) justice and determinations concerning guilt or liability,  includ-
    39  ing  assignment  of cases or counsel, bail determinations, pre-detention
    40  risk assessments, case intake, sequencing,  and  processing,  awards  of
    41  actual or punitive damages, and binding and nonbinding determinations in
    42  arbitration, mediation, or other alternative dispute resolution;
    43    (j)  elections,  including  voting,  requirements for documentation or
    44  proof of identity to vote or register to vote (and determinations  about
    45  whether  an individual meets those requirements), redistricting, polling
    46  place resources, reduction or  alteration  of  multilingual  or  English
    47  language  voting  materials,  alteration  of  the manner in which voting
    48  materials are provided  or  distributed,  reduction,  consolidation,  or
    49  relocation of voting locations in elections for federal, state, or local
    50  office  (including  early, absentee, and election-day voting locations),
    51  reduction in days or hours of in-person voting during a period occurring
    52  prior to the date of an election for federal,  state,  or  local  office
    53  during  which voters may cast ballots in such election, election securi-
    54  ty, and election administration,  including  maintenance  processes  for
    55  voter  registration lists that add a new basis for removal from the list
    56  of active voters registered to vote in elections for federal, state,  or

        A. 9654                             3

     1  local  office, or that incorporate a new source of information in deter-
     2  mining a voter's eligibility to vote in elections for federal, state, or
     3  local office;
     4    (k) government benefits and services, as well as verification of iden-
     5  tity, citizenship, and immigration status, fraud prevention, and assign-
     6  ment of penalties;
     7    (l) a public accommodation; and/or
     8    (m)  any  other  service, program, product, or opportunity which has a
     9  comparable legal, material, or similarly significant effect on an  indi-
    10  vidual's life as determined by the division through rules.
    11    4. "Covered algorithm" means:
    12    (a)  a  computational  process  derived from machine learning, natural
    13  language processing, artificial intelligence techniques, or other compu-
    14  tational processing techniques of similar or greater  complexity,  that,
    15  with respect to a consequential action:
    16    (i)  creates  or  facilitates the creation of a product or information
    17  that is used as an integral part of the consequential action;
    18    (ii) promotes, recommends, ranks, or otherwise affects the display  or
    19  delivery  of  information that is used as an integral part of the conse-
    20  quential action;
    21    (iii) makes a decision; or
    22    (iv) facilitates human decision making; or
    23    (b) any other computational process deemed appropriate by the division
    24  through rules.
    25    5. "Covered language" means the ten languages with the  most  speakers
    26  in  the state, according to the most recent data collected by the United
    27  States Census Bureau;
    28    6. "De-identified data" means information:
    29    (a) that does not identify and is not linked or reasonably linkable to
    30  an individual or a device, regardless  of  whether  the  information  is
    31  aggregated; and
    32    (b)  with respect to which any developer or deployer using such infor-
    33  mation:
    34    (i) takes reasonable technical measures to ensure that the information
    35  cannot, at any point, be used to re-identify any  individual  or  device
    36  that identifies or is linked or reasonably linkable to an individual;
    37    (ii) publicly commits in a clear and conspicuous manner:
    38    (A)  to process and transfer the information solely in a de-identified
    39  form without any reasonable means for re-identification; and
    40    (B) to not attempt to re-identify the information with any  individual
    41  or  device  that  identifies  or  is linked or reasonably linkable to an
    42  individual; and
    43    (C) contractually obligates any person that receives  the  information
    44  from  the  developer or deployer to comply with all of the provisions of
    45  this paragraph with respect to such information;  and  to  require  that
    46  such contractual obligations be included in all subsequent instances for
    47  which the information may be received.
    48    7.  "Deployer"  means  any  person that uses a covered algorithm for a
    49  commercial act. The terms "deployer" and "developer" shall not be inter-
    50  preted to be mutually exclusive.
    51    8. (a) "Developer" means any person that designs,  codes,  customizes,
    52  produces,  or  substantially  modifies  an algorithm that is intended or
    53  reasonably likely to be used as a covered algorithm  for  such  person's
    54  own  use,  or use by a third party, in connection with a commercial act,
    55  or for use by a government entity.

        A. 9654                             4

     1    (b) In the event that a deployer uses an algorithm as a covered  algo-
     2  rithm,  and  no  person is considered the developer of the algorithm for
     3  purposes of paragraph (a) of this subdivision,  the  deployer  shall  be
     4  considered  the  developer  of the covered algorithm for the purposes of
     5  this article.
     6    (c)  The  terms "deployer" and "developer" shall not be interpreted to
     7  be mutually exclusive.
     8    9. (a) "Disparate impact" means an unjustified differential effect  on
     9  an  individual  or  group  of  individuals  on the basis of an actual or
    10  perceived protected characteristic. An action, a policy, or  a  practice
    11  of a developer or deployer, a differential effect is unjustified if:
    12    (i)  the  developer or deployer fails to demonstrate that such action,
    13  policy, or practice causing the  differential  effect  is  necessary  to
    14  achieve a substantial, legitimate, and nondiscriminatory interest; or
    15    (ii)  in  the event the developer or deployer demonstrates such inter-
    16  est, an alternative action, policy, or practice could serve such  inter-
    17  est with less differential effect.
    18    (b)  With  respect to demonstrating that a covered algorithm causes or
    19  contributes to a differential effect, the covered algorithm is  presumed
    20  to  be  not separable for analysis and may be analyzed holistically as a
    21  single action, policy, or practice, unless  the  developer  or  deployer
    22  proves that the covered algorithm is separable by a preponderance of the
    23  evidence.
    24    10. "Division" means the division of consumer protection.
    25    11.  "Harm",  with  respect  to a consequential action, means a non-de
    26  minimis adverse effect on an individual or group of individuals:
    27    (a) on the basis of a protected characteristic;
    28    (b) that involves the  use  of  force,  coercion,  harassment,  intim-
    29  idation, or detention; or
    30    (c)  that  involves  the  infringement  of a right protected under the
    31  Constitution of the United States or the Constitution of  the  state  of
    32  New York.
    33    12.  (a)  "Independent  auditor"  means  an individual that conducts a
    34  pre-deployment evaluation or impact assessment of a covered algorithm in
    35  a manner that exercises objective and impartial judgment on  all  issues
    36  within the scope of such evaluation or assessment.
    37    (b) An individual is not an independent auditor of a covered algorithm
    38  if such individual:
    39    (i)  is  or was involved in using, developing, offering, licensing, or
    40  deploying the covered algorithm for a commercial act;
    41    (ii) at any point  during  the  pre-deployment  evaluation  or  impact
    42  assessment,  has  an  employment  relationship,  including  a contractor
    43  relationship, but not including a contractor relationship for the audit-
    44  ing service described in subparagraph (i)  of  this  paragraph,  with  a
    45  developer  or  deployer that uses, offers, or licenses the covered algo-
    46  rithm; or
    47    (iii) at any point during  the  pre-deployment  evaluation  or  impact
    48  assessment,  has  a  direct financial interest, a reasonably foreseeable
    49  future financial interest, or a material indirect financial interest  in
    50  a  developer  or deployer that uses, offers, or licenses a covered algo-
    51  rithm, not including routine payment for the auditing services described
    52  in subparagraph (i) of this paragraph.
    53    13. "Individual" means a natural person in the state.
    54    14. "Personal data" means information that identifies or is linked  or
    55  reasonably  linkable, alone or in combination with other information, to
    56  an individual or an individual's device; and shall include derived  data

        A. 9654                             5

     1  and  unique  persistent  identifiers.  The term "personal data" does not
     2  include de-identified data.
     3    15.  "Process",  with  respect  to  personal data, means to conduct or
     4  direct any operation or  set  of  operations  performed  on  such  data,
     5  including analyzing, organizing, structuring, retaining, storing, using,
     6  or otherwise handling such data.
     7    16.  "Protected  characteristic"  means any of the following actual or
     8  perceived traits of an individual or group of individuals:
     9    (a) race;
    10    (b) color;
    11    (c) ethnicity;
    12    (d) national origin, nationality, or immigration status;
    13    (e) religion;
    14    (f) sex, including a  sex  stereotype,  pregnancy,  childbirth,  or  a
    15  related  medical  condition,  sexual orientation or gender identity, and
    16  sex characteristics, including intersex traits;
    17    (g) disability;
    18    (h) limited English proficiency;
    19    (i) biometric information;
    20    (j) familial or marital status;
    21    (k) source of income;
    22    (l) income level, not including the ability to pay for a specific good
    23  or service being offered;
    24    (m) age;
    25    (n) veteran status;
    26    (o) genetic information or medical conditions; and/or
    27    (p) any other classification protected by federal or  New  York  state
    28  law.
    29    17. (a) "Public accommodation" means:
    30    (i)  a  business  that offers goods or services to the general public,
    31  regardless of whether the business is operated for  profit  or  operates
    32  from a physical facility;
    33    (ii) a park, road, or pedestrian pathway open to the general public;
    34    (iii) a means of public transportation; or
    35    (iv) a publicly owned or operated facility open to the general public.
    36    (b) The term "public accommodation" does not include a private club or
    37  establishment,  any private club or other establishment not in fact open
    38  to the public, as described in section 201(e) of the Civil Rights Act of
    39  1964 (42 U.S.C. 2000a(e)).
    40    18. "Transfer", with respect to  personal  data,  means  to  disclose,
    41  release,  disseminate, make available, license, rent, or share such data
    42  orally, in writing, electronically, or by any other means.
    43    § 102. Discrimination. 1. A developer or  deployer  shall  not  offer,
    44  license, promote, sell, or use a covered algorithm in a manner that:
    45    (a)  causes  or  contributes  to  a  disparate impact in a manner that
    46  prevents;
    47    (b) otherwise discriminates in a manner that prevents; or
    48    (c)  otherwise  makes  unavailable,  the  equal  enjoyment  of  goods,
    49  services,  or other activities or opportunities, related to a consequen-
    50  tial action, on the basis of a protected characteristic.
    51    2. This section shall not apply to:
    52    (a) the offer, licensing, or use of a covered algorithm for  the  sole
    53  purpose of:
    54    (i)  a developer's or deployer's self-testing (or auditing by an inde-
    55  pendent auditor at a developer's or  deployer's  request)  to  identify,

        A. 9654                             6

     1  prevent,  or  mitigate discrimination, or otherwise to ensure compliance
     2  with obligations, under federal or state law;
     3    (ii)  expanding  an  applicant, participant, or customer pool to raise
     4  the likelihood of increasing diversity or redressing historic  discrimi-
     5  nation; or
     6    (iii)  conducting  good faith security research, or other research, if
     7  conducting the research is not part or all of a commercial act; or
     8    (b) any private club or other establishment not in fact  open  to  the
     9  public,  as  described in section 201(e) of the Civil Rights Act of 1964
    10  (42 U.S.C. 2000a(e)).
    11    § 103. Pre-deployment evaluations. 1. Prior to  deploying,  licensing,
    12  or  offering  a covered algorithm (including deploying a material change
    13  to a previously-deployed covered algorithm or  a  material  change  made
    14  prior to deployment) for a consequential action, a developer or deployer
    15  shall  conduct  a  pre-deployment  evaluation  in  accordance  with this
    16  section.
    17    2. (a) The developer shall conduct a  preliminary  evaluation  of  the
    18  plausibility  that  any expected use of the covered algorithm may result
    19  in a harm.
    20    (b) The deployer shall conduct a preliminary evaluation of the plausi-
    21  bility that any intended use of the covered algorithm may  result  in  a
    22  harm.
    23    (c)  Based on the results of the preliminary evaluation, the developer
    24  or deployer shall:
    25    (i) in the event that a harm is not plausible, record a finding of  no
    26  plausible  harm, including a description of the developer's expected use
    27  or the deployer's intended use of the covered algorithm, how the prelim-
    28  inary evaluation was conducted, and an explanation for the finding,  and
    29  submit such record to the division; and
    30    (ii) in the event that a harm is plausible, conduct a full pre-deploy-
    31  ment evaluation as described in subdivision three or subdivision four of
    32  this section, as applicable.
    33    (d)  When conducting a preliminary evaluation of a material change to,
    34  or new use of, a previously-deployed covered algorithm, the developer or
    35  deployer may limit the scope of the evaluation to  whether  use  of  the
    36  covered  algorithm  may  result  in  a  harm as a result of the material
    37  change or new use.
    38    3. (a) If a developer  determines  a  harm  is  plausible  during  the
    39  preliminary evaluation described in subdivision two of this section, the
    40  developer  shall  engage an independent auditor to conduct a pre-deploy-
    41  ment evaluation. The  evaluation  required  by  this  subdivision  shall
    42  include  a detailed review and description, sufficient for an individual
    43  having ordinary skill in the art to understand the  functioning,  risks,
    44  uses,  benefits,  limitations,  and  other  pertinent  attributes of the
    45  covered algorithm, including:
    46    (i) the covered algorithm's  design  and  methodology,  including  the
    47  inputs the covered algorithm is designed to use to produce an output and
    48  the outputs the covered algorithm is designed to produce;
    49    (ii)  how  the  covered  algorithm  was  created, trained, and tested,
    50  including:
    51    (A) any metric used to test the performance of the covered algorithm;
    52    (B) defined benchmarks and goals  that  correspond  to  such  metrics,
    53  including  whether  there  was  sufficient representation of demographic
    54  groups that are reasonably likely to use or be affected by  the  covered
    55  algorithm in the data used to create or train the algorithm, and whether
    56  there was reasonable testing, if any, across such demographic groups;

        A. 9654                             7

     1    (C) the outputs the covered algorithm actually produces in testing;
     2    (D)  a  description  of  any  consultation with relevant stakeholders,
     3  including any communities that will be impacted  by  the  covered  algo-
     4  rithm,  regarding the development of the covered algorithm, or a disclo-
     5  sure that no such consultation occurred;
     6    (E) a description of which protected  characteristics,  if  any,  were
     7  used  for  testing  and evaluation, and how and why such characteristics
     8  were used, including:
     9    (1) whether the testing occurred in comparable  contextual  conditions
    10  to the conditions in which the covered algorithm is expected to be used;
    11  and
    12    (2)  if  protected  characteristics were not available to conduct such
    13  testing, a description of alternative  methods  the  developer  used  to
    14  conduct the required assessment;
    15    (F)  any  other computational algorithm incorporated into the develop-
    16  ment of the covered algorithm,  regardless  of  whether  such  precursor
    17  computational algorithm involves a consequential action;
    18    (G)  a  description of the data and information used to develop, test,
    19  maintain, or update the covered algorithm, including:
    20    (1) each type of personal  data  used,  each  source  from  which  the
    21  personal  data  was  collected,  and  how each type of personal data was
    22  inferred and processed;
    23    (2) the legal authorization for collecting and processing the personal
    24  data; and
    25    (3) an explanation of how the data (including personal data)  used  is
    26  representative,  proportional,  and  appropriate  to the development and
    27  intended uses of the covered algorithm; and
    28    (H) a description of the training process for  the  covered  algorithm
    29  which  includes  the  training,  validation,  and  test data utilized to
    30  confirm the intended outputs;
    31    (iii) the potential for the covered algorithm to produce a harm or  to
    32  have  a  disparate  impact in the equal enjoyment of goods, services, or
    33  other activities or opportunities, and a description of  such  potential
    34  harm or disparate impact;
    35    (iv)  alternative practices and recommendations to prevent or mitigate
    36  harm and recommendations for how the developer could  monitor  for  harm
    37  after offering, licensing, or deploying the covered algorithm; and
    38    (v)  any other information the division deems pertinent to prevent the
    39  covered algorithm from causing harm or having a disparate impact in  the
    40  equal  enjoyment  of  goods,  services,  or other activities or opportu-
    41  nities, as prescribed by rules promulgated by the division.
    42    (b) The independent auditor shall submit to the developer a report  on
    43  the  evaluation conducted under this subdivision, including the findings
    44  and recommendations of such independent auditor.
    45    4. (a) If a deployer determines a harm is plausible during the prelim-
    46  inary evaluation described in  subdivision  two  of  this  section,  the
    47  deployer shall engage an independent auditor to conduct a pre-deployment
    48  evaluation.  The evaluation required by this subdivision shall include a
    49  detailed review and description, sufficient  for  an  individual  having
    50  ordinary  skill  in  the art to understand the functioning, risks, uses,
    51  benefits, limitations, and other pertinent  attributes  of  the  covered
    52  algorithm, including:
    53    (i)  the manner in which the covered algorithm makes or contributes to
    54  a consequential action and the purpose for which the  covered  algorithm
    55  will be deployed;

        A. 9654                             8

     1    (ii)  the  necessity  and  proportionality of the covered algorithm in
     2  relation to its planned use, including the intended benefits and limita-
     3  tions of the covered algorithm and a description of the baseline process
     4  being enhanced or replaced by the covered algorithm, if applicable;
     5    (iii)  the inputs that the deployer plans to use to produce an output,
     6  including:
     7    (A) the type of  personal  data  and  information  used  and  how  the
     8  personal  data  and  information  will be collected, inferred, and proc-
     9  essed;
    10    (B) the legal authorization for collecting and processing the personal
    11  data; and
    12    (C) an explanation of how the data  used  is  representative,  propor-
    13  tional, and appropriate to the deployment of the covered algorithm;
    14    (iv)  the outputs the covered algorithm is expected to produce and the
    15  outputs the covered algorithm actually produces in testing;
    16    (v) a description of any additional testing or training  completed  by
    17  the  deployer  for  the  context  in which the covered algorithm will be
    18  deployed;
    19    (vi) a description of any  consultation  with  relevant  stakeholders,
    20  including  any  communities  that  will be impacted by the covered algo-
    21  rithm, regarding the deployment of the covered algorithm;
    22    (vii) the potential for the covered algorithm to produce a harm or  to
    23  have  a  disparate  impact in the equal enjoyment of goods, services, or
    24  other activities or opportunities in the context in  which  the  covered
    25  algorithm  will  be deployed and a description of such potential harm or
    26  disparate impact;
    27    (viii) alternative practices and recommendations to prevent  or  miti-
    28  gate harm in the context in which the covered algorithm will be deployed
    29  and  recommendations  for  how the deployer could monitor for harm after
    30  offering, licensing, or deploying the covered algorithm; and
    31    (ix) any other information the division deems pertinent to prevent the
    32  covered algorithm from causing harm or having a disparate impact in  the
    33  equal enjoyment of goods, services, or other activities or opportunities
    34  as prescribed by rules promulgated by the division.
    35    (b)  The  independent auditor shall submit to the deployer a report on
    36  the evaluation conducted under this subdivision, including the  findings
    37  and recommendations of such independent auditor.
    38    §  104. Post-deployment impact assessments. 1. After the deployment of
    39  a covered algorithm, a deployer shall, on an annual  basis,  conduct  an
    40  impact  assessment  in  accordance with this section. The deployer shall
    41  conduct a preliminary impact assessment  of  the  covered  algorithm  to
    42  identify  any  harm  that resulted from the covered algorithm during the
    43  reporting period and:
    44    (a) if no resulting harm  is  identified  by  such  assessment,  shall
    45  record  a finding of no harm, including a description of the developer's
    46  expected use or the deployer's intended use of  the  covered  algorithm,
    47  how  the  preliminary  evaluation  was conducted, and an explanation for
    48  such finding, and submit such finding to the division; and
    49    (b) if a resulting  harm  is  identified  by  such  assessment,  shall
    50  conduct a full impact assessment as described in subdivision two of this
    51  section.
    52    2.  In  the event that the covered algorithm resulted in a harm during
    53  the reporting period, the deployer shall engage an  independent  auditor
    54  to  conduct a full impact assessment with respect to the reporting peri-
    55  od, including:

        A. 9654                             9

     1    (a) an assessment of the harm that resulted or was  reasonably  likely
     2  to have been produced during the reporting period;
     3    (b)  a  description  of  the  extent  to  which  the covered algorithm
     4  produced a disparate impact in the equal enjoyment of  goods,  services,
     5  or other activities or opportunities, including the methodology for such
     6  evaluation,  of  how  the  covered algorithm produced or likely produced
     7  such disparity;
     8    (c) a description of the types of data input into  the  covered  algo-
     9  rithm during the reporting period to produce an output, including:
    10    (i)  documentation  of  how  data  input into the covered algorithm to
    11  produce an output is represented and complete descriptions of each field
    12  of data; and
    13    (ii) whether and to what extent the data input into the covered  algo-
    14  rithm  to  produce  an  output was used to train or otherwise modify the
    15  covered algorithm;
    16    (d) whether and to what extent  the  covered  algorithm  produced  the
    17  outputs it was expected to produce;
    18    (e)  a  detailed  description of how the covered algorithm was used to
    19  make a consequential action;
    20    (f) any action taken to prevent or mitigate harms, including how rele-
    21  vant staff are informed of, trained about, and implement harm mitigation
    22  policies and practices, and recommendations for how the  deployer  could
    23  monitor for and prevent harm after offering, licensing, or deploying the
    24  covered algorithm; and
    25    (g)  any other information the division deems pertinent to prevent the
    26  covered algorithm from causing harm or having a disparate impact in  the
    27  equal enjoyment of goods, services, or other activities or opportunities
    28  as prescribed by rules promulgated by the division.
    29    3.  (a) After the engagement of the independent auditor, the independ-
    30  ent auditor shall submit to the deployer a report on the impact  assess-
    31  ment  conducted  under  subdivision  two  of this section, including the
    32  findings and recommendations of such independent auditor.
    33    (b) Not later than thirty days after the submission of a report on  an
    34  impact  assessment  under  this  section, a deployer shall submit to the
    35  developer of the covered algorithm a summary of such report, subject  to
    36  the trade secret and privacy protections described in subdivision six of
    37  this section.
    38    4.  A  developer shall, on an annual basis, review each impact assess-
    39  ment summary submitted by a deployer  of  its  covered  algorithm  under
    40  subdivision three of this section for the following purposes:
    41    (a) to assess how the deployer is using the covered algorithm, includ-
    42  ing the methodology for assessing such use;
    43    (b)  to  assess  the  type  of data the deployer is inputting into the
    44  covered algorithm to produce an output and  the  types  of  outputs  the
    45  covered algorithm is producing;
    46    (c)  to  assess  whether  the  deployer is complying with any relevant
    47  contractual agreement with the developer and whether any remedial action
    48  is necessary;
    49    (d) to compare  the  covered  algorithm's  performance  in  real-world
    50  conditions versus pre-deployment testing, including the methodology used
    51  to evaluate such performance;
    52    (e)  to  assess  whether  the  covered algorithm is causing harm or is
    53  reasonably likely to be causing harm;
    54    (f) to assess whether the covered algorithm is causing, or is  reason-
    55  ably  likely to be causing, a disparate impact in the equal enjoyment of

        A. 9654                            10

     1  goods, services, or other activities or opportunities, and, if  so,  how
     2  and with respect to which protected characteristic;
     3    (g) to determine whether the covered algorithm needs modification;
     4    (h)  to  determine  whether  any other action is appropriate to ensure
     5  that the covered algorithm remains safe and effective; and
     6    (i) to undertake any other assessment or responsive action  the  divi-
     7  sion  deems pertinent to prevent the covered algorithm from causing harm
     8  or having a disparate impact in the equal enjoyment of goods,  services,
     9  or other activities or opportunities, as prescribed by rules promulgated
    10  by the division.
    11    5.  If  a person is both the developer and deployer of a covered algo-
    12  rithm, the person may conduct combined  pre-deployment  evaluations  and
    13  annual assessments, provided that each combined evaluation or assessment
    14  satisfies all requirements for both developers and deployers.
    15    6.  (a)  A  developer  or deployer that conducts a full pre-deployment
    16  evaluation, full  impact  assessment,  or  developer  annual  review  of
    17  assessments shall:
    18    (i)  not  later  than  thirty days after completion, submit the evalu-
    19  ation, assessment, or review to the division;
    20    (ii) upon request, make the evaluation, assessment, or  review  avail-
    21  able to the legislature; and
    22    (iii) not later than thirty days after completion:
    23    (A)  publish a summary of the evaluation, assessment, or review on the
    24  website of the developer or deployer in a manner that is easily accessi-
    25  ble to individuals; and
    26    (B) submit such summary to the division.
    27    (b) A developer or deployer shall retain all evaluations, assessments,
    28  and reviews described in this section for a period of not fewer than ten
    29  years.
    30    (c) A developer or deployer:
    31    (i) may redact and segregate any trade secret (as defined  in  section
    32  1839  of title 18, United States Code) from public disclosure under this
    33  subdivision; and
    34    (ii) shall redact and segregate personal data from  public  disclosure
    35  under this section.
    36    §  105. Content regulations. Not later than two years after the effec-
    37  tive date of this article, the division shall:
    38    (a) promulgate rules specifying:
    39    (i) what information and factors a developer or deployer shall consid-
    40  er in making the preliminary evaluation or preliminary impact assessment
    41  described in sections one hundred three and one  hundred  four  of  this
    42  article, respectively;
    43    (ii)  what  information  a  developer  or  deployer shall include in a
    44  summary of an evaluation, assessment, or developer review  described  in
    45  section one hundred four of this article; and
    46    (iii) the extent to and process by which a developer may request addi-
    47  tional  information  from a deployer, including the purposes for which a
    48  developer is permitted to use such additional information; and
    49    (b) in promulgating such rules,  consider  the  need  to  protect  the
    50  privacy of personal data, as well as the need for information sharing by
    51  developers  and  deployers  to  comply  with this section and inform the
    52  public.
    53    § 106. Covered algorithm standards. 1. A developer or  deployer  shall
    54  do the following:
    55    (a)  take reasonable measures to prevent and mitigate any harm identi-
    56  fied by a pre-deployment evaluation described  in  section  one  hundred

        A. 9654                            11

     1  three  or  an impact assessment described in section one hundred four of
     2  this article;
     3    (b) take reasonable measures to ensure that an independent auditor has
     4  all  necessary information to complete an accurate and effective pre-de-
     5  ployment evaluation described in section one hundred three or an  impact
     6  assessment described in section one hundred four of this article;
     7    (c) with respect to a covered algorithm, consult stakeholders, includ-
     8  ing  any  communities  that  will  be impacted by the covered algorithm,
     9  regarding the development or deployment of the covered  algorithm  prior
    10  to the deploying, licensing, or offering the covered algorithm;
    11    (d)  with  respect  to a covered algorithm, certify that, based on the
    12  results of a pre-deployment evaluation described in section one  hundred
    13  three  or  an impact assessment described in section one hundred four of
    14  this article:
    15    (i) use of the covered algorithm is not likely to result  in  harm  or
    16  disparate  impact  in  the  equal enjoyment of goods, services, or other
    17  activities or opportunities;
    18    (ii) the benefits from the use of the covered algorithm to individuals
    19  affected by the covered algorithm likely outweigh the harms from the use
    20  of the covered algorithm to such individuals; and
    21    (iii) use of the covered algorithm is not likely to result in a decep-
    22  tive act or practice;
    23    (e) ensure that any covered algorithm of  the  developer  or  deployer
    24  functions  at a level that would be considered reasonable performance by
    25  an individual with ordinary skill in the art; and in a  manner  that  is
    26  consistent   with  its  expected  and  publicly-advertised  performance,
    27  purpose, or use;
    28    (f) ensure any data used in the design,  development,  deployment,  or
    29  use  of the covered algorithm is relevant and appropriate to the deploy-
    30  ment context and the publicly-advertised purpose or use; and
    31    (g) ensure use of the covered algorithm as intended is not  likely  to
    32  result in a violation of this article.
    33    2.  (a)  It shall be unlawful for a developer or deployer to engage in
    34  false, deceptive, or misleading advertising, marketing,  or  publicizing
    35  of a covered algorithm of the developer or deployer.
    36    (b) It shall be unlawful for a developer to knowingly offer or license
    37  a covered algorithm for any consequential action other than those evalu-
    38  ated  in  the pre-deployment evaluation described in section one hundred
    39  three of this article.
    40    (c) It shall be unlawful for a deployer to  knowingly  use  a  covered
    41  algorithm for any consequential action other than a use evaluated in the
    42  pre-deployment evaluation described in section one hundred three of this
    43  article,  unless the deployer agrees to assume the responsibilities of a
    44  developer required by this article.
    45    § 107. Relationships between developers and deployers. 1. A  developer
    46  shall do the following:
    47    (a) upon the reasonable request of the deployer, make available to the
    48  deployer  information  necessary  to  demonstrate  the compliance of the
    49  deployer with the requirements of this article, including:
    50    (i)  making  available  a  report  of  the  pre-deployment  evaluation
    51  described  in  section  one  hundred three of this article or the annual
    52  review of assessments conducted  by  the  developer  under  section  one
    53  hundred four of this article; and
    54    (ii) providing information necessary to enable the deployer to conduct
    55  and document a pre-deployment evaluation under section one hundred three

        A. 9654                            12

     1  or  an  impact  assessment described in section one hundred four of this
     2  article; and
     3    (b) either:
     4    (i)  allow  and cooperate with reasonable assessments conducted by the
     5  deployer or the deployer's designated independent auditor; or
     6    (ii) arrange for an independent auditor to conduct  an  assessment  of
     7  the  developer's  policies  and  practices in support of the obligations
     8  under this article using an appropriate and accepted control standard or
     9  framework and assessment procedure for such assessments  and  provide  a
    10  report of such assessment to the deployer upon request.
    11    2.  A developer may offer or license a covered algorithm to a deployer
    12  pursuant to a written  contract  between  the  developer  and  deployer,
    13  provided that the contract:
    14    (a) clearly sets forth the data processing procedures of the developer
    15  with  respect  to  any  collection,  processing,  or  transfer  of  data
    16  performed on behalf of the deployer;
    17    (b) clearly sets forth:
    18    (i) instructions for collecting, processing, transferring, or  dispos-
    19  ing  of  data  by the developer or deployer in the context of the use of
    20  the covered algorithm;
    21    (ii) instructions for deploying the covered algorithm as intended;
    22    (iii) the nature and purpose of any collection, processing, or  trans-
    23  ferring of data;
    24    (iv)  the  type  of  data  subject  to such collection, processing, or
    25  transferring;
    26    (v) the duration of such processing of data; and
    27    (vi) the rights and obligations of both parties, including a method by
    28  which the developer shall notify the deployer of material changes to its
    29  covered algorithm;
    30    (c) shall not relieve a developer or deployer of  any  requirement  or
    31  liability imposed on such developer or deployer under this article;
    32    (d)  prohibits  both  the  developer  and deployer from combining data
    33  received from or collected on behalf of the other party  with  data  the
    34  developer  or  deployer  received from or collected on behalf of another
    35  party; and
    36    (e) shall not prohibit a developer or deployer from  raising  concerns
    37  to any relevant enforcement agency with respect to the other party.
    38    3.  Each  developer  shall  retain for a period of ten years a copy of
    39  each contract  entered  into  with  a  deployer  to  which  it  provides
    40  requested products or services.
    41    4.  For  purposes  of this section, any requirement for a developer to
    42  contract with, assist, and follow the instructions of a  deployer  shall
    43  be  read  to  include a requirement to contract with, assist, and follow
    44  the instructions of a government entity if the developer is providing  a
    45  service to a government entity.
    46    § 108. Human alternatives and other protections. 1. Not later than two
    47  years  after  the  effective  date  of  this article, the division shall
    48  promulgate regulations in accordance with specifying  the  circumstances
    49  and manner in which a deployer shall provide to an individual a means to
    50  opt-out of the use of a covered algorithm for a consequential action and
    51  to  elect  to  have  the  consequential action concerning the individual
    52  undertaken by a human without the use of a covered algorithm. In promul-
    53  gating the  regulations  under  this  subdivision,  the  division  shall
    54  consider the following:

        A. 9654                            13

     1    (a) how to ensure that any notice or request from a deployer regarding
     2  the  right  to  a  human  alternative is clear and conspicuous, in plain
     3  language, easy to execute, and at no cost to an individual;
     4    (b)  how  to  ensure that any such notice to individuals is effective,
     5  timely, and useful;
     6    (c) the specific types of consequential  actions  for  which  a  human
     7  alternative  is appropriate, considering the magnitude of the action and
     8  risk of harm;
     9    (d) the extent to which a human alternative  would  be  beneficial  to
    10  individuals and the public interest;
    11    (e)  the  extent  to which a human alternative can prevent or mitigate
    12  harm;
    13    (f) the risk of harm to individuals beyond the requestor  if  a  human
    14  alternative is available or not available;
    15    (g)  the  feasibility  of  providing  a human alternative in different
    16  circumstances; and
    17    (h) any other considerations the division deems appropriate to balance
    18  the need to give an  individual  control  over  a  consequential  action
    19  related to such individual with the practical feasibility and effective-
    20  ness of granting such control.
    21    2.  A  developer or deployer may not condition, effectively condition,
    22  attempt to condition, or attempt to effectively condition  the  exercise
    23  of any individual right under this article or individual choice through:
    24    (a)  the  use  of  any  false,  fictitious,  fraudulent, or materially
    25  misleading statement or representation; or
    26    (b) the design, modification, or manipulation of  any  user  interface
    27  with  the  purpose  or  substantial  effect of obscuring, subverting, or
    28  impairing a reasonable individual's autonomy, decision making, or choice
    29  to exercise any such right.
    30    3. Not later than two years after the effective date of this  article,
    31  the  division  shall promulgate regulations specifying the circumstances
    32  and manner in which a deployer shall provide to an  individual  a  mech-
    33  anism  to  appeal  to  a human a consequential action resulting from the
    34  deployer's use of a covered algorithm. In promulgating  the  regulations
    35  under this subdivision, the division shall do the following:
    36    (a)  ensure  that  the  appeal  mechanism is clear and conspicuous, in
    37  plain language, easy-to-execute, and at no cost to individuals;
    38    (b) ensure that the appeal mechanism is proportionate  to  the  conse-
    39  quential action;
    40    (c) ensure that the appeal mechanism is reasonably accessible to indi-
    41  viduals  with disabilities, timely, usable, effective, and non-discrimi-
    42  natory;
    43    (d) require, where appropriate, a mechanism for individuals to identi-
    44  fy and correct any personal data used by the covered algorithm;
    45    (e) specify training requirements for human reviewers with respect  to
    46  a consequential action; and
    47    (f) consider any other circumstances, procedures, or matters the divi-
    48  sion deems appropriate to balance the need to give an individual a right
    49  to  appeal  a  consequential  action related to such individual with the
    50  practical feasibility and effectiveness of granting such right.
    51    § 109. Prohibition on retaliation;  whistleblower  protections.  1.  A
    52  developer or deployer may not:
    53    (a)  discriminate  or  retaliate  against  an individual (including by
    54  denying or threatening to deny the equal enjoyment of  goods,  services,
    55  or  other  activities  or  opportunities  in relation to a consequential
    56  action) because the individual exercised any right, refused to waive any

        A. 9654                            14

     1  such right, raised a concern about a  consequential  action  under  this
     2  article, or assisted in any investigation or proceeding under this arti-
     3  cle; or
     4    (b)  directly  or  indirectly,  discharge,  demote, suspend, threaten,
     5  harass, or otherwise discriminate or retaliate against an individual for
     6  raising a concern, reporting or attempting to report a violation of this
     7  article, or cooperating in any investigation or  proceeding  under  this
     8  article.
     9    2.  Nothing  in  this  article  shall prohibit a developer or deployer
    10  from:
    11    (a) denying service to an individual, charging an individual a differ-
    12  ent price or rate, or providing a different level or quality of goods or
    13  services to an individual if the differential in  service  is  necessary
    14  and  directly related to the value provided to the developer or deployer
    15  by the covered algorithm; or
    16    (b) offering loyalty, rewards, premium features,  discounts,  or  club
    17  card  programs  that  provide  benefits or rewards based on frequency of
    18  patronizing, or the amount of money spent at, a business consistent with
    19  this article.
    20    § 110. Notice and disclosure. 1. Each developer or deployer shall make
    21  publicly available, in plain language and in a clear,  conspicuous,  not
    22  misleading,  easy-to-read,  and  readily accessible manner, a disclosure
    23  that provides a detailed and accurate representation of the developer or
    24  deployer's practices regarding the requirements under this article.
    25    2. The disclosure required under subdivision one of this section shall
    26  include, at a minimum, the following:
    27    (a) the identity and the contact information of:
    28    (i) the developer or deployer to which the disclosure applies (includ-
    29  ing the developer or deployer's point  of  contact  and  electronic  and
    30  physical  mail  address,  as  applicable  for  any  inquiry concerning a
    31  covered algorithm or individual rights under this article); and
    32    (ii) any other entity within  the  same  corporate  structure  as  the
    33  developer  or  deployer  to  which  personal  data is transferred by the
    34  developer or deployer.
    35    (b) a link to the  website  containing  the  developer  or  deployer's
    36  summaries  of pre-deployment evaluations, impact assessments, and annual
    37  review of assessments, as applicable;
    38    (c) the categories of personal data the developer or deployer collects
    39  or processes in the development or deployment of a covered algorithm and
    40  the processing purpose for each such category;
    41    (d) whether the developer or deployer transfers personal data, and, if
    42  so, each third party to which the developer or deployer  transfers  such
    43  data  and  the  purpose  for which such data is transferred, except with
    44  respect to a transfer to a governmental entity pursuant to a court order
    45  or law that prohibits the developer or  deployer  from  disclosing  such
    46  transfer;
    47    (e)  a  prominent  description  of  how an individual can exercise the
    48  rights described in this article;
    49    (f) a general description of the developer or deployer's practices for
    50  compliance with the requirements described in sections one hundred three
    51  and one hundred six of this article;
    52    (g) the following disclosure:
    53    "The audit of this algorithm was conducted to comply with the New York
    54  Artificial Intelligence Civil Rights Act, which seeks to avoid  the  use
    55  of any algorithm that has a disparate impact on certain protected class-

        A. 9654                            15

     1  es  of  individuals. The audit does not guarantee that this algorithm is
     2  safe or in compliance with all applicable laws."; and
     3    (h) the effective date of the disclosure.
     4    3.  The disclosure required under this section shall be made available
     5  in each covered language in which the developer or deployer operates  or
     6  provides a good or service.
     7    4.  Any disclosure provided under this section shall be made available
     8  in a manner that is reasonably accessible to and usable  by  individuals
     9  with disabilities.
    10    5.  (a)  If  a  developer  or  deployer makes a material change to the
    11  disclosure required under this section, the developer or deployer  shall
    12  notify  each individual affected by such material change prior to imple-
    13  menting the material change.
    14    (b) Each developer or deployer shall take all reasonable  measures  to
    15  provide  to  each  affected  individual a direct electronic notification
    16  regarding any  material  change  to  the  disclosure,  in  each  covered
    17  language  in  which  the  disclosure  is  made available and taking into
    18  account available technology and the nature  of  the  relationship  with
    19  such individual.
    20    (c)  (i)  Beginning  after  the  effective  date of this article, each
    21  developer or deployer shall retain a copy of each  previous  version  of
    22  the  disclosure required under this section for a period of at least ten
    23  years after the last day on which such version was effective and publish
    24  each such version on its website. Each developer or deployer shall  make
    25  publicly  available,  in  a  clear,  conspicuous, and readily accessible
    26  manner, a log describing the date and nature of each material change  to
    27  its  disclosure during the retention period, and such descriptions shall
    28  be sufficient for a reasonable individual  to  understand  the  material
    29  effect of each material change.
    30    (ii)  The  obligations  described in this paragraph shall not apply to
    31  any previous version of a developer or deployer's  disclosure  of  prac-
    32  tices  regarding  the  collection,  processing, and transfer of personal
    33  data, or any material change  to  such  disclosure,  that  precedes  the
    34  effective date of this article.
    35    6.  A  deployer  shall provide a short-form notice regarding a covered
    36  algorithm it develops, offers, licenses, or uses in a manner that:
    37    (a) is  concise,  clear,  conspicuous,  in  plain  language,  and  not
    38  misleading;
    39    (b) is readily accessible to individuals with disabilities;
    40    (c)  is  based on what is reasonably anticipated within the context of
    41  the relationship between the individual and the deployer;
    42    (d) includes an overview  of  each  applicable  individual  right  and
    43  disclosure  in a manner that draws attention to any practice that may be
    44  unexpected to a reasonable individual or that involves  a  consequential
    45  action;
    46    (e) is not more than five hundred words in length; and
    47    (f) is available to the public at no cost.
    48    7.  (a)  If  a  deployer  has  a  relationship with an individual, the
    49  deployer shall provide an electronic version of  the  short-form  notice
    50  directly  to the individual upon the individual's first interaction with
    51  the covered algorithm.
    52    (b) If a deployer does not have a relationship with an individual, the
    53  deployer shall provide the short-form notice in  a  clear,  conspicuous,
    54  accessible, and not misleading manner on their website.
    55    8.  The  division  shall promulgate regulations specifying the minimum
    56  content required to be included in the short-form  notice  described  in

        A. 9654                            16

     1  subdivision  six  of  this  section,  which shall not exceed the content
     2  requirements described in subdivision six  of  this  section  and  shall
     3  include  a  template  or  model  for  the short-form notice described in
     4  subdivision seven of this section.
     5    9.  Each  developer  or  deployer  shall make publicly available, in a
     6  clear, conspicuous, and readily accessible manner, a  mechanism  for  an
     7  individual impacted by a covered algorithm to report to the developer or
     8  deployer potential violations of this article.
     9    §  111. Study on explanations regarding the use of covered algorithms.
    10  1.  The division shall conduct a study, with notice and public  comment,
    11  on  the feasibility of requiring deployers to provide a clear, conspicu-
    12  ous, easy-to-use, no-cost mechanism that is accessible  for  individuals
    13  with  disabilities and allows an individual to receive an explanation as
    14  to whether and how a covered algorithm used by the deployer  affects  or
    15  affected an individual.
    16    2.  The  study  required  under  subdivision one of this section shall
    17  include the following:
    18    (a) an overview of the purposes for  which  an  explanation  would  be
    19  provided  to  an individual and the extent to which an explanation would
    20  feasibly serve such purposes.
    21    (b) how explanations can be  provided  in  a  manner  that  is  clear,
    22  conspicuous,  easy-to-use, no-cost, accessible to individuals with disa-
    23  bilities, effective for individuals with limited English language profi-
    24  ciency, and calibrated to the level of risk based on the  covered  algo-
    25  rithm;
    26    (c) an assessment of the feasibility of a requirement for deployers to
    27  provide a mechanism for individuals who may be affected or were affected
    28  by a covered algorithm to request an explanation that:
    29    (i)  includes information regarding why the covered algorithm produced
    30  the result it  produced  with  respect  to  the  individual  making  the
    31  request, and that is truthful, accurate, and scientifically valid;
    32    (ii)  identifies  at least the most significant factors used to inform
    33  the covered algorithm's outputs; and
    34    (iii) includes any other information deemed relevant by  the  division
    35  to  provide  an explanation for an individual who may be affected or was
    36  affected by a covered algorithm;
    37    (d) an assessment of what  information  a  developer  must  provide  a
    38  deployer  in order to ensure explanations can be provided to individuals
    39  upon request;
    40    (e) the extent to which  current  technical  capabilities  of  covered
    41  algorithms impacts the feasibility of providing explanations;
    42    (f) how a deployer can take reasonable measures to verify the identity
    43  of  an individual making a request for an explanation to ensure that the
    44  deployer provides  an  explanation  only  to  the  affected  individual,
    45  including  steps  a  deployer  should take to ensure the safe and secure
    46  storage, collection, and deletion of personal information; and
    47    (g) recommendations for the legislature  on  how  to  implement  regu-
    48  lations around mechanisms for explanations.
    49    3.  In  conducting the study required under this subsection, the divi-
    50  sion shall consult with the office of information  technology  services,
    51  and  any  other agency, office, commission or department deemed relevant
    52  by the division.
    53    4. Not later than eighteen months after the  effective  date  of  this
    54  article,  the  division  shall  submit to the governor, the majority and
    55  minority leaders of the senate and the assembly, the senate Internet and
    56  Technology Committee, and the assembly Science and Technology  Committee

        A. 9654                            17

     1  a  report that includes the findings of the study conducted under subdi-
     2  vision one of this  section,  together  with  recommendations  for  such
     3  legislation  and administrative action as the division determines appro-
     4  priate.
     5    § 112. Consumer awareness. 1. (a) Not later than ninety days after the
     6  effective  date  of  this  article,  the  division shall publish, on the
     7  internet website of  the  division,  a  web  page  that  describes  each
     8  provision,  right, obligation, and requirement of this article (categor-
     9  ized with respect to individuals, deployers,  and  developers)  and  the
    10  remedies,  exemptions,  and protections associated with this article, in
    11  plain and concise language, in each covered language, and in an easy-to-
    12  understand, accessible manner.
    13    (b) The division shall update the information  published  under  para-
    14  graph  (a)  of  this  subdivision  as necessitated by any change in law,
    15  regulation, guidance, or judicial decision. Any  such  update  shall  be
    16  published  in  plain and concise language, in each covered language, and
    17  in an easy-to-understand, accessible manner.
    18    2. Not later than two years after the date of effective date  of  this
    19  article,  and  annually  thereafter,  the  division shall publish on the
    20  internet website of the division a report that:
    21    (a) describes and summarizes the information contained in any  pre-de-
    22  ployment  evaluation,  impact assessment, and developer review submitted
    23  to the division in accordance with this article;
    24    (b) describes broad  trends,  aggregated  statistics,  and  anonymized
    25  information  about  performing impact assessments of covered algorithms,
    26  for the purposes of updating guidance related to impact assessments  and
    27  summary  reporting, oversight, and making recommendations to other regu-
    28  latory agencies; and
    29    (c) is accessible and machine readable.
    30    3.(a) Not later than  one  hundred  eighty  days  after  the  division
    31  publishes the first annual report under subdivision two of this section,
    32  the  division  shall develop a publicly accessible repository to publish
    33  each pre-deployment evaluation, impact assessment, and developer  review
    34  submitted  to  the division in accordance with section one hundred three
    35  and one hundred four of this article.
    36    (b) The division shall design the repository established  under  para-
    37  graph (a) of this section to:
    38    (i)  be  publicly  available  and  easily discoverable on the internet
    39  website of the division;
    40    (ii) allow users to sort and search the repository by multiple charac-
    41  teristics (such as by developer or deployer and  date  reported)  simul-
    42  taneously;
    43    (iii)  allow  users  to  make  a  copy  of or download the information
    44  obtained from the  repository,  including  any  subsets  of  information
    45  obtained  by  sorting  or searching as described in subparagraph (ii) of
    46  this paragraph;
    47    (iv) be in accordance with  user  experience  and  accessibility  best
    48  practices; and
    49    (v)  include information about the design, use, and maintenance of the
    50  repository, including any other information  determined  appropriate  by
    51  the division.
    52    (c)  The  division  shall publish in the repository any pre-deployment
    53  evaluation, impact assessment, and developer review not later than thir-
    54  ty days after receiving such evaluation, assessment, or  review,  except
    55  if the division has good cause to delay such publication.
    56    (d) The division:

        A. 9654                            18

     1    (i)  may  redact and segregate any trade secret (as defined in section
     2  1839 of title 18, United States Code) from public disclosure under  this
     3  subsection;
     4    (ii)  shall  redact and segregate personal data from public disclosure
     5  under this subdivision; and
     6    (iii) may withhold information as permitted under section 552 of title
     7  5, United States Code.
     8    § 113. Enforcement. In any case in  which  the  attorney  general  has
     9  reason  to  believe  that  an interest of the residents of the state has
    10  been or is threatened or adversely  affected  by  the  engagement  of  a
    11  person in a practice that violates this article, or a regulation promul-
    12  gated  thereunder,  the attorney general may, as parens patriae, bring a
    13  civil action on behalf of the residents of the state in  an  appropriate
    14  Federal  district  court  of  the  United  States  that meets applicable
    15  requirements relating to venue under section 1391 of  title  28,  United
    16  States Code, to:
    17    1. enjoin any such violation by the person;
    18    2. enforce compliance with the requirements of this article;
    19    3.  obtain  a permanent, temporary, or preliminary injunction or other
    20  appropriate equitable relief;
    21    4. obtain civil penalties in the amount of  fifteen  thousand  dollars
    22  per  violation,  or four percent of the defendant's average gross annual
    23  revenue over the preceding three years, whichever is greater;
    24    5. obtain damages, restitution, or other compensation on behalf of the
    25  residents of the state;
    26    6. obtain reasonable attorneys' fees and litigation costs; and
    27    7. obtain such other relief as the court may consider to be  appropri-
    28  ate.
    29    § 114. Private right of action. 1. Any individual or class of individ-
    30  uals  alleging  a violation of this article, or a regulation promulgated
    31  hereunder, may bring a civil action in any court of competent  jurisdic-
    32  tion.
    33    2. In a civil action brought under this section in which the plaintiff
    34  prevails, the court may award:
    35    (a) treble damages or fifteen thousand dollars per violation, whichev-
    36  er is greater;
    37    (b) nominal damages;
    38    (c) punitive damages;
    39    (d) reasonable attorneys' fees and litigation costs; and
    40    (e)  any other relief, including equitable or declaratory relief, that
    41  the court determines appropriate.
    42    3.(a) Prior to an  individual  bringing  a  civil  action  under  this
    43  section,  such  individual  shall  notify  the division and the attorney
    44  general, in writing and  including  a  description  of  the  allegations
    45  included  in  the  civil action, that such individual intends to bring a
    46  civil action under such paragraph.  Not  later  than  sixty  days  after
    47  receiving  such notice, the division and the attorney general shall each
    48  or jointly make a determination and respond to  such  individual  as  to
    49  whether  they will intervene in such action. The division and the attor-
    50  ney general shall have a right to intervene in any  civil  action  under
    51  this  section,  and upon intervening, to be heard on all matters arising
    52  in such action and file petitions for  appeal  of  a  decision  in  such
    53  action.
    54    (b)  Paragraph (a) of this subdivision shall not be construed to limit
    55  the authority of the division or the attorney general  to,  at  a  later
    56  date,  commence a civil action or intervene by motion if the division or

        A. 9654                            19

     1  the attorney general does not commence  a  proceeding  or  civil  action
     2  within  the sixty-day period described in paragraph (a) of this subdivi-
     3  sion.
     4    4.  (a)  Notwithstanding  any  other  provision of law, no pre-dispute
     5  arbitration agreement or pre-dispute joint action waiver shall be  valid
     6  or enforceable with regard to a dispute arising under this article.
     7    (b) Any determination as to whether or how this subdivision applies to
     8  any dispute shall be made by a court, rather than an arbitrator, without
     9  regard to whether such agreement purports to delegate such determination
    10  to an arbitrator.
    11    (c) For purposes of this subdivision:
    12    (i)  "pre-dispute  arbitration agreement" means any agreement to arbi-
    13  trate a dispute that has not arisen at the time of  the  making  of  the
    14  agreement; and
    15    (ii)  "pre-dispute joint-action waiver" means an agreement, whether or
    16  not part of a pre-dispute arbitration agreement, that would prohibit  or
    17  waive the right of one of the parties to the agreement to participate in
    18  a  joint,  class, or collective action in a judicial, arbitral, adminis-
    19  trative, or other related forum, concerning a dispute that has  not  yet
    20  arisen at the time of the making of the agreement.
    21    §  115.  Regulations. The division may promulgate such rules and regu-
    22  lations as may be necessary to carry out this this article.
    23    § 116. Rules of construction. 1. Nothing  in  this  article  shall  be
    24  construed to:
    25    (a)  waive or otherwise limit any requirement under the National Labor
    26  Relations Act (29 U.S.C. 151 et seq.) for an employer (as such  term  is
    27  defined in section 2 of such Act (29 U.S.C. 152)) to bargain collective-
    28  ly regarding the deployment or effects of a covered algorithm;
    29    (b)  absolve  an  employer of any obligation to ensure a covered algo-
    30  rithm and its effects comply with health and safety laws;
    31    (c) allow an employer to deploy a covered  algorithm  that  interferes
    32  with the rights of employees under any federal, state, or local law; or
    33    (d)  absolve  any  other  duty or requirement under any other federal,
    34  state, or local law.
    35    2. No regulation  or  standard  imposed  under  this  article  may  be
    36  construed  in  a manner that would lessen the stringency of the require-
    37  ments of any applicable federal  or  state  agency  that  are  otherwise
    38  applicable. This article does not divest any such agency of any authori-
    39  ty derived from any other applicable law.
    40    § 117. Severability. If any provision of this article, or the applica-
    41  tion thereof to any person or circumstance, is held invalid, the remain-
    42  der  of  this  article,  and  the application of such provision to other
    43  persons not similarly situated or to other circumstances, shall  not  be
    44  affected by the invalidation.
    45    §  2. This act shall take effect on the first of January next succeed-
    46  ing the date upon which it shall have become a law.
Back to Tracker