As technology professionals take on increased privacy responsibilities, our updated certification is staying up-to-date with 50% new content that covers the latest advancements. It is the first certification to confirm compliance with strict requirements in knowledge, skill, proficiency, and ethics in privacy law. It is also one of the newest specialties accredited by the ABA. The IAPP's US State Privacy Legislation Tracker includes proposed and enacted comprehensive state privacy bills from across the United States. On this topic page, you can find the IAPP's collection of coverage, analysis, and resources that explore the connections between AI and privacy. For the EU General Data Protection Regulation, the IAPP's page gathers guidance, analysis, tools, and resources to ensure that you meet your obligations. We are also hosting a must-attend event for business leaders, tech professionals, and privacy experts who work with AI. At this event, you can learn about practical AI governance, accountability, fairness testing, and more. Legislative and regulatory trends specific to artificial intelligence are uncertain and evolving. It can be challenging to make informed predictions about future oversight requirements. However, it is clear that vendors of AI-based systems will need to implement stricter controls to manage their own liability risks, increase oversight, and plan accordingly for issues and legal trends relating to third-party and product liability. Traditionally, consumer protection law in the United States has been favorable for software vendors, with limited liability to end users. However, recent case law indicates a shift in liability boundaries between software vendors and their customers. Courts have started holding vendors responsible for selling products that could knowingly or unknowingly violate federal housing laws and regulations. Another notable lawsuit involved Meta Platforms, accused of discriminatory advertising for housing. The settlement required Meta to develop a new ad delivery algorithm to address racial disparities. These cases demonstrate an expansion of vendor liability beyond antidiscrimination laws. In the context of a large-scale data breach at Marriott, a U. S. District Judge found that Accenture, as Marriott's IT service provider, had an independent duty of care to prevent the breach. This ruling highlights the need for vendors to consider liability risks even when providing predeployment services. Managing these risks requires additional considerations, such as designing products with appropriate documentation, allowing independent debugging and validation, and being cautious about configurable options that could enable legal noncompliance. It is essential for AI vendors to understand their obligations under product liability law, which varies from state to state.

Product liability principles have garnered some agreement among various state courts. However, the distinction between "hardware" and "software" and the consideration of software as a "good" subject to product liability remain under debate. If clients make substantial modifications to the software sold by a vendor, the vendor is less likely to be liable under failure-to-warn or design-defect theories. Vendors may also have a defense if a defect is a result of client specifications. Therefore, it is crucial for vendors to document clients' specifications and have relevant contractual controls, disclaimers, and liability agreements. The U. S. National Institute of Standards and Technology recently published the AI Risk Management Framework, a voluntary standard for AI system governance. The framework highlights the need for documenting third-party technology risks and ensuring internal risk controls. It also emphasizes policies and procedures to address risks associated with third-party entities. In the European Union, there has been ongoing debate and legal controversy regarding AI liability. There is a suggestion for a regulation specifically on AI liability, with different liability regimes for high-risk and other AI systems. High-risk AI systems would be subject to strict liability, while other AI systems would have a presumption of fault-based liability. The resolution calls for the prohibition of contractual nonliability clauses and supposes that vendors must hold insurance for claims. Vendors involved in developing and deploying software, particularly in high-impact applications, may require distinct mitigation measures to reduce legal exposure. It is important to note that existing legal authorities apply to the use of automated systems. Beyond security obligations and liabilities for controllers and processors under data protection regulations, other security-related laws are being enacted. Privacy professionals must stay informed on these developments. The IAPP is a trusted resource for information privacy professionals, offering a comprehensive global community. With individual, corporate, and group memberships, members have access to a wide range of benefits to navigate the complexities of today's data-driven world.