PRESS RELEASE: Report: Privacy Harms from AI Necessitate Robust Risk Assessments

WASHINGTON, DC — Today, the Electronic Privacy Information Center (EPIC) released Assessing the Assessments: Maximizing the Effectiveness of Algorithmic & Privacy Risk Assessments. The report lays out the ideal elements of a risk assessment framework and engages with the California Privacy Protection Agency (CPPA)’s ongoing development of risk assessment rules under the California Consumer Privacy Act. It is the culmination of EPIC’s project launched in 2023, with the support of the Rose Foundation, to ensure that risk assessments are as effective as possible at protecting consumer rights. 

The report illustrates the privacy harms that result from the unchecked collection of personal data, including in behavioral advertising and surveillance pricing, as well as the opaque deployment of automated decision systems in employment, healthcare, law enforcement, housing, and education. These systems can have a profound impact on consumers’ lives, even as consumers are kept in the dark about how such systems make decisions, whether those decisions are fair and accurate, and how to challenge erroneous outcomes.  

In a recent survey by Consumer Reports, most Americans (83%) said that if an algorithm had been used to determine whether they would be interviewed for a job they applied for, they would want to know specifically what information the program used to make the decision. 

“Deploying an automated decision system to make significant decisions about consumers provides businesses with a cloak of unwarranted rationality and neutrality that tends to hide its inner workings, making it difficult to hold businesses accountable,” said Mayu Tobin-Miyaji, EPIC Law Fellow and report author. “Risk assessments are a critical way to make businesses show their work and ensure that their data practices are not putting consumers at risk.” 

The report lays out the components of an ideal risk assessment framework that would provide transparency and accountability for consumers and an analysis of California’s proposed regulations on automated decision systems and risk assessments.  

“As EPIC’s report lays out, robust risk assessments are an essential safeguard for consumers in today’s commercial surveillance ecosystem,” said John Davisson, Senior Counsel and Director of Litigation at EPIC. “Sadly, California looks poised to squander its best chance to enact strong risk assessment requirements. The CPPA owes it to the public to stand up to efforts by industry lobbyists and Governor Newsom to weaken this critical transparency and accountability tool.”  

The report concludes that even without a robust risk assessment mandate, conducting risk assessments is in the best interests of businesses collecting personal information or using automated decision systems. 

### 

About EPIC 
The Electronic Privacy Information Center (EPIC) was established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Our mission is to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC recently hosted “Risks and Risk Assessments: Reporting Out on California’s Proposed AI & Privacy Regulations,” in which panelists discussed how risk assessments can ensure transparency and accountability for consumers, California’s ongoing rulemaking, and what other regulatory approaches can strengthen consumer privacy.