States’ privacy is a ‘continual conversation’ amid AI growth, officials say

States and cities have all begun their journeys towards data privacy regulations for different reasons, but now all face the prospect of artificial intelligence and other emerging technologies accelerating, or even upending, progress they have made.

Speakers at this week’s Innovation Spotlight hosted by Route Fifty and GovExecTV highlighted those differing origin stories.

Ginger Armbruster, chief privacy officer for Seattle, and Chris Bramwell, chief privacy officer in the Utah Office of Data Privacy, said their governments were inspired to act over the sometimes-controversial use of technology in public safety. Meanwhile, Nebraska’s Chief Information Security and Privacy Officer Patrick Wright said the collection of student data in public schools sparked that state’s privacy conversation.

Utah’s comprehensive privacy law went into effect in late 2023, while Nebraska’s is due to take effect at the start of next year. Seattle adopted its six principles to govern its Data Privacy Program in 2015, after a mandate to develop them from the mayor and city council.

But the growth of AI presents major challenges for state and local governments, in particular given the technology’s reliance on data to train generative AI tools like ChatGPT. The variety of data collected by states and localities all will need protecting, and laws may need updating to ensure that they consider the challenges and opportunities with new technologies.

“It's a great time to be modernizing your laws,” Bramwell said. “Instead of worrying about coming into compliance with all the existing laws, everybody can start saying, ‘Hey, we know we have some noncompliance issues. Let's plan for what's going to be here in 10 years with AI when it matures.’”

It means privacy must be a “continual conversation” with legislators, businesses, other government agencies and residents as technology evolves, Armbruster said. But, she added, guiding principles that have been established early on help keep the conversation focused and are a good selling point for any skeptics.

“When we work with departments, we consult and talk about the principles and why privacy is there, and once you explain what it is we're protecting and how this will help actually build trust around the programs they're building and build transparency, it goes a long way,” she said. “It's a continual awareness building.”

Nebraska had a similar experience, Wright said, as state leaders had to make the concept of privacy real to people who may not have seen the need to regulate it.

“Getting over the initial hurdle of making it relatable, that was the big thing, and having that stakeholder engagement and stakeholder buy in to say, ‘How would you want someone to handle your data?’” Wright said. “We had to define what data privacy means for the state of Nebraska, talking about consumer data versus government agency data versus school, student and administrator data.”

Flexibility will be key, Wright added, especially if laws need to be amended to reflect technological changes or advancement.

“It comes down to the conversation of the foundational principles of what these privacy laws were established on, and continuing to go back home to those so that we can use those as a baseline and continue to review policies as technology evolves and the implementation of those principles to the new emerging technologies,” he said.

It can be difficult for states to regulate privacy, however, especially as they have largely been left to their own devices to tackle the subject in the absence of comprehensive federal legislation. That has led to concerns of a “patchwork” of state laws and a lack of interoperability between those disparate regulations.

But Armbruster said many of those state-level privacy laws are “starting to look the same,” especially when it comes to protecting consumer privacy. She and Bramwell said states should continue to explore how to regulate agencies’ use of data through their privacy laws, something Utah has tackled. Meanwhile, Congress could step in and build on what has gone before on consumer privacy.

“I think we’re building enough of a headway that a federal law will make sense and we’ll have a model for it,” Armbruster said.

For states and cities with decentralized IT, it can be complicated to write privacy regulations when agencies collect and house data themselves, especially as there may be no central data repository. 

“We all have big ships to turn,” Bramwell said. It can also be challenging to ensure that new laws on privacy are not duplicative of existing regulations or conflicting with them. Bramwell said an effort to harmonize privacy regulations is a “multi-year project” that is still in its early stages.

Education on data privacy’s importance will continue to be key, Armbruster said, especially considering numerous high-profile breaches of government agencies and businesses. She said she is encouraged by younger generations’ focus on privacy in their everyday lives and said that should translate into government action.

“Privacy’s not dead,” Armbruster said. “It’s alive and well, and we have to keep that in focus.”