The DC Council is moving forward with the “Stop Discrimination by Algorithms Act” B24-0558. This complex legislation would apply to large and small DC businesses alike, from hospitals, universities, and other large employers to one-of-a-kind storefront shops and sole proprietors.
B24-0558 WOULD IMPOSE MAJOR NEW REQUIREMENTS AND PENALTIES FOR VIOLATIONS ON A NUMBER OF SMALL- AND MEDIUM-SIZED DC BUSINESSES.
THE NEW RESTRICTIONS
The proposed legislation prohibits both for-profit and nonprofit organizations from using algorithms that make decisions based on protected personal traits. Algorithms are tools that use machine learning and personal data to make predictions about individuals. Note that algorithms are already widely used by a very broad cross-section of businesses – including marketing vendors or others working on their behalf. Specifically, this bill makes it unlawful for a DC business to make a decision stemming from an algorithm if it is based on a broad range of personal characteristics, including actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, source of income or disability in a manner that makes “important life opportunities” unavailable to that individual or class of individuals.
DOES THIS THREAT APPLY TO YOU?
The bill is sweeping in its reach, covering entities that knowingly or unknowingly use algorithms to make decisions related to offers of credit, insurance, education, or employment, or that are considered a place of public accommodation.
The bill applies to a wide range of businesses, including those that meet at least one of the following criteria:
- Businesses that possess or control – either directly or through vendors – personal information (including purchasing or consuming history) on more than 25,000 District residents. (NOTE: Many small businesses routinely retain this volume of customer, payment, or marketing information); or
- Businesses that retain greater than $15 million in average annualized gross receipts for the three years preceding the most recent fiscal year; or
- Businesses that are data brokers or other entities that derive at least 50% of their annual revenue from collecting, assembling, selling, distributing, providing access to or maintaining personal information, and some proportion of the personal information concerns a District resident who is not a customer or an employee of that entity; or
- Vendors that perform algorithmic eligibility determinations or algorithmic information availability determinations on behalf of another business. (NOTE: Many small businesses use third-party tools or service vendors to retain payment, customer relations, marketing, or other data. If your business does, it could be subject to this legislation.)
THE NEW REQUIREMENTS
- Businesses relying on a “service provider” – a vendor that performs “algorithmic eligibility determinations or algorithmic information availability determinations” – would be required to execute a written agreement with that provider to comply with the law.
- Businesses would be required to develop a one-page notice in English and any other language spoken by more than 500 DC residents. The notice must be made public on the entity’s website. Furthermore, businesses must provide this notice before applying an algorithm-based decision to an individual.
- Businesses must disclose an adverse algorithm-based decision to an individual, including the factors used to reach the determination. Covered entities must also provide an opportunity for an individual to submit correction information.
- Businesses must conduct an annual audit, and maintain it for a minimum of five years, to determine if their practice of using algorithms discriminates on the basis of protected traits. There are as yet no generally accepted guidelines for such audits, so these services would need to be conducted by outside experts at the cost of the business itself.
- Businesses must submit an annual report to the Office of the Attorney General that includes the performance metrics of the algorithm, the reason for the use of the algorithm, and disclosure of any algorithmic determination complaints the business receives.
VIOLATIONS AND PENALTIES
Any covered entity or service provider who violates the act would be liable for a civil penalty of up to $10,000 per violation. Private plaintiffs could bring a civil action and receive damages between $100 and $10,000 per violation or actual damages. Additional punitive damages could be awarded, including attorney fees, costs, and other relief that the court deems appropriate. Businesses would be held liable for violations even if there is no discriminatory intent.
HOW TO GET MORE INVOLVED
Please contact Brett Allen, Director of Government Relations & Public Policy at the DC Chamber of Commerce, at [email protected] to join the fight to fix or defeat this measure.
THIS DOCUMENT IS INTENDED TO PROVIDE YOU GENERAL INFORMATION REGARDING THE “STOP DISCRIMINATION BY ALGORITHMS ACT”. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. BECAUSE THE LAW IN THIS JURISDICTION CHANGES RAPIDLY, THE DC CHAMBER OF COMMERCE CANNOT GUARANTEE CONTINUED ACCURACY.