Connecticut 2023 2023 Regular Session

Connecticut Senate Bill SB01103 Comm Sub / Analysis

Filed 03/27/2023

                     
Researcher: DC 	Page 1 	3/27/23 
 
 
 
 
OLR Bill Analysis 
sSB 1103  
 
AN ACT CONCERNING ARTIFICIAL INTELLIGENCE, AUTOMATED 
DECISION-MAKING AND PERSONAL DATA PRIVACY.  
 
SUMMARY 
This bill sets several requirements for state agencies’ development 
and use of automated systems for “critical decisions” (i.e., those with a 
significant effect on an individual’s life). Among other things, it requires 
the (1) Office of Policy and Management (OPM) secretary to designate 
an artificial intelligence (AI) officer to develop and adopt procedures for 
using automated systems and (2) Department of Administrative 
Services (DAS) commissioner to designate an AI implementation officer 
to inventory the automated systems by December 31, 2023, and 
periodically review agencies’ use of them. Under the bill, state agencies 
developing, procuring, or using any automated system on or after 
January 1, 2024, must (1) satisfy the automated systems procedures and 
(2) notify the implementation officer, who may direct the agency to stop 
development, procurement, or use if he or she finds that it does not 
comply with the procedures.  
Additionally, the bill establishes the Connecticut Artificial 
Intelligence Advisory Board in the legislative branch to hold public 
hearings on the draft procedures and advise state agencies on AI and 
automated system policies. It also establishes a task force to study AI 
and develop and make recommendations on adoption of an AI bill of 
rights. 
Separately, the bill prohibits state contracting agencies from entering 
into a contract unless it has a provision requiring the business to comply 
with the consumer data privacy law. It also (1) exempts certain air 
carriers from the consumer data privacy law and (2) modifies the 
prohibition on targeted advertisement for children between ages 13 and 16.
The consumer data privacy law is effective July 1, 2023, and sets a
framework for controlling and processing personal data. 
EFFECTIVE DATE: July 1, 2023, except the task force provision is 
effective upon passage. 
§ 1 — AUTOMATED SYSTEMS 
Definitions 
The bill’s procedural and inventory requirements apply to 
“automated systems,” which consist of automated decision systems, 
automated decision support systems, and automated final decision 
systems. 
An “automated decision system” is a machine-based learning system 
or application developed, procured, or used to make, inform, or 
materially support a state agency’s “critical decisions” (see below). It 
includes systems or applications derived from machine learning, 
statistics, or other data processing or AI techniques, but excludes 
passive computing infrastructure (e.g., web hosting, data storage, and 
other intermediary technology that does not influence or determine a 
decision’s outcome). 
An “automated decision support system” is an automated decision 
system that provides material information to inform an individual’s 
conclusion, decision, or judgment on behalf of a state agency. 
An “automated final decision system” is an automated decision 
system that makes a final conclusion, decision, or judgment on behalf of 
a state agency without intervention by an individual acting on behalf of 
a state agency. 
The bill defines “critical decision” as any decision or judgment that 
has any legal, material, or similarly significant effect on an individual’s 
life concerning access to, or the cost, terms, or availability of, the 
following:  
1. education and vocational training, including assessment, 
accreditation, or certification;
2. employment, worker management, or self-employment; 
3. essential utilities such as electricity, heat, water, Internet or 
telecommunications access, or transportation; 
4. family planning services, including adoption or reproductive 
services; 
5. financial services, including any financial service provided by a 
mortgage company; 
6. services from a creditor or mortgage broker;  
7. health care, including mental health care, dental care, or vision 
care;  
8. housing or lodging, including any rental, short-term housing, or 
lodging;  
9. legal services, including private mediation or arbitration; or 
10. government benefits or public services. 
§ 1 — AI OFFICER 
Designation  
By October 1, 2023, the bill requires the OPM secretary to designate 
an employee to serve as the AI officer. The employee must have (1) 
extensive knowledge of automated systems and AI analysis, 
governance, principles, practices, technology, terminology, and trends; 
and (2) experience in administration, planning, policy development, 
project management, and service coordination. The secretary may 
contract with a third party, if he deems it necessary, to help the officer 
do his or her duties. 
Automated Systems Procedures 
The bill requires the AI officer to biennially develop and adopt 
automated systems procedures for state agencies to use in developing, 
procuring, and using automated systems for critical decisions. The 
officer must do so beginning by December 31, 2023, and in consultation
with state agency heads and data officers. A state agency is any 
department, board, commission, council, institution, office, state higher 
education constituent unit, technical education and career school, or 
other agency in the executive, legislative, or judicial branch. (It is unclear 
whether all agencies have data officers.) The bill prohibits state agencies 
from developing, procuring, or using any automated system on or after 
January 1, 2024, unless it satisfies the procedural requirements the bill 
sets (see below). 
Safeguards. In developing these automated systems procedures, the 
officer must consider requiring state agencies to develop, procure, and 
use automated systems in a way that is consistent with national and 
international standards. He or she must also consider imposing the 
following safeguards, where appropriate, to mitigate risk and ensure 
that:  
1. state agencies develop, procure, and use automated systems 
consistent with state and federal laws, including those 
prohibiting discrimination and addressing privacy, civil rights, 
and civil liberties;  
2. automated systems do not unlawfully and disproportionately 
impact any individual or group of individuals on the basis of any 
actual or perceived differentiating characteristic, including age, 
genetic information, color, ethnicity, race, creed, religion, 
national origin, ancestry, sex, gender identity or expression, 
sexual orientation, marital status, familial status, pregnancy, 
veteran status, disability, or lawful source of income;  
3. any benefits that a state agency gains by using an automated 
system outweigh any risks inherent in using it;  
4. each automated system is (a) applied and used consistent with 
the use cases for which the system was trained in order to ensure 
accuracy, reliability, and efficacy and (b) safe, secure, and 
resilient, including in circumstances where the system is 
confronted with any systematic vulnerability, adversarial 
manipulation, or other malicious exploitation;
5. subject matter experts and users sufficiently understand the 
automated system’s operations and outcomes; 
6. individual roles and responsibilities are clearly defined, 
understood, and appropriately assigned consistent with the 
system’s intended purpose;  
7. the system’s development, procurement, and use are 
documented and traceable, including the system’s inputs and 
outputs for applications;  
8. the system’s design, development, procurement, monitoring, 
and intended purposes are appropriately transparent to the 
public under uniform protocols and public access requirements 
on releases and posting of appropriate information by each state 
agency using the system; and 
9. data inputs are appropriately transparent under the Freedom of 
Information Act (FOIA). 
Additionally, the bill requires the AI officer to consider safeguards to 
ensure each state agency that uses an automated system does the 
following: 
1. examines the system, at least once every two years, to ensure 
compliance with the procedures; 
2. supersedes, disengages, and deactivates any system application 
that demonstrates performance that is, or outcomes that are, 
inconsistent with the procedures or the bill’s other systems 
requirements; 
3. is appropriately transparent in disclosing any information 
relevant to the agency’s use of the system; 
4. implements safeguards to ensure that the system is properly 
applied, used, and functioning; and 
5. provides appropriate training to all personnel responsible for
developing, procuring, or using the automated system. 
Draft and Public Hearing 
Beginning by November 1, 2023, the bill requires the AI officer to 
biennially submit a preliminary draft of the automated systems 
procedures to the Connecticut Artificial Intelligence Advisory Board 
(see below). Within 30 days after receiving the draft, the board must 
hold a public hearing on the draft procedures and submit any suggested 
revisions to the officer. 
After the public hearing and, if applicable, receiving any 
recommended revisions from the board, the AI officer must finalize the 
procedures and submit them to the board. The officer must send a copy 
of the final procedures to all state agency data officers and OPM must 
post them on its website.  
Inventory 
Beginning by December 31, 2024, the bill requires each state agency 
to biennially (1) do an inventory of the automated systems that the state 
agency uses, in a form the officer prescribes; and (2) submit the 
inventory to the officer and the board. OPM must make each inventory 
publicly available on its website. 
§ 2 — CONNECTICUT ARTIFICIAL INTELLIGENCE ADVISORY BOARD
Membership 
The bill establishes an 18-member Connecticut Artificial Intelligence 
Advisory Board, with 10 voting members and eight non-voting 
members. The bill places the board in the legislative branch.   
Under the bill, the board consists of the following voting members: 
(1) two each appointed by the House speaker, Senate president pro 
tempore, and Senate and House minority leaders; and (2) the House and 
Senate General Law chairpersons or their appointees. All appointed 
members must have professional experience or academic qualifications 
in matters related to automated systems, AI, AI governance and 
accountability, or other related fields.
Additional nonvoting ex-officio members must include the following 
officials or their designees: the DAS commissioner; chief data officer; 
Freedom of Information Commission executive director; Commission 
on Women, Children, Seniors, Equity and Opportunity executive 
director; attorney general, chief court administrator, state treasurer, and 
state comptroller. The House speaker and the Senate president pro 
tempore must each select a co-chair of the board from among the board 
members. 
Terms and Meetings  
The bill requires that all initial board appointments be made by 
September 1, 2023. Each appointed member’s term is coterminous with 
his or her appointing authority’s term, and the appointing authority 
must fill any vacancy for the balance of the unexpired term. A board 
member may serve more than one term. The co-chairs must jointly 
schedule the first board meeting, which must be held by October 1, 2023. 
The bill requires the board to meet at least twice a year; the board may
meet at other times as determined jointly by the co-chairs or by a
majority of board members.
The bill requires the General Law administrative staff to serve as the 
board’s administrative staff. 
Powers and Duties 
The bill establishes the following powers and duties for the board:  
1. advise state agencies on AI and automated systems policy, 
including best practices for using AI and automated systems;  
2. hold a public hearing on the AI officer’s draft automated systems 
procedures and make revisions (see § 1 above);  
3. issue reports and recommendations;  
4. request that any state agency data officer or state agency head 
appear before the board to answer questions, if requested by at 
least two board members;
5. request assistance and data from any state agency as necessary 
and available to carry out the board’s purposes;  
6. make recommendations to the legislative leaders concerning AI 
and automated systems policy; and  
7. establish bylaws to govern the board’s procedures. 
§ 3 — AI IMPLEMENTATION OFFICER
The bill requires the DAS commissioner to designate an employee by 
October 1, 2023, to serve as the AI implementation officer. The bill sets 
the same knowledge and experience requirements as it does for the AI 
officer designated by OPM. 
The bill requires the implementation officer to perform several duties 
related to automated systems, such as creating an inventory of all 
automated systems state agencies use for critical decisions. The DAS 
commissioner may contract with a third party, if she deems it necessary, 
to help the implementation officer do his or her duties. 
Oversight of State Agency Automated Systems 
Under the bill, any state agency that intends to develop, procure, or 
use any automated system on or after January 1, 2024, must provide the 
implementation officer, in a form and manner the officer prescribes, at 
least 60 days’ advance written notice of its intended action. 
Within 90 days after the implementation officer receives any notice, 
he or she may review it and any available documentation on the 
system’s operation and any related safeguards to determine whether 
developing, procuring, or using the system would satisfy the automated 
systems procedure requirements. If the implementation officer does not 
make any determination during this period, the state agency that 
submitted the notice may develop, procure, or use the system. 
If the implementation officer determines that any automated system 
that a state agency develops, procures, or uses does not satisfy the 
procedures, the officer must direct the agency to immediately stop these 
actions. On and after July 1, 2025, the implementation officer:
1. may periodically reevaluate any automated system that is 
developed, procured, or used by any state agency to ensure that 
the system satisfies the automated systems procedure 
requirements; 
2. must, at least biennially, reevaluate any automated system that 
any state agency develops, procures, or uses, if the officer 
determines that the automated system poses any significant risk; 
and 
3. may take other actions if he or she deems it appropriate to carry 
out the purposes above. 
Inventory of Automated Systems 
By December 31, 2023, the bill requires the AI implementation officer 
to inventory all automated systems that state agencies use for critical 
decisions. The inventory must include each automated system’s name 
and vendor, if any, and a description of the system’s general capabilities. 
This description must include: 
1. any reasonably foreseeable capability of the automated system 
that is outside of any state agency’s intended use of the system; 
2. whether the automated system was used, or may be used, to 
independently make, inform, or materially support a conclusion, 
decision, or judgment, and the resulting impact on state 
residents; 
3. each type of data input that was used by the automated system; 
how the inputted data was collected, generated, or processed; 
and the type or types of data the automated system generated or 
is reasonably likely to generate; 
4. whether the automated system (a) discriminated against any 
individual or group of individuals in violation of state or federal 
law, or (b) disproportionately and unlawfully impacted any 
individual or group of individuals on the basis of any actual or 
perceived differentiating characteristic, including age, genetic
information, color, ethnicity, race, creed, religion, national origin, 
ancestry, sex, gender identity or expression, sexual orientation, 
marital status, familial status, pregnancy, veteran status, 
disability, or lawful source of income; 
5. a description of the purpose and intended use of the automated 
system, including (a) which decision or decisions the system was 
used to make, inform, or materially support, (b) whether the 
system is an automated final decision system or automated 
decision support system, and (c) the benefit or benefits the 
system was supposed to confer and any data or research needed 
for determining whether the system conferred the purported 
benefit or benefits; and 
6. (a) how the data used or generated by the automated system was 
processed and stored; (b) whether the state agency or agencies 
that developed, procured, or used the system intend to share 
access to it or data with any other person and, if so, that person’s name; 
and (c) why the state agency or agencies intend to share access or 
data with that person. 
Under the bill, the implementation officer must, as part of the 
required inventory, determine whether any automated system included 
in the inventory: 
1. infringed on any legal right of any state resident; and 
2. was publicly disclosed under FOIA in an appropriately 
transparent manner. 
The bill requires the AI implementation officer to prepare and submit 
a report to the General Law Committee by December 31, 2024, that 
contains the inventory. 
§§ 1-4 — DISCLOSURES AND RESTRICTIONS
The bill explicitly subjects the AI officer, AI implementation officer, 
and the AI advisory board to FOIA. Under the bill, the AI provisions 
must not be construed to:
1. require disclosing any trade secret;  
2. abrogate any work product protection; or  
3. restrict the officers’, advisory board’s, or any state agency’s 
ability to (a) conduct any internal research to develop, improve, 
or repair any product, service, or technology; (b) prevent, detect, 
protect against, or respond to, or investigate, report, or prosecute 
any person responsible for any security incident, identity theft, 
fraud, harassment, malicious or deceptive activity, or illegal 
activity; or (c) preserve the integrity or security of any system. 
Under the bill, a “trade secret” is information, including a formula, 
pattern, compilation, program, device, method, technique, process, 
drawing, cost data, or customer list that (1) derives actual or potential 
independent economic value from not being generally known to, and 
not being readily ascertainable by proper means by, other individuals 
who can get economic value from its disclosure or use, and (2) is the 
subject of efforts that are reasonable under the circumstances to 
maintain its secrecy. 
§ 8 — TASK FORCE TO STUDY AI 
The bill establishes a nine-member task force to study AI. The task 
force must (1) develop, and make recommendations for adopting, an AI 
bill of rights based on the White House Office of Science and Technology 
Policy’s “Blueprint for an AI Bill of Rights” and (2) study the feasibility 
of, and make recommendations for, establishing a department of AI 
enablement to help state agencies and municipalities ethically 
implement AI technologies. 
The task force must consist of the following members: 
1. two appointments each by the House speaker, Senate president 
pro tempore, and the governor; 
2. one appointment each by the House and Senate majority and 
minority leaders; and
3. the DAS commissioner, or her designee. 
The bill allows legislative appointees to be General Assembly 
members. The House speaker and Senate president pro tempore must 
select the task force’s chairpersons from the members. The chairpersons 
must schedule the first task force meeting within 60 days after the bill 
passes. The bill requires the General Law administrative staff to serve as 
the task force’s administrative staff. 
By January 1, 2024, the bill requires the task force to submit a report 
on its findings and recommendations to the General Law Committee. 
The task force terminates on the date it submits the report or January 1, 
2024, whichever is later. 
§§ 5-7 — CONSUMER DATA PRIVACY LAW
Beginning July 1, 2023, existing law (i.e., the consumer data privacy 
law) sets a framework for controlling and processing personal data. The 
framework requires a controller (i.e., an individual or legal entity that 
determines the purpose and means of processing personal data) to limit 
the collection of personal data and establish security practices, among 
other things.  
Contract Requirement 
Regardless of any state law, the bill prohibits state contracting 
agencies from entering into any contract with a business on or after July 
1, 2023, unless the contract contains a provision requiring the business 
to comply with all applicable provisions of the consumer data privacy 
law. By law, a state contracting agency is an executive branch agency, 
board, commission, department, office, institution, or council. The 
definition excludes (1) the offices of the Secretary of the State, State 
Treasurer, State Comptroller, and Attorney General with respect to their 
constitutional functions and (2) any state agency with respect to 
contracts specific to the constitutional and statutory functions of the 
Office of the State Treasurer. 
Exemption 
The consumer data privacy law exempts various entities from its
requirements. The bill expands the exemption to include any air carrier 
(i.e., a U.S. citizen that provides air transportation by any means) that is 
regulated under the Federal Aviation Act of 1958 (49 U.S.C. § 40101 et 
seq.) and the Airline Deregulation Act (49 U.S.C. § 41713). 
Targeted Advertising Prohibition 
Existing law prohibits controllers from processing a consumer’s 
personal data for purposes of targeted advertising without the 
consumer’s consent for consumers who are at least 13 years old, but 
under 16 years old. Under current law, the prohibition applies only if 
the controller both has actual knowledge that the consumer’s age is in 
this range and willfully disregards it. Under the bill, the prohibition 
applies in either case (i.e., actual knowledge or willful disregard of the 
consumer’s age).  
BACKGROUND 
Related Bill 
sSB 1058, § 9, reported favorably by the General Law Committee, 
contains an identical provision prohibiting a controller that has actual 
knowledge or willfully disregards the consumer’s age from processing 
the consumer’s data for targeted advertising without the consumer’s 
consent. 
COMMITTEE ACTION 
General Law Committee 
Joint Favorable Substitute 
Yea 23 Nay 0 (03/09/2023)