Algorithmic Accountability Act for AI Product Managers: Section 3

This text follows my notes on Sections 1 and 2 of the the Algorithmic Accountability Act (2022 and 2023). When (if?) the Act becomes law, it will apply across all kinds of software products, or more generally, products and services which rely in any way on algorithms to support decision making. This makes it necessary for any product manager whose products rely on any kind of algorithm, however implemented, to understand the details of the Act.

This is the second of a series of texts where I’m providing my critical reading of the Algorithmic Accountability Act of 2022. I held various product management positions in the past, for products/services which included software as a significant component, and my notes are inevitably biased by that experience; in almost all cases, products supported non-trivial decisions. If you have any questions, suggestions, or want to connect, email me at ivan@ivanjureta.com.

Algorithmic Accountability Act (2022 and 2023)Implications to product management
SEC. 3. ASSESSING THE IMPACT OF AUTOMATED DECISION SYSTEMS AND AUGMENTED CRITICAL DECISION PROCESSES.
(a) Acts Prohibited.—
(1) IN GENERAL.—It is unlawful for—
(A) any covered entity to violate a regulation promulgated under subsection (b); or
(B) any person to knowingly provide substantial assistance to any covered entity in violating subsection (b).
(2) PREEMPTION OF PRIVATE CONTRACTS.—It shall be unlawful for any covered entity to commit the acts prohibited in paragraph (1), regardless of specific agreements between entities or consumers.
This makes it necessary for any entity that meets conditions for Covered Entity to comply with the Act, and makes it unlawful to support entities who do not comply.

3.a.2 makes it impossible to formalize agreements that enable behaviors which violate the Act, provided that the Act applies.
(b) Regulations.—
(1) IN GENERAL.—Subject to paragraph (2), not later than 2 years after the date of enactment of this Act, the Commission shall, in consultation with the Director of the National Institute of Standards and Technology, the Director of the National Artificial Intelligence Initiative, the Director of the Office of Science and Technology Policy, and other relevant stakeholders, including standards bodies, private industry, academia, technology experts, and advocates for civil rights, consumers, and impacted communities, promulgate regulations, in accordance with section 553 of title 5, United States Code, that—
(A) require each covered entity to perform impact assessment of any—
(i) deployed automated decision system that was developed for implementation or use, or that the covered entity reasonably expects to be implemented or used, in an augmented critical decision process by any person, partnership, or corporation that meets the requirements described in section 2(7)(A)(i); and
(ii) augmented critical decision process, both prior to and after deployment by the covered entity;
Covered Entities need to make impact assessments, and be ready to communicate them according to the Act, two years from the date when the Act becomes law, which hasn’t happened when I wrote this, in January 2024.
(B) require each covered entity to maintain documentation of any impact assessment performed under subparagraph (A), including the applicable information described in section 4(a) for 3 years longer than the duration of time for which the automated decision system or augmented critical decision process is deployed;This is a straightforward requirement to keep all impact assessments as records for at least 3 years past the date when the Automated Decision System was decommissioned.
(C) require each person, partnership, or corporation that meets the requirements described in section 2(7)(A)(i) to disclose their status as a covered entity to any person, partnership, or corporation that sells, licenses, or otherwise provides through a commercial relationship any automated decision system deployed by the covered entity in an automated decision system or augmented critical decision process;If your product is an Automated Decision System, and you are a Covered Entity, and your product is used by other entities in their products, then you must ensure that they are informed that your product is subject to the Act.
(D) require each covered entity to submit to the Commission, on an annual basis, a summary report for ongoing impact assessment of any deployed automated decision system or augmented critical decision process;The summary report is an annual one.
(E) require each covered entity to submit an initial summary report to the Commission for any new automated decision system or augmented critical decision process prior to its deployment by the covered entity;The product release process needs to include a step for developing and communicating the summary report prior to release. Only the communication of the report is needed, and no response from the Commission is required before the product can be released.
(F) allow any person, partnership, or corporation over which the Commission has jurisdiction under section 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 45(a)(2)) that deploys any automated decision system or augmented critical decision process, but is not a covered entity, to submit to the Commission a summary report for any impact assessment performed with respect to such system or process;No comments on this one.
(G) require each covered entity, in performing the impact assessment described in subparagraph (A), to the extent possible, to meaningfully consult (including through participatory design, independent auditing, or soliciting or incorporating feedback) with relevant internal stakeholders (such as employees, ethics teams, and responsible technology teams) and independent external stakeholders (such as representatives of and advocates for impacted groups, civil society and advocates, and technology experts) as frequently as necessary;To satisfy this requirement, it is necessary to maintain a register of stakeholders, as well as have communication plans and records of their execution, across all stakeholder groups. Moreover, it is likely relevant to explain how they are consulted, and how their feedback is integrated in the product lifecycle.
(H) require each covered entity to attempt to eliminate or mitigate, in a timely manner, any impact made by an augmented critical decision process that demonstrates a likely material negative impact that has legal or similarly significant effects on a consumer’s life;Firstly, it is necessary to define “negative impact”, including the probability of that impact. You can think of this as a register of risks to users, from the use of the Automated Decision System.
Secondly, the requirement states that the impact had to be made, not that it is possible, so that it needs to be demonstrated that the risk in fact realized.
Thirdly, there needs to be a definition of “material” negative impact, meaning that there’s a tradeoff to balance between cautiously low thresholds for an impact to qualify as material, and lower thresholds, but possibly more difficult to defend.
Fourthly, there needs to exist a documented process and target quality level (response time being part of this) to ensure a timely mitigation of the negative impact. This, in turn, requires a means for customers to report negative impacts, a process to assess those negative impacts to determine which ones require reporting, and so on.
(I) establish definitions for—
(i) what constitutes “access to or the cost, terms, or availability of” with respect to a critical decision;
(ii) what constitutes “possession”, “management”, “modification”, and “control” with respect to identifying information;
(iii) the different categories of third-party decision recipients that a covered entity must document under section 5(1)(H); and
(iv) any of the services, programs, or opportunities described in subparagraphs (A) through (I) of section 2(8) for the purpose of informing consumers, covered entities, and regulators, as the Commission deems necessary;
This requirement impacts the content of Terms and Conditions provided to customers. All items are fairly straightforward, but require also that corresponding processes, roles, and responsibilities are in place.
(J) establish guidelines for any person, partnership, or corporation to calculate the number of consumers, households, or consumer devices for which the person, partnership, or corporation possesses, manages, modifies, or controls identifying information for the purpose of determining covered entity status;Remember that this is a requirement that the Commission needs to satisfy. Consequently, the Commission will provide the guidelines, and these then become requirements for product analytics.
(K) establish guidelines for a covered entity to prioritize different automated decision systems and augmented critical decision processes deployed by the covered entity for performing impact assessment; andThe Commission will provide guidelines on how a Covered Entity should prioritize the development of summary reports, depending on the properties of their Automated Decision Systems. These guidelines will then influence internal resource allocation in a Covered Entity, to develop summary reports.
(L) establish a required format for any summary report, as described in subparagraphs (D), (E), and (F), to ensure that such reports are submitted in an accessible and machine-readable format.In short, there’s no need to invent a report before the Commission provides the specification for it.
(2) CONSIDERATIONS.—In promulgating the regulations under paragraph (1), the Commission—
(A) shall take into consideration—
(i) that certain assessment or documentation of an automated decision system or augmented critical decision process may only be possible at particular stages of the development and deployment of such system or process or may be limited or not possible based on the availability of certain types of information or data or the nature of the relationship between the covered entity and consumers;
(ii) the duration of time between summary report submissions and the timeliness of the reported information;
(iii) the administrative burden placed on the Commission and the covered entity;
(iv) the benefits of standardizing and structuring summary reports for comparative analysis compared with the benefits of less-structured narrative reports to provide detail and flexibility in reporting;
(v) that summary reports submitted by different covered entities may contain different fields according to the requirements established by the Commission, and the Commission may allow or require submission of incomplete reports;
(vi) that existing data privacy and other regulations may inhibit a covered entity from storing or sharing certain information; and
(vii) that a covered entity may require information from other persons, partnerships, or corporations that develop any automated decision system deployed in an automated decision system or augmented critical decision process by the covered entity for the purpose of performing impact assessment; and
These Considerations help set expectations from the said parties. They are there to recognize that in practice, it takes resources, including time to develop both the guidelines that the Commission needs to develop, and for Covered Entities to make and communicate the summary reports.
(B) may develop specific requirements for impact assessments and summary reports for particular—
(i) categories of critical decisions, as described in subparagraphs (A) through (I) of section 2(8) or any subcategory developed by the Commission; and
(ii) stages of development and deployment of an automated decision system or augmented critical decision process.
Over time, as the Commission gathers summary reports, it is likely that they will provide more guidelines and standardize the categories of information they require through summary reports, as well as from impact assessments. In short, change in guidelines from the Commission should be expected.
(3) EFFECTIVE DATE.—The regulations described in paragraph (1) shall take effect on the date that is 2 years after such regulations are promulgated.As mentioned above, first summary reports are due at the earliest two years from the date when the Act becomes law.

The above covers only Section 3 of the Act. Sections 1 and 2 are covered in another text. Texts covering other Sections are coming soon.