IAPP transparency, accountability, and Bedoya on AI ethics

The IAPP Global Privacy Summit drew over five thousand attendees and put regulators front and center, articulating their enforcement priorities in unusually direct terms. Transparency and accountability emerged as the twin pillars of the regulatory message. Transparency means clearly describing what you do with data — with a higher obligation to disclose upfront when practices are likely to affect someone in a personal or significant way. Accountability means that if you make a promise in your privacy policy and your conduct doesn’t match it, the FTC or state AGs have a ready hook for enforcement. Material omissions — failing to disclose relevant practices when collecting sensitive personal information — carry the same risk. And accountability extends through vendor relationships: disclosing data to a partner doesn’t transfer liability, as regulators look at whether companies did diligence, reviewed contracts, and responded to red flags. A recurring theme across IAPP panels was the gap between legal complexity and practical action. Privacy professionals face a proliferating landscape of state laws with overlapping obligations, and the most common challenge is not just knowing what the laws require but translating those requirements into clear operational priorities for business stakeholders. The recommendation from practitioners: avoid legal speak, prioritize ruthlessly, and frame compliance in terms of what the business needs to accomplish — not just as a penalty-avoidance exercise, but as a way to build consumer trust and unlock data-driven revenue. FTC Commissioner Bedoya’s keynote addressed AI directly, making the case that generative AI is already regulated — just by existing laws. The FTC Act, Equal Employment Opportunity statutes, fair lending and housing laws: these apply to AI outputs that affect protected classes or produce discriminatory results, and “it’s a black box” is not a defense. Transparency about inputs and weighting is essential, and refusing to provide it — as some AI providers have done by citing user safety — is a mistake regulators will not accept. A further wrinkle raised in conversation with a Forrester analyst: achieving fairer algorithmic outcomes often requires more training data from underrepresented groups, but that data is frequently sensitive personal information, creating a genuine tension between privacy protection and algorithmic fairness that the industry has yet to resolve.

**Jonathan:** Hey, Alysa. How are you? **Alysa:** Hello. Happy post-weekend. Nice to be back home after it was pretty intense last week at IAPP. **Jonathan:** That there were a lot of people. I think that was the biggest IAPP they've had. **Alysa:** I thought it was like over five thousand, five hundred maybe, something like that. **Jonathan:** Yeah. That's what they said. It was kind of interesting though. I said this week we'd talk about some of the themes that got picked up there. I'm used to being in DC and having lawyers everywhere you turn, but it was quite another thing to be in DC and just have the place just decked out with privacy lawyers and privacy professionals. You could see that pretty much everywhere you went. Just a huge, huge attendance and the buzzwords in the hall. Right? Just all the different privacy discussions that folks were having in the meetup. So that was pretty cool. **Alysa:** Yeah, look, I'm with you. For me, I loved seeing the regulators out in force. I mean, not that they hadn't been before, but it just felt like now they were really articulating how they're going after — not going after people, but how they're looking at this and some of the things and themes you should look for. The two words I heard a lot were transparency and accountability from regulators. Now transparency we know and love, even though it might be confusing to people. I mean, what is transparency exactly and how do you clearly communicate what you're doing with data? **Jonathan:** Do you have an easy kind of color-by-numbers on how to be transparent? I know that's a tough question. **Alysa:** Describe what you do. And I think the more important it is — the more it really affects somebody in a very personal way — then the bigger obligation you have to make that disclosure upfront and in somebody's face. And I think the reason why the regulators kept talking about trust and accountability is because both the state AGs and the FTC, the easiest hook they have is if you make a promise — you make a privacy promise, such as in your privacy policy — and then you don't act consistently with that. So that's the accountability. They can enforce, right, if your conduct is not truthful about what you said. They also can allege that you have a material omission, meaning you should have disclosed certain practices when you collected sensitive personal information, for example. **Jonathan:** I wanted to ask you this and I don't want to sound like it's a silly question, but when I said accountability, I couldn't help but think — accountability to whom? Is it a consumer? Is it accountability to your own organization? Accountability to whom? When they say that, what do they mean? **Alysa:** Well, these are consumer protection laws, right? So accountability is to the consumer. If you make a promise, you need to hold up your end of the bargain in terms of that promise. But they also talk in terms of your relationships. So if you hire a partner or a vendor and you disclose data to that partner or vendor, you're not off the hook just because something happened in another entity's hands. They look at the relationship. They look at, did you ignore red flags? Did you do any type of diligence? What does your contract look like? We heard that from Stacy Shester out of California. We heard that from FTC representatives. It's not supposed to just be words on a page. And let's be honest, they have a lot of complaints about just having the words on the page and how effective those are to begin with. But in addition to notice, there's this extra layer of teeth, I think, when it comes to enforcement. **Jonathan:** That's a good point. So it's not — I was thinking of it as maybe two separate pillars of what they're going after — transparency and accountability — but actually they're related. Be transparent about what you're doing and then be accountable to what you've just said and make sure you're doing what you said you'd do, basically. **Alysa:** Exactly. **Jonathan:** The only thing we heard a lot on the show floor actually was that it seems like this idea that you're going to chase every regulation and tick and tie every little piece that you need to from a legal perspective — the thing we've heard the most is people don't know what to do. It's super confusing out there. It changes all the time. Even if they did know what to do, they're not quite sure how to balance that with what's good for the business. What should we do? And how do these laws work with how the business runs? I love one of the panels that we sat in on — Alysa with Pedro Medo — where he said, if you want to get into this pain in legal detail, should have been a judge. The role here is to try to figure out the business and the legal. Which — at Ketch, we love saying that there's data dignity for consumers, but also businesses should be able to unlock this opportunity in data. So how, from your perch, how do you help people with that? **Alysa:** Well, one — and I'll go back to takeaways from IAPP because this was a theme we saw in that panel, but we saw it in a number of others — is the translation layer. Lawyers, we can nerd out all the time about the intricacies and the distinctions and have our lovely comparison charts between the different laws. But at the end of the day, every in-house practitioner or privacy professional that supports a company's compliance has to translate what these laws mean into how does it work for the business. What does the business have to do and in what order? What's the order of operations for these obligations? And what we heard from a lot of professionals on the panels on this point were: prioritize. Right? So much is happening. What is the top of the funnel, kind of the umbrella item that you have to address first? And one of the points that I think really resonated so much is: don't put it in legal speak. We know that, right? How do you make it relevant to the business in terms of what their needs are — to your point on consumer brand and trust and how that really can unlock revenue for the company — that's exactly it. Like, how do you make it relevant in terms of what the business's bottom line is? It's not always the stick in terms of legal penalties. It's really: here's what you need to do to be able to do x, y, and z, and have the privacy obligations really be part and parcel with that business objective. **Jonathan:** I love how you do that, by the way, Alysa. Not to embarrass you here, but I will. One of the things I heard in the panel was, hey, we get this list of requirements from our outside counsel. And for lawyers who work for businesses, they need to take that list and kind of translate it into, here's what we need to do for our business. Here's what makes sense for us. And I feel like you shortcut that. Right? Is that yeah. **Alysa:** Well, I — that's — thank you. I appreciate that. I think it's — we're all — it's a Rubik's cube. Right? All of these different laws and all these different directions. And that's super cool and interesting. But at the end of the day, it needs to be usable. Right? What is the output? And the output has to be clear because if directions are garbled, then they're incomprehensible. And right now, a lot of these laws feel incomprehensible to people who just want to know: tell me what I need to do. I want to do the right thing. I just don't know what to do. And so I think our job really as professionals in this area is: can we translate and distill and prioritize? The more we do that, the more we all meet the objective about addressing privacy. **Jonathan:** Sounds like some workshops, a roadshow might be in order. **Alysa:** I love it. Yes. All right. We'll have to think about that. Think about other things I love — seeing FTC Commissioner Bedoya out there and the way he unpacked AI, one of the big issues. AI, children's privacy, healthcare, absolutely. If we talk about AI for a little bit — I loved how he unpacked his whole experience with generative AI and his intersections with art and with his dog and all that stuff. And for a second there I thought, where's he going with this? And then he just delivered it so beautifully. I love that quote about: hey, if you're waiting around for regulations on AI, guess what? Those dusty old laws that we've been enforcing for such a long time — they do it. They do it. If the output of your AI is affecting protected classes, if it's not giving people opportunity, we've already got the tools to do that. **Jonathan:** What do you think of that? And it's — I mean, you talked about the Equal Opportunity Act, you talked about the FTC Act as examples of AI already being regulated. **Alysa:** Well, I think that that's true. We've seen over the years, there's always — first it was IoT or mobile apps way back when — what are the privacy laws that apply? And so old laws get dusted off and apply to just new scenarios. Right now, AI, generative AI, obviously are big ticket items. And the way he broke it down was the way that we would — and we have, I think, talked about this in the past. Are you making promises or representations about how data will be used? Well, how is that consistent with how the AI tool that you're using works? And if it's a third-party tool, what data are they collecting and using for what purposes? And is that consistent with what you have said and the promises you've made to your data? So there's that whole deception component. They've also talked about unfairness and some of the discriminatory anti-bias issues. We've talked about that before, too. There are other laws that regulate extension of credit, bias and discrimination in connection with extending credit. So what tools are you using that could trigger some of those laws? Or for housing or for employment. There's a lot of different scenarios that then pull in these other specific laws that regulate — just because it's generative AI doesn't mean that the laws don't apply. So I think that was his main point: it's not unregulated. It absolutely isn't. But you really do need to parse out what is happening — just because it's a black box, so to speak — that's not a defense. **Jonathan:** I love when he did that. He really tied it back masterfully to transparency. When he said, you can't hide behind, oh, it's a black box, I didn't know what it was going to do. But then also, he was talking about how ChatGPT came out with some document that says, look, here's why we can't be transparent about the way the models work and the way all these things work — because it's user safety. Or, pick your reason why we're not giving you this stuff. And basically, he was super clear: that's a mistake. **Alysa:** Yeah, because it's all about the input and the weighting. And if you're not going to be transparent about that, then it's hard to know whether the output was too weighted or discriminatory, given kind of what factors it really prioritized over others. And so that was — as we think about different uses, imagine how you're going to describe it and talk about it. And do you have the information you need to be able to describe that accurately? You know, on the inputs and outputs — if we have a few more moments here, maybe we can talk about this another time. But I had a great conversation with Steph Lou, who's a Forrester analyst on privacy and marketing. And she talked about policing and how with policing you have a limited data set, and sometimes that limited data set shows that certain classes or certain segments of the population are being treated unfairly. But if your input isn't complete, then the output can never be fair. How do you mean — there's so many things. Maybe the point mostly is there's so many things to think about here that without transparency on the outputs and the inputs, we can't get there as a society and really think about how we build an ethical internet. **Jonathan:** First of all, do you agree with that as a good example? Or how do you think about that? **Alysa:** Well, I agree with it, but it also raises the whole privacy challenge because in order to get fairer outputs, you need more data for inputs. And particularly in some of those aspects, that can be sensitive personal information, right? Somebody's religious background or ethnicity — that could be sensitive. And so if you need more of that from underrepresented groups to make the algorithmic decision-making fairer, well, that means you're collecting more sensitive personal information. But it highlights there are some societal good things for collecting sensitive personal information, but it comes with responsibility. And so those are all — we're all gonna have to wrestle through that in terms of the ethical use of data and how we collect it and how we use it. **Jonathan:** Gotcha. Thanks, Alysa. That might be a nice one to end on. You know, we've been fascinated with this idea that you start with privacy, and that's basically the tip of the spear for an ethical internet. And I'm starting to see why we do that. It all comes and meets in the middle. **Alysa:** Exactly. Yeah, exactly. Well, thanks. I appreciate you as always and have a good week. **Jonathan:** Have a good week.