Key point: Kentucky attorney general files a lawsuit against an artificial intelligence chatbot company, eight days after the Kentucky Consumer Data Protection Act went into effect.

On January 8, the Kentucky attorney general (AG) announced its first lawsuit for violations of the Kentucky Consumer Data Protection Act (KCDPA) against an artificial intelligence (AI) chatbot company. The complaint alleges that the defendant violated the KCDPA with unfair, false, misleading, or deceptive acts and practices, and through unfair collection and exploitation of children’s data. Among other claims, the complaint also states claims under the state’s consumer protection law and data breach law.

The complaint is the latest in a growing trend of states regulating AI chatbots, including companion chatbots. As we recently discussed, New York and California passed laws last year specifically regulating companion chatbots. Lawmakers in other states have already proposed numerous bills this year. This comes notwithstanding the recent executive order, which seeks to preempt “onerous” state AI laws. As we foreshadowed in our analysis of that order, the instant complaint also reinforces the difficulty in defining what constitutes a state AI law, as the complaint is brought under existing state laws that are not specifically written to cover AI.

In the article below, we provide a summary of the allegations in the complaint.

Background

The defendant designed, built, marketed, and distributed an AI chatbot that it markets as a product for interactive entertainment. The complaint provides that the company has more than 20 million monthly active users and more than 180 million monthly website visitors. The company provides a web and mobile application that allows users to create, customize, and converse with millions of chatbots that may include real or fictional characters, including well-known children’s fictional characters. Users can engage with AI characters in text chats or audio calls.

Allegations

The complaint alleges that the platform’s features are unsafe for children, with easy account creation and lack of effective age verification. The AG outlines that the chatbots are designed to emulate humans, the platform’s design and lack of guardrails causes grave and detrimental harm, and a lack of disclosure of risks. The AG further asserts the chatbots have ineffective chat filters, which leads to exposure to harmful content, such as conversations with sexually explicit content; promotion of suicidal or self-harm ideations; and encouragement of drug, substance, and alcohol use. The complaint contains pages of images from chatbots as evidence of these allegations.

The bulk of the complaint focuses on allegations that the defendant violated Kentucky’s general consumer protection law, the Kentucky Consumer Protection Act. The AG alleges that the defendant engaged in unfair, false, misleading, or deceptive acts and practices, and in the unfair collection and exploitation of children’s data. The complaint provides that the defendant failed to implement effective, verifiable age-gating, parental consent, or identity-verification mechanisms to prevent children under 13 from accessing the platform or interacting with the chatbots.

With respect to consumer data privacy, the complaint alleges that the defendant violated the KCDPA by not obtaining verifiable parental consent to collect and process children’s personal data.

The KCDPA went into effect January 1. Under the KCDPA, “sensitive data” includes personal data collected from a known child, which is an individual under the age of 13. The KCDPA requires businesses to first obtain verifiable consent from the child’s parent in accordance with the Children’s Online Privacy Protection Act (COPPA), to process the personal data of a known child. To obtain verifiable parental consent, a business must (1) provide notice of the business’s personal data collection, use, and disclosure practices to the child’s parent, and (2) obtain the parent’s authorization of any collection, use, and/or disclosure of the child’s personal data. The AG alleges that the defendant does not provide adequate notice or collect parental consent in compliance with these requirements.

The complaint also alleges violations of Kentucky’s statutory and constitutional privacy protections and unjust enrichment.

Relief

Notably, the AG only seeks injunctive relief, not monetary relief, for its KCDPA claim.

Before initiating any action for violations of the KCDPA, the AG must provide 30 days’ written notice of the specific provisions a business is allegedly violating and must allow the business 30 days to cure the alleged violations. The complaint does not specifically address this 30-day right-to-cure issue.

In its announcement, the AG stated, “The United States must be a leader in the development of AI, but it can’t come at the expense of our kids’ lives.” Based on the timing of this lawsuit, it is clear that the AG was prepared to enforce the KCDPA.