The US AI Regulatory Landscape
Unlike the European Union, which enacted a comprehensive AI Act covering all member states, the United States has taken a fragmented approach to AI regulation. In the absence of federal legislation, individual states have begun enacting their own AI laws—creating a complex compliance landscape for organizations operating across state lines.
Why States Are Acting
Several factors are driving state-level AI regulation:
- Federal inaction: Despite multiple proposed bills, Congress has not passed comprehensive AI legislation, leaving a regulatory vacuum
- Consumer protection concerns: High-profile cases of algorithmic discrimination in hiring, lending, and insurance have prompted state responses
- Privacy law extension: States with existing privacy laws (California, Virginia, Connecticut, Colorado) are extending those frameworks to address AI
- Economic competition: States like California and Colorado are positioning themselves as leaders in responsible AI governance
Types of State AI Laws
State AI legislation generally falls into several categories:
Categories of State AI Legislation
| Category | Focus | Example States |
|---|---|---|
| Comprehensive AI Laws | Broad regulation of high-risk AI systems across multiple domains | Colorado (enacted), California (pending) |
| Employment AI | AI in hiring, promotion, termination decisions | Illinois (AIVIA), New York (Local Law 144), Maryland |
| Biometric AI | Facial recognition, voice recognition, biometric data | Illinois (BIPA), Texas, Washington |
| Privacy + AI | Automated decision-making provisions in privacy laws | California (CCPA/CPRA), Virginia (VCDPA), Connecticut (CTDPA) |
| Healthcare AI | AI in clinical decisions, insurance, care management | California (pending), New York (proposed) |
| Government AI | AI use by state and local government agencies | California, Washington, multiple states |
Colorado: The First Comprehensive State AI Law
Colorado's Artificial Intelligence Act (SB 24-205), signed May 17, 2024 and effective June 30, 2026, is the first comprehensive US state law regulating AI systems. It establishes obligations for both "developers" (those who build AI) and "deployers" (those who use AI in consequential decisions).
Colorado AI Act Key Points
- Scope: High-risk AI in employment, housing, credit, healthcare, education, insurance, government services, legal services
- Standard: "Reasonable care" to prevent algorithmic discrimination
- Safe Harbor: NIST AI RMF or ISO 42001 compliance creates rebuttable presumption
- Penalties: Up to $20,000 per violation (Consumer Protection Act)
- Enforcement: Attorney General only (no private right of action)
Developer Requirements
Developers of high-risk AI systems must:
- Use reasonable care to protect consumers from algorithmic discrimination
- Provide documentation (model cards, dataset cards) to deployers
- Publicly disclose summaries of high-risk AI systems offered
- Report known discrimination risks to Attorney General within 90 days
- Support deployer impact assessments with necessary information
Deployer Requirements
Deployers of high-risk AI systems must:
- Implement risk management policies governing AI deployment
- Complete annual impact assessments for each high-risk system
- Provide consumer disclosures before AI-assisted decisions
- Establish consumer appeal rights with human review
- Allow consumers to correct data used in AI decisions
For comprehensive coverage, see our Colorado AI Act Complete Compliance Guide.
California: The Privacy Leader Expands to AI
California leads US states in data privacy regulation, and its frameworks increasingly address AI. While California hasn't enacted a comprehensive AI law equivalent to Colorado's, multiple overlapping regulations affect AI deployment:
California Consumer Privacy Act (CCPA/CPRA)
CCPA/CPRA AI Provisions
- Profiling opt-out: Consumers can opt out of automated decision-making
- Access rights: Consumers can access information about automated decisions
- Risk assessments: Required for processing posing significant risk (including profiling)
- Penalties: $2,500-$7,500 per intentional violation
California Automated Decision-Making Technology (ADMT) Regulations
The California Privacy Protection Agency (CPPA) is developing comprehensive ADMT regulations that will significantly expand AI requirements. Key provisions under consideration:
- Pre-use notice: Detailed disclosure before ADMT is used in significant decisions
- Opt-out rights: Consumers may request human review or alternative processes
- Access to logic: Businesses must explain how automated decisions are made
- Impact assessments: Required for ADMT used in significant decisions
These regulations are expected to take effect in 2026 or 2027 following the formal rulemaking process.
California Pending AI Legislation
California's legislature has considered multiple AI bills, including proposals modeled on the EU AI Act:
- SB 1047 (2024): "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act" - Originally imposed significant requirements on large AI models; later amended significantly before passing
- AB 2013 (2024): AI training data transparency for generative AI
- AB 2885 (2024): AI watermarking for synthetic content
- Healthcare AI bills: Multiple proposals addressing AI in clinical settings
Illinois: Biometrics and Employment AI Pioneer
Illinois has been at the forefront of regulating specific AI applications, particularly biometric data and employment decisions:
Illinois Biometric Information Privacy Act (BIPA)
BIPA Requirements
- Scope: Fingerprints, face geometry, iris scans, voice prints, hand geometry
- Notice & consent: Written consent required before collection
- Private right of action: Individuals can sue directly
- Penalties: $1,000 per negligent violation; $5,000 per intentional violation
BIPA has generated significant litigation against AI companies using facial recognition technology, with settlements reaching hundreds of millions of dollars. The law effectively prohibits most commercial facial recognition uses without explicit consent.
Illinois Artificial Intelligence Video Interview Act (AIVIA)
AIVIA Requirements
Employers using AI to analyze video interviews must: (1) notify applicants that AI will be used; (2) explain how the AI works and what characteristics it evaluates; (3) obtain applicant consent before the interview; (4) limit who can view the video; (5) delete videos upon applicant request.
Illinois Employment AI Legislation
Illinois continues to expand employment AI regulation:
- HB 3773 (2024): Broader employment AI transparency and discrimination prevention requirements
- Amendments to AIVIA: Expanded disclosure and consent requirements
- Human Rights Act integration: AI discrimination treated as civil rights violation
Texas: Emerging AI Regulation
Texas, with its large technology sector and business-friendly reputation, has taken a measured approach to AI regulation while addressing specific concerns:
Texas Capture or Use of Biometric Identifier Act (CUBI)
Texas CUBI
Requires notice and consent before capturing biometric identifiers for commercial purposes. Unlike Illinois BIPA, Texas does not provide a private right of action—enforcement is through the Attorney General. Penalties up to $25,000 per violation.
Texas Data Privacy and Security Act (TDPSA)
Effective July 1, 2024, the TDPSA includes provisions affecting AI:
- Profiling opt-out: Consumers can opt out of profiling for decisions with legal or significant effects
- Data protection assessments: Required for processing that presents heightened risk, including profiling
- No private right of action: Attorney General enforcement only
Texas AI Advisory Council
Texas established an AI Advisory Council to study AI issues and recommend legislation. Areas under consideration include:
- AI in government decision-making
- AI in healthcare and insurance
- AI workforce implications
- AI safety and security standards
New York: Local and State AI Regulation
New York presents a complex regulatory landscape with both city-level and state-level AI requirements:
New York City Local Law 144 (Automated Employment Decision Tools)
NYC Local Law 144
- Scope: Automated employment decision tools (AEDTs) used in NYC hiring/promotion
- Bias audit: Annual independent audit for disparate impact by race, ethnicity, sex
- Publication: Audit summary must be publicly posted
- Notice: Candidates must be notified at least 10 days before AEDT use
- Penalties: $500 first violation; $500-$1,500 subsequent violations per day
New York State AI Legislation
New York State has multiple pending and enacted AI-related laws:
- NY SHIELD Act: Data security requirements applicable to AI systems processing personal information
- Proposed comprehensive AI bills: Multiple bills modeled on Colorado's approach
- Healthcare AI bills: Requirements for AI in clinical decision-making
- Insurance AI bills: Restrictions on AI in underwriting and claims
Other State AI Laws and Pending Legislation
Beyond the major states covered above, AI regulation is advancing across the country:
States with Privacy Laws Including AI Provisions
Virginia (VCDPA)
Enacted. Effective January 1, 2023
- Profiling opt-out rights
- Data protection assessments for profiling
- No private right of action
Connecticut (CTDPA)
Enacted. Effective July 1, 2023
- Profiling opt-out for legal/significant decisions
- Data protection assessments required
- 60-day cure period
Utah (UCPA)
Enacted. Effective December 31, 2023
- Consumer access to profiling information
- More limited than other state laws
- AG enforcement only
Montana (MCDPA)
Enacted. Effective October 1, 2024
- Profiling opt-out rights
- Data protection assessments
- 60-day cure period
Oregon (OCPA)
Enacted. Effective July 1, 2024
- Profiling opt-out for automated decisions
- Data protection assessments
- Cure period through 2026
Delaware (DPDPA)
Enacted. Effective January 1, 2025
- Profiling opt-out rights
- No revenue threshold
- Broad applicability
States with Biometric/Facial Recognition Laws
| State | Law | Private Action | Key Requirements |
|---|---|---|---|
| Illinois | BIPA | Yes | Most stringent; written consent required |
| Texas | CUBI | No | Notice and consent; AG enforcement |
| Washington | HB 1493 | No | Notice required; enrollment consent |
| Arkansas | PIPA | No | Notice and consent requirements |
| Maryland | SB 169 | No | Facial recognition restrictions in employment |
States with Government AI Restrictions
Several states have enacted or proposed restrictions on government use of AI:
- California: Restrictions on law enforcement facial recognition
- Massachusetts: Proposed moratorium on government facial recognition
- Maine: Limits on law enforcement use of facial recognition
- Vermont: Restrictions on government AI without human oversight
- Washington: State agency AI accountability requirements
State AI Law Comparison Matrix
This matrix provides a high-level comparison of key AI regulatory requirements across major states:
| Requirement | Colorado | California | Illinois | New York | Texas |
|---|---|---|---|---|---|
| Comprehensive AI Law | ✓ Enacted | Pending | Partial | Pending | — |
| Employment AI | ✓ | CPRA | ✓ AIVIA | ✓ LL144 | — |
| Biometric AI | — | CCPA | ✓ BIPA | Pending | ✓ CUBI |
| Impact Assessments | ✓ Required | ✓ CPRA | — | ✓ LL144 | ✓ TDPSA |
| Consumer Opt-Out | ✓ | ✓ | Limited | — | ✓ |
| Private Right of Action | No | Limited | Yes (BIPA) | No | No |
| Safe Harbor (Frameworks) | ✓ NIST/ISO | — | — | — | — |
Federal Context: No Comprehensive Law Yet
Understanding the federal landscape helps contextualize state action:
Why No Federal AI Law?
Despite bipartisan interest in AI regulation, federal legislation has stalled due to:
- Partisan disagreement: Different approaches to regulation vs. innovation promotion
- Industry lobbying: Tech companies opposing comprehensive requirements
- Definitional challenges: Difficulty defining "AI" and "high-risk" applications
- Jurisdictional complexity: Multiple committees claiming authority over AI
Existing Federal AI-Related Laws
While no comprehensive AI law exists, several federal laws affect AI deployment:
- Civil Rights Act (Title VII): Prohibits employment discrimination, including via AI
- Fair Credit Reporting Act (FCRA): Governs AI used in credit and background checks
- Equal Credit Opportunity Act (ECOA): Prohibits lending discrimination
- Fair Housing Act: Applies to AI in housing decisions
- Americans with Disabilities Act: AI accessibility requirements
- HIPAA: Governs AI processing protected health information
Federal Agency Guidance
Federal agencies have issued AI guidance within their regulatory domains:
- EEOC: Guidance on AI in employment decisions (May 2023)
- FTC: Enforcement actions against deceptive AI practices
- CFPB: Statements on AI in consumer financial services
- FDA: Guidance on AI/ML medical devices
- HHS OCR: AI guidance for HIPAA covered entities
NIST AI Risk Management Framework
The NIST AI RMF, released January 2023, provides a voluntary framework that multiple state laws reference. Colorado explicitly provides a safe harbor for organizations following NIST AI RMF or ISO 42001.
Multi-State Compliance Strategy
Organizations operating across multiple states need a strategic approach to managing divergent requirements:
Highest Common Denominator Approach
Rather than maintaining separate compliance programs for each state, implement controls satisfying the strictest applicable requirements:
Multi-State AI Compliance
- Adopt NIST AI RMF: Implement NIST AI Risk Management Framework as baseline. Provides Colorado safe harbor and maps to most state requirements. Document implementation across all four functions: Govern, Map, Measure, Manage.
- Implement Comprehensive Impact Assessments: Create impact assessment templates that satisfy Colorado, California CPRA, NYC LL144, and pending state requirements. Include bias testing, discrimination risk analysis, and consumer rights documentation.
- Build Unified Consumer Rights Infrastructure: Implement consumer-facing capabilities: opt-out mechanisms, explanation rights, data correction, appeal processes with human review. Design once, deploy across all states.
- Document for Multiple Regulators: Maintain documentation that can be adapted for any state regulator: risk management policies, bias testing results, training records, incident response procedures. Use standardized formats (model cards, dataset cards).
- Monitor Regulatory Evolution: Establish processes to track new state legislation, regulatory guidance, and enforcement actions. Update compliance programs proactively rather than reactively. Subscribe to AG office updates and industry associations.
Sector-Specific Considerations
Certain industries face additional state-specific requirements:
Healthcare AI
- HIPAA compliance remains primary federal requirement
- State health privacy laws may impose additional AI restrictions
- Insurance AI regulations vary significantly by state
- Telehealth AI may trigger multiple state licensing requirements
Employment AI
- NYC LL144 sets high bar for bias auditing
- Illinois AIVIA requires video interview AI disclosure
- Colorado covers all employment AI as high-risk
- EEOC guidance applies nationally to Title VII compliance
Financial Services AI
- FCRA and ECOA provide federal baseline
- State fair lending laws may be more restrictive
- Insurance AI regulations are state-by-state
- Model risk management (SR 11-7) applies to banks
Frequently Asked Questions
Which state has the strictest AI law?
Colorado currently has the most comprehensive state AI law with broad coverage of high-risk AI systems. However, Illinois BIPA is the strictest for biometric AI due to its private right of action and significant damages. For employment AI, NYC Local Law 144 sets rigorous bias audit requirements. California's pending ADMT regulations may eventually surpass Colorado in some respects.
Do state AI laws apply to companies headquartered elsewhere?
Yes. State AI laws typically apply based on where consumers are located, not where companies are headquartered. If you serve Colorado residents, make decisions affecting Illinois employees, or deploy AI impacting NYC job candidates, you must comply with those jurisdictions' laws regardless of your company's location.
Will federal AI law preempt state laws?
Uncertain. If comprehensive federal AI legislation passes, it may or may not preempt state laws depending on the law's language. Historically, federal privacy laws (like HIPAA and FCRA) have included limited preemption, allowing states to enact more protective requirements. Current state AI laws generally don't conflict with federal requirements—they fill gaps in federal coverage.
How do I know which state laws apply to my AI system?
Consider: (1) Where are the people affected by your AI decisions located? (2) What type of AI application is it (employment, healthcare, credit, etc.)? (3) What data does it process (biometric, personal information)? (4) Who deploys the system (government, private sector)? Most organizations operating nationally should assume the strictest applicable requirements apply.
What's the difference between a developer and deployer under state AI laws?
Developers create or substantially modify AI systems (model providers, algorithm developers). Deployers use AI systems to make decisions affecting consumers (employers using hiring AI, lenders using credit scoring). An organization can be both if they build and use their own AI. Each role has distinct compliance obligations under laws like the Colorado AI Act.
Do small businesses need to comply with state AI laws?
It depends on the law. Some states (like California and Virginia) have revenue or data volume thresholds. Colorado AI Act applies based on high-risk AI use, not company size. NYC LL144 applies to any employer using AEDTs in NYC hiring. Illinois BIPA has no size exemption. Check specific law thresholds, but assume requirements apply if you're using high-risk AI.
Key Takeaways
- Colorado leads: First comprehensive state AI law, effective June 2026 with reasonable care standard
- Patchwork is growing: 30+ states have AI bills; major states have enacted targeted laws
- NIST AI RMF provides safe harbor: Colorado explicitly recognizes framework compliance
- Illinois BIPA is highest risk: Private right of action creates significant litigation exposure
- National companies need unified approach: Implement highest common denominator controls
- More regulation coming: California ADMT, healthcare AI bills, and new state laws in 2026