US, California·Automated decisions·effective 2026-01-01
Regulations under the California Consumer Privacy Act governing businesses' use of automated decision-making technology to process consumers' personal information for significant decisions affecting finances, housing, education, employment, or health care.
Obligations & detailsHide details
ObligationsBusinesses using ADMT for significant decisions must: provide a Pre-use Notice disclosing the specific purpose for using ADMT and consumers' rights; honor consumer opt-out rights; honor consumer requests to access information about ADMT use. Risk assessment and cybersecurity audit requirements effective January 1, 2026. ADMT-specific compliance with opt-out and access rights required by January 1, 2027.- Applies to
- businesses subject to the CCPA that use ADMT to make or substantially make significant decisions affecting California consumers
- Enacted
- 2025-09-22
CPPA Board adopted July 24, 2025; approved by Office of Administrative Law and filed with Secretary of State September 22, 2025. Risk assessment provisions effective January 1, 2026. ADMT opt-out and access rights compliance required January 1, 2027. Attestations to CPPA due April 1, 2028.
US, California·Hiring·effective 2025-10-01
Applies to California employers with at least five employees (at least one in California) that use automated-decision systems in employment decisions.
Obligations & detailsHide details
ObligationsProhibits use of automated-decision systems in ways that discriminate against applicants or employees on the basis of FEHA-protected characteristics. Requires preservation of personnel records including ADS-related data for four years. Restricts online application technology that screens or ranks applicants in ways creating disparate impact on protected classes. Anti-bias testing constitutes an affirmative defense; absence of such testing can be evidence in a discrimination claim. Liability extends to third parties acting on behalf of employers.- Applies to
- California employers with 5+ employees using automated-decision systems in employment contexts
Regulations approved by the Office of Administrative Law on June 27, 2025, under the Fair Employment and Housing Act (FEHA). Distinct from the California CPPA ADMT regulations, which are privacy-law based. These are anti-discrimination regulations enforced through FEHA's existing framework.
US, California·Transparency·effective 2026-01-01
Requires developers of generative AI systems publicly available to Californians (released on or after January 1, 2022) to disclose training data on their website.
Obligations & detailsHide details
ObligationsDevelopers must post on their website documentation including: a high-level summary of datasets used; dataset sources and owners; how datasets serve the AI's intended purpose; number of data points; types of data points; whether data includes copyrighted, trademarked, or personal information; whether datasets were purchased or licensed; time period of data collection; and whether synthetic data generation was used.- Applies to
- developers of generative AI systems or services publicly accessible to California consumers, released or substantially modified on or after January 1, 2022
- Enacted
- 2024-09-28
Signed September 28, 2024. First US law establishing comprehensive training-data disclosure requirements. Exemptions for systems designed solely for security, aircraft operation, or national defense.
US, California·Safety·effective 2026-01-01
Imposes transparency, safety reporting, and whistleblower-protection obligations on developers of frontier AI models trained using more than 10^26 FLOPs. Additional requirements for large frontier developers with annual revenue over $500 million.
Obligations & detailsHide details
ObligationsFrontier developers must: publish a transparency report before or at launch of each new or substantially modified frontier model; report any critical safety incident to the California Office of Emergency Services within 15 days (24 hours for imminent risk of death or injury); comply with whistleblower protections for employees disclosing safety risks. Large frontier developers must additionally publish a frontier AI framework describing technical and organizational measures to assess and mitigate catastrophic risks, reviewed at least annually.- Applies to
- frontier developers (training compute greater than 10^26 FLOPs); heightened obligations for large frontier developers (annual revenue greater than $500 million)
- Enacted
- 2025-09-29
- Penalties
- Civil penalty not to exceed $1,000,000 per violation for failure to publish required documents, false statements, failure to report incidents, or failure to comply with own framework.
Signed September 29, 2025. The first US frontier AI safety law. Successor to the vetoed SB 1047; takes a lighter-touch approach focused on transparency and reporting rather than pre-deployment safety tests. CalCompute consortium provision operative only upon budget appropriation.
US, Illinois·Hiring·effective 2020-01-01
Applies to any employer that asks applicants for Illinois positions to record video interviews and uses artificial intelligence to analyze those videos.
Obligations & detailsHide details
ObligationsBefore the interview: notify applicants that AI may be used to evaluate them, explain how the AI works and what characteristics it uses, and obtain written consent. Employers may not share applicant videos except with persons whose expertise or technology is necessary for evaluation. Upon applicant request, delete videos within 30 days. Employers relying solely on AI analysis must annually report applicant race and ethnicity data to the Department of Commerce and Economic Opportunity.- Applies to
- employers using AI analysis of video interviews for Illinois-based positions
Enacted as P.A. 101-260 (signed August 9, 2019). Demographic reporting requirement added effective January 1, 2022 by P.A. 102-47. No statutory monetary penalties specified in the Act; enforcement may proceed through civil action.
US, Illinois·Hiring·effective 2026-01-01
Amends the Illinois Human Rights Act to address employer use of AI across the full employment lifecycle in Illinois.
Obligations & detailsHide details
ObligationsIt is a civil rights violation for an employer to: (1) use AI that has the effect of subjecting employees or applicants to discrimination on the basis of IHRA-protected classes; (2) use zip codes as a proxy for protected classes; or (3) fail to notify employees and applicants that AI is being used in covered employment decisions. Covers recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, and other terms or conditions of employment. The Illinois Department of Human Rights (IDHR) is responsible for adopting implementing rules.- Applies to
- employers operating in Illinois using AI in covered employment decisions
- Enacted
- 2024-08-09
- Penalties
- Liable for actual damages, civil penalties up to 5,000 USD per willful or repeated violation, attorneys fees, and compliance reporting; each affected individual may count as a separate violation.
Enacted as Public Act 103-0804. IDHR temporarily postponed rulemaking and a June 10, 2026 public hearing to allow continued collaboration with other state agencies.
US, Maryland·Hiring·effective 2020-10-01
Prohibits employers from using facial recognition services to create facial templates of job applicants during employment interviews unless the applicant provides written consent.
Obligations & detailsHide details
ObligationsEmployer may not use facial recognition during an applicant's interview to generate a facial template unless the applicant signs a written waiver specifying: the applicant's name, the date of the interview, a statement that the applicant consents, and confirmation the applicant has read the waiver.- Applies to
- employers using facial recognition services during employment interviews in Maryland
- Enacted
- 2020-05-08
Enacted as Chapter 446 of the 2020 Laws of Maryland, codified at Maryland Labor and Employment Article Section 3-717. Passed the House 133-0 and Senate 45-0. No specific statutory monetary penalties; enforcement through existing Maryland employment law frameworks and civil action.
US, Texas·General·effective 2026-01-01
Regulates development and deployment of high-risk AI systems in Texas that make or substantially factor into consequential decisions in employment, education, healthcare, housing, insurance, financial services, or government services. Prohibits specific harmful AI uses.
Obligations & detailsHide details
ObligationsDevelopers and deployers of high-risk AI systems must conduct impact assessments. Prohibited practices include: AI systems designed to encourage self-harm or criminal activity; AI systems producing child sexual abuse imagery or deepfake pornography involving minors; government use of social scoring. NIST AI RMF GenAI Profile compliance is an affirmative defense. A 36-month regulatory sandbox allows approved participants to test AI applications.- Applies to
- entities that develop or deploy AI systems in Texas, advertise or conduct business in the state, or offer products or services used by Texas residents
- Enacted
- 2025-06-22
- Penalties
- Enforceable exclusively by the Texas Attorney General; penalties up to $200,000 per uncurable violation and $40,000 per day for continuing violations. 60-day cure period for curable violations.
Signed June 22, 2025 by Governor Greg Abbott; effective January 1, 2026. A pared-back version of the original TRAIGA proposal; does not require broad risk management programs for all high-risk AI. Focuses on prohibited uses and impact assessments.
US, Utah·Transparency·effective 2024-05-01
Requires businesses using generative AI in regulated consumer interactions to disclose AI involvement when asked; prohibits AI-generated content used to defraud or deceive consumers; establishes the Utah Office of Artificial Intelligence Policy and a regulatory sandbox.
Obligations & detailsHide details
ObligationsPersons using generative AI in consumer interactions must clearly and conspicuously disclose AI involvement when a consumer asks whether they are interacting with AI or a human. Using generative AI to generate content with intent to defraud, deceive, or manipulate consumers constitutes a deceptive trade practice. AI tools used by licensed professionals remain subject to existing professional licensing requirements.- Applies to
- businesses using generative AI in consumer interactions; regulated occupations using AI with clients
- Enacted
- 2024-03-13
- Penalties
- Division of Consumer Protection may seek fines up to $2,500 per violation; potential private lawsuits for triple damages in willful cases.
Signed March 13, 2024; effective May 1, 2024. First US state law regulating private-sector use of generative AI. Originally set to automatically repeal May 7, 2025; SB 332 (2025) extended expiration to July 2027. 2025 amendments (SB 226, SB 332, HB 452, SB 271) added rules on consumer protection, mental-health AI applications, and deepfakes.
US, California·Transparency·effective 2026-08-02
Requires large generative AI providers (over 1,000,000 monthly users or visitors in California) to make available a free AI-content detection tool and to include disclosures in AI-generated content.
Obligations & detailsHide details
ObligationsCovered providers must: make available a free AI detection tool allowing users to assess whether image, video, or audio content was created by the provider's generative AI system; include manifest disclosures in AI-generated content; support latent disclosures (content provenance metadata). AB 853 (2025) added requirements for large online platforms and GenAI hosting platforms effective January 1, 2027.- Applies to
- persons that create, code, or otherwise produce a generative AI system with over 1,000,000 monthly visitors or users publicly accessible in California
- Enacted
- 2024-09-19
Signed September 19, 2024. Original operative date January 1, 2026, extended to August 2, 2026 by AB 853 (signed October 13, 2025). As of June 22, 2026, not yet operative.
US, Colorado·Automated decisions·effective 2027-01-01
Regulates use of automated decision-making technology that materially influences consequential decisions, including employment, housing, education, healthcare, financial services, and government benefits. Excludes routine tools such as calculators, spreadsheets, antivirus software, and fraud prevention systems.
Obligations & detailsHide details
ObligationsDevelopers: provide deployers with technical documentation on intended uses, training data categories, known limitations, and instructions; notify deployers of material updates; retain records for three years. Deployers: provide clear pre-use notice at point of interaction; within 30 days of an adverse outcome, furnish a plain-language explanation of the ADMT role. Consumers have rights to request data correction and meaningful human review following adverse outcomes where commercially reasonable.- Applies to
- developers and deployers of covered ADMT used in consequential decisions affecting Colorado residents
- Enacted
- 2026-05-14
Signed May 14, 2026 by Governor Polis. Repeals and replaces SB 24-205 (the original 2024 Colorado AI Act, which never went into effect). No private right of action; enforcement exclusively by the Colorado Attorney General as unfair/deceptive trade practices with a 60-day cure period (sunsets January 1, 2030). Developer technical-documentation obligations begin January 1, 2027.
US, New York·Safety·effective 2027-01-01
Requires large frontier AI developers to publish safety frameworks, report critical safety incidents to the state within 72 hours, and submit to oversight by a new office within the New York Department of Financial Services. Applies to companies with annual revenue exceeding $500 million that develop frontier models trained using more than 10^26 FLOPs.
Obligations & detailsHide details
ObligationsLarge frontier developers must: create and publish detailed plans describing how they handle safety standards, risk assessment, risk-mitigation techniques, third-party catastrophic-risk evaluation, cybersecurity to prevent model theft, safety-incident response, and best-practices frameworks; report safety incidents to the State within 72 hours of determining an incident occurred.- Applies to
- large frontier developers: companies with annual revenue exceeding $500 million that develop frontier models (training compute greater than 10^26 FLOPs)
- Enacted
- 2025-12-19
- Penalties
- New York Attorney General may bring civil actions; penalties up to $1,000,000 for first violation and $3,000,000 for subsequent violations for failure to report or false statements.
Signed December 19, 2025 by Governor Hochul; chapter amendment signed March 27, 2026. Second US frontier AI safety law after California SB 53. Creates oversight office within the Department of Financial Services. Effective January 1, 2027.
US, California·Safety·effective
Would have imposed pre-deployment safety testing, kill-switch requirements, and developer liability for harms caused by AI models trained at a cost exceeding $100 million or using substantial computational power.
Obligations & detailsHide details
Obligations- Applies to
- developers of covered AI models (training cost exceeding $100 million)
Vetoed by Governor Newsom on September 29, 2024. The successor, SB 53 (TFAIA), was signed in 2025 with a narrower scope. Widely cited in the regulatory debate; included here because practitioners frequently ask about it.
US, Colorado·General·effective
Broad risk-based duties on developers and deployers of high-risk AI systems that could cause algorithmic discrimination in consequential decisions; covered sectors included employment, housing, health care, education, and financial services.
Obligations & detailsHide details
ObligationsDevelopers: use reasonable care to protect consumers from algorithmic discrimination; maintain risk management policies; make impact assessments available. Deployers: conduct impact assessments; notify consumers; disclose AI use in consequential decisions.- Applies to
- developers and deployers of high-risk AI systems used by Colorado consumers
- Enacted
- 2024-05-17
Signed May 17, 2024. Implementation delayed twice (first to Feb 2026, then Jun 2026 via SB 25B-004). On May 14, 2026, Governor Polis signed SB 26-189, which repeals SB 24-205 in its entirety and replaces it with a narrower ADMT framework. The original law never took effect.
