Applicable Regulations
On 2026-05-14 Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act (originally SB 24-205). The new law abandons the risk-management / annual-impact-assessment model and replaces it with a disclosure-and-notice framework governing "automated decision-making technology" (ADMT) that makes or substantially influences "consequential decisions" (education, employment, housing, financial services, insurance, healthcare, government services). The statute formally takes effect 2026-08-12 (no safety clause), but all substantive compliance obligations — for both deployers and developers — begin 2027-01-01, which is the operative date for regulated businesses; the Attorney General's implementing rules are also due by 2027-01-01. The AG has stated he will not enforce until the mandatory rulemaking process concludes.
Key Requirements
Interaction Notice Deployers must give clear notice at the point of interaction when a consumer interacts with an automated decision-making technology (ADMT)
Adverse-Outcome Disclosure Provide a plain-language explanation within 30 days of an adverse consequential decision made or substantially influenced by an ADMT
Data Correction Right Allow consumers to request correction of factually incorrect personal data used by the ADMT
Meaningful Human Review Provide meaningful human review and reconsideration after an adverse consequential decision
Developer Documentation Developers must supply technical documentation (intended uses, known harmful uses, training-data categories, known limitations and risks, and instructions enabling meaningful human review), notify deployers of material updates, and retain compliance records for 3+ years. Like all duties under the act, these obligations begin 2027-01-01
Effective: 2027-01-01 Penalties: Enforced exclusively by the Colorado Attorney General; violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Before enforcement the AG must give 60 days' written notice and an opportunity to cure; this cure right sunsets 2030-01-01, after which enforcement may be immediate. The AG has stated no enforcement will occur until the mandatory rulemaking process concludes.
Amends the Illinois Human Rights Act (775 ILCS 5/) to prohibit employers from using artificial intelligence that subjects employees or applicants to discrimination based on protected classes, and from using zip codes as a proxy for protected classes. Requires employers to notify employees when AI is used in recruitment, hiring, promotion, discharge, discipline, or other terms and conditions of employment. Defines "artificial intelligence" and "generative artificial intelligence" for purposes of the Act.
Key Requirements
AI Discrimination Prohibition Cannot use AI that has the effect of subjecting employees to discrimination on the basis of protected classes identified under the Illinois Human Rights Act
Zip Code Proxy Ban Cannot use zip codes as a proxy for protected classes under the Illinois Human Rights Act
Employee Notice of AI Use Must provide notice to an employee that the employer is using AI for recruitment, hiring, promotion, discharge, discipline, or other employment-related decisions
Effective: 2026-01-01 Penalties: Enforced through the Illinois Human Rights Act framework by the Illinois Department of Human Rights (IDHR); remedies follow IHRA procedures (injunctive relief, damages, attorney's fees) rather than a specific monetary penalty schedule in the amendment itself.
Requires providers of large-scale generative AI systems (1 million+ monthly users) to make AI-generated content detectable through free public detection tools and embedded technical watermarks in image, video, and audio output. Signed September 19, 2024.
Key Requirements
Free AI Detection Tool Offer a free, publicly accessible tool allowing anyone to assess whether image, video, or audio content was created or altered by the provider's generative AI system
Manifest Disclosure Give users the option to attach a clear, conspicuous, human-readable disclosure on AI-generated content
Latent Technical Disclosure Embed technical metadata (provider name, system version, creation date, unique identifier) in AI-generated content, detectable by the provider's tool
Third-Party Licensee Enforcement Revoke licenses within 96 hours if a licensee disables disclosure capabilities
Effective: 2026-01-01 Penalties: Civil penalties of $5,000 per violation, each day constituting a separate violation.
Public Act 23-16 — the enacted form of Connecticut SB-1103 (2023 session). Signed by Governor Ned Lamont on June 7, 2023, making Connecticut among the first states to impose oversight on state agency use of AI. Government-only scope: does NOT directly regulate private-sector AI. Requires state agencies to complete impact assessments before deploying AI systems, publish a public AI inventory, and submit annual reports to the joint standing consumer-protection committee. Sections 1–3 effective July 1, 2023; Section 4 effective October 1, 2023; Section 5 effective upon passage.
Key Requirements
State Agency AI Impact Assessments State agencies may not employ AI systems that have not undergone impact assessments or that result in unlawful discrimination or disparate impact against specified individuals or groups
Public AI Inventory All inventory reports detailing AI systems used by state agencies and the Judicial Department must be publicly accessible online, with the Department of Administrative Services making its inventories available on the state's open data site
Annual Consumer-Protection Report Annual report to the joint standing committee on consumer protection, due February 15 beginning 2025 and annually thereafter
Effective: 2023-07-01 Penalties: Oversight and enforcement through legislative reporting requirements. Agencies failing to comply face ongoing reporting obligations to the Connecticut General Assembly.
Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.
Key Requirements
Core Consumer Rights Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.
Opt-Out of Profiling and Targeted Advertising Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Profiling Challenge and Explanation Right When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.
Data Protection Assessment Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.
Privacy Notice Requirements Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.
Attorney General Enforcement Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.
Effective: 2025-07-31 Penalties: Civil penalties of up to $7,500 per violation, enforceable by the Minnesota Attorney General. No private right of action. Court may also award injunctive relief and litigation costs. The 30-day cure period expired January 31, 2026; full enforcement without cure rights began February 1, 2026.
Signed June 22, 2025; effective January 1, 2026. TRAIGA is Texas's primary comprehensive AI governance law from the 89th Legislature. It establishes prohibited AI practices applying to all entities that promote, advertise, or conduct business in Texas, produce products or services for Texas residents, or develop/deploy AI systems in the state. Key prohibitions cover behavioral manipulation (inciting self-harm, violence, or criminal activity), government social scoring, unlawful discrimination, government biometric identification from public sources without consent, and constitutional rights infringement via AI. Government agencies must disclose to consumers when they are interacting with an AI system, using clear and conspicuous language free of dark patterns; healthcare-provider AI disclosure to patients is governed separately by Texas SB 1188. Enforcement is exclusively by the Texas Attorney General; no private right of action exists. A 36-month regulatory sandbox program allows companies to test AI systems with certain requirements waived. The law also establishes the Texas Artificial Intelligence Council (seven members) to advise on ethical, privacy, and public safety implications — though the Council cannot adopt binding rules.
Key Requirements
Prohibition on Behavioral Manipulation Cannot develop or deploy AI systems intentionally designed to incite or encourage a person to commit physical self-harm (including suicide), harm another person, or engage in criminal activity
Government Social Scoring Ban Government entities cannot use AI to assign detrimental categorical scores to individuals based on their behavior or personal characteristics
Biometric Identification Prohibition (Government Entities) Government entities cannot use AI with publicly available images or data to uniquely identify individuals via biometric identifiers without consent (law enforcement and fraud prevention excepted). This prohibition does not apply to private-sector employers; their biometric consent obligations for AI tools — such as video-interview face or voice capture — are governed by Texas's CUBI statute (Tex. Bus. & Com. Code §503.001), which TRAIGA amended effective January 1, 2026
Unlawful Discrimination Prohibition Cannot intentionally deploy AI to discriminate against protected classes under state and federal law; note that disparate impact alone is insufficient to prove intent
Constitutional Rights Protection Cannot develop or deploy AI systems designed to infringe constitutional rights or target individuals based on constitutionally protected characteristics
AI Interaction Disclosure Government agencies must disclose to consumers, before or at the time of interaction, that they are interacting with an AI system; disclosures must be clear and conspicuous with no dark patterns. Healthcare-provider AI disclosure to patients is governed separately by Texas SB 1188 (effective September 1, 2025), not by TRAIGA
Effective: 2026-01-01 Penalties: Civil penalties enforced exclusively by the Texas Attorney General. Curable violations: up to $12,000 per violation. Uncurable violations: up to $200,000 per violation. Continuing violations: up to $40,000 per day. A 60-day written cure period is provided before enforcement action for curable violations. State agencies may also impose additional sanctions including license suspension or revocation up to $100,000.
Makes New York the first state to impose comprehensive oversight on how state agencies use automated decision-making systems and AI. Mandates public disclosure of existing AI systems, prohibits unauthorized agency AI use without meaningful human review, and requires impact assessments. Government-sector law; does not directly impose obligations on private businesses.
Key Requirements
Agency AI Inventory Disclosure State agencies must disclose every automated decision-making system in use, including vendor, purpose, start date, and extent of human replacement
Authorization Requirement Agencies may not use automated decision-making systems without authorization and must ensure meaningful human review
Impact Assessments Agencies must publish impact assessments for any new or substantially modified automated decision-making system
Human Oversight No state agency decision-making process may be fully delegated to an automated system
Effective: 2024-12-21 Penalties: Oversight and enforcement through legislative reporting requirements. Agencies failing to comply face reporting obligations to the legislature.
Utah's Artificial Intelligence Policy Act (SB 149, signed March 13, 2024; effective May 1, 2024) was the first US state law regulating private-sector generative AI. It requires any entity using consumer-facing generative AI to disclose AI involvement when clearly and unambiguously asked by the consumer. Entities operating in "regulated occupations" (those requiring a Utah Department of Commerce license or state certification — including attorneys, insurance producers, healthcare providers, and other licensed professionals) must proactively disclose AI use at the start of each interaction, without waiting to be asked. The law establishes that using AI is not a defense to violations of existing consumer protection statutes. It also creates the Office of Artificial Intelligence Policy and an AI Learning Laboratory regulatory sandbox. Amended by SB 226 (effective May 7, 2025), which narrowed the disclosure trigger to require a "clear and unambiguous" consumer request, added a "high-risk AI interaction" category requiring proactive disclosure for regulated occupations in sensitive decision contexts, narrowed the GenAI definition to systems "designed to simulate human conversation," and established a statutory safe harbor for compliant disclosures. SB 332 extended the UAIPA's sunset date from May 2025 to July 1, 2027.
Key Requirements
On-Request Disclosure (General) Any entity using generative AI in a consumer interaction must clearly and conspicuously disclose that a person is interacting with AI (not a human) when the consumer makes a clear and unambiguous request to know whether they are interacting with AI. Oral disclosure for verbal interactions; written disclosure for text-based interactions.
Proactive Disclosure (Regulated Occupations) Entities providing services in a regulated occupation — any occupation requiring a Utah Department of Commerce license or state certification — must proactively disclose GenAI use at the beginning of an interaction during a high-risk AI interaction. A high-risk interaction involves (a) collection of sensitive personal information (health, financial, or biometric data) AND (b) providing personalized recommendations, advice, or information the consumer could reasonably rely on to make significant personal decisions, including financial, legal, medical, or mental health advice.
No AI-as-Defense It is not a defense to violation of any consumer protection statute that an AI system generated the violative content or act. Liability attaches to the deploying entity.
Safe Harbor A person is not subject to enforcement action if the generative AI clearly and conspicuously discloses it is nonhuman at the outset of and throughout the consumer interaction. Disclosure must be provided orally at the start of verbal interactions and in writing before written interactions.
Effective: 2024-05-01 Penalties: Enforced by the Utah Division of Consumer Protection (Utah AG may also act). Administrative fines up to $2,500 per violation. Civil penalties up to $5,000 per violation of a prior administrative or court order. Additional remedies include injunctive relief, disgorgement of profits, restitution, and prevailing-party attorney fees and investigative costs. No private right of action.
Amends Tennessee's existing Personal Rights Protection Act (TN Code Ann. § 47-25-1101 et seq.) to add explicit protection for an individual's "voice" alongside name, photograph, and likeness. Prohibits the unauthorized commercial use or distribution of any individual's voice — whether actual or AI-simulated — without consent. Establishes secondary liability for those who distribute AI tools or platforms whose primary purpose is producing a particular individual's voice or likeness without authorization. Signed March 21, 2024 by Governor Bill Lee; effective July 1, 2024. Public Chapter 588 (113th General Assembly).
Key Requirements
Consent Required for Voice Use No person may publish, perform, distribute, transmit, or otherwise make available an individual's voice — including AI-simulated replicas — for commercial purposes without prior authorization from that individual
Broad Definition of Voice Protected 'voice' means any sound in a medium that is readily identifiable and attributable to a particular individual, regardless of whether it contains the actual voice or a simulation of the voice
Secondary Liability for AI Platforms Any person who distributes, makes available, or otherwise provides an AI tool or service whose primary purpose or function is the production of a particular identifiable individual's voice or likeness without authorization is subject to liability
Platform Safe Harbor Media platform owners and employees are not liable unless they had knowledge, or reasonably should have known, of the unauthorized use
Civil Remedies Including Treble Damages Injured individuals may seek actual damages, injunctive relief, and treble damages when the defendant knowingly used an unauthorized voice replica; additional treble damages plus attorney fees apply for unauthorized replicas of armed forces members
Effective: 2024-07-01 Penalties: Criminal: Class A misdemeanor carrying up to 11 months and 29 days imprisonment and fines up to $2,500 per violation. Civil: actual damages, injunctive relief, and treble damages for knowing violations. Additional treble damages plus attorney fees for unauthorized replicas of armed forces members.
Passed by the Virginia General Assembly on February 20, 2025, but VETOED by Governor Glenn Youngkin on March 24, 2025. Would have made Virginia the second U.S. state to enact comprehensive AI regulation. The bill targeted machine-learning-based AI systems used as the principal basis for consequential decisions — defined as decisions with material legal or similarly significant effects on consumers regarding education, employment, financial services, health care, housing, insurance, legal services, or marital status. Developers would have been required to exercise a reasonable duty of care against algorithmic discrimination and provide deployers with documentation on system performance and limitations. Deployers would have been required to implement risk management programs, conduct algorithmic impact assessments before deployment and after significant updates, and disclose AI use to affected consumers with an opportunity to correct inaccuracies or appeal adverse decisions. Enforcement by the Virginia Attorney General with fines of $1,000 per violation and up to $10,000 for willful violations, with a 45-day right-to-cure period. Governor Youngkin vetoed citing burdens on small businesses and startups. Delegate Maldonado has indicated plans to reintroduce narrower legislation targeting healthcare in a future session.
Key Requirements
Developer Duty of Care Developers must use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination arising from intended and contracted uses of high-risk AI systems
Developer Documentation Developers must provide deployers with documentation describing system performance evaluation, intended outputs, risk mitigation measures, proper use, prohibited uses, and monitoring requirements
Synthetic Content Detection Developers must ensure AI-generated synthetic material can be detected using industry-standard tools or tools provided by the developer
Deployer Risk Management Program Deployers must devise and implement a risk management policy and program specific to each high-risk AI system they deploy
Algorithmic Impact Assessment Deployers must complete an impact assessment before deployment and before significant updates, covering system purpose, discriminatory risks, and mitigation steps; records retained for the longer of deployment duration plus 3 years
Consumer Disclosure Deployers must disclose to consumers when a high-risk AI system made or substantially influenced a consequential decision affecting them, including principal reasons for the decision
Consumer Correction and Appeal Rights Deployers must provide consumers an opportunity to correct inaccurate personal data used in consequential decisions and to appeal adverse decisions
Effective: Penalties: Attorney General enforcement. Civil penalties up to $1,000 per violation with attorney fee shifting; willful violations up to $10,000 per violation. Discretionary 45-day right-to-cure period before formal penalties apply.
Enacted as Chapter 747, signed May 20, 2025 by Governor Wes Moore. Requires health insurance carriers, pharmacy benefit managers (PBMs), and private review agents (PRAs) that use AI, algorithms, or software tools in utilization review to base coverage determinations on each enrollee's individual clinical information — not aggregate group datasets. Mandates quarterly AI performance reviews, written AI use policies, annual reporting to the Insurance Commissioner on AI-driven adverse decisions, and auditable access to AI tools for the Commissioner. Final coverage decisions must be made by a licensed physician with relevant clinical experience, not by AI alone. Mirrors California SB 1120 (2024) in structure and intent.
Key Requirements
Individual Clinical Basis Required AI tools used in utilization review must base determinations on the enrollee's specific medical or clinical history and individual clinical circumstances reported by the treating provider — not on aggregate population or group datasets
Clinician Final Decision Final medical necessity and coverage decisions must be made by a licensed physician with clinical experience relevant to the condition under review; AI may not replace clinician judgment
Written AI Use Policies Carriers, PBMs, and PRAs must develop and maintain written policies and procedures governing their use of AI tools in utilization management
Quarterly AI Performance Review Regulated entities must conduct at least quarterly reviews evaluating the performance, use, and patient outcomes of AI tools used in utilization review
Annual Reporting to Commissioner Carriers must report metrics on AI use in adverse coverage decisions to the Insurance Commissioner, who compiles annual summary reports
Commissioner Audit Access AI tools must remain available for audit or compliance review by the Insurance Commissioner on request
Non-Discrimination Requirement AI tool use must not result in unfair discrimination against enrollees
Effective: 2025-10-01 Penalties: Criminal: misdemeanor charges for willful violations. Administrative: the Insurance Commissioner may deny, suspend, or revoke certificates of authority; issue cease-and-desist orders; impose administrative monetary penalties; and order restitution to harmed enrollees. (Insurance Article enforcement framework applies.)