Last week, I had the pleasure of taking the main stage at CincyAI Week in Cincinnati, Ohio to talk with entrepreneurs, business leaders, academics, and artificial intelligence enthusiasts about the current state of AI policy, privacy, and compliance across the United States.
Here are the key takeaways from the presentation.
The Legal Landscape is Evolving Rapidly
Through June 2026, over 260 AI-specific laws have been enacted across the country. The largest share, roughly 40%, target AI-generated images and deepfakes. Another 25% focus on government and political campaign use of AI. Beyond that, we now have 21 automated decision-making laws, nine AI transparency laws, four employment-related AI laws, and two comprehensive AI statutes in Colorado and Texas.
Beyond AI-specific legislation, existing consumer privacy laws are playing an increasingly important role in regulating AI. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is a prime example. The CCPA gives consumers the right to know what personal information is being collected, to delete it, and to opt out of its sale or sharing. Those rights matter for AI. If your system relies on personal data for training or decision-making, the CCPA applies. Businesses processing personal information of California residents through AI tools need to meet CCPA requirements around transparency, data minimization, and purpose limitation. Likewise, CCPA’s “right to deletion” may cause problems for businesses relying upon personal information to continuously train underlying models. The CCPA also introduced the concept of “automated decision-making technology” and requires businesses to let consumers opt out of certain automated decisions. Other states have followed suit with their own comprehensive privacy laws, many of which include similar provisions relevant to AI.
Transparency is Important
Businesses should track disclosure obligations. That includes bot and AI identity disclosure, content labeling and provenance, and required disclosures in employment, healthcare, and telemarketing. This is one of the fastest-growing areas of AI regulation. Utah enacted the Artificial Intelligence Policy Act, which requires businesses to disclose when a consumer is interacting with generative AI rather than a human. California’s Bolstering Online Transparency Act does something similar, requiring clear disclosure when a bot is used to communicate with consumers. Several states now require labeling of AI-generated content in political advertising and elections so voters know when they are viewing synthetic media. Healthcare is seeing new transparency requirements around AI in patient communications and clinical decision support. In employment, disclosure is quickly becoming a baseline expectation. The common thread across all of these laws is simple: if AI is involved, people have a right to know.
Be Wary of AI Use in Employment Decisions
The trend lines are clear: anti-discrimination and bias prevention, pre-use notice to applicants and employees, recordkeeping, whistleblower protections, and human review. Illinois was an early mover. Its Artificial Intelligence Video Interview Act requires employers to notify applicants when AI is used to analyze video interviews, explain how the AI works, and get consent. Illinois also amended its Human Rights Act to prohibit AI that results in discrimination in employment decisions. Connecticut followed with its Senate Bill 5 (Public Act 26-15), requiring employers to notify candidates, offer an opportunity to appeal adverse decisions, and conduct impact assessments. These state-level laws signal a clear expectation: if you are using AI in hiring or workforce management, transparency and accountability are not optional.
Consider Data Privacy Issues with Respect to Training and Processing
Businesses should also look for training data transparency obligations, AI-specific privacy requirements for high-risk systems, and the extension of existing privacy laws to AI-generated data. Virginia, Colorado, Connecticut, Indiana, Texas, and others have enacted their own consumer privacy statutes, many with provisions directly relevant to AI. Common requirements include data minimization, purpose limitation, and data protection assessments before processing that presents a heightened risk of harm. Several statutes specifically call out profiling and automated decision-making. Some require opt-out rights for consumers subject to profiling that produces legal or similarly significant effects. For businesses deploying AI, these laws create overlapping obligations around how personal data is collected, used for model training, and fed into automated systems. The practical takeaway is that AI governance and privacy compliance are not separate workstreams. They need to be integrated.
Even Existing Laws Can Be Applied to AI
Title VII, HIPAA, and state consumer protection and unfair and deceptive trade practices statutes all have clear applications to AI. Title VII’s prohibition on employment discrimination does not go away because a hiring decision was made by an algorithm. If an AI tool produces a discriminatory outcome, the employer is still on the hook. The EEOC has made that clear. HIPAA applies to AI systems that handle protected health information, full stop. That covers AI-powered diagnostics, patient-facing chatbots, and predictive analytics in clinical settings. Covered entities and business associates need to make sure their AI vendors meet HIPAA’s privacy, security, and breach notification requirements. On the consumer protection side, the FTC has signaled that using AI to deceive consumers or make false claims about AI-powered products falls squarely within its Section 5 enforcement authority. State attorneys general have similar tools through UDAP statutes. The point is simple: you do not need a new AI-specific law to face liability. The existing framework covers a lot of ground.
So, What Should Businesses Do?
Start by continuing to comply with state AI and privacy laws, which remain in full effect regardless of what happens at the federal level. Rather than building AI governance from scratch, integrate it into your existing privacy compliance programs. When in doubt, default to notice and transparency. And understand how the AI tools you use handle data. How are models trained? What data do they ingest? Where is it being shared? You do not need to wait for a comprehensive federal AI law. The obligations are here now.
The bottom line: this is only getting more complex. Get ahead of it now.