AI Legislative and Regulatory Efforts Pick Up Steam: What We’re Watching

Kelley Drye & Warren LLP

AI capabilities are growing by the day, and with them, so are government efforts to put in place guardrails, principles, and rules to govern the AI space. In May alone, Utah’s Artificial Intelligence Policy Act became the first state-level AI law to take effect, Colorado and Minnesota enacted new laws addressing AI, and the European Union passed historic comprehensive AI regulations. Meanwhile, the FTC continues to issue AI-related guidance materials that emphasize the importance of transparency in human-AI interactions, especially those involving native advertising (prior guidance here and here). As we continue to monitor the flurry of activity underway, we outline below new laws and important bills, standards, and initiatives to monitor.

Federal Efforts

American Privacy Rights Act

Last week, the House Energy and Commerce Committee abruptly canceled a scheduled markup of the latest American Privacy Rights Act (APRA) discussion draft, Congress’s most recent comprehensive privacy proposal. Some privacy advocates welcomed the cancellation, strongly opposing the removal of AI and civil rights protections in the latest draft. These protections included prohibitions against algorithmic discrimination and requirements for transparency and impact assessments for AI systems.

At present, it seems APRA may not advance as far as the 2022 American Data Privacy and Protection Act, which was passed out of the Energy and Commerce Committee but ultimately never received a floor vote. With the August recess and October break ahead of the November elections approaching, the likelihood of any comprehensive privacy legislation reaching the House floor this year seems dim. However, we will continue to monitor these federal legislative efforts and their potential impact on AI providers.

White House Executive Order

Last year, the White House released the federal government’s first comprehensive guidelines regarding AI. Although the Executive Order focuses almost entirely on the government’s own use of AI, the ultimate effects of the order will be significant for private sector businesses engaging with federal agencies.

Pursuant to the Executive Order, on April 29, 2024, NIST released a draft risk management profile specifically addressing generative AI. The Generative AI Profile—which is intended as a companion resource to NIST’s AI Risk Management Framework—offers voluntary best practice guidance regarding the design, deployment, and operation of generative AI systems. As states continue to draft AI legislation, the NIST AI Risk Management Framework will likely continue to serve as an instructive reference point for legislators across the country.

State Legislation

Colorado AI Act

The Colorado AI Act, SB 205, is now set to take effect February 1, 2026, although the freshly-signed law is already slated for revisions: in a recent letter, Gov. Jared Polis, AG Phil Weiser and Senate Majority Leader Robert Rodriguez acknowledged that “a state by state patchwork of regulation” on AI poses “challenges to the cultivation of a strong technology sector” and promised to engage in a process to revise the new law to “minimize unintended consequences associated with its implementation.”

As drafted, the law introduces new obligations and reporting requirements for both developers and deployers of AI systems. Key requirements include:

  • Transparency. Moving forward, any businesses that use AI systems to interact with consumers must disclose this fact during consumer interactions.
  • Algorithmic Discrimination in High-Risk AI Systems. The new law seeks to combat “algorithmic discrimination,” where the use of AI results in outcomes that disfavor consumers based on several personal and sensitive data categories. High-risk AI systems are defined as systems used to make decisions about individuals in the areas of education, employment, finance or lending, government services, healthcare, housing, insurance, and legal. Developers and deployers of such systems have a duty to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination, and the law identifies specific obligations such entities must undertake.
  • Consumer Notice, Correction, and Opt-Out Rights. Consumers must be notified when high-risk AI systems are used to make any decisions about them in the areas outlined above (e.g., education, employment, etc.), and must have the right to correct inaccurate data and appeal the decision to a human reviewer.
  • Existing Obligations Under the Colorado Privacy Act (CPA). Deployers must also respect the existing rights of consumers under the CPA, including the right to opt out of the processing of personal information for profiling with legal or similarly significant effects concerning the consumer, including decisions made using AI. In April, Colorado amended the CPA’s definition of sensitive data to include both biological and neural data used either in isolation or in combination with other personal data elements for identification purposes. The CPA additionally creates AI-related disclosure obligations, requiring businesses to provide privacy policy language that details the personal data categories used for profiling, a plain-language explanation regarding the AI logic in use, explanations describing its benefits and potential consequences, and text explaining whether the system has been evaluated for accuracy, fairness or bias.
  • Enforcement. The Colorado attorney general has sole authority to enforce the Colorado AI Act, and the law includes no private right of action. Violations are considered breaches of Colorado’s general consumer protection laws, which can result in a maximum civil penalty of $20,000 per violation. Notably, each violation is counted individually for every affected consumer or transaction. Consequently, just 50 impacted consumers could result in a maximum civil penalty of $1 million. Actions must be brought within three years of the violation occurring, or from the time when the violation was discovered.

We’ll keep an eye on whether all these requirements survive the revision process suggested above.

Utah Artificial Intelligence Policy Act

On May 1, 2024, Utah’s Artificial Intelligence Policy Act, SB 149, became effective. Generally, Utah’s legislature has pursued a far lighter touch to AI regulation than Colorado. Key takeaways include:

  • Disclosure Upon Request. Most businesses and individuals will only be required to disclose the use of AI when prompted by a consumer.
  • Disclosing the Use of AI in Regulated Professions. Businesses and individuals operating within regulated professions (e.g., healthcare professionals) must prominently disclose the use of AI before its use with customers.
  • Responsibility for Generative AI Outputs. Companies are responsible for the outputs of their generative AI tools and cannot pass on blame if those tools violate Utah consumer protection laws.

Comprehensive State Privacy Laws

Twenty states have now passed comprehensive state privacy laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. These states, with the exceptions of Utah and Iowa, impose additional requirements on companies engaging in “profiling,” which is defined as the automated processing of personal data to analyze or predict something personal about an individual, such as one’s economic situation, behavior, health, or personal preferences. Under these laws, consumers must be able to opt out of being profiled in a manner that could lead to a “legal effect” on that consumer or another “similarly significant effect.” Although a few of these laws are currently effective, the majority come into effect over the next few years. Here are the key dates to keep in mind:

  • Effective in 2024. Florida, Montana, Oregon, and Texas have comprehensive privacy laws coming into effect in the next several months.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising