We have promised you a bevy of AI + law headlines this year, and we intend to deliver. Fortunately, so do state legislatures, which are busy considering bills to regulate different aspects or applications of AI. Here is a brief overview: some states are going for disclosure requirements, some for safety assurances, some for back-end liability if things go wrong, some for a cross-over with data privacy, and some, for good measure, are trying to pass comprehensive legislation that would touch on multiple areas from that list.
WHY IT MATTERS
The US has no over-arching federal regulation of AI. The incoming administration is formulating some AI plans that appear, for now, to relate to boosting investment in AI (more on that in separate posts). But neither Congress nor federal regulators has passed any meaningful AI rules. Enter the states.
If this sounds familiar, it should: a very similar thing has happened on the data privacy front. By the end of this year, we will have dozens of state privacy laws on the books, regulating everything from opt-in consent to liability for data breach to privacy of health data. The state laws started out as comprehensive statutes that aimed to cover privacy generally. They are becoming increasingly specialized, however, as to the types of data they cover.
We may see the same sort of fragmentation in AI. Already, different states have enacted laws regulating AI differently – e.g., some apply only to using fake content in election ads, some require disclosure to consumers, etc. This environment can be a challenge for small companies, which may lack the resources to parse multiple overlapping or conflicting state laws and decide how to reconcile them operationally.
To that end, however, we may also see that AI follows the trend of data privacy, which often uses the EU's bloc-wide (federal) legislative rules as a starting point for best practices. Indeed, many small companies are likely to be required (by contract with their larger customers) to implement EU-type AI compliance into their operations. This has been the norm for many years in privacy, and should feel familiar. In short, AI may come to feel like it is led by EU rules and enhanced by state law compliance – as is often the case in the data privacy area.
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2025-02-11-19-57-18-862-67abab9ec921c768e82658c1.jpg)
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2025-02-04-16-51-42-335-67a2459e492e357b9e7b047d.jpg)
/Passle/5fe0c4f453548a10fc881e09/SearchServiceImages/2025-02-04-14-45-49-042-67a2281d46247b2a3c2e8fac.jpg)