Status of AI-specific legislation

On September 12, 2023, the US Senate held public hearings regarding AI,¹⁴ which laid out potential forthcoming AI regulations. Possible legislation could include requiring licensing and creating a new federal regulatory agency. Additionally, US lawmakers held closed-door listening sessions with AI developers, technology leaders and civil society groups on September 13, 2023 in a continued push to understand and address AI.¹⁵

There are several proposed federal laws related to AI. A non-exhaustive list of key examples includes:

SANDBOX Act¹⁶, which seeks to establish a federal "regulatory sandbox" for AI developers to apply for waivers or modifications on compliance with federal regulations in order to test, experiment with, or temporarily offer AI products and services.

The SAFE Innovation AI Framework,¹⁷ which is a bipartisan set of guidelines for AI developers, companies and policymakers. This is not a law, but rather a set of principles to encourage federal law-making on AI.

The REAL Political Advertisements Act,¹⁸ which aims to regulate generative AI in political advertisements.

The Stop Spying Bosses Act,¹⁹ which aims to regulate employers surveilling employees with machine learning and AI techniques.

The Draft No FAKES Act,²⁰ which would protect voice and visual likenesses of individuals from unauthorized recreations from Generative AI.

The AI Research Innovation and Accountability Act,²¹ which calls for greater transparency, accountability and security in AI, while establishing a framework for AI innovation. It would create an enforceable testing and evaluation standard for high-risk AI systems and require companies that use high-risk AI systems to produce transparency reports. It also empowers the National Institute of Standards and Technology to issue sector-specific recommendations to regulate them.

The American Privacy Rights Act, which would create a comprehensive consumer privacy framework.²² The draft bill includes provisions on algorithms, including a right to opt-out of covered algorithms used to make or facilitate consequential decisions.

House Republicans had included a provision in the "One Big Beautiful Bill Act" (enacted July 4, 2025) proposing a 10-year moratorium on state and local AI regulations. This move purportedly aimed to establish uniform federal oversight but sparked bipartisan opposition from many state lawmakers concerned about losing the ability to address AI-related harm locally. Ultimately, on July 1, 2025, the Senate voted 99-1 to remove the proposed moratorium – there was broad agreement among lawmakers and consumer protection advocates that the provision was unreasonably vague and likely to spur a wave of litigation about its scope and impact. Various lawmakers also expressed concerns that the moratorium would undermine efforts to regulate AI for purposes such as improving children's online safety and preventing deceptive trade practices.

Absent federal legislation, we can expect to see more state laws, and state legislatures have already introduced a substantial number of bills aimed at regulating AI, notably:

• On May 17, 2024, Colorado enacted the first comprehensive US AI legislation, the Colorado AI Act. The Act creates duties for developers and for those that deploy AI. Unlike certain state privacy laws, there is no revenue threshold for applicability – the Act applies to all developers and deployers of high-risk AI systems in Colorado. The Act focuses on automated decision-making systems and defines a covered high-risk AI system as one that "when deployed, makes, or is a substantial factor in making a consequential decision" that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: education, employment, essential government services, healthcare, housing, insurance, and legal services. There is a specific focus on bias and discrimination, and developers and deployers must use reasonable care to avoid discrimination via AI systems that make, or are a substantial factor in making a consequential decision in the above enumerated fields. The Act will go into effect in 2026. Before the law takes effect, the state legislature will host special legislative sessions to address the fiscal impact of the Act and practical considerations relating to its implementation. This will offer an opportunity to respond to industry concerns and clarify some of the legislative requirements.²³
• The Colorado AI Act is emerging as a key template for state AI regulation. For example, state legislatures in Connecticut, Massachusetts, New Mexico, New York, and Virginia are considering bills that would generally track the Colorado AI Act and impose safeguards against bias by AI systems.
• In September 2024, California enacted various AI bills relating to transparency, privacy, entertainment, election integrity, and government accountability. Some of the key laws include:
  • Assembly Bill 2655 (in effect): Defending Democracy from Deepfake Deception Act:²⁴ requires large online platforms to identify and block the publication of materially deceptive content related to elections in California during specified time periods before and after an election. Additionally, under this Act, large online platforms must label – within 72 hours of notice – certain content as inauthentic, fake, or false during specified time periods before and after an election in California.
  • Assembly Bill 1836 (in effect): Use of Likeness: Digital Replica Act:²⁵ establishes a cause of action for beneficiaries of deceased celebrities to recover damages for the unauthorized use of an AI-created digital replica of the celebrity in audiovisual works or sound recordings. This Act requires deployers of AI systems to obtain the consent of a deceased personality's estate before producing, distributing, or making available the digital replica of a deceased personality's voice or likeness in an expressive audiovisual work or sound recording.
  • Note: In March 2024, Tennessee enacted a similar bill entitled the Ensuring Likeness, Voice, and Image Security Act ("ELVIS Act") that expands personality rights by prohibiting the unauthorized use of AI to mimic a person's name, photograph, voice, or likeness, without a license.²⁶

  • Senate Bill 942: California AI Transparency Act (effective January 1, 2026):²⁷ mandates that "Covered Providers" (AI systems that are publicly accessible within California with more than one million monthly visitors or users) implement comprehensive measures to disclose when content has been generated or modified by AI. This Act outlines requirements for AI detection tools and content disclosures, and establishes licensing practices to ensure that only compliant AI systems are permitted for public use. Covered Providers that violate the Act are liable for a penalty of US$5,000 per violation per day.

    Note: State legislatures in Washington and Virginia are currently considering similar AI transparency bills.

  • Assembly Bill 2013 (effective January 1, 2026): Generative AI: Training Data Transparency Act:²⁸ mandates that developers of generative AI systems (GenAI) publish a "high-level summary" of the datasets used to develop and train GenAI systems. For example, developers of GenAI systems would need to publish a summary of the following information, which is non-exhaustive:
    • Sources and owners of the datasets
    • Description of how the datasets further the intended purpose of the GenAI system
    • Whether the datasets include any information protected by IP law
    • Whether the datasets include personal information as defined in the CCPA
    • Whether the datasets were purchased or licensed by the developer
  • Assembly Bill 3030 (in effect): Health Care Services: Artificial Intelligence Act:²⁹ requires health care providers that use GenAI to generate patient communications to (i) disclaim that the communication was generated by a GenAI system, and (ii) provide clear instructions for how the patient can contact a human health care provider for assistance. Where the GenAI communication has been reviewed by a human health care provider, the disclaimer requirements do not apply.
  • Other bills governing AI across a range of fields include:
    • Assembly Bill 2602 (in effect): Contracts against Public Policy: Personal or Professional Services: Digital Replica Act³⁰
    • Bill 896 (in effect): Generative Artificial Intelligence Accountability Act³¹
    • Assembly Bill 2885 (in effect): Unified Definition of Artificial Intelligence
• In May 2025, the California Privacy Protection Agency (CPPA) Board finalized the long-awaited rules on cybersecurity, risk assessments and automated decision-making technologies (ADMT) ("the Proposed CPPA Regulations"³²). The CPPA must now submit the Proposed CPPA regulations to the Office of Administrative Law, which has 30 working days to review them for compliance with the Administrative Procedure Act. If approved and finalized, the Proposed CCPA regulations would impose new obligations on businesses, including providing consumers with the right to opt out of ADMT in contexts involving "significant decisions" (e.g., in housing, employment, credit, or healthcare) that replace or substantially replace human decision-making. Businesses would also be required to conduct risk assessments when engaging in certain high-risk data practices, such as selling or sharing personal information, processing sensitive personal information, using ADMT for significant decisions, using personal data to train ADMT, or using profiling technologies in education or employment-related contexts. Notably, the CPPA Board members cautioned that the Proposed CCPA Regulations are intended to be responsive to how technology is currently used and could be revisited if they do not meet the moment.
• Since the August 29, 2025 deadline for state legislature fiscal committees to advance bills has passed, the list of active AI-related bills in California has narrowed. Bills that advanced and remain active include:
  • AB 1018: requires developers to conduct performance evaluations of covered automated decision systems (that make consequential decisions) before deployment.
  • SB 53: requires developers of "foundation models" deemed to present a "critical risk" to create, follow, and publish a safety and security protocol, including catastrophic risk testing for foundation models and monitoring for critical safety incidents.
  • SB 243: aims to counter the marketing of chatbots as a recourse to loneliness and/or mental health struggles.
• Bills that failed at committee stage include:
  • SB 420: would have required notification when automated systems made certain decisions about individuals, as well as a right to human review in certain instances.
  • AB 412: would have required generative AI developers to disclose copyrighted training data and provide rights owners with a mechanism to request certain information.
• In May 2024, the Utah Artificial Intelligence Policy Act³³ went into effect. The Act requires individuals and entities to disclose the use of GenAI in communications with consumers.
  • For individuals and entities that engage in "regulated occupations" (i.e., those who must obtain a license or state certification to practice the occupation, such as lawyers or health care providers), the disclosure must be made "prominently" at the beginning of any communication with the consumer, regardless of whether the consumer asks whether they are dealing with a GenAI system (i.e., a proactive disclosure obligation).
  • For individuals and entities that do not engage in "regulated occupations," the disclosure must be made "clearly and conspicuously" only if the consumer asks whether they are dealing with a GenAI system (i.e., a reactive disclosure obligation).
  • Non-compliant individuals and entities may be fined up to US$2,500 per violation by the Utah Division of Consumer Protection.
  • Enactment of the Utah Artificial Policy Act and the California Health Care Services: Artificial Intelligence Act both underscore legislative concern with ensuring that consumers know when they are dealing with GenAI systems in certain settings.
• More than 40 state AI bills were introduced in 2023, with Connecticut³⁴ and Texas³⁵ actually adopting statutes. Both of those enacted statutes establish state working groups to assess state agencies' use of AI systems to ensure they do not result in unlawful discrimination.
• In Texas, Governor Greg Abbott signed the Texas Responsible AI Governance Act (TRAIGA) into law on June 22, 2025. Although the original bill mirrored the more expansive Colorado and EU AI Acts, Texas lawmakers significantly narrowed its scope during the legislative process. The final version eliminates many private sector obligations (e.g., impact assessments and consumer disclosures) and limits most compliance obligations to government use of AI. However, TRAIGA still imposes categorical restrictions on the development and deployment of AI systems for certain purposes such as behavioral manipulation, unlawful discrimination, and infringement of constitutional rights. TRAIGA also provides that AI systems may not be developed or distributed with the sole intent of producing, assisting or aiding in producing, or distributing child pornography or unlawful deepfake videos or images. Intentionally developing or distributing an AI system that engages in explicit text-based conversations while impersonating a child under the age of 18 is also prohibited. TRAIGA takes effect on January 1, 2026.

As for international commitments, on September 5, 2024, the United States joined Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, and the European Union to sign the Council of Europe's Framework Convention³⁶ on AI. The treaty will enter into force on the first day of the month following three months after five signatories, including at least three Council of Europe Member States, have ratified it. Countries from all over the world will be eligible to join and commit to its provisions. However, given changes to US AI policy under President Trump, the US may withdraw from the Framework Convention on AI or otherwise decline to adhere to the Framework.

Other laws affecting AI

Existing legislation has been the primary way in which the US regulates AI as established law, including privacy and intellectual property laws, which are generally applicable to AI technologies.

Notably, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement noting that "existing legal authorities apply to the use of automated systems and innovative new technologies."³⁷ As cited above, in February 2024, the Federal Communications Commission applied restrictions in the Telephone Consumer Protection Act on AI-generated voices.

Several states have enacted comprehensive privacy legislation that can also regulate AI. A non-exhaustive list of notable state legislation includes:

• The California Privacy Protection Act (CPPA), which regulates automated decision-making.³⁸
• The Minnesota Consumer Data Privacy Act (which took effect on July 31, 2025) grants consumers additional rights compared to other state privacy laws, such as the ability to question profiling decisions and access the data used in those decisions. The consumer may also review their data used in the profiling and correct inaccurate data for reevaluation.
• The Biometric Information Privacy Act in Illinois,³⁹ which is very broad and allows for extremely high damages for violations. There is currently pending litigation in the AI context 
  Existing intellectual property laws also apply to AI, both with respect to the data AI technologies are trained upon and the outputs of such technologies. For example, with respect to outputs, the US District Court has held that human authorship is an essential part of a valid copyright claim, and the Copyright Office will refuse to register a work unless it was created by a human being."⁴⁰ There are also numerous cases before the courts in the US alleging copyright infringement, among other things, with respect to training data. On the product liability front, there is a growing number of lawsuits against large language model developers on issues such as defective design and deceptive business practices.

Definition of “AI” 

There is no single definition of AI.

The National Artificial Intelligence Initiative and Removing Barriers EO define AI as "a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action."⁴¹

Many state privacy bills have different definitions of automated decision-making technology or "profiling":

• A recent Texas statute establishing an AI advisory council (HB 2060) defines an "automated decision system" as "an algorithm, including an algorithm incorporating machine learning or other artificial intelligence techniques, that uses data-based analytics to make or support governmental decisions, judgments or conclusions"⁴²
• Connecticut's Public Act No. 22-15 defines "profiling" as "any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements"⁴³
• The CCPA defines "profiling" as "any form of automated processing of personal information, [...] to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."⁴⁴
  • Additionally, recently enacted California Assembly Bill 10084543 clarifies that the CCPA applies to consumers' "personal information" regardless of its format. Specifically, AB 1008⁴⁵ clarifies that the CCPA encompasses "personal information" contained in "abstract digital formats" (i.e., generative AI systems that are capable of outputting consumers' personal information).
  • Further, recently enacted California Senate Bill 1223⁴⁶ clarifies that "sensitive personal information" under the California Privacy Rights Act (CPRA) encompasses consumers' neural data. As with AB 1008, SB 1223 aims to keep pace with emerging technology (in this case, neurotechnology) in an effort to protect information about consumers' brain and nervous system functions. While SB 1223 does not articulate a specific nexus to AI systems, if signed into law, it would constrain developers and deployers from using neural data under the CPRA.
• The recently finalized CPPA's rules on cybersecurity, risk assessments and ADMT defines "ADMT" as "any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making" (note: the rules defines "substantially replace human decision-making" as a business using the technology's output to make a decision without human involvement).

Territorial scope

As noted above, there are currently no comprehensive federal laws that have been enacted to specifically regulate AI. Accordingly, there is no specific territorial scope of federal legislation. However, many existing statutes regulate activities in which AI can be used, and those federal statutes typically apply nationally and, in some cases, extra-territorially. State legislation regulating AI generally has extra-territorial effect as its application typically extends to entities that target its residents from within or outside the state.

Sectoral scope

As noted above, there are currently no comprehensive federal laws that directly regulate AI. Accordingly, there is no specific federal sectoral scope at this stage. Nevertheless, there are certain sector-specific frameworks that have been implemented in the US to regulate the use of AI. A non-exhaustive list of key examples includes:

• In the insurance sector, the National Association of Insurance Commissioners issued a model bulletin⁴⁷ that focuses on governance frameworks, risk management protocols and testing methodologies that insurers should have in place to govern their use of AI systems that impact insurance consumers. Once adopted by the NAIC (expected early 2024), state insurance departments could use the bulletin at their discretion as the bulletin is not new law, but instead enforces the application of current laws to insurers' use of AI and serves as guidance as to regulatory expectations
• In the employment sector, the City of New York enacted Local Law 144 of 2021⁴⁸ that "prohibits employers and employment agencies [in the city] from using an automated employment decision tool unless the tool has been subject to a bias audit within one year of the use of the tool, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates"⁴⁹

Compliance roles

As noted above, there is currently no comprehensive federal legislation in the US that directly regulates AI. Accordingly, there are currently no specific or unique federal obligations imposed on developers, users, operators and/or deployers of AI systems. However, developers, users, operators and deployers of AI systems should anticipate that existing law will apply to any regulated activity that uses AI, and consult legal counsel about the potential liabilities that may arise. While potentially novel, the use of AI does not per se provide a shield from the application of existing law.

Core issues that the AI regulations seek to address

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. However, proposed legislation at the federal and state level generally seeks to address the following issues:

• Safety and security
• Responsible innovation and development
• Equity and unlawful discrimination
• Protection of privacy and civil liberties

Risk categorization

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. AI is also not generally classified according to risk in the relevant frameworks and principles.

Regulators

Currently, there is no AI-specific federal regulator in the US. However, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau and Department of Justice issued a joint statement clarifying that their authority applies to "software and algorithmic processes, including AI."⁵⁰

Similarly, state regulators that regulate privacy legislation likely also have the authority to regulate AI vis-à-vis existing privacy provisions. The FTC has been active in this area, and we can expect to see more from them going forward; see discussion of Rite Aid below.

Enforcement powers and penalties

As noted above, there are currently no comprehensive federal laws or regulations in the US that have been enacted specifically to regulate AI. As such, enforcement and penalties relating to the creation, dissemination and/or use of AI are governed by application of existing law to situations involving AI, through regulatory or judicial application of non-AI-specific federal and state statutes or AI-specific state privacy legislation.

In addition, the Federal Trade Commission has evoked an interest in and focus on regulating AI through enforcement. On December 19, 2023, the FTC settled a significant action focused on artificial intelligence bias and discrimination against Rite Aid regarding the company's use of facial recognition technology for retail theft deterrence. This illustrative case provides guidance on the FTC's enforcement on AI systems. For example, the proposed consent order⁵¹ between Rite Aid and the FTC:

• Prohibits Rite Aid from using AI facial recognition for five years
• Requires Rite Aid to delete all photos and videos of consumers used in its AI facial recognition
• Specifies that after Rite Aid's ban on using AI facial recognition expires, if Rite Aid operates AI facial recognition technology for surveillance, it must maintain a comprehensive automated biometric security or surveillance system monitoring program that identifies and addresses the risks of such operation and notifies consumers of its use of AI facial recognition. Rite Aid must also provide a means for consumers to lodge complaints, and investigate and respond to all complaints received, among other requirements

With respect to Colorado AI Act, the Colorado Attorney General has rule-making authority to implement, and exclusive authority to enforce, the requirements of the Act.⁵² A developer or deployer who violates the Act is deemed to engage in unfair or deceptive trade practices.

Enforcement mechanisms and penalties vary under the different California AI bills. Bills that specifically provide for enforcement include:

• Senate Bill 942: California AI Transparency Act: provides for penalties of US$5,000 per violation per day, enforceable through civil action by the California Attorney General, city attorneys, or county counsel
• Assembly Bill 3030: Health Care Services: Artificial Intelligence Act: enforceable by the Medical Board of California and Osteopathic Medical Board of California, with non-compliance punishable by, inter alia, civil penalties, suspension or revocation of a medical license, and administrative fines as set out in the California Health and Safety Code
• Assembly Bill 2655: Defending Democracy from Deepfake Deception Act: the California Attorney General, any district attorney, or any city attorney may seek injunctive relief to compel removal of materially deceptive content

Further insights from White & Case:

• White House Unveils Comprehensive AI Strategy: "Winning the Race America's AI Action Plan"
• US Enforcement Agencies Intensify Scrutiny of AI Washing
• Two California District Judges Rule That Using Books to Train AI is Fair Use
• From California to Kentucky: Tracking the Rise of State AI Laws in 2025
• Evolution of AI Washing Enforcement: DOJ Enters the Picture
• Automated Decision Making Emerges as an Early Target of State AI Regulation
• SEC Will Prioritize AI, Cybersecurity, and Crypto in its 2025 Examination Priorities
• 2025 State Privacy Laws: What Businesses Need to Know for Compliance
• NYDFS Releases Artificial Intelligence Cybersecurity Guidance For Covered Entities
• Raft of California AI Legislation Adds to Growing Patchwork of US Regulation
• Newly passed Colorado AI Act will impose obligations on developers and deployers of high-risk AI systems
• Long awaited EU AI Act becomes law after publication in the EU's Official Journal (July 2024)
• Dawn of the EU's AI Act: political agreement reached on world's first comprehensive horizontal AI regulation
• Processing personal data using AI Systems (Part 1)
• The EU AI Act's extraterritorial scope (Part 2)

Nick Reem and John Oltean (Associates, White & Case, Los Angeles) contributed to this publication.

_{1 See Removing Barriers to American Leadership in Artificial Intelligence
2 See White House, "Winning the Race: America's AI Action Plan
3 See Federal Aviation Administration Reauthorization Act
4 See National Defense Authorization Act
5 See National AI Initiative Act of 2020
6 See Preventing Woke AI in the Federal Government
7 See White House fact sheet
8 See Voluntary Commitments from Leading Artificial Intelligence Companies
9 See FCC declaratory ruling
10 See EEOC-CRT-FTC-CFPB-AI-Joint-Statement (final)
11 See Keep your AI claims in check
12 See FTC Announces Crackdown on Deceptive AI Claims and Schemes
13 See Rite Aid Banned from Using AI Facial Recognition
14 See The Need for Transparency in Artificial Intelligence
15 See IAPP article
16 See Strengthening Artificial Intelligence Normalization and Diffusion by Oversight and eXperimentation Act ("SANDBOX Act")
17 See SAFE Innovation AI Framework
18 See REAL Political Advertisements Act
19 See Stop Spying Bosses Act
20 See NO FAKES Act
21 See AI Research, Innovation, and Accountability Act
22 See American Privacy Rights Act
23 See Governor Polis Calls Special Session to Address Budget Hole Created by Federal Bill
24 See Defending Democracy from Deepfake Deception Act
25 See Use of likeness: digital replica
26 See Tennessee Code
27 See California AI Transparency Act
28 See Bill Text - AB-2013 Generative artificial intelligence: training data transparency
29 See Bill Text - AB-3030 Health care services: artificial intelligence
30 See Bill Text - AB-2602 Contracts against public policy: personal or professional services: digital replicas
31 See Generative Artificial Intelligence Accountability Act
31 See Utah S.B. 149 Artificial Amendments
32 See CPPA, Modified Text of Proposed Regulations (CCPA Updates, Cyber, Risk, ADMT, and Insurance Regulations)
33 See Utah S.B. 149 Artificial Amendments
34 See An Act concerning AI, automated decision-making and personal data privacy
35 See An Act relating to the creation of the AI council
36 See Convention text here
37 See EEOC-CRT-FTC-CFPB-AI-Joint-Statement
38 See California Consumer Privacy Act of 2018
39 See 740 ILCS 14/ Biometric Information Privacy Act
40 See THALER v. PERLMUTTER
41 See here
42 See An Act relating to the creation of the AI council
43 See An Act concerning personal data privacy and online monitoring
44 See California Consumer Privacy Act of 2018
45 See California Consumer Privacy Act of 2018: personal information
46 See Consumer privacy: sensitive personal information: neural data
47 See Model - Innovation, Cybersecurity, and Technology (H) Working Group
48 See The New York City Council File
49 See DCWP - Automated Employment Decision Tools (AEDT)
50 See Joint Statement
51 See Stipulated Order For Permanent Injunction and Other Relief
52 See Colorado AI Act}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2025 White & Case LLP}