In 2024, several states enacted laws regulating developers and deployers of AI systems. These state laws are among the first of their kind and cover multiple subjects, including:
- Mandatory notice requirements when AI is used for:
-
- marketing;
- interaction with the public; or
- specific automated consequential decisions.
- Requirements regarding use of customer data by AI systems in training or as an input.
- Audit and reporting requirements.
- Criminal and civil penalties for:
-
- unauthorized likenesses in deepfakes (also known as synthetic media); and
- algorithmic discrimination.
Any organization implementing AI in their business or using AI-enabled tools must be aware of the laws in all jurisdictions where they operate, how the laws differ among jurisdictions, and what responsibilities the laws impose.
Some topics, such as patents, are federally preempted, but the broad powers given to states allow wide-ranging latitude for action. New state laws follow general themes of transparency and prevention of possible harms, both systemic and to individuals. Compliance requires close attention to the nuances of laws that may seem similar on their face. Even small businesses that do not use AI in their main operations may still be exposed to laws that govern common third-party software for functions such as hiring.
Risk from new state laws is a subset of the larger category of AI risk, a growing concern for businesses. Analysis of state AI laws should be part of a larger enterprise-wide AI risk plan. (For more on AI risk management across an enterprise, see AI Governance Roadmap (US) on Practical Law.)
