AI Compliance Requirements by State

Despite being written independently across more than a dozen state legislatures, most of these laws follow a recognizable pattern. At the core, almost every state AI law requires some form of notice to people affected by AI-driven decisions. If your system is making or significantly influencing decisions about someone — who gets hired, who gets a loan, who pays more for insurance — that person is typically entitled to know that AI is involved.

Most laws also require documented assessments of AI risk and potential for discrimination. These go by different names — data protection assessments, impact assessments, algorithmic impact assessments — but the core question is the same: have you evaluated whether this AI system treats different demographic groups differently, and have you documented that evaluation? Virginia, Connecticut, Oregon, Texas, Delaware, Minnesota, Indiana, Montana, Kentucky, and New Jersey all require this for profiling activities. Colorado requires it for consequential decisions more broadly.

Enforcement across all these laws runs almost exclusively through state Attorneys General. None of the current state AI or privacy laws create a private right of action specifically for AI violations — meaning a consumer can't sue you directly for an ADMT violation the way they could for a contract breach. But AG offices in states like California, Colorado, and Minnesota have explicitly flagged AI enforcement as a priority heading into 2026, and AG offices don't need a consumer complaint to open an investigation.

Perhaps the most important pattern is how penalties multiply with automated systems. Most of these laws set penalties on a per-violation basis — and when an AI system makes thousands of decisions per day, "per violation" can mean something very different than it does with a human-driven process. A $7,500 per-violation penalty is manageable when you make ten manual decisions a month. It's a different calculation when your hiring platform screens 500 resumes a day.