MenuMenu

  1. Home
  2. Data Education
  3. Data Columns
  4. Legal Issues for Data Professionals: Current Leading U.S. AI Laws

Legal Issues for Data Professionals: Current Leading U.S. AI Laws

There is no nationwide federal law in the U.S. that specifically regulates the development, deployment, and use of AI in the private sector. (This contrasts with AI use in U.S. federal agencies, as discussed below.) This absence of such a federal law contrasts with the recently enacted AU AI law. 

Instead, in the U.S., there is a “patchwork” of federal, state, and municipal laws. “Patchwork” means there is no uniform approach and that there is variation between federal and state laws as well as between the laws of the different states. 

The U.S. approach is based on the following:  

  • The recognition that AI, especially generative AI (Gen AI) is still developing.
  • The benefit of a nuanced approach to regulation by regulating different sectors of the economy in different ways.
  • The domain expertise of different agencies means that they should regulate in their industrial sector.
  • There are jurisdictional differences in our federal system.
  • The influence of big tech.

One of the most important takeaways is that many state laws have an effect on AI, even if the title or the primary purpose of the laws is not AI-specific. This is primarily because the laws affect the right to collect personally identifiable information. This matters because good AI depends on good data, and data collected under these statutes has useful or critical information on AI solutions. 

This column provides an overall introduction to significant existing and proposed state and federal legislation relating to artificial intelligence. This is not a comprehensive review of all the existing or proposed legislation. There are a plethora of existing and proposed state laws and an emerging number of proposed federal states, and this is a field where ongoing investigation is required to stay current with emerging and abandoned developments. By design, not all existing and proposed legislation is covered here. Instead, notable existing and proposed federal legislation is outlined to provide an overall view of how U.S. law approaches. 

While there is no comprehensive existing national U.S. law for AI in the way that the European Union has enacted the AI Act, at the onset, we note that there are a number of federal statutes that apply only to a federal agency’s use of AI. Similarly, 11 states enacted similar laws for state agencies, and other states have issued Executive Orders to direct AI-related state regulatory studies. According to one report, as of this writing, there are approximately 685 proposed pieces of AI-related legislation in the U.S. and approximately 100 of those are proposed federal legislation. 

1. Representative Proposed U.S. National Legislation 

  • Several pending legislative proposals discussed below take the so-called “soft” AI approach, namely, non-binding government approaches involving multiple stakeholders, the development of voluntary best practices, industry standards, and oversight mechanisms. Their approach reflects designing the government involvement that meets a need for flexibly to address fast-moving technology developments. 
  • An example is legislation proposed in the U.S. Senate called “Promoting United States Leadership in Standards Act of 2004.” It would require NIST (the National Institute of Standards and Technology) to report to Congress current U.S. participation standards development of AI and other critical technologies.
  • The “Future of Artificial Intelligence Innovation Act of 2024 proposes creating a U.S. “AI Safety Institute” within NIST as a public-private partnership to develop collaborative standards and best practices for AI and calls for international information sharing to promote international AI standards.  
  • The “Artificial Intelligence Research, Innovation and Accountability Act of 2023” goes further than the others and proposes tiered evaluation requiring a greater level of government oversight for “critical-impact” AI systems in comparison to “high-impact” AI systems, which are deemed to present fewer sensitive issues. 

2. Executive Order 14110 (the Biden Administration AI Executive Order) 

  • Effective as of October 2023. The President, as head of the Executive Branch, directed over 50 federal agencies in the Executive Branch to take more than 100 specific tasks, subject to successive 15-day or 30-day deadlines ending in June 2025. All agencies met the 90-day deadline in January 2024, which imposed significant milestones. The next significant 180-day deadline was in April 2024, which mandated the reporting of approximately 30 agency initiatives in their respective fields, including the Department of Transportation, to formulate a plan addressing the use of AI in transportation. 
  • The Executive Order creates standards and reporting for companies developing and deploying AI systems. This could affect AUDI, but it is too early in the regulatory process to provide the timeline. 
  • Prediction: We believe there is a private sector impact of the Executive Order. The practices developed by the agencies will effectively become a set of best practices for private sector companies. The best practices may also become what is referred to as a “safe harbor” for companies to show they are meeting acceptable standards of practice. 
  • The Executive Order requires the future development of rules for ongoing reporting on the development and deployment of large-scale AI large language models and computer clusters that have combined civilian and military uses. Reporting includes the results of “red team testing” (including for cyberattacks). It is not clear whether AUDI’s use of this AI will subject it to reporting requirements. 

3. Significant Federal Agencies Whose Board Authority Gives Them Broad Authority in AI Matters 

  • The authority of the Federal Trade Commission (FTC), which is part of the Department of Commerce, merits special notice because it undertakes enforcement actions, imposes sanctions (including algorithmic disgorgement), and issues guidance on AI “misuse,” pursuant to its authority with respect to unfair trade practices and consumer protection, including the rise of AI use across a wide spectrum. 
  • The National Institute of Standards and Technology (NIST), which is also part of the Department of Commerce, merits special notice as well because of its mandate to issue risk management frameworks for AI systems (including under the Executive Order). NIST issued an Artificial Intelligence Risk Management Framework 1.0. NIST has a leadership role in establishing motor vehicle safety standards that allow for innovative automated vehicle designs and automation through the development and deployment of AI. 
  • In addition, the Department of Transportation (DOT) issued its “Automotive Vehicles Comprehensive Plan” in January 2021. 

4. Federal Laws Now in Effect or Agencies Imposing Requirements on the Use of AI    

  • This Act relates to vehicles: The Inflation Reduction Act of 2022 (established requirements to provide a $7,500 tax credit to EV purchasers) (EV includes AI) 
  • Americans with Disabilities Act (Discriminatory use of AI) 
  • Consumer Financial Protection Bureau (CFPB) 
  • Cybersecurity Act of 2015  
  • Equal Credit Reporting Opportunity Act (Discrimination)
  • Equal Employment Opportunity Commission (EEOC) 
  • Fair Credit Reporting Act (Finance) 
  • Fair Housing Act (Use of AI in screening residential tenants) 
  • Federal Information Security Modernization Act (FISMA) 
  • Genetic Information and Nondiscrimination Act (Employment and health insurance) 
  • International Traffic in Arms Regulations (ITAR) (AI with military applications) 
  • National Defense Authorization Act for Fiscal Year 2021 
  • Occupational Safety and Health Administration (worker safety) 

5. State Privacy Laws Applicable to AI in Effect 

  • Comprehensive State Privacy Laws Applicable to AI (which may be subject to further amendment)  
  • California Consumer Privacy Act (CCPA) of 2018 as amended and expanded by the California Privacy Rights Act (CPRA), effective January 1, 2023
  • Colorado Privacy Act (CPA), effective July 1, 2023 
  • Connecticut Data Privacy Act (CTDPA), effective January 1, 2023 
  • Illinois Personal Information Protection Act (PIPA), effective January 1, 2006 (includes Biometric Information Privacy Act, effective October 3, 2008, and covers biometrics as personal data)   
  • Utah Consumer Privacy Act (UCPA), effective December 31, 2023  
  • Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2024 
  • States with Narrow Consumer Privacy 
    • Maine 
    • Michigan 
    • Minnesota 
    • New York (supplements current law addressed to data held by state agencies) 
    • Nevada 
    • Vermont  
    • Washington State  

6. State Privacy Laws with General Applicability  

  • Delaware Personal Data Privacy Act, effective January 1, 2025 
  • Florida Digital Bill of Rights, effective July 1, 2024 (applies to companies with more than $1 billion in gross annual revenues and derive more than half of their revenue from online ads) 
  • Indiana Consumer Data Protection Act, effective January 1, 2026 (applies to companies that process data of at least 100,000 Indiana residents or handle the information of at least 25,000 state consumers, and the company derives more than 50% of its revenue from selling data)
  • Indiana Consumer Protection Act (ICPA), effective July 1, 2026 
  • Iowa Consumer Data Protection Act (ICDPA), effective January 1, 2025 
  • Montana Consumer Data Privacy Act, effective October 1, 2024 
  • New Jersey Data Privacy Act (NJDPA), effective January 15, 2025
  • Oregon Consumer Privacy Act (OCPA), effective July 1, 2024 
  • Tennessee Information Protection Act, effective July 1, 2025 
  • Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024 (excludes small businesses) 

7. States Whose Legislatures Introduced or Proposed Privacy Acts in 2023-2024 

  • Hawaii 
  • Illinois (Illinois Data Privacy and Protection Act, proposed) 
  • Kentucky 
  • Maine 
  • Maryland 
  • Massachusetts 
  • Michigan 
  • Minnesota 
  • Missouri 
  • Nebraska 
  • New Hampshire 
  • New York (“It’s Your Data Act,” proposed) 
  • Ohio 
  • Pennsylvania 
  • Wisconsin 
  • West Virginia 

8. Federal Government Advisory Bodies 

  1. DOT guidelines on automated driving 
  2. National AI Initiative Office  
  3. National Artificial Intelligence Advisory Committee (NAIAC)
  4. National Security Commission on Artificial Intelligence and Government Accountability Office (GAO)  
  5. NHTSA guidelines 
  6. Ensuring American Leadership in Automated Vehicle Technologies: Automated Vehicles 4.0 (AV 4.0) 
  7. Preparing for the Future of Transportation: Automated Vehicles Policy (AV 3.0) 
  8. A Vision for Safety 2.0 (calls for industry, state and local governments, safety and mobility advocates and the public to lay the path for deployment of AV and technologies; provides voluntary guidance that encourages best practices and prioritizes safety) 
  9. Office of Science and Technology Policy 

9. Federal and State Proposed Legislation and Executive Orders 

  • Key Proposed Federal Legislation (most unlikely to take effect)  
    • On April 9, 2024, the first U.S. nationwide comprehensive privacy legislation was introduced in Congress on a bipartisan basis. It is called the “American Privacy Rights Act.” The proposal is too new for timelines to be known. 
    • Bipartisan Framework on AI Legislation (includes a proposal for AI-specific regulatory agency) (Senators Blumenthal and Hawley) 
    • SAFE Innovation Framework (Senator Schumer) 
    • CREATE AI Act (multiple Senators and Representatives)  
  • New York 
    1. Governor’s proposed AI-related amendments to existing laws. 
  • Texas 
    • HB (House Bill) 3026 (2021) (exempts AVs from regulations)  
    • SB (Senate Bill) 1308 (2021) relates to a border traffic study on the impacts of using certain motor vehicle technologies. 
    • SB (Senate Bill) 2205 (2017) set ground rules.
  • Relevant Topics of Proposed Local and State-Level Legislation
    • Algorithmic Discrimination (District of Columbia, California, Connecticut, Hawaii, New Jersey, New York, Oklahoma, Rhode Island, Vermont, Virginia, and Washington State) 
    • Automated Employment Decision-Making (New York City (enacted), Massachusetts, New Jersey, New York State, Vermont, Washington State 

Conclusion 

The patchwork of AI and AI-related laws in the U.S. requires that companies give attention to the type of data they need to conduct AI. As noted, in the absence of an overarching federal law, state laws play a critical role in U.S. AI law analysis because their regulation of personal information is imperative to creating good data and AI. 

Share this post

William A. Tanenbaum

William A. Tanenbaum

William A. Tanenbaum is a data, technology, privacy, and IP lawyer, and a partner in the 100-year old New York law firm Moses Singer. Who’s Who Legal says Bill is a “go-to expert” on “the management of and protection of data across a variety of sectors.” It named him “one of the leading names” in AI and data, and ranked him as one of the international "Thought Leaders in Data." Chambers, America’s Leading Lawyers for Business, says Bill has “notable expertise in cybersecurity, data law, and IP,” has a “solid national reputation,” and “brings extremely high integrity, a deep intellect, fearlessness, and a practical, real-world mindset to every problem.” Bill is a member of the DAMA Speakers Bureau and the Past President of the International Technology Law Association. He is a graduate of Brown University (Phi Beta Kappa), Cornell Law School, and the Bob Bondurant School of High-Performance Driving. Follow William on LinkedIn.

scroll to top