US AI Regulation 2026: State-by-State Compliance Guide for AI Businesses

Published: February 28, 2026 | 14 min read | AI Compliance Guide

The Current State of US AI Regulation

Unlike the EU's AI Act, which provides a unified framework across 27 countries, the United States has taken a fragmented approach. As of February 2026:

• No comprehensive federal AI law — Multiple bills in Congress, but none passed
• State-led regulation — 12+ states have enacted AI-specific laws
• Industry-specific rules — Federal agencies (FTC, FDA, EEOC) issuing guidance
• Executive orders — Biden-era AI directives still in effect

State-by-State AI Regulations (2026)

1. Colorado — Most Comprehensive AI Law

The Colorado AI Act (CAIA), effective February 1, 2026, is the most comprehensive state AI law in the US. It applies to "high-risk AI systems" that make or materially influence consequential decisions.

What's Covered:

• Employment decisions (hiring, firing, promotions)
• Education access (admissions, financial aid)
• Financial services (lending, insurance underwriting)
• Housing (rental applications, mortgage approvals)
• Healthcare (treatment recommendations, coverage decisions)
• Criminal justice (bail, sentencing, parole)

Key Requirements:

1. Impact assessments: Document AI system risks and mitigation measures
2. Transparency: Disclose when AI is making decisions
3. Human oversight: Allow human review of AI decisions
4. Bias testing: Regular audits for discriminatory outcomes
5. Opt-out rights: Users can opt out of AI-driven decisions

Penalties:

• $10,000 per violation (first offense)
• $20,000 per violation (subsequent offenses)
• Daily fines for ongoing violations
• Attorney General enforcement (no private right of action)

2. California — Broad AI Requirements

California's AI regulation comes from multiple sources: CCPA/CPRA (privacy), existing anti-discrimination laws, and 2025's AB 331 (automated decision-making transparency).

Key Requirements:

• CCPA/CPRA: Right to opt out of AI profiling
• AB 331: Notice when AI makes "significant decisions"
• Anti-discrimination: AI cannot violate Unruh Act or FEHA
• Bot disclosure: SB 1001 requires disclosure of bots in commercial contexts

Penalties:

• $2,500 per unintentional violation
• $7,500 per intentional violation
• Private right of action under CCPA

3. Illinois — AI in Employment

Illinois leads in AI employment regulation with BIPA (biometrics) and AI Video Interview Act.

Key Requirements:

• BIPA: Consent required for biometric data collection
• AI Video Interview Act: Notify applicants of AI use in video interviews
• Explanation: Provide how AI works upon request
• Data retention: Delete interview videos within 30 days

Penalties:

• $1,000-$5,000 per violation (liquidated damages)
• Private right of action (class actions common)
• Attorney's fees recoverable

4. New York — NYC Local Law 144

NYC's Automated Employment Decision Tool (AEDT) Law is the most stringent local AI regulation.

Key Requirements:

• Bias audits: Annual third-party audits of AI hiring tools
• Public posting: Publish audit results on website
• Notice: Inform candidates of AI use 10 business days before use
• Accommodation: Allow alternative selection processes

Penalties:

• $500-$1,500 per violation
• Daily fines for ongoing violations
• Candidates can file complaints with NYC Commission on Human Rights

5. Other States with AI Laws

State	Focus Area	Key Requirement	Penalty
Virginia	Consumer privacy	Opt-out right for profiling	$7,500/violation
Texas	Consumer privacy	Transparency for AI profiling	$7,500/violation
Connecticut	Consumer privacy	Profiling opt-out + impact assessments	$5,000/violation
Utah	Consumer privacy	Profiling transparency	$7,500/violation
Massachusetts	AI discrimination	Bias testing for high-risk AI	$5,000-$10,000
Maryland	Employment	AI disclosure in hiring	$1,000-$5,000
New Jersey	Consumer privacy	Profiling opt-out rights	$10,000/violation

Federal Agency Guidance

While Congress debates, federal agencies are actively regulating AI under existing authority:

FTC (Federal Trade Commission)

• Section 5: Unfair or deceptive AI practices
• Algorithmic accountability: Must be transparent about AI use
• Bias enforcement: Discriminatory AI = consumer harm
• Data security: AI systems must protect training data

EEOC (Equal Employment Opportunity Commission)

• Title VII: AI hiring tools cannot discriminate
• ADA: AI must accommodate disabilities
• Guidance: 2023-2025 bulletins on AI in hiring
• Enforcement: Active investigations into AI bias

FDA (Food and Drug Administration)

• Medical AI: Regulated as medical devices
• Pre-market approval: Required for diagnostic AI
• Continuous learning: Special rules for adaptive AI
• Clinical validation: Must prove safety and efficacy

Compliance Checklist for AI Businesses

Step 1: Determine Which States Apply

• Where are your customers located?
• Where are your employees based?
• Where does AI processing occur?
• Most states apply if you target residents (not just physical presence)

Step 2: Classify Your AI Systems

Risk Level	Examples	Regulatory Burden
High-Risk	Hiring, lending, healthcare, criminal justice	Full compliance (impact assessments, audits, transparency)
Medium-Risk	Customer service chatbots, recommendation engines	Transparency + data protection
Low-Risk	Spam filters, search, basic automation	Minimal (general consumer protection laws)

Step 3: Implement Required Controls

1. Impact assessments: Document purpose, data, risks, mitigation
2. Bias testing: Regular audits across protected classes
3. Transparency notices: Clear disclosure when AI is used
4. Human oversight: Mechanism for human review of AI decisions
5. Opt-out mechanisms: Allow users to opt out of AI profiling
6. Data retention: Define retention periods and deletion procedures
7. Record-keeping: Maintain compliance documentation for 3-7 years

Step 4: Ongoing Monitoring

• Quarterly audits: Test for bias, accuracy, drift
• Annual reviews: Update impact assessments
• Incident response: Plan for bias complaints or regulatory inquiries
• Training: Educate employees on AI compliance

What's Coming: 2027-2028 Predictions

Federal AI Legislation

Congress is considering multiple bills:

• Algorithmic Accountability Act: Impact assessments for high-risk AI
• AI Bill of Rights: Codifying Biden-era principles
• SAFE AI Act: Comprehensive federal framework
• Expected timeline: 2027-2028 passage, 2028-2029 implementation

More State Laws

• 15-20 additional states expected to pass AI laws by 2027
• Trend toward Colorado-style comprehensive frameworks
• Industry-specific laws (healthcare, finance) likely

EU AI Act Influence

• EU AI Act effective August 2025 (prohibited uses) and August 2026 (high-risk systems)
• US companies operating in EU must comply
• Pressure to align US laws with EU standards

Compliance Costs

Business Size	Initial Setup	Annual Maintenance	Staffing Needed
Small (<50 employees)	$10K-$30K	$5K-$15K	0.5 FTE (part-time legal/compliance)
Medium (50-500 employees)	$30K-$100K	$20K-$50K	1-2 FTE (compliance officer + legal)
Large (500+ employees)	$100K-$500K	$50K-$200K	3-5 FTE (compliance team + external counsel)

Common Compliance Mistakes

1. Assuming federal law preempts state law — States can be stricter
2. Ignoring biometric data — BIPA-style laws are spreading
3. No human oversight — Many states require human review
4. Inadequate documentation — Regulators demand proof of compliance
5. One-time compliance — Laws change, audits must be continuous
6. Vendor blind spots — You're responsible for third-party AI tools
7. No opt-out mechanism — Required in most privacy laws
8. Insufficient notice — Transparency is non-negotiable

Resources

• Colorado AI Act: coag.gov/resources/artificial-intelligence
• NYC AEDT Law: nyc.gov/site/cchr/law/automated-employment-decision-tools.page
• FTC AI Guidance: ftc.gov/business-guidance/topics/artificial-intelligence
• EEOC AI Resources: eeoc.gov/ai
• NIST AI RMF: nist.gov/itl/ai-risk-management-framework

Related Articles