    US State AI Privacy Laws in 2026: The Landscape for AI Users

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

    The United States does not have a federal AI privacy law. What it has instead is a patchwork of state consumer privacy statutes, sector-specific federal laws (HIPAA, GLBA, FERPA), and a growing number of state AI-specific laws addressing automated decision-making, risk assessments, and high-risk AI uses. For organizations that use AI tools across multiple states, the compliance picture in 2026 is complex — and moving faster than most legal teams can track.

    This guide maps the state-level legal landscape for AI and data privacy in 2026, identifies the most practically significant laws, and explains what they mean for organizations using ChatGPT, Claude, Gemini, and other AI tools with personal data.

    The three categories of state law that affect AI

    State laws relevant to AI use fall into three categories:

    Category 1: Consumer privacy laws. Comprehensive state privacy acts modeled on GDPR (and, loosely, on the California Consumer Privacy Act). These laws apply to any business that processes personal data about residents of the enacting state above certain thresholds. They impose data subject rights, consent requirements for certain processing, data protection assessments, and restrictions on automated decision-making.

    Category 2: AI-specific legislation. Laws that target AI directly — requiring impact assessments, disclosures, audits, or human review for AI systems used in high-stakes decisions. These are narrower than comprehensive privacy laws but create explicit AI-governance obligations.

    Category 3: Sectoral laws with AI implications. Existing state laws (employment, housing, credit, consumer protection) that are being applied to AI-assisted decisions by regulators and courts. Illinois' BIPA (biometric data) is the most litigated example.

    The comprehensive privacy law states

    As of May 2026, the following states have enacted comprehensive consumer privacy laws that are in effect:

| State | Law | In effect |
| --- | --- | --- |
| California | CCPA/CPRA | January 2020 / January 2023 |
| Virginia | VCDPA | January 2023 |
| Colorado | CPA | July 2023 |
| Connecticut | CTDPA | July 2023 |
| Utah | UCPA | December 2023 |
| Texas | TDPSA | July 2024 |
| Oregon | OCPA | July 2024 |
| Montana | MCDPA | October 2024 |
| Florida | FDBR | July 2024 |
| Iowa | ICPA | January 2025 |
| Indiana | IDCPA | January 2026 |
| Tennessee | TIPA | July 2025 |
| New Hampshire | NHPDA | January 2025 |
| New Jersey | NJDPA | January 2025 |
| Delaware | DPDPA | January 2025 |
| Nebraska | NDPA | January 2025 |
| Maryland | MODPA | April 2026 |
| Minnesota | MNDPA | July 2025 |
| Rhode Island | RICDPA | January 2026 |
| Kentucky | KCDPA | January 2026 |

    Most of these laws have common features: opt-out rights for targeted advertising and profiling, opt-in consent for sensitive data (including health and biometric data), data minimization obligations, and privacy assessments for high-risk processing. Several have explicit automated decision-making provisions.

    The automated decision-making provisions

    The most AI-specific provisions in state privacy laws are those governing automated decision-making — decisions made solely by an automated system without meaningful human involvement. The scope and requirements vary significantly by state:

    Colorado CPA (§ 6-1-1309): Consumers have the right to opt out of profiling for decisions that produce legal or similarly significant effects. Controllers conducting processing that presents a heightened risk of harm must complete a data protection assessment that addresses automated processing logic.

    Connecticut CTDPA (§ 42-515): Opt-out right for profiling used in decisions producing legal or similarly significant effects (employment, credit, housing, education). The definition of "automated decision-making" includes AI-assisted decisions where the AI's output has a significant influence on the outcome.

    Virginia VCDPA: Right to opt out of the use of personal data for profiling in decisions producing legal or similarly significant effects.

    Texas TDPSA: Data protection assessment required for processing activities that present a heightened risk of harm to consumers, including profiling for decisions that produce legal or similarly significant effects.

    California CPRA regulations (CPRA Regs Section 7011): The California Privacy Protection Agency (CPPA) has proposed regulations specifically addressing automated decision-making technology (ADMT). Draft regulations (still under development as of 2026) would require opt-out rights and, for high-risk ADMT, opt-in consent and access to meaningful human review.

    Maryland MODPA: Has the broadest automated decision-making provisions of any state law enacted to date, requiring consent for automated processing that results in legally significant decisions and imposing human review requirements.

    Illinois: the biometric privacy outlier

Illinois' Biometric Information Privacy Act (BIPA), enacted in 2008, has become the most litigated AI-adjacent law in the country. BIPA requires written consent before collecting biometric identifiers (facial geometry, voiceprints, fingerprints, retina scans) and prohibits selling them or otherwise profiting from their disclosure.

    Why it matters for AI:

    • Facial recognition: Any AI-powered system that scans faces — employee time-tracking systems, security cameras with AI, candidate video-interview AI — must comply with BIPA for Illinois workers and residents.
    • Voice AI: Some courts have held that voice-to-text systems and voice authentication AI collect "voiceprints" subject to BIPA.
    • Statutory damages: BIPA allows $1,000–$5,000 per violation with no cap. Class actions have produced multi-hundred-million-dollar settlements. The litigation risk is real.

    For organizations using AI tools with voice features or facial recognition in Illinois, BIPA compliance (written consent, data destruction policy, written biometric data policy) is non-negotiable.

    Texas: the BIPA-lite state

    Texas' Capture or Use of Biometric Identifier (CUBI) Act (Tex. Bus. & Com. Code § 503.001) is often called BIPA-lite. It requires consent before capturing biometric identifiers for commercial purposes. Unlike BIPA, there is no private right of action — enforcement is by the Attorney General only. As of 2026, the Texas AG has brought enforcement actions against facial-recognition AI companies operating in Texas.

    Colorado: the AI-specific law (SB 24-205)

    Colorado enacted SB 24-205 in May 2024 — the first comprehensive state AI law specifically targeting high-risk AI systems. It goes into effect February 1, 2026.

    Key provisions:

    • Applies to: Developers and deployers of "high-risk AI systems" — systems that make or substantially influence consequential decisions about access to employment, education, financial or lending services, essential government services, healthcare, housing, or legal services.
    • Deployer obligations: Must use reasonable care to protect consumers from known or reasonably foreseeable algorithmic discrimination. Must disclose to consumers when a consequential decision is made using high-risk AI. Must provide an opportunity for human review of adverse consequential decisions. Must implement an AI risk management program.
    • Developer obligations: Must provide deployers with impact assessments, usage documentation, and technical information about the AI's reasonably foreseeable uses and risks.
    • Enforcement: Colorado Attorney General; private right of action not included.

    For organizations using AI for hiring, credit decisions, healthcare triage, or benefits determination, SB 24-205 creates a new layer of governance obligations beyond the CPA's existing automated decision-making provisions.

    California CCPA and AI: the ongoing rulemaking

    California's CCPA and CPRA are the most comprehensive consumer privacy laws in the US, and the California Privacy Protection Agency (CPPA) has been developing AI-specific regulations since 2023. Key areas under development:

    • Automated decision-making technology (ADMT) regulations: Would require opt-out rights for ADMT that produces legal or similarly significant effects, and opt-in consent for "significant" ADMT (including AI used in employment, credit, housing, and insurance). Would require organizations to provide meaningful human review upon consumer request.
    • Risk assessments: Would require data protection assessments for ADMT and other high-risk processing.
    • Training data: The CPPA has raised questions about whether personal data used to train AI models is separately regulated.

    The ADMT regulations were still in the rulemaking process as of mid-2026; organizations operating in California should monitor CPPA releases.

    The practical compliance matrix for AI users

    For organizations using AI tools (ChatGPT, Claude, Gemini, Copilot) with personal data about US consumers and employees, the practical obligations depend on the nature of the processing:

| AI use case | Key laws implicated | Core obligation |
| --- | --- | --- |
| AI hiring, screening, or scoring | Colorado SB 24-205, NYC LL144, EEOC guidance, VCDPA/CTDPA/TX TDPSA | Bias audit, human review, opt-out right |
| AI credit or lending decisions | FCRA, ECOA, Colorado CPA, CTDPA | Adverse action notice, ECOA compliance |
| AI healthcare decisions | HIPAA, Colorado SB 24-205 | BAA + human review for consequential decisions |
| AI-powered facial recognition | BIPA (IL), Texas CUBI, WA My Health My Data Act | Written consent before capture |
| AI marketing personalization | CCPA/CPRA, most state privacy laws | Opt-out right; consent for sensitive data |
| AI employee monitoring | NLRA, BIPA, state wiretapping laws | Disclosure; consent in some states |
| AI summary of consumer communications | Most state privacy laws | Disclosure in privacy notice; data minimization |

    What to do now: a practical checklist

    1. Map your AI tools to your data footprint. For each AI tool your organization uses, identify: what personal data reaches the tool, from which states' residents, and what decisions (if any) the AI influences. This inventory is the input to every compliance step that follows. For a complete template covering the seven sections every AI governance policy needs, see the AI Acceptable Use Policy template.

    2. Identify your highest-risk AI uses. High-stakes automated decisions (hiring, lending, healthcare, benefits) in states with AI-specific laws (Colorado, Maryland, California) are the highest priority. Address those first. For the full federal and local law picture specifically on AI in hiring — EEOC, NYC Local Law 144, and EU AI Act Annex III — see AI in Hiring 2026.

    3. Update privacy notices. State privacy laws require disclosure of processing purposes. If you use AI tools to process personal data, describe this in your privacy notice with sufficient specificity (the AI tool used, the purpose, the categories of data, and the lawful basis).

    4. Implement opt-out mechanisms. For AI-assisted profiling or automated decision-making that produces legal or similarly significant effects, create a way for consumers to opt out. "Do not sell/share my personal information" links are standard for California; analogous mechanisms are required in most other comprehensive privacy states.

    5. Conduct data protection assessments. Colorado, Virginia, Texas, Connecticut, and most other comprehensive privacy states require data protection assessments (DPAs) for high-risk processing, including automated decision-making. Conduct and document these before deploying AI for high-risk use cases.

    6. Prepare for human review requests. Colorado SB 24-205 and several state ADMT regulations require that consumers can request human review of adverse AI decisions. Build that process before the law requires it.

    Frequently asked questions

    Do state privacy laws apply to B2B AI use?

    Most comprehensive state privacy laws (CCPA, CPA, VCDPA, etc.) apply to personal data about consumers and, in some states, employees. B2B data (business contact information used purely in a business-to-business context) is typically excluded or narrowly regulated. However, if AI tools are used to process personal data about individual employees or consumers — even in a B2B workflow — those individuals' rights are still protected.

    Does using ChatGPT count as "automated decision-making" under state law?

    It depends on how you use it. Using ChatGPT to draft a marketing email or summarize a report is not automated decision-making. Using ChatGPT to score job applicants, determine creditworthiness, or generate outputs that directly drive access to services may qualify. The key is whether the AI's output produces a legal or similarly significant effect for an individual.

    We operate nationally. Which state law applies?

    The law of the state where the data subject (consumer or employee) resides, not where your business is incorporated or operates. Compliance is typically designed around the most restrictive requirement that applies to your data processing — often California's CCPA/CPRA — with state-specific overlays for states with more targeted provisions (Colorado SB 24-205 for high-risk AI, Illinois BIPA for biometrics).

    What is the difference between a data protection assessment and a DPIA?

    A DPA under US state law and a DPIA under the GDPR serve similar purposes but have different structures. State law DPAs typically analyze the benefits of the processing against the risks to consumers and document the balancing. GDPR DPIAs are more structured and may require consultation with the supervisory authority if high residual risk remains. Organizations operating under both frameworks often produce a unified impact assessment document that satisfies both.

    Are there federal AI laws I also need to worry about?

    Several sector-specific federal laws touch AI: FCRA (adverse action for AI-assisted credit decisions), ECOA (anti-discrimination in lending, including AI-generated scores), EEOC guidance on AI and employment discrimination, FTC Act Section 5 (unfair or deceptive acts — the FTC has taken action against AI companies), and COPPA (children's online privacy, including AI tools). The EU AI Act applies if you have customers or employees in the EU/EEA. A comprehensive federal AI privacy law has been proposed multiple times but has not passed as of mid-2026.

    How do state AI laws interact with the EU AI Act for multinationals?

    Independently — they apply based on different jurisdictional triggers. The EU AI Act applies when an AI system is placed on the EU market or affects EU persons. State AI laws apply when US consumers' or employees' data is processed. For multinationals, the practical answer is to design AI governance to the highest common standard: the EU AI Act's risk classification and governance requirements are generally more prescriptive than current US state laws, but Colorado SB 24-205 (consequential decisions) and Illinois BIPA (biometrics) add US-specific obligations the EU AI Act does not fully address.

    The bottom line

    The US state AI privacy landscape in 2026 is fragmented, fast-moving, and consequential. The organizations that navigate it best treat it as a risk management exercise: identify the AI uses with the highest stakes (decisions that affect people's access to jobs, credit, healthcare, housing), apply the most demanding applicable requirements, and build governance structures (inventory, assessments, opt-out mechanisms, human review) that can accommodate the next state law before it takes effect. The patchwork will not consolidate into a federal standard in the near term; the governance infrastructure you build now is the infrastructure you will operate under for years.
