A lawyer advising a technology company deploying AI systems across the United States faces a problem that has no equivalent in the European framework. In Europe, the AI Act applies uniformly. In the United States, the question is never just what federal law requires — it is what combination of state laws, sector-specific federal statutes, and constitutional obligations apply simultaneously to this system, in this jurisdiction, affecting this category of person. A hiring tool compliant with New York’s Local Law 144 may still generate liability under Illinois biometric law. A credit scoring system that satisfies ECOA may still violate California’s privacy framework. A facial recognition deployment cleared by federal law enforcement may be prohibited under state legislation in the city where it operates.
That patchwork is the subject of this chapter — not as a list, but as a map that a practicing lawyer needs to read strategically.
Illinois — the biometric privacy fortress
Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq. (2008). Amended by SB 2979, signed August 2, 2024, effective immediately.
Illinois has the most powerful biometric privacy law in the United States, and it remains one of the most dangerous legal environments for companies deploying facial recognition, fingerprint scanning, or any other biometric AI system — even after the 2024 amendment that significantly reduced, but did not eliminate, its liability exposure.
BIPA, enacted in 2008 with unanimous legislative support, regulates the collection, storage, and disclosure of biometric identifiers including fingerprints, voiceprints, retina and iris scans, and scans of facial geometry. The statute requires organizations collecting biometric data to obtain informed written consent before collection, disclose the purpose and duration of storage, and maintain a publicly available retention and destruction policy. What makes BIPA uniquely powerful compared to other state privacy laws is its private right of action: any person whose biometric data is collected or disclosed unlawfully may sue directly and recover $1,000 for negligent violations or $5,000 for intentional or reckless violations, plus attorney’s fees and injunctive relief. Critically, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, that plaintiffs need not prove actual harm — mere violation of the statute is sufficient for standing.
The combination of statutory damages, no-actual-harm standing, and class action procedures produced extraordinary litigation exposure. The first BIPA jury trial, Rogers v. BNSF Railway, produced a $228 million verdict for the plaintiff class in October 2022; the trial court later vacated the damages award on the ground that BIPA damages are discretionary rather than mandatory, and the case settled for $75 million. Companies also faced per-scan damages calculations under Cothron v. White Castle Sys., Inc., 2023 IL 127801, where the Illinois Supreme Court held that a BIPA claim accrues each time biometric information is captured or disclosed without consent. A company scanning thousands of employees' fingerprints daily therefore faced thousands of separate violations accumulating over years.
The Illinois legislature responded with SB 2979, signed by Governor Pritzker on August 2, 2024, and effective immediately. The amendment limits damages to a single recovery per person per type of violation regardless of how many times the same biometric identifier was collected or disclosed using the same method. The amendment also clarifies that written consent can be obtained via electronic signature. BIPA remains materially dangerous — a large employer with thousands of workers whose biometric data was collected without consent still faces multi-million-dollar exposure on a per-person basis. But the per-scan theory that threatened to generate astronomical damages has been legislatively foreclosed.
A further complication for defendants is that the amendment's retroactive application remains unresolved. At the time of writing, the Seventh Circuit Court of Appeals is reviewing consolidated appeals on whether the damages limitation applies to suits filed before August 2, 2024. Until that question is settled, companies facing pre-amendment BIPA litigation cannot rely on the new damages ceiling.
For lawyers advising clients deploying biometric AI systems with any Illinois connection — employees, customers, or operations — BIPA compliance is not optional and is not satisfied by federal law compliance. The consent requirements, retention policies, and disclosure obligations must be specifically addressed for Illinois, and the litigation risk of non-compliance remains among the highest of any AI-related statute in the country.
Colorado — the closest U.S. analogue to the EU AI Act
Colorado SB 24-205, Consumer Protections for Artificial Intelligence Act. Signed May 17, 2024. Amended by SB 25B-004, signed August 28, 2025. Effective June 30, 2026.
Colorado’s SB 24-205 — known informally as the Colorado AI Act — is the most structurally ambitious state AI law in the United States. When it becomes fully enforceable on June 30, 2026, it will be the closest American analogue to the EU AI Act that currently exists at any level of government.
Governor Polis signed the original bill on May 17, 2024, but added a letter expressing reservations and urging the legislature to improve the law before it took effect. Those reservations reflected industry pressure and genuine complexity in the statute’s implementation requirements. Multiple amendment attempts followed in the 2025 legislative session, all of which ultimately failed. Governor Polis then called a special legislative session, and on August 28, 2025, signed SB 25B-004 — the “Increase Transparency for Algorithmic Systems Act” — which delayed implementation by five months, from February 1, 2026 to June 30, 2026. The substance of the law is unchanged.
The Colorado AI Act imposes obligations on both developers and deployers of high-risk AI systems — defined as systems that make or significantly influence consequential decisions affecting employment, education, housing, healthcare, or financial and legal services. Developers must exercise reasonable care to prevent algorithmic discrimination, furnish technical documentation, publish public statements, and report incidents. Deployers must implement risk management programs, conduct initial and annual impact assessments, issue pre-decision and adverse-decision consumer notices, and create website disclosures. The attorney general has exclusive enforcement authority, and non-compliance constitutes an unfair trade practice.
Two dimensions of the Colorado Act are particularly significant for lawyers already familiar with the European framework. First, the law explicitly identifies the NIST AI Risk Management Framework and ISO/IEC 42001 as governance frameworks whose adoption supports a rebuttable presumption of "reasonable care," connecting directly to the standards we examined in Chapter 6. A company that has implemented a functioning AI management system under ISO 42001 is not just compliant under European law; it is also positioned to invoke the Colorado Act's presumption. Second, the Trump administration's Executive Order 14281, "Restoring Equality of Opportunity and Meritocracy," directed federal agencies to deemphasize disparate-impact enforcement. That creates tension with Colorado's law, which is built around preventing algorithmic discrimination defined to include disparate impact. An executive order directed at federal agencies does not by itself preempt state law, so the practical question is whether litigation or federal legislation narrows Colorado's enforcement before the June 30, 2026 effective date. That remains open.
California — privacy law as AI governance
California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq. (2018). Amended by the California Privacy Rights Act (CPRA), Proposition 24, effective January 1, 2023.
California governs AI primarily through privacy law rather than AI-specific statutes — a regulatory philosophy that reflects the state’s history of data protection leadership and its reluctance to impose sector-specific AI obligations that might constrain its technology industry.
The CCPA, enacted in 2018 and substantially expanded by the CPRA which took effect January 1, 2023, grants California consumers rights over their personal data that affect AI deployments in significant ways. Consumers have the right to know what personal information is collected and how it is used, the right to delete personal data, the right to correct inaccurate information, and the right to opt out of automated decision-making technology and profiling. The California Privacy Protection Agency, established by the CPRA, has rulemaking authority over automated decision-making technology; its regulations layer specific obligations for automated decision-making onto the existing privacy framework, and any company relying on this chapter should confirm the current status and compliance dates of those rules.
The practical implication for lawyers advising companies deploying AI systems with California users is that the CCPA/CPRA creates disclosure and consent obligations that attach to any algorithmic system processing personal data at scale. Companies that collect behavioral data to train or operate AI systems must account for California consumers’ rights to access, correct, and delete that data — rights that interact directly with the data governance obligations we examined under GDPR Article 16 and the rectification mechanism under the EU framework.
Federal sector laws — HIPAA and ECOA
Two federal statutes create AI governance obligations in specific sectors that operate independently of any state law framework and apply nationally.
The Health Insurance Portability and Accountability Act, 42 U.S.C. § 1320d et seq., and its implementing Privacy and Security Rules at 45 CFR Parts 160 and 164, regulate the use and disclosure of protected health information by covered entities and their business associates. When machine learning systems process patient data — for diagnostics, predictive analytics, clinical decision support, or hospital administration — HIPAA’s requirements apply regardless of whether the system is classified as AI under any state or federal framework. Covered entities must ensure secure handling of health data, proper authorization for data use and disclosure, and breach notification if protected information is exposed. AI systems trained on medical records or deployed in clinical settings must be built and operated within HIPAA’s compliance architecture, and vendors providing those systems are business associates subject to the same obligations under business associate agreements.
The Equal Credit Opportunity Act, 15 U.S.C. § 1691 et seq., and its implementing Regulation B at 12 CFR Part 1002, prohibit discrimination in credit decisions and require lenders to provide adverse action notices stating the principal reasons for denying credit. When lenders use automated decision systems or machine learning models to evaluate applicants, these obligations persist regardless of algorithmic complexity. The Consumer Financial Protection Bureau has made clear that "we used a model" is not an adequate adverse action explanation: lenders must identify the specific factors the system actually relied on that were most significant in the adverse outcome, and the sample reason codes in Regulation B do not excuse a lender from doing so. Applied to black-box credit scoring models, this requirement creates a transparency obligation that operates through the same logic as the GDPR's right to explanation: the decision must be explainable in terms the affected person can understand and act upon.
Reading the map
The American AI regulatory landscape in 2026 is best understood not as a patchwork of gaps but as a set of overlapping jurisdictional layers that a competent lawyer must read simultaneously. A federal constitutional floor. Federal sector-specific law in healthcare and credit that applies nationally. State biometric requirements in Illinois that reach any employer with Illinois employees, customers, or operations, regardless of headquarters. State comprehensive AI obligations in Colorado that become enforceable in June 2026. Privacy-as-AI-governance in California for consumer-facing systems. New York's employment and frontier model requirements from Chapter 10.
The compliance question for a company deploying AI hiring tools with users in multiple states is not whether federal law is satisfied. It is whether the system’s bias audit satisfies Local Law 144 in New York, whether its biometric components comply with BIPA in Illinois, whether its consequential decision processes meet Colorado’s impact assessment requirements, whether its data collection practices satisfy CCPA in California, and whether its Title VII disparate impact exposure has been assessed at the federal level. Those are five distinct legal analyses, each with different standards, different enforcement mechanisms, and different litigation risks.
The lawyer who can navigate that map — and connect it to the EU framework for clients operating transatlantically — is the lawyer that AI governance practice needs. The chapters that follow build the practical tools to do exactly that.