By Scott Hall
Artificial intelligence regulation has entered a new phase. What started as policy conversations about innovation, ethics, and voluntary guardrails is now a real compliance issue centered on privacy, transparency, discrimination risk, and accountability for automated outcomes. For businesses, the question is no longer just whether to use AI, but how to use it responsibly, lawfully, ethically, and efficiently, while building trust with consumers.
California remains one of the key states to watch. The state has continued to expand its privacy framework in ways that directly affect AI systems, including through the CPPA’s finalized rules on automated decision-making technology, risk assessments, and cybersecurity audits, as well as statutes addressing AI disclosures, training-data transparency, and synthetic content. Those developments are important—not just because of California’s market power, but because they reflect a broader regulatory instinct: treating AI as part of the privacy and consumer protection landscape, especially when automated tools rely on personal information.
At the same time, federal AI policy has become more unsettled. Rather than moving toward one comprehensive federal law, the national approach has continued to shift with changing administrations, executive branch priorities, and agency agendas. President Trump recently issued a “National Policy Framework for Artificial Intelligence” intended to preempt state law and address seven objectives that, in many ways, directly contradict the AI framework set out by the Biden administration and states that have already implemented AI regulations. In particular, rather than tighten restrictions on AI systems, the Trump framework would avoid broad content standards with the goal of avoiding excessive litigation. Even if the framework is not enacted, the uncertainty leaves businesses in an awkward position. Less federal oversight does not necessarily mean lower risk. In practice, it often means less uniformity, more uncertainty, and greater pressure to track what states, regulators, and private plaintiffs are doing without a lot of central guidance.
This reality helps explain why states continue to move aggressively to fill the gap. Some are adopting broad, risk-based AI frameworks. Others are focusing on narrower but still important issues, such as chatbot disclosures, profiling, health-related uses, insurance determinations, and AI tools used in employment decisions. The regulatory picture is developing issue by issue and sector by sector, rather than through a single national standard. That legal and regulatory patchwork—which is familiar in the privacy landscape—is harder for businesses to manage, but it is quickly becoming the reality for AI.
One notable theme is that states are increasingly using existing legal frameworks to address AI risk, rather than waiting for entirely new AI statutes. In employment, for example, states are starting to apply discrimination principles directly to automated hiring and screening tools. In privacy, states are using profiling, sensitive-data, and transparency rules to reach AI systems that make or support consequential decisions. That means companies must not only monitor new AI laws, but also consider how older laws may apply to the new technologies they are using.
We are also likely to see different rules for different AI uses. Not every AI-enabled tool will draw the same level of scrutiny. Consumer-facing tools that support routine tasks are likely to face lighter oversight than systems used for underwriting, hiring, eligibility, diagnosis, or other decisions that can significantly affect individuals. That risk-based approach is consistent with both the EU model and California’s Automated Decision-making Technology (ADMT) rules, which focus more closely on significant decision-making contexts. For companies, the practical takeaway is that compliance efforts should be prioritized based on use case, not just on whether a tool is labeled “AI.”
Globally, the EU AI Act remains the leading comprehensive model, with obligations tied to risk classification and substantial requirements for high-risk and general-purpose AI systems. Other jurisdictions are taking different approaches, but the overall direction is the same: more formal governance and more regulatory interest in documentation, transparency, and accountability. For companies operating across borders, that means AI compliance cannot be treated solely as a U.S. state-law issue. It increasingly requires a governance structure that can respond to different legal triggers while maintaining a consistent baseline of documentation and control.
We can also expect regulators to dig deeper into how AI works in practice. They want to know what data a system uses, how its outputs are reviewed, whether human oversight is real or just nominal, and whether the system creates privacy, fairness, or transparency concerns. As a result, AI governance is starting to look a lot like privacy compliance: inventorying systems, documenting use cases, assessing risk, limiting data use, testing for problems, and putting controls in place that can be defended later. Accountability in how AI is actually used matters more than simply having a policy on paper. It is also worth noting that enforcement risk is not limited to agency action. As AI becomes more embedded in decision-making, private plaintiffs are also testing new theories in private litigation, including through discrimination claims for AI use in employment and hiring decisions, or wiretapping claims for AI notetaking tools or other online services.
Ultimately, AI regulation is not emerging through just one statute, one agency, or one theory of liability. It is developing through privacy law, consumer protection, sector-specific regulation, administrative rulemaking, state legislation, and private litigation, often all at once. In the U.S., California remains one of the clearest signals of where this is heading, but it is not alone. Businesses adopting AI should expect questions not just about what the technology can do, but about what data is used, how it is governed, whether and how humans remain accountable, and whether AI use matches reasonable expectations of privacy and fairness. As AI becomes embedded in business operations, companies will be best positioned to manage risk when governance is built into everyday decision-making and workflows, rather than addressed only after problems arise.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.