AI laws, privacy rules, and cybersecurity requirements — tracked for you.

Montana grants rights to access, delete, correct, and port personal data and to opt out of sale, targeted advertising, and profiling. Controllers and processors must provide clear notices, maintain contracts, and honor consumer rights requests. Amendments effective in 2025 lowered applicability thresholds and tightened disclosure and opt-out expectations for data sales and targeted advertising.

The FTC Safeguards Rule requires covered non-bank financial institutions to maintain a written information security program with risk assessments, qualified oversight, access controls, encryption, and monitoring. Updated requirements also added mandatory breach reporting to the FTC for certain notification events. The rule affects lenders, mortgage brokers, auto dealers, and other financial institutions under FTC jurisdiction.

New York requires covered financial entities to maintain a risk-based cybersecurity program, governance controls, incident reporting, and documented policies. The 2023 amendments strengthened board and senior-governance accountability, privileged-access management, asset inventory, vulnerability management, and incident notice requirements. Larger Class A companies face additional controls such as independent audits and enhanced monitoring.

Virginia requires entities and state agencies that suffer qualifying breaches involving personal information to notify affected residents and, in many cases, the Attorney General. It affects businesses and public bodies that own or license personal information and sets timelines, notice content expectations, and substitute-notice rules.

Colorado requires developers and deployers of high-risk AI systems to use risk management, impact assessments, and consumer notices tied to consequential decisions.

California requires covered generative AI providers to give users clear provenance disclosures when AI-generated or AI-altered content is created or presented. It affects providers and some licensees of large generative AI systems and gives the Attorney General and local public lawyers a civil-enforcement path.

California requires developers of generative AI systems made available to Californians to publish documentation about the data used to train those systems. It affects developers releasing public-facing generative AI systems or major modifications and is meant to improve transparency around dataset sources and composition.

Illinois amended its Human Rights Act to address the use of artificial intelligence and predictive data analytics in employment decisions. Employers cannot use AI in ways that subject employees to unlawful discrimination in recruiting, hiring, promotion, renewal, selection for training, discharge, discipline, tenure, or terms and privileges of employment. The law also requires notice when AI is used for employment decisions and bars the use of zip code as a proxy for protected classes.

Indiana gives consumers rights to confirm processing, access data, correct inaccuracies, delete certain personal data, obtain portable copies, and opt out of targeted advertising, sale, and profiling. It applies to businesses that meet threshold tests and requires clear notices, purpose limitation, security safeguards, and contracts with processors. The attorney general enforces the law after a cure process.

Texas established a statewide AI governance framework with disclosure duties, prohibited-use rules, enforcement powers, and a regulatory sandbox. It affects government agencies, health care providers, developers, and deployers using AI in Texas, especially where biometric collection, unlawful discrimination, or constitutional harms are at issue.

Australia amended its online safety regime to require providers of age-restricted social media platforms to take reasonable steps to prevent under-16 users from holding accounts. The framework affects covered social platforms serving Australian users and relies on age-assurance systems rather than mandating government digital ID. It also gives the eSafety Commissioner implementation and oversight responsibilities.

Texas gives certain businesses a safe harbor from exemplary damages after a breach if they implemented and maintained a qualifying cybersecurity program. It affects Texas businesses that handle sensitive personal information and pushes them toward recognized cybersecurity frameworks and scaled security controls.

Virginia now requires human decision-makers to remain responsible for major criminal justice decisions even when AI-based tools generate recommendations or predictions. It affects judicial officers and other criminal-justice decision-makers by limiting AI to an assistive role and preserving opportunities to challenge AI outputs.

New York requires operators of covered online sites, services, and connected devices to provide privacy-by-default protections for minors and to limit data processing unless a statutory exception applies. It affects operators directed to children or that know a user is under 18, with special focus on profiling, data transfers, and persistent identifiers.

Florida requires third parties performing anonymous age verification to avoid retaining or repurposing personal identifying information once age is confirmed. It affects businesses and verification providers that support age-gated experiences and sets security and data-minimization rules around the verification process.

Florida requires covered social media platforms to block or terminate certain accounts for younger minors and to obtain parental authorization for 14- and 15-year-old account holders. It affects social media services that meet Florida''s statutory thresholds and ties compliance to age-estimation and account-governance practices.

Iowa gives consumers rights to know whether personal data is processed, access and delete data they provided, and obtain a portable copy, while also allowing opt outs from data sale. It applies to controllers that meet volume thresholds and focuses on privacy notices, reasonable security, and processor contracts. Compared with some other state privacy laws, it is narrower on correction and sensitive-data consent requirements.

Australia's 2024 ERP Act updates the Security of Critical Infrastructure regime with stronger powers to manage consequences of incidents and to address deficient risk management programs. It affects operators of critical infrastructure and critical telecommunications assets, including some data storage systems that hold business-critical data. The reforms are part of the broader cyber legislative package tied to the 2023-2030 Cyber Security Strategy.

Texas requires covered digital service providers that are likely to be used by minors to offer parental tools and to limit certain data and design practices for known minor users. The law restricts targeted advertising to minors, requires age-appropriate experience controls, and imposes transparency obligations on covered services. It affects social media and other account-based digital services used by Texas minors.

The EU AI Act creates a single risk-based rulebook for AI across the bloc, ranging from outright bans on a narrow set of uses to detailed duties for high-risk systems and general-purpose AI models. It affects providers, deployers, importers, distributors, and product manufacturers that place AI systems on the EU market or use them in the EU. Core requirements include risk management, technical documentation, transparency, human oversight, post-market monitoring, and incident reporting.

Florida created a state privacy regime for large covered controllers, giving consumers rights around access, deletion, correction, portability, opt outs, and sensitive-data disclosures. It affects the largest consumer-facing platforms doing business in Florida and also imposes privacy notice, contract, and sale-of-data requirements.

Oregon gives consumers rights to access, correct, delete, and port personal data and to opt out of sale, targeted advertising, and certain profiling. Controllers must provide privacy notices, minimize data, conduct assessments for higher-risk processing, and obtain consent before processing sensitive data. The law also reaches many nonprofit organizations that are exempt under other state privacy regimes.

Tennessee expanded its right-of-publicity law to cover voice and likeness cloning, giving creators a clearer path to challenge AI-generated impersonations.

Texas created a broad consumer privacy law that covers access, deletion, portability, and correction rights, with obligations focused on data controllers and processors.

Florida requires political ads, electioneering communications, and certain other campaign materials that use generative AI to include a disclaimer stating that the content was created in whole or in part with AI. It affects candidates, campaigns, political committees, and advertisers distributing covered communications in Florida.

Washington protects consumer health data that falls outside HIPAA, including reproductive, biometric, and location-linked health inferences. Regulated entities generally need separate consent for collection and sharing, valid authorization for sale, and cannot geofence around health care facilities for certain purposes. The law applies broadly to companies doing business in Washington or targeting Washington consumers.

NIST CSF 2.0 updates the widely used cybersecurity framework and broadens it beyond critical infrastructure to organizations of any size or sector. It adds the Govern function and refines guidance for identifying, protecting against, detecting, responding to, and recovering from cyber risk. Although voluntary, it is frequently used in procurement, governance, and regulatory crosswalks.

California expanded its data-broker regime by moving registration oversight to the California Privacy Protection Agency and by requiring a one-stop deletion mechanism for covered data brokers. It primarily affects data brokers that trade in Californians'' personal information and requires recurring deletion processing, public reporting, and audit-related disclosures.

The UK Online Safety Act gives Ofcom powers over child-safety duties and age-assurance measures, especially for services that host harmful or adult content.

The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K and to describe cybersecurity risk management, strategy, and governance in annual reports. It affects Exchange Act reporting companies and pushes boards and management to formalize oversight and reporting processes. The rules also require Inline XBRL tagging for the new disclosures.

China's generative AI rules apply to providers offering generative AI services to the public in China. They require lawful training data and model use, measures to prevent illegal content, user complaint handling, and certain security assessments and algorithm filing obligations. The regime affects model providers and platform operators that make text, image, audio, or video generation services publicly available.

New York City bars employers and employment agencies from using automated employment decision tools unless they complete a bias audit, publish summary results, and provide required notices. It affects hiring and promotion workflows that rely on algorithmic scoring or recommendations for candidates and employees in the city.

Connecticut gives residents rights to access, correct, delete, and port personal data, and to opt out of targeted advertising, sale, and certain profiling. Covered controllers must limit collection to what is reasonably necessary, conduct data protection assessments for higher-risk processing, and obtain consent for sensitive data. The statute also added stronger youth-protection rules beginning in 2025.

NIS2 expands the EU cybersecurity framework to more sectors and entities and requires management-approved cybersecurity risk management measures and incident reporting. It affects essential and important entities across energy, transport, health, digital infrastructure, public administration, manufacturing, and other critical sectors. The directive also increases supervisory and penalty powers and coordinates cross-border cooperation.

The CPRA amended the CCPA, expanded consumer rights around sensitive personal data, and created the California Privacy Protection Agency to enforce the regime.

Louisiana requires commercial websites with a substantial portion of material harmful to minors to perform reasonable age verification before access. It affects publishers and platforms that host adult content and allows civil claims when minors are exposed without the required checks. Accepted methods include digital identification and other commercially reasonable verification systems.

Virginia gives consumers rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising, sale, and certain profiling. It applies to controllers and processors that meet statutory thresholds and requires privacy notices, data protection assessments, and contracts with processors. Sensitive data processing generally needs consumer consent.

The United Kingdom's Children's Code requires online services likely to be accessed by children to design around the best interests of the child. It expects a risk-based approach to age assurance and demands high privacy defaults, limits on profiling and geolocation, and stronger transparency for child users. It affects apps, games, connected toys, social platforms, and websites that are likely to be used by children.

The SHIELD Act broadened New York breach-notification rules and requires reasonable administrative, technical, and physical safeguards for private information.

California requires manufacturers of connected devices sold in the state to equip those devices with reasonable security features suited to the device and the data it handles. It affects IoT manufacturers and is aimed at reducing unauthorized access to devices and the information they collect, transmit, or store.

The GDPR sets the EU baseline for personal-data processing, requiring lawful bases, transparency, security safeguards, and rights for access, deletion, and objection.

Florida requires covered entities and government agencies to investigate breaches involving personal information and to notify affected individuals, the Department of Legal Affairs, and sometimes consumer reporting agencies. It affects organizations that maintain electronic personal information and sets breach-notification timelines, reporting thresholds, and recordkeeping duties.

California created child-focused design and privacy duties for online services likely to be accessed by minors, including high-privacy defaults, data protection impact assessments, and limits on harmful profiling or nudging. It affects businesses offering online products, services, or features to children in California, even though enforcement has been tied up in litigation.

Arkansas requires social media companies to perform reasonable age verification before allowing Arkansas users to open or maintain accounts. If a user is a minor, the platform must obtain parental consent and limit retention of age-verification data. The law is aimed at consumer-facing social media services used by children and teenagers.

Canada's proposed AIDA would create a federal framework for high-impact AI systems used in interprovincial and international commerce. It would require responsible persons to assess and mitigate risks of harm and biased output, keep records, publish plain-language descriptions, and notify the government of serious incidents. The proposal also gives the minister audit and order powers and creates offences for reckless or deceptive conduct involving AI systems.

Brazil's PL 2338/2023 would create a national, risk-based AI framework centered on rights, safety, and accountability. The bill would impose governance, documentation, transparency, and impact-assessment duties on providers and deployers of high-risk AI systems, with added rules for generative AI and public-sector use. It is now under review in the Chamber of Deputies after moving out of the Senate.

The United Kingdom continues to pursue a sector-led AI model rather than a single cross-economy AI statute. Its 2024 response keeps five cross-sector principles for existing regulators and signals targeted future legislation for the most capable general-purpose AI models. This affects regulated firms that rely on AI in sectors such as finance, healthcare, telecoms, employment, and consumer platforms.