
Illinois, Connecticut, New York: The Bar Is Rising for AI Governance and Privacy Laws

AI and data privacy regulation in the United States has moved from a slow simmer to a rolling boil. In the last week alone, Illinois, Connecticut, and New York have each introduced significant legislation on these fronts. These bills do not so much invent new governance concepts as state, specifically and emphatically, the practices already expected of businesses that develop, deploy, and manage these technologies.

The AI governance and privacy rules they contain are specific and enforceable, which reflects the growing maturity of state legislation in this area. The window to get ahead of these laws is narrowing fast, so let’s look at each bill in detail and at how businesses can prepare.

Illinois

Through a combination of accountability, transparency, and risk-management measures, Illinois is seeking to create an AI governance framework that balances innovation with public trust and responsible use. The legislation reflects clear expectations around the development, deployment, and oversight of emerging technologies.

  • Frontier AI transparency requirements: The bill requires companies developing powerful AI models to disclose information about those models, including capabilities, intended uses, and known risks, before deployment. The purpose is to increase transparency so regulators and the public understand what high-risk AI systems can do.
  • Mandatory governance and risk management: Companies must establish governance, risk mitigation, and cybersecurity programs. The aim is to ensure AI developers actively manage safety risks rather than reacting after problems occur.
  • Annual third-party audits: The bill mandates independent audits every year, which would let regulators verify that companies are actually following their safety and transparency commitments. This is notable because it is described as a first-of-its-kind requirement among state AI laws.
  • Catastrophic risk framework: The bill targets AI systems capable of causing large-scale harm, such as large-scale cyberattacks, damages exceeding USD 1 billion, or systems operating beyond human control. The intent is to regulate the most powerful AI systems before serious harm occurs.

Connecticut

As noted above, these bills are more specific in their approach. Connecticut’s SB 4 and SB 5 together establish a broad framework addressing both digital privacy and artificial intelligence. The measures demonstrate the state’s effort to modernize its regulatory approach to evolving technologies while strengthening protections for residents:

For privacy

  • Data broker registration: SB 4 requires data brokers to register annually with the state. The motivation is to increase accountability for companies that collect and sell personal data.
  • Ban on geolocation data sales: The bill prohibits companies from selling residents’ location data, protecting individuals from tracking and misuse of sensitive location information.
  • Facial recognition protections: New requirements apply to facial recognition technologies. SB 4 addresses risks related to biometric surveillance and misuse of facial data.
  • Centralized deletion mechanisms: The state would create a system allowing residents to request deletion and opt out of data broker databases, giving consumers more control over their personal information.

For AI

  • Frontier AI obligations: As in Illinois, large AI developers face requirements for advanced AI models, intended to help monitor and manage risks from highly capable systems.
  • Employee whistleblower reporting: Companies must create channels for employees to anonymously report AI risks or malfunctions, so that safety issues are identified early.
  • Risk reporting to leadership: Developers must regularly report AI-related risks to company leadership. The idea is to make AI risk management an executive responsibility.
  • Automated decision-making: Individuals must be informed when automated systems significantly influence employment decisions. Existing anti-discrimination laws explicitly apply to these AI systems.
  • AI companion regulation: AI companions must disclose that they are not human, and minors under 18 cannot use certain AI companion services. This is meant to protect users, especially children, from deceptive AI interactions.
  • AI Regulatory Sandbox: Connecticut will create a sandbox for AI innovation. This will allow companies to test AI technologies under regulatory oversight while encouraging innovation.

New York

New York continues to expand its role in shaping state-level technology policy through a legislative approach focused on emerging digital risks and evolving online environments. The state’s latest measures seek to establish expectations for how organizations design, deploy, and manage technology-driven services while promoting safer and more responsible digital experiences.

For Privacy

  • Protection of children’s geolocation data: Platforms must prevent access to a child’s location information by unconnected users. The goal is to restrict stalking, tracking, and online exploitation risks.
  • Privacy-by-default protections: Users under 17 receive default safety and privacy protections. This will shift responsibility from children to platforms.
  • Restrictions on adult-child interactions: Platforms must implement safeguards limiting unwanted contact between adults and minors. This will reduce grooming and exploitation risks.

For AI

  • AI companion restrictions for minors: AI companion access must be turned off by default for minors. The idea is to protect children from potentially harmful emotional or social dependence on AI systems.

Regulators Are Doing Their Homework

As states race to regulate AI and data privacy, businesses can no longer afford a wait-and-see approach. Whether you operate or serve customers in Illinois, Connecticut, or New York, these laws signal a clear direction of travel. Here’s where to start:

On Privacy:

  • Obtain appropriate consent and minimize data exposure. Ensure personal data is collected and used with the necessary permissions. Where possible, anonymize, de-identify, or otherwise reduce the sensitivity of data before processing it.
  • Be transparent about data practices. Privacy notices should clearly explain what data is collected, how it is used, who it is shared with, and how individuals can exercise their rights.
  • Audit your data broker relationships. Know which third parties you share or sell data to, and ensure they can meet the registration and disclosure standards Connecticut’s SB 4 would impose.
  • Build deletion workflows now. Centralized opt-out mechanisms are coming. Getting your data infrastructure deletion-ready ahead of the mandate will save significant pain later.
  • Treat children’s data differently. Default privacy protections for minors are on the way in New York. Apply stricter data handling across the board for users under 18.
  • Train employees on privacy risks. Employees remain one of the largest sources of privacy incidents. Regular training can help reduce the risk of unauthorized disclosures, improper data handling, and non-compliant practices.
  • Maintain defensible records. Keep documentation of consent mechanisms, privacy notices, data-sharing arrangements, assessments, and governance activities. Good records are often the strongest defense during audits, investigations, or legal disputes.

On AI:

  • Obtain appropriate consent for AI use and protect sensitive data. When AI systems process personal information, ensure the necessary permissions are in place. Where feasible, use anonymized or de-identified data to reduce risk.
  • Maintain an AI inventory. Track all AI systems used across the organization, including third-party tools, embedded AI functionality, and emerging AI agents. Organizations cannot govern technologies they do not know they are using.
  • Make AI risk an executive conversation. Evaluate AI use cases against internal policies, legal requirements, and organizational risk tolerance. Connecticut’s bill would require reporting AI risks to company leadership; build that reporting structure internally before a regulator requires it. Document identified risks, mitigation measures, and approval decisions.
  • Be transparent about AI usage. Organizations should clearly communicate when and how AI is being used, particularly when it influences decisions, customer experiences, or the processing of personal data.
  • Train employees on AI risks. Employees should understand the risks associated with AI tools, including data leakage, bias, hallucinations, intellectual property concerns, and inappropriate use of public AI platforms.
  • Create safe channels for internal concerns. Whistleblower channels for AI issues are part of Connecticut’s bill. A culture where employees can flag AI problems early is both a compliance requirement and a risk management asset.
  • Maintain defensible records. Keep documentation of AI inventories, risk assessments, governance decisions, approvals, monitoring activities, and training efforts. As AI regulations mature, organizations will increasingly need to demonstrate responsible AI governance.

Emerging Expectations for AI and Privacy

Illinois, Connecticut, and New York are further shaping the nationwide reckoning over how AI and personal data are governed. The specifics will vary from state to state, but the direction is clear: more transparency, stronger accountability, and greater protection for individuals, especially children. Businesses that treat these laws as isolated compliance checkboxes will find themselves constantly playing catch-up. Those that use them as a forcing function to build genuinely responsible data and AI practices will be better positioned.


Author

Dan Clarke
President, Truyo
June 3, 2026
