The provisions we watch.
Every provision Anteroom uses to evaluate an AI launch. Hand-curated from primary sources. Reviewer-attributed. Dated. Filterable. When a provision changes, every saved analysis that referenced it is flagged on its permalink and (if the user subscribed) the email goes out.
- EU EN 301 549 / WCAG 2.1 [Accessibility | EU | Obligation]
Under the EU Web Accessibility Directive, public-sector websites and mobile apps must meet EN 301 549 incorporating WCAG 2.1 Level AA.
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-08-23 | Effective 2016-08-23 | legislation.gov.uk | eu-en-301-549-wcag-2-1
- WCAG Multimedia Accessibility [Accessibility | US federal | Obligation]
WCAG 2.1 requires captions for all prerecorded and live multimedia and requires content be accessible to screen readers.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-04-28 | Effective 2024-04-28 | ada.gov | us-federal-wcag-captions
- Section 508 Refresh [Accessibility | US federal | Obligation]
US federal accessibility standards (Section 508 Refresh, 2017) require websites and ICT to conform to WCAG 2.0 Level AA.
Verified 2026-05-25 by Marcus Harjani | Last amended 2017-01-18 | Effective 2017-01-18 | access-board.gov | us-federal-section-508-accessibility
- ADA Title II Digital Accessibility (DOJ rule) [Accessibility | US federal | Obligation]
DOJ Title II rule mandates that websites and mobile apps conform to WCAG 2.1 Level AA standards.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-04-28 | Effective 2024-04-28 | ada.gov | us-federal-ada-title-ii-accessibility
- Human oversight (AI Act Art.14) [AI-specific | EU | Obligation]
High-risk AI systems must include human oversight measures to minimize risks to health, safety or fundamental rights.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-14
- Synthetic content labeling (AI Act Art.50(2)) [AI-specific | EU | Obligation]
Providers of AI systems generating synthetic audio, image, video, or text must ensure outputs are marked as artificially generated.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-50-2
- Explanation of high-risk decisions (AI Act Art.86) [AI-specific | EU | Obligation]
Individuals subject to high-risk AI decisions that significantly affect them have the right to obtain a clear, meaningful explanation of the AI system's role and the main decision elements.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-86
- Disclosure of AI interaction (AI Act Art.50(1)) [AI-specific | EU | Obligation]
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-50-1
- Worker notification (AI Act Art.26(7)) [AI-specific | EU | Obligation]
Employers deploying high-risk AI in the workplace must inform affected workers (and their representatives) about the use of such AI before implementation.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-26-7
- Provider obligations for high-risk AI (AI Act Art.16) [AI-specific | EU | Obligation]
Providers of high-risk AI must ensure system compliance, affix the CE mark, maintain quality management and documentation, and handle logging, conformity assessment, and corrective actions.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-16
- Accuracy, robustness, security (AI Act Art.15) [AI-specific | EU | Obligation]
High-risk AI systems must achieve and maintain a high level of accuracy, robustness and cybersecurity, with continuous testing to prevent malfunctions.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-07-12 | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-art-15
- Colorado AI Act: Deployer risk management [AI-specific | US-CO | Obligation]
A deployer of a high-risk AI system must use reasonable care to address discrimination risks and implement an iterative risk management program.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-06-22 | Effective 2026-02-01 | leg.colorado.gov | us-co-ai-act-deployer-duty
- Colorado AI Act: Definition of covered ADMT [AI-specific | US-CO | Obligation]
Colorado AI Act defines an automated decision-making technology as one that processes personal data to generate recommendations or scores used to make consequential decisions.
Verified 2026-05-25 by Marcus Harjani | Last amended 2026-05-14 | Effective 2027-01-01 | nortonrosefulbright.com | us-co-ai-act-covered-admt
- Colorado AI Act: Developer duty [AI-specific | US-CO | Obligation]
A developer of a high-risk AI system must use reasonable care to prevent known or foreseeable algorithmic discrimination.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-06-22 | Effective 2026-02-01 | leg.colorado.gov | us-co-ai-act-developer-duty
- Unfair or deceptive practices (FTC Act Sec.5) [Consumer protection | US federal | Obligation]
Prohibits unfair or deceptive acts or practices affecting commerce, which can include false claims about an AI product's capabilities or negligent AI design endangering consumers.
Verified 2026-05-25 by Marcus Harjani | Last amended 1914-09-26 | Effective 1914-09-26 | uscode.house.gov | us-ftc-act-sec-5
- EEOC ADA Guidance on AI [Employment | EEOC | Obligation]
The EEOC ADA guidance warns that an employer's use of AI or algorithms can violate the ADA if it screens out qualified applicants with disabilities.
Verified 2026-05-25 by Marcus Harjani | Last amended 2022-05-14 | Effective 2022-05-14 | eeoc.gov | sector-eeoc-ada-ai-guidance
- EEOC Title VII AI guidance [Employment | EEOC | Obligation]
The EEOC Title VII guidance treats AI hiring tools as selection procedures subject to disparate-impact rules.
Verified 2026-05-25 by Marcus Harjani | Last amended 2023-07-06 | Effective 2023-07-06 | eeoc.gov | sector-eeoc-title-vii-ai-guidance
- UK Equality Act: AI discrimination [Employment | UK | Obligation]
Under the UK Equality Act, both direct and indirect discrimination, including via automated systems, is unlawful.
Verified 2026-05-25 by Marcus Harjani | Last amended 2020-07-28 | Effective 2010-10-01 | ico.org.uk | uk-equality-act-algorithmic-discrimination
- AI video interview consent (IL AI Video Interview Act Sec.5) [Employment | US-IL | Obligation]
Employers using AI to evaluate video job interviews must notify applicants beforehand that AI will be used, explain how it works and on what criteria, and obtain the applicant's consent. Using AI on an interview without consent is prohibited.
Verified 2026-05-25 by Marcus Harjani | Last amended 2019-11-25 | Effective 2020-01-01 | ilga.gov | us-il-ai-video-act-sec-5
- NYC LL144: Notice to candidates [Employment | US-NY | Obligation]
Under NYC law, employers must notify job candidates and employees at least 10 business days before using an automated employment decision tool.
Verified 2026-05-25 by Marcus Harjani | Last amended 2021-11-15 | Effective 2023-07-05 | nyc.gov | us-ny-aedt-notice
- NYC LL144: Annual bias audit [Employment | US-NY | Obligation]
NYC Local Law 144 mandates that employers using automated employment decision tools must conduct an annual bias audit of the tool and publicly post a summary of the results before use.
Verified 2026-05-25 by Marcus Harjani | Last amended 2021-11-15 | Effective 2023-07-05 | nyc.gov | us-ny-aedt-bias-audit
- New AI model weights control (EAR) [Export control | US federal | Dealbreaker]
Commerce Department BIS added controls on exporting AI model weights for large models (ECCN 4E091) effective Jan 2025, requiring licenses for certain advanced AI model exports to restricted destinations.
Verified 2026-05-25 by Marcus Harjani | Last amended 2025-01-13 | Effective 2025-01-13 | federalregister.gov | us-export-eccr-15-cfr-742-supp
- AI Output Fair Use of Trademarks [IP | US federal | Watch]
Use of trademarks by AI outputs is evaluated under trademark law.
Verified 2026-05-25 by Marcus Harjani | Last amended 2023-03-01 | Effective 2024-01-01 | uspto.gov | us-federal-trademark-ai-fairuse
- Copyright and AI Training Data [IP | US federal | Watch]
Recent court guidance indicates that copying copyrighted works into AI models may infringe unless clearly transformative.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-09-13 | Effective 2025-01-01 | skadden.com | us-federal-training-data-copyright
- AI-Related Copyright Cases [IP | US federal | Watch]
Courts are grappling with AI and IP: e.g., in Thomson Reuters v. ROSS, a judge held that output of an AI model may violate copyrights.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-09-13 | Effective 2024-09-10 | skadden.com | us-federal-rt-ollimandel-copyright
- DMCA 512 Safe Harbor (AI Content) [IP | US federal | Watch]
Under 17 USC 512, online service providers are shielded from liability for user-posted infringing content if they implement a takedown notice process.
Verified 2026-05-25 by Marcus Harjani | Last amended 1998-10-28 | Effective 1998-10-28 | copyright.gov | us-federal-dmca-512
- Right of Publicity for AI Likenesses [IP | US federal | Watch]
State right-of-publicity laws can prohibit using a person's likeness or voice without permission.
Verified 2026-05-25 by Marcus Harjani | Last amended 2023-09-18 | Effective 2024-01-01 | leginfo.legislature.ca.gov | us-federal-ai-deepfake-publicity
- NYT v. OpenAI (Training Data) [IP | US federal | Watch]
The New York Times has sued OpenAI, alleging that using its copyrighted articles to train ChatGPT without permission exceeds fair use.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-01-24 | Effective 2024-01-24 | theverge.com | us-federal-nyt-openai-litigation
- EU Revised Product Liability Directive (2024) [Liability | EU | Obligation]
The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-12-09 | Effective 2024-12-09 | eur-lex.europa.eu | eu-product-liability-directive
- FDA: Learned Intermediary Doctrine [Liability | FDA | Watch]
In medical liability contexts, the learned intermediary doctrine limits manufacturer liability when a physician acts as intermediary.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-01-15 | Effective 2024-05-01 | papers.ssrn.com | sector-fda-learned-intermediary
- Data protection by design and by default (GDPR Art.25) [Privacy | EU | Obligation]
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-25
- Data Protection Impact Assessment (GDPR Art.35) [Privacy | EU | Obligation]
Requires DPIA before processing that is likely high-risk to rights, e.g. systematic automated profiling with significant effects.
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-35
- Processing of special categories of data (GDPR Art.9) [Privacy | EU | Dealbreaker]
Prohibits processing sensitive data (e.g. health, biometrics) unless narrow exceptions (explicit consent, vital interests, etc.) apply.
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-9
- Lawfulness of processing (GDPR Art.6) [Privacy | EU | Obligation]
Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-6
- International data transfers (GDPR Ch.V) [Privacy | EU | Obligation]
Personal data transfers to third countries/organisations are allowed only if conditions (adequacy decision, appropriate safeguards) in Chapter V are met.
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-44
- Automated decision-making prohibition (GDPR Art.22) [Privacy | EU | Obligation]
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-22
- Security of processing (GDPR Art.32) [Privacy | EU | Obligation]
Controllers and processors must implement appropriate technical and organizational measures to secure personal data according to the risk (e.g. encryption, resiliency).
Verified 2026-05-25 by Marcus Harjani | Last amended 2016-04-27 | Effective 2018-05-25 | eur-lex.europa.eu | eu-gdpr-art-32
- UK GDPR: Automated decisions [Privacy | UK | Obligation]
UK GDPR implements GDPR Art 22 on solely automated decisions producing legal or significant effects.
Verified 2026-05-25 by Marcus Harjani | Last amended 2023-05-23 | Effective 2018-05-25 | ico.org.uk | uk-gdpr-automated-decisions
- CPRA: Limit use of sensitive personal information [Privacy | US-CA | Obligation]
California consumers can direct businesses to limit use of their sensitive personal information to only what is necessary for the requested goods or services.
Verified 2026-05-25 by Marcus Harjani | Last amended 2020-11-03 | Effective 2023-01-01 | cppa.ca.gov | us-ca-ccpa-1798-121
- CPRA: Automated decisionmaking technology (ADMT) notice [Privacy | US-CA | Obligation]
Businesses using automated decisionmaking technology to make certain decisions must provide consumers with a pre-use notice explaining the ADMT use and informing them of rights including opt-out before processing their personal data.
Verified 2026-05-25 by Marcus Harjani | Last amended 2025-07-24 | Effective 2025-07-24 | cppa.ca.gov | us-ca-ccpa-7220
- CPRA: Privacy Risk Assessment [Privacy | US-CA | Obligation]
CPRA requires businesses whose processing poses significant privacy risks to conduct a documented risk assessment before initiating that processing.
Verified 2026-05-25 by Marcus Harjani | Last amended 2025-07-24 | Effective 2025-07-24 | cppa.ca.gov | us-ca-ccpa-7150
- HIPAA de-identification (45 CFR 164.514) [Privacy | US federal | Obligation]
HIPAA requires health data to be de-identified (removing PHI identifiers) before use for secondary purposes, meaning AI training on medical data often needs de-identification or patient authorization.
Verified 2026-05-25 by Marcus Harjani | Last amended 2000-12-28 | Effective 2013-01-01 | ecfr.gov | us-hipaa-45-cfr-164-514
- Biometric data notice and consent (BIPA Sec.15) [Privacy | US-IL | Dealbreaker]
Prohibits private entities from collecting biometric identifiers or information (like face geometry) without first notifying the individual in writing, explaining the purpose and retention schedule, and obtaining written consent.
Verified 2026-05-25 by Marcus Harjani | Last amended 2008-10-03 | Effective 2008-10-03 | ilga.gov | us-il-bipa-sec-15
- FDA SaMD Action Plan (Monitoring) [Sectoral | FDA | Obligation]
The FDA Digital Health Action Plan encourages manufacturers of software-based medical devices to implement real-world performance monitoring plans for adaptive AI.
Verified 2026-05-25 by Marcus Harjani | Last amended 2020-01-31 | Effective 2020-01-31 | fda.gov | sector-fda-samd-performance
- FINRA Reg. Notice 24-09 (AI in Brokerage) [Sectoral | FINRA | Obligation]
FINRA Notice 24-09 reminds broker-dealers that existing securities laws and rules apply when they deploy AI/GenAI.
Verified 2026-05-25 by Marcus Harjani | Last amended 2024-06-27 | Effective 2024-06-27 | finra.org | sector-finra-24-09
- OCC SR 11-7 (2026): AI Model Risk [Sectoral | OCC | Obligation]
The updated interagency model risk management guidance requires robust governance of financial models, noting that generative AI models are currently considered novel.
Verified 2026-05-25 by Marcus Harjani | Last amended 2026-04-17 | Effective 2026-04-17 | occ.gov | sector-occ-sr11-7
- California Breach Notification [Security | US-CA | Obligation]
California Civil Code 1798.80 to 1798.84 require any person doing business in the state to disclose to California residents any data breach involving unencrypted personal information.
Verified 2026-05-25 by Marcus Harjani | Last amended 2022-01-01 | Effective 2003-07-01 | oag.ca.gov | us-ca-ccpa-1798-82
- CPRA: Cybersecurity Audit Requirement [Security | US-CA | Obligation]
CPRA mandates that covered businesses undergo annual independent cybersecurity audits assessing controls to ensure personal data protection.
Verified 2026-05-25 by Marcus Harjani | Last amended 2025-07-24 | Effective 2025-07-24 | cppa.ca.gov | us-ca-ccpa-7123
- CIRCIA Incident Reporting [Security | US federal | Obligation]
Under CIRCIA, designated critical-infrastructure companies must report covered cyber incidents to CISA within 72 hours of discovery.
Verified 2026-05-25 by Marcus Harjani | Last amended 2022-04-13 | Effective 2022-04-13 | federalregister.gov | us-federal-circia-681b
- Massachusetts 201 CMR 17.00 [Security | US-MA | Obligation]
Massachusetts 201 CMR 17.00 requires any entity holding personal information of MA residents to implement a written information security program.
Verified 2026-05-25 by Marcus Harjani | Last amended 2009-05-01 | Effective 2009-05-01 | mass.gov | us-ma-cmr-17-00
- New York SHIELD Act [Security | US-NY | Obligation]
NY SHIELD Act requires entities holding private information to implement reasonable safeguards and notify affected NY residents of data breaches.
Verified 2026-05-25 by Marcus Harjani | Last amended 2020-03-21 | Effective 2020-03-21 | nysenate.gov | us-ny-gbl-899-aa
- CAIA, C.R.S. § 6-1-1706
Establishes an affirmative defense for developers and deployers of high-risk AI systems. A defendant escapes liability if it (1) discovered and cured the violation through user-feedback channels, red-teaming, adversarial testing, or internal review processes; AND (2) is in compliance with the latest version of NIST AI RMF, ISO/IEC 42001, or another framework designated by the Attorney General or the statute. Burden of proof is on the defendant. No private right of action; exclusive enforcement by the Colorado AG. This provision converts NIST/ISO alignment from voluntary guidance into a codified safe harbor.
Verified 2026-05-23 by Marcus Harjani | Effective 2026-06-30 | leg.colorado.gov | colorado-ai-act-caia-c-r-s-6-1-1706
- EU AI Act, Art. 27
Requires certain deployers of high-risk AI systems to perform a Fundamental Rights Impact Assessment (FRIA) before first use. Applies to public bodies, private entities providing public services, and deployers of high-risk credit-scoring or life/health insurance pricing systems. The FRIA documents the deployment context, affected persons, potential harms, human-oversight measures, and complaint mechanisms.
Verified 2026-05-23 by Marcus Harjani | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-eu-ai-act-art-27
- EU AI Act, Art. 50
Imposes transparency obligations on providers and deployers of AI systems. Providers must ensure persons interacting with AI systems are informed they are interacting with AI (unless obvious). Providers of generative AI must mark synthetic outputs in a machine-readable way. Deployers of emotion-recognition or biometric-categorisation systems must inform exposed persons. Deployers of deep fakes must disclose that content is artificially generated; deployers publishing AI-generated text on matters of public interest must disclose, with editorial-control and law-enforcement exceptions.
Verified 2026-05-23 by Marcus Harjani | Effective 2026-08-02 | eur-lex.europa.eu | eu-ai-act-eu-ai-act-art-50
- GDPR, Art. 22
Grants data subjects the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects them. Three exceptions: contract necessity, EU or Member State law authorisation, explicit consent. Where exceptions (a) or (c) apply, the controller must implement safeguards: right to human intervention, right to express the data subject's view, right to contest the decision. Decisions falling within Art. 22(2) shall not be based on special-category data under Art. 9(1) unless 9(2)(a) or 9(2)(g) applies.
- EU AI Act, Art. 5(1)(c)
Prohibits placing on the market, putting into service, or using AI systems for social scoring of natural persons by public authorities (or on their behalf) where the scoring leads to detrimental or unfavourable treatment in social contexts unrelated to the data's original collection, or where the treatment is unjustified or disproportionate to the underlying behaviour.
Verified 2026-05-23 by Marcus Harjani | Effective 2025-02-02 | eur-lex.europa.eu | eu-ai-act-eu-ai-act-art-5-1-c-
The corpus is curated, not exhaustive. Anteroom captures what a thoughtful senior counsel would actually consult for an AI launch. Found something missing, sloppy, or wrong? Email hello@anteroom.so.