The US map for deploying AI inside your business
CCPA/CPRA, the Colorado AI Act, Texas TDPSA, Illinois BIPA, NYC Local Law 144, HIPAA, and the FTC, mapped to the deployment decisions you are about to make. Built for operators rolling out ChatGPT, Claude, or AI automation across a US team.
The regulation map
Eight regimes shape AI deployments in the US. Here is what each one actually requires of a business using AI.
CCPA / CPRA (California)
California's privacy law is the de-facto national baseline: if you serve Californian customers at scale, it likely applies to you. For AI use, the operative duties are disclosure (your privacy policy must cover AI processing), purpose limitation (customer data pasted into an AI tool must match the purpose it was collected for), and honoring deletion and opt-out requests — including from data sitting in AI vendor systems. CPPA rulemaking on automated decision-making technology adds access and opt-out rights around profiling.
Colorado AI Act (SB 24-205)
The first comprehensive US state AI law, in effect since June 30, 2026. It targets "high-risk" AI systems — those making consequential decisions in employment, lending, housing, insurance, healthcare, education, or legal services. Deployers owe reasonable care to avoid algorithmic discrimination: an AI risk-management program, impact assessments, consumer notices when AI makes a consequential decision about someone, and a right to appeal to a human. If your AI touches hiring or lending decisions, this is the one to read first.
Texas: TDPSA + TRAIGA
The Texas Data Privacy and Security Act applies broadly to businesses processing Texan personal data (small businesses are largely exempt, but not from its sensitive-data consent rules). TRAIGA — the Texas Responsible AI Governance Act, effective January 1, 2026 — takes a narrower, intent-based approach than Colorado: it prohibits developing or deploying AI for unlawful discrimination, behavioral manipulation, and certain biometric uses, with the Attorney General enforcing. Texas also runs an AI regulatory sandbox for approved pilots.
Illinois BIPA + HB 3773
BIPA is the strictest biometric law in the country: collecting fingerprints, voiceprints, or face geometry from Illinois residents without written consent creates per-violation liability that has produced nine-figure settlements. If an AI tool processes voice or facial data, BIPA is a hard gate. Separately, HB 3773 (effective January 1, 2026) amends the Illinois Human Rights Act so that using AI that discriminates in employment decisions — including using ZIP code as a proxy — is a civil rights violation, and employers must notify workers when AI is used in employment decisions.
NYC Local Law 144 (AEDT)
If you use an automated employment decision tool to screen candidates or employees for jobs performed in New York City, you must commission an independent bias audit every 12 months, publish the audit results, and give candidates advance notice that the tool is being used. This applies to AI resume screeners and ranking tools even when a human makes the final call, if the tool substantially assists the decision.
HIPAA × AI (healthcare)
Protected health information may only flow into an AI tool if the vendor signs a Business Associate Agreement and the use fits HIPAA's permitted purposes. Consumer AI tools (free-tier chatbots, personal accounts) do not offer BAAs — pasting patient information into them is a reportable breach. Practical pattern: enterprise AI with a BAA (or de-identified data per the Safe Harbor rule) for anything clinical; consumer AI only for content that contains no PHI.
FTC Act, Section 5
The FTC's baseline applies to every US business regardless of state: no unfair or deceptive practices. In AI terms that means no overstating what your AI does ("AI washing"), no quietly using customer data to train models beyond what your privacy policy said, substantiation for AI-generated claims, and — per FTC enforcement actions — the risk of "algorithmic disgorgement," where a model built on improperly obtained data must be deleted. Fake AI-generated reviews and undisclosed AI endorsements are explicit enforcement priorities.
NIST AI Risk Management Framework
Voluntary, but the closest thing the US has to a national standard, and the scaffolding most state laws (including Colorado's) point to as evidence of reasonable care. Its four functions — Govern, Map, Measure, Manage — translate for an SMB into: name an owner for AI decisions, inventory where AI touches your business, check outputs and bias where it matters, and have a plan for when something goes wrong. Aligning with NIST AI RMF is the cheapest defensible posture available.
What does AI compliance look like in practice?
Across all eight regimes, the same six controls keep coming up. If your rollout has these, you are ahead of most US businesses using AI today.
- 1
Inventory every place AI touches customer or employee data — including employees' unofficial ChatGPT use.
- 2
Put an AI acceptable use policy in writing before an incident, not after (our free generator produces a US-jurisdiction draft in minutes).
- 3
Use enterprise AI accounts with data processing agreements; block PHI, biometrics, and sensitive PII from consumer tools.
- 4
If AI assists hiring decisions: check Colorado AI Act, Illinois HB 3773, and NYC LL144 duties — notice, bias review, human appeal.
- 5
Update your privacy policy to cover AI processing, and honor deletion/opt-out requests through your AI vendors.
- 6
Keep humans in the loop for consequential decisions (credit, employment, housing, healthcare) and document that they are.
Put it into practice
Free tools and services built around this compliance map.
AI Policy Generator
Free interactive generator that produces an AI acceptable use policy for your US state and industry — CCPA, HIPAA, and employment-AI clauses included.
Generate a policy →Instant AI Audit
Describe your business and get a free report on where AI saves you the most time and money — with compliance-aware recommendations, in minutes.
Run the audit →Work with US clients
We deliver compliance-aware AI rollouts to US businesses remotely, in your time zone, with fixed CAD pricing that stretches your USD 25–35% further.
How it works →US AI Compliance FAQ
No comprehensive one. As of 2026, US AI regulation is a patchwork: the FTC Act applies economy-wide against deceptive or unfair AI practices, sector rules (HIPAA, GLBA, FCRA, EEOC guidance) govern their domains, and states fill the gap — Colorado with the first comprehensive AI act, Texas with TRAIGA, Illinois and NYC with employment-focused rules, and roughly 20 states with general privacy laws that cover AI processing of personal data. Businesses deploying AI plan against the strictest rule that reaches them, which is usually California privacy law plus Colorado's AI framework.
Almost certainly the FTC Act (no revenue threshold), and state privacy laws if you cross their volume thresholds — CCPA at roughly $25M revenue or 100,000 California consumers, with other states in similar ranges. Employment AI rules (NYC LL144, Illinois HB 3773) apply based on where workers are, not company size. HIPAA and BIPA apply based on what data you touch. The safest small-business posture: enterprise AI accounts, no sensitive data in consumer tools, a written AI policy, and human review of consequential decisions.
Yes, with controls. Use a business/enterprise tier where your data is not used for model training and a data processing agreement is in place, disclose AI processing in your privacy policy, only process data consistent with the purpose it was collected for, and be able to delete customer data from the workflow when a deletion request arrives. Pasting customer records into a free consumer account fails most of those tests.
The rules differ, but the discipline transfers. We build under Canada's PIPEDA — consent, purpose limitation, and breach duties stricter than most US state laws — so privacy-by-default is our normal operating mode. For US deployments we design around CCPA/CPRA data handling, keep PHI out of non-BAA tools, and document data flows so your counsel can verify them. We are consultants, not attorneys: for regulated industries we work alongside your legal team, and this page is educational, not legal advice.
This page is educational content, not legal advice. AI legislation is moving quickly at the state level — confirm current requirements with qualified counsel before relying on them.