Pro-Human AI Legislation

Vermont's Data Privacy Act (H.121, 2024) includes strong provisions against AI-driven consumer profiling without consent, requiring controllers to provide clear opt-outs from any AI system that processes sensitive personal data. Vermont became the first state to explicitly ban the sale of data that can be used to train…

The American Privacy Rights Act (APRA, proposed 2024) would create a national consumer data privacy framework that includes specific provisions on AI profiling, requiring opt-in consent for sensitive data used in AI systems, mandating impact assessments for high-risk automated decision-making, and giving individuals th…

Seattle passed an ordinance in 2023 requiring city agencies to complete a surveillance impact report before deploying any new surveillance technology, including AI-powered tools. The ordinance requires public hearings and council approval for any AI surveillance system that collects data on Seattle residents, and manda…

Illinois HB 3773 (2023) expanded BIPA to clarify that AI systems that generate biometric identifiers (such as AI voice cloning or AI face reconstruction from non-biometric data) are covered by the same consent and data protection requirements as direct biometric data collection. The clarification responded to attempts …

Colorado's HB23-1229 expanded the Colorado Privacy Act to add specific protections against AI-based profiling for consequential decisions in housing, credit, education, employment, and healthcare. Controllers must conduct and document risk assessments before using profiling AI, provide opt-out rights, and enable consum…

Texas HB 4 (2023) — the Texas Data Privacy and Security Act — includes provisions restricting AI-driven consumer profiling, requiring opt-out rights for targeted advertising based on AI analysis of personal data, and prohibiting discrimination in AI systems based on race, sex, religion, and other protected characterist…

Washington's My Health MY Data Act (SB 1155, 2023) expands privacy protections to health data collected and processed by AI systems outside of HIPAA's scope. The law requires consent before AI systems can collect, share, or sell health-related behavioral data, location data used to infer health conditions, and biometri…

Italy's data protection authority (Garante) ordered ChatGPT to suspend operations in Italy on March 30, 2023, citing violations of GDPR relating to lack of legal basis for mass data collection, no age verification to protect minors, and inadequate disclosure to users whose data was used for AI training. OpenAI restored…

New York State enacted amendments to the law governing automated employment decisions (the nation's only state law on automated employment decisions at the time) requiring any company using AI tools to screen resumes or rank candidates for jobs in New York to obtain an annual bias audit from an independent auditor and …

New York City Local Law 49 of 2021 bans the NYPD and other city agencies from using predictive policing software and requires all surveillance technology acquisitions to go through a public review process. The law was driven by evidence that predictive policing algorithms — which use AI to forecast crime locations and …

Portland, Oregon enacted two ordinances in 2020 banning facial recognition technology — one for city agencies and another, uniquely, for private businesses operating in public-facing spaces within the city. The private-sector ban was the first of its kind in the US and prohibits retailers, hotels, restaurants, and othe…

San Francisco Ordinance 103-19 was the first law in the United States to ban city government agencies from using facial recognition technology. The ordinance prohibits all city departments, including the police, from acquiring or using facial recognition or surveillance technology without prior board approval. It estab…

The EU General Data Protection Regulation (GDPR, Regulation 2016/679) includes Article 22, which gives individuals the right not to be subject to solely automated decisions, including AI profiling, that significantly affect them. Data protection authorities have used GDPR to impose major fines on AI companies, includin…

The Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14) requires companies to obtain written consent before collecting biometric data including fingerprints, retina scans, and facial geometry used in AI recognition systems. Companies must publicly disclose retention schedules and cannot sell biometric data. …