The short version

Several major state AI rules flipped on January 1, 2026—and more arrive mid‑year. If you build, buy, or deploy AI in the U.S., you now face new transparency, safety, provenance, and data‑governance duties in California and Texas, with additional requirements coming from Colorado (June 30), Connecticut (July 1), and California’s provenance law in August. New York’s “RAISE Act” starts in 2027 but will drive 2026 planning.

U.S. map highlighting California, Texas, Colorado, Connecticut, Oregon, and New York with icons for transparency, provenance, discrimination, and data deletion

What just took effect on January 1, 2026

  • California’s AI transparency and chatbot safety laws are live. SB 53 (Transparency in Frontier AI Act) requires large frontier developers to publish safety frameworks and enables incident reporting; SB 243 regulates companion/chatbots used by minors (clear bot disclosures, periodic break reminders, and self‑harm safeguards). SB 524 adds disclosure and record‑keeping rules when law enforcement uses AI to draft reports. The Governor’s year‑start roundup confirms these are among the 2026 tech laws now in force. SB 53, SB 243, SB 524, CA “New in 2026” recap.

  • California privacy rules now cover risk assessments and set a date for automated decisionmaking (ADMT) rights. CPPA’s new regulations take effect January 1, 2026 (with ADMT compliance beginning January 1, 2027). If you use ADMT for “significant decisions,” plan now for notices, access, and opt‑outs. CPPA regulations explainer.

  • California’s Delete Act “DROP” portal launched. The CPPA’s single deletion mechanism for data brokers (DROP) is effective January 1, 2026, kicking off the state’s most ambitious data‑broker deletion regime to date. CPPA DROP page.

  • Texas’ TRAIGA (HB 149) is in force. The new law establishes a statewide AI council, updates biometric rules, and prohibits certain harmful or manipulative AI uses. It took effect January 1, 2026. HB 149 enrolled text.

  • Oregon criminalized non‑consensual AI intimate imagery. HB 2299 expands the state’s “revenge porn” law to include AI/deepfake imagery (effective January 1, 2026). HB 2299.

What’s coming later in 2026 (and what to start now)

  • Colorado’s AI Act (SB 24‑205) starts June 30, 2026. Developers and deployers of “high‑risk” AI used in consequential decisions (employment, housing, education, credit, etc.) must use reasonable care to prevent algorithmic discrimination; the statute outlines model disclosures, deployer impact assessments, and incident reporting to the AG. Colorado moved the go‑live from 2026‑02‑01 to 2026‑06‑30 in a 2025 special session. SB 24‑205 and the effective‑date change SB 25B‑004.

  • Connecticut adds AI training disclosures July 1, 2026. The 2025 amendments to the CT Data Privacy Act require privacy notices to state whether personal data is used to train large language models—applies broadly to controllers subject to CTDPA. BCLP analysis of CTDPA amendment.

  • California’s AI Transparency Act (SB 942) starts August 2, 2026 (delayed from January). Covered generative‑AI providers must offer a free detection tool and support manifest/latent provenance disclosures for AI‑generated images, audio, and video. The date shift came via AB 853; additional platform and device provisions phase in 2027–2028. AB 853 (delay), SB 942 overview.

  • Oregon privacy changes also arrive January 1, 2026. Oregon’s 2025 update bans the sale of precise geolocation data and the sale of personal data of known minors under 16, affecting data brokers and adtech. Overview of HB 2008 changes.

  • New York’s RAISE Act is signed; duties begin January 1, 2027. It targets only the largest “frontier” developers, but 2026 will be an active setup year as the Department of Financial Services stands up an oversight office and readies rulemaking. Governor’s signing release, legal summaries with 2027 date.

Your 2026 AI compliance playbook

1) Map your exposure by business role and footprint

  • Developer vs. deployer: In Colorado, both must exercise “reasonable care” to avoid algorithmic discrimination in high‑risk systems; developers owe model documentation to deployers, and deployers must perform impact assessments and consumer notices. SB 24‑205.
  • Frontier developer: In California (now) and New York (2027), large model developers must publish safety frameworks and enable/perform incident reporting; New York will add DFS oversight and higher penalty tiers. SB 53, NY DFS note.
  • Any controller processing CT residents’ data: Update privacy notices by July 1, 2026 to say whether personal data trains LLMs. CTDPA amendment.

2026 state AI laws at a glance

StateLaw (link)Who’s coveredCore obligationsKey 2026 date(s)
CaliforniaSB 53 – TFAIALarge “frontier” AI developersPublish safety framework; incident reporting; whistleblower protectionsJan 1, 2026
CaliforniaCPPA regs (ADMT/risk)Businesses using CA personal dataRisk assessments (2026); ADMT notices, access & opt‑out (2027)Jan 1, 2026 (staged)
CaliforniaSB 243 chatbotsChatbot operatorsBot disclosure to minors, break reminders, self‑harm safeguardsJan 1, 2026
TexasHB 149 – TRAIGABroad, with focus on public sectorAI council; biometric updates; bans harmful/manipulative usesJan 1, 2026
ColoradoSB 24‑205 + SB 25B‑004Developers & deployers of “high‑risk” AIReasonable care; developer transparency; deployer impact assessments; AG reportingJune 30, 2026
ConnecticutCTDPA amendments (LLM training disclosure)Controllers under CTDPAPrivacy notice must state if personal data trains LLMsJuly 1, 2026
CaliforniaSB 942 (CAITA), delayed by AB 853Large GenAI providersFree detection tool; manifest/latent provenance labelsAug 2, 2026

2) Stand up model risk management that travels across states

  • Adopt and document a risk management framework (e.g., NIST AI RMF) and align artifacts to Colorado’s “reasonable care” presumption (model cards, known risks, testing, and monitoring). Maintain evidence that deployers received required documentation. SB 24‑205 summary page.
  • Build an AI incident playbook. California SB 53 adds channels for reporting “critical safety incidents” to Cal OES; New York’s 2027 regime requires 72‑hour reporting to DFS. Harmonize triggers and escalation paths across states now. SB 53 press release, NY Governor release.

3) Prepare for ADMT rights in California

  • Inventory automated decisions that produce legal or similarly significant effects (hiring, lending, housing, benefits). Draft consumer notices, access mechanisms, and opt‑out flows; coordinate with HR and underwriting systems. Compliance enforcement for ADMT begins January 1, 2027, but the data‑mapping and UX work should begin now. CPPA ADMT timeline.

4) Embed content provenance and deepfake defenses

  • If you generate or host AI media, design for provenance. California’s SB 942 (effective Aug 2, 2026) requires a free detection tool and both manifest and latent disclosures for AI‑generated image/audio/video; begin testing C2PA‑style metadata and watermarking pipelines. The date shift came via AB 853. AB 853 (delay) and SB 942 overview.
  • If your product can be misused to create sexual deepfakes, update your AUP and enforcement—Oregon’s HB 2299 expands criminal exposure as of Jan 1, 2026 (many other states have similar laws). HB 2299.

5) Fix your data supply chain

  • California’s DROP means one click can force deletion across hundreds of data brokers. If you train or fine‑tune on brokered datasets—or buy audiences for targeting—stand up deletion response procedures and vet vendors for DROP readiness. CPPA DROP page.
  • Update privacy notices for Connecticut by July 1, 2026 to disclose whether you use personal data to train LLMs. Ensure your vendor contracts flow this obligation to processors. CTDPA amendment analysis.
  • If you target by location or minors’ data, note Oregon’s bans on selling precise geolocation and under‑16 personal data. HB 2008 overview.

6) Special cases: chatbots and policing

  • Chatbots with youth users: SB 243 requires conspicuous bot disclosures to minors, reminder prompts after extended use, and self‑harm protocols. Align your safety systems (e.g., escalations to crisis resources) and prohibit representing bots as licensed professionals (AB 489). SB 243 text, CA “New in 2026” recap.
  • Law enforcement usage: SB 524 mandates policies disclosing when AI drafts official reports, requires watermarks/signatures, and retention of the first AI‑generated draft. Vendors selling to police agencies should ensure audit trails and redlines. SB 524 status/text overview.

Frequently asked questions

Do these rules apply to open‑source or internal models?

It depends. California SB 53 and New York’s 2027 RAISE Act apply to “large”/frontier developers, with thresholds and incident reporting obligations. Colorado’s law focuses on use in “consequential decisions,” regardless of whether you built or bought the system; deployers are squarely covered.

We don’t operate in those states—are we off the hook?

Not necessarily. These laws often apply if your systems are available to residents of the state (or you process their data). Many national businesses will choose to implement a single, stricter standard. Check your data flows, user base, and contracts.

When will California’s automated decisionmaking rights be enforced?

The CPPA says the regulations take effect January 1, 2026, with ADMT obligations enforceable beginning January 1, 2027. Start the inventory and design work now to avoid a 2026 crunch.

What to watch in 2026

  • Colorado rulemaking and AG guidance under SB 24‑205.
  • CPPA guidance and enforcement posture on risk assessments and, later, ADMT.
  • New York DFS standing up its AI office and proposing RAISE Act rules for 2027.
  • Potential federal preemption challenges to state AI laws.

Sources