May 2026

As lawsuits and regulatory scrutiny targeting “data brokers” continue to accelerate, understanding whether your organization fits within this increasingly broad industry space is a critical risk management priority. For entities that collect, enrich, or license data, the stakes of understanding the evolving causes of action, damages theories, and defense strategies shaping this space have never been higher.

Key point: The Colorado legislature passed a bill to replace Colorado’s existing artificial intelligence (AI) law with a more business-friendly regulatory regime focused on disclosures and limited consumer rights but, in doing so, added to the growing complexity of state AI regulation.

On May 12, the Colorado legislature passed SB 189, which repeals and replaces the Colorado AI Act. The bill will next head to Colorado Governor Jared Polis, who is expected to sign it, having been a driving force in the drafting of the bill.

SB 189 removes many of the hallmarks of the Colorado AI Act — such as a duty of care, risk management programs, and impact assessments — in favor of a disclosure-based framework with limited rights in narrow circumstances. That said, the bill’s January 1, 2027, effective date means that it will go into effect — the legislature will not reconvene until January 11, 2027 — thereby ending the uncertainty as to whether a Colorado AI law will go into effect.

The bill is complex, with many intertwined definitions and numerous exceptions. The article below provides an overview of the bill, digging into its many nuances. In addition, on May 18 from 12-1 p.m. ET, David Stauss will be hosting a webinar analyzing the bill.

Although the bill removes and narrows obligations under the existing law, Colorado still will have the most far-reaching legislatively enacted deployer/private sector AI law of any state. Further, the bill’s passage only adds to an increasingly complex state regulatory regime for businesses to navigate when deploying AI systems, including the California Consumer Privacy Act’s risk assessment and automated decision-making technology (ADMT) regulations and, in the employment context, laws in Illinois, New York City, and soon-to-be Connecticut.

Key point: Last week, Connecticut’s legislature passed a bill to amend the state’s consumer data privacy law and establish a data broker registration law, Iowa’s governor signed a chatbot bill into law, Colorado’s legislature passed a pricing bill and is poised to pass a bill to repeal and replace the Colorado AI Act, and Vermont’s legislature passed a health care AI bill.

Below is the seventeenth update on the status of proposed state privacy and AI legislation in 2026. With the state legislative activity slowing, we have combined our weekly privacy and AI posts.

Key point: With the June 3, 2026, compliance deadline fast approaching, small firms subject to amended Regulation S‑P under the Gramm-Leach-Bliley Act (GLBA) should be in the final stages of updating their privacy and safeguards programs. In January 2026, the Securities and Exchange Commission (SEC) held an outreach event to help small firms comply with the amendments to Regulation S-P. This webinar was geared toward small firms in advance of the June 3, 2026, compliance deadline. The SEC highlighted new Regulation S-P compliance obligations and SEC exam team approaches moving forward, and held an examination workshop, which included an incident response tabletop discussion, a review of a sample document request list, and a mock examination session.

On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (the GUARD Financial Data Act) would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act) would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education).

Key point: Connecticut’s AI bill passed the legislature, Maryland’s pricing bill was signed into law, Colorado’s AI Act replacement bill was introduced, and chatbot bills advanced in several states.

Below is the 16th update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Colorado’s legislature passed an age attestation bill while Michigan’s Senate passed a Kids Code Act.

Below is the 16th update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers