top of page

State AI Laws That Just Took Effect: California, Colorado, Texas

  • Contributor
  • 3 days ago
  • 8 min read

The US does not have a comprehensive federal AI law. Various federal agencies have issued guidance, executive orders have come and gone, and a few sector-specific rules (FDA, FTC, CFPB) apply to AI in specific contexts. But there is no AI Act analog at the federal level. There may never be one.

In that vacuum, states are setting the rules. As of early 2026, three major state laws have just activated — California's AI Transparency Act, Colorado's AI Act, and Texas's Responsible AI Governance Act. Each targets a different slice of the AI landscape with a different regulatory philosophy. They do not align with each other. They do not align with the EU AI Act. Companies operating nationally now face a compliance matrix with no single answer.

This post is the practical breakdown of what each law actually requires, who it covers, and how to think about complying with all of them at once.

California's AI Transparency Act

California has done what California does: it's gone first on consumer-facing transparency. The AI Transparency Act focuses specifically on generative AI and on the public's ability to know when they're encountering AI-generated content.

Scope. Providers of generative AI systems with substantial California presence — measured by user count, business activity, or other thresholds — are in scope. The law applies to generative AI specifically, not to AI generally. Classification systems, recommendation algorithms, predictive models, and traditional ML are generally out of scope.

Core obligations. Three main requirements:

  1. Free AI detection tool. Covered providers must offer, free of charge, a tool that members of the public can use to determine whether content is likely AI-generated by that provider. The tool can have rate limits and reasonable usage controls, but it must be publicly accessible.

  2. Latent disclosure (provenance metadata). Generative AI providers must embed metadata in generated content that identifies it as AI-generated. The standard expected to be referenced is C2PA-style content credentials — cryptographically signed provenance metadata attached to images, video, and other media.

  3. Visible disclosures in certain contexts. When AI is used to interact with consumers in specific high-context situations (customer service chats, automated phone calls, generated written content presented as from a human), visible disclosure of AI use is required.

Enforcement. Civil penalties enforced by the California Attorney General. There is no private right of action under the Transparency Act itself, though parallel consumer protection laws may give private plaintiffs hooks.

What's hard. The latent disclosure requirement is the most technically demanding. Embedding cryptographically signed provenance into every piece of output requires changes to the inference pipeline and the storage/distribution paths. Foundation model providers and platforms built on top of them are figuring out how to comply at scale.

Colorado's AI Act

Colorado has gone the furthest of any state on comprehensive AI regulation. The Colorado AI Act, effective February 2026, is the first US law to address algorithmic discrimination across multiple sectors with developer and deployer obligations.

Scope. Covers AI systems used in consequential decisions — decisions that materially affect a consumer's access to or terms of: employment, education, financial services, healthcare, housing, insurance, or legal services. The list overlaps significantly with the EU AI Act's Annex III but is not identical.

Developer obligations. If you develop a covered AI system:

  • Use reasonable care to prevent algorithmic discrimination

  • Provide deployers with documentation describing intended uses, known limitations, and risks

  • Produce impact assessments that analyze discriminatory effects

  • Notify the Colorado Attorney General of known cases where the AI has been involved in algorithmic discrimination

  • Maintain ongoing risk management programs

Deployer obligations. If you use a covered AI system to make consequential decisions:

  • Use reasonable care to prevent algorithmic discrimination

  • Provide consumers with notice when AI is used in decisions affecting them

  • Provide consumers with the right to correct inaccurate personal data used by the AI

  • Provide consumers with an appeal process that includes human review

  • Produce impact assessments

  • Notify consumers and the AG of significant algorithmic discrimination

The teeth. Colorado's law has a private right of action for certain violations. This means consumers can sue. Class actions are possible. The litigation risk is substantially higher than under laws that limit enforcement to a state AG.

The reasonable care standard. "Reasonable care" is the legal hook that determines compliance. A developer or deployer who can show documented risk management, impact assessment, and good-faith efforts to prevent discrimination is exercising reasonable care. One who skipped those steps is not. The compliance documentation is what gets you to "reasonable care."

Texas's Responsible AI Governance Act

Texas has taken a more constrained approach than Colorado, with stronger focus on government use of AI and on specific consumer-facing decisions.

Scope split. The law has two distinct regulatory regimes:

  1. Government use. State agencies must conduct AI inventories, perform risk assessments, follow specific procurement procedures, and avoid prohibited uses (social scoring, mass surveillance, etc.). Effective for state government deployments.

  2. Private-sector consequential decisions. When AI is used by private actors to make consequential decisions affecting Texas consumers — particularly in employment, housing, lending, and insurance — notice and transparency requirements apply, with discrimination protections.

Notice requirements. Texas's law requires notice to consumers when AI is materially involved in a decision affecting them. The notice must include what type of AI is being used, what data inputs the AI used, and how the consumer can request human review.

Discrimination protections. Texas explicitly prohibits the use of AI to discriminate against protected classes. This is largely co-extensive with existing federal discrimination law but creates an additional state cause of action.

Enforcement. Texas Attorney General has primary enforcement authority. Civil penalties scale with the number of violations and the size of the operator. The law has been signaled as a priority for the AG's office, particularly around employment screening tools.

How the Three Laws Don't Align

A nationally-operating company faces three different sets of rules. Here's where they conflict.

Scope definitions don't match. California focuses on generative AI; Colorado covers "consequential decisions" in seven specific domains; Texas covers government AI plus a narrower set of consumer decisions. A single AI system might be covered by some but not others, or covered differently by each.

Disclosure requirements differ. California wants latent provenance metadata. Colorado wants notice and an appeal process for consequential decisions. Texas wants notice and a path to human review. Building one disclosure mechanism that satisfies all three is harder than it sounds — the formats, contexts, and content requirements differ.

Impact assessment standards differ. Colorado requires impact assessments analyzing algorithmic discrimination. Texas requires risk assessments for government uses. California does not have an explicit impact assessment requirement. If you do one Colorado-style impact assessment, it satisfies Colorado but may not satisfy other states with different requirements.

Enforcement mechanisms differ. Colorado has a private right of action (highest litigation risk). California enforces through the AG. Texas enforces through the AG. The legal exposure varies by state.

Definitions of AI itself differ. Each statute has its own definition of AI, algorithmic decision-making, and consequential decisions. The definitions overlap substantially but not entirely. A system covered by one definition may not be covered by another.

This is what regulatory fragmentation looks like in practice. There is no harmonization happening at the federal level to resolve it.

Practical Compliance Strategy for Multistate Operators

If you operate across states, here's the only practical approach.

Inventory first. List every AI system you build, deploy, or substantially modify that touches US users. For each, note what data it uses, what decisions it influences, what category of users it affects, and which states have users.

Map each system to each law. For each system, mark which state laws apply and why. This produces a compliance matrix. Most systems will be covered by 0-2 laws; a small number will be covered by all three plus the EU AI Act.

Build to the highest common denominator. For each obligation category (disclosure, risk assessment, notice, appeal, etc.), implement the most stringent version that any applicable law requires. This is more work than complying with any one law, but it avoids per-state implementations and per-state legal review.

Layer state-specific obligations on top. A few obligations are state-specific and cannot be satisfied by a common framework — California's latent disclosure metadata, Colorado's specific impact assessment format, Texas's government procurement rules. These need to be handled separately.

Document everything. The compliance posture you can defend is the one you've documented. Risk assessments, impact analyses, notice templates, appeal processes — all of these need to live in a discoverable place that legal and regulators can review.

Watch for new state laws. New York, Connecticut, Illinois, Virginia, and several other states have pending AI bills. The pace of state-level AI lawmaking is accelerating. Expect to add new state laws to the compliance matrix every six months.

The Real Cost

For a small or mid-sized company, the cost of building this multistate compliance posture is substantial — a multi-quarter project involving legal, engineering, product, and operations. Many companies are deciding it's not worth complying with every state law for every product and are instead segmenting their offerings by geography or simply withdrawing certain products from certain states.

This is not the outcome the laws intended, but it is the outcome they are producing. Until either federal preemption happens or states converge on common standards, regulatory geography is a real product constraint.

What's Coming

The fragmentation is going to get worse before it gets better. State-level AI legislation is the most active legislative area in technology law right now. New York's bills are particularly broad. Several states are considering their own versions of Colorado's comprehensive approach.

There is some federal activity — bipartisan working groups, agency-level rulemaking, occasional executive orders — but no realistic path to a comprehensive federal AI law in the near term. The Senate's AI working groups have produced principles, not legislation.

For most multistate operators, the operational reality for the foreseeable future is: comply with the patchwork, document the posture, and be ready to add new state laws as they come online.

The Takeaway

Three state AI laws are now in force. They don't align. Federal preemption is not coming soon. Companies operating nationally need to build a compliance posture that handles California, Colorado, and Texas simultaneously — plus the EU AI Act for any operations in Europe.

The pattern is the same as state privacy law fragmentation a few years ago, with the same response: build to the highest common denominator, segment when the cost of compliance exceeds the value in a specific jurisdiction, and accept that "AI compliance" in 2026 is a continuous program, not a one-time project.

The work is real. The companies that are getting ahead are the ones who started on it last year. The ones starting now have the same work to do, just compressed.

Frequently Asked Questions

What state AI laws are now in effect in the US?

Three major ones as of early 2026: California's AI Transparency Act (effective January 2026, requires disclosure for generative AI), Colorado's AI Act (effective February 2026, the first comprehensive state AI law targeting consequential decisions), and Texas's Responsible AI Governance Act (effective January 2026, focused on government and consequential consumer decisions). Each has different scope, definitions, and enforcement mechanisms — and they don't align with each other or with the EU AI Act.

Does the California AI Transparency Act apply to my company?

It applies to providers of generative AI systems with significant California reach. The law requires generative AI providers to offer a free AI detection tool to the public, embed latent disclosure (provenance metadata) in AI-generated content, and provide visible disclosures when generative AI is used in specific contexts. Penalties are civil and enforced by the California Attorney General. If you build or deploy generative AI used by Californians, you're likely in scope.

What is the Colorado AI Act?

The first comprehensive state AI law in the US, targeting 'consequential decisions' that materially affect consumers' access to employment, education, financial services, healthcare, housing, insurance, or legal services. Developers must use reasonable care to prevent algorithmic discrimination, disclose intended uses, and produce impact assessments. Deployers have parallel obligations. Effective February 2026, with a private right of action provision creating significant litigation exposure.

What is the Texas Responsible AI Governance Act?

Texas's AI law, effective January 2026, focuses on two areas: government use of AI (transparency, risk assessment, prohibited uses) and AI used in consequential consumer decisions (notice, transparency, discrimination protections). It is generally narrower in scope than Colorado's law but more prescriptive about government deployments. Texas has been signaling enforcement priorities around employment discrimination and credit scoring specifically.

How do I comply with all three state laws plus the EU AI Act?

You can't fully harmonize them — the laws have different definitions, scopes, and obligations that don't always overlap cleanly. The practical approach is to inventory your AI systems, map each to which laws apply, identify the most stringent requirement in each obligation category (transparency, risk assessment, disclosure, etc.), and build to the highest common denominator. Then layer state-specific or EU-specific obligations on top. This is more work than complying with any single law, but it is the only stable position for multistate operators.

bottom of page