Where Technology, Innovation and Protection Come Together


AI Legislation: Should The US Be Taking Notes from Other Countries?

By Teghan O'Connell



The United States currently has no comprehensive federal legislation in place for the protection of residents’ personal data. The lack of protection is concerning when we live in a world of mass data collection, more so since the advent of AI. Other governmental entities (like the EU and China) are ahead of the US, already having enacted data privacy laws to protect their citizens from the negative impacts of AI data collection.


European Union’s General Data Protection Regulation (GDPR)

The General Data Protection Regulation or GDPR is a law put in place by the European Union which outlines a plan for the protection of individuals’ personal data.


The GDPR created strict guidelines that outline how organizations and companies can use and handle personal data. The regulation states that companies must have a specific, defined purpose for collecting personal data.


Under the law, companies are limited in how long they can store personal data. The GDPR aims to create a culture of transparency, requiring data collectors to be clear about why they are collecting personal data and setting a 72-hour limit for reporting a data breach before facing a fine.


The sanctions for violating any of these requirements are quite high (the higher of €20 million or 4% of annual global sales). [1]


EU Artificial Intelligence Act

In addition to the GDPR, the EU also has the Artificial Intelligence Act in place to protect citizens while encouraging advancements in the tech field. The AI Act uses a tiered approach, assigning different models to different levels of risk based on the type of data collected.


Depending on the level of risk, the EU sets requirements for how AI tech companies manage the data. For example, limited-risk models (which include chatbots and personalization) must be transparent to their users about what the AI is used for and the data involved in its use.


Models relating to social scoring systems and real-time biometric scanning verification are considered an “unacceptable risk” and will be required to change by the EU or will be prohibited. [2]


Interim Measures for the Administration of Generative AI Services (China’s Policy)

The Interim Measures for the Administration of Generative AI Services is a user protection act that exclusively applies to models accessible to the Chinese public.


The act moderates the content that the models create and requires AI-generated content to be marked as such.


Under the act, AI models are required to get their training data from legitimate sources and process personal data with appropriate consent or legal basis under Chinese laws. Even with consent, only necessary information can be collected.


The disclosure of user data to a third party is illegal under the act, further protecting user data. [3] The Measures do not protect the Chinese public’s data from the Chinese government, only from AI models and their creators.


California CPPA

The California Consumer Privacy Protection Agency is a task force that protects the privacy rights of Californians on the internet. It protects personal data and is one of the first examples of online consumer protection in the US. [4]


Utah AI Policy Act

The act protects the rights of users in the state of Utah, specifically in response to the onset of AI. It is the first AI-specific protection in the US (along with Colorado's, though that state’s law does not go into effect until June 1, 2026). [5]


Utah’s AI Policy Act was passed on the same day as the EU AI Act. The act did two big things: 1) created liability for the inadequate or improper disclosure of generative AI use, and 2) created the Artificial Intelligence Policy Office. [6] The first part of the AI Policy Act institutes fines for violations of disclosure.


The second part is more complex. The Artificial Intelligence Policy Office (AIPO) was created to adapt to new aspects of AI as they come out.


The office consults with businesses and stakeholders about regulatory proposals, and it created and runs the AI learning lab. The learning lab works to analyze the effects and functions of AI as well as the risks and benefits of the tech. [7]


“Blueprint for an AI Bill of Rights” from the US OSTP

The Blueprint for an AI Bill of Rights was a proposal set forth by the Office of Science and Technology Policy outlining what a potential AI protection law should cover for user rights.


The proposal is made up of five principles: 1) safe and effective systems, 2) algorithmic discrimination protection, 3) data privacy, 4) notice and explanation, and 5) human alternatives, consideration, and fallback. [8]


The Safe and Effective Systems principle states users should be protected from unsafe or ineffective systems and should not be put at risk by an automatic system. [9]


The Algorithmic Discrimination Protections principle states users should not face discrimination by algorithms and systems should be used and designed in an equitable way. [10]


The Data Privacy principle states users should be protected from abusive data practices via built-in protections and should have agency over how data about them is used. The principle suggests companies ask permission to use data and pushes for transparency of use. [11]


The Notice and Explanation principle states users should know an automated system is being used and understand how and why the system contributes to outcomes that impact them. The principle calls for transparency about the use and function of AI, as well as who is responsible for it. [12]


The Human Alternatives, Consideration, and Fallback principle states users should be able to opt out of AI use (where appropriate) and have access to a person who can quickly consider and remedy problems they encounter.


Essentially, the principle asks for an option of human interface instead of an automated system. [13] The publication of the blueprint encouraged 12 US states to pass AI protection legislation.


American Data Privacy and Protection Act (ADPPA)

The American Data Privacy and Protection Act (ADPPA) is a proposed law which aims to provide users with foundational data privacy rights.


The ADPPA aims to create strong oversight mechanisms and establish meaningful enforcement of the mechanisms. If passed, the act would be the first comprehensive federal protection of consumer data privacy within the US.


As of February 10th, 2025, only 30 US states had any type of legislation relating to consumer data privacy in the age of AI. [14] Among the states, 19 have enacted legislation (meaning the bill has passed and is waiting to go into effect) and 14 have currently active legislation. [15] Four states did not vote to pass legislation. [16]  


Today, the US is waiting for the Senate to vote on the proposed bill and for other states to pass legislation to protect their residents while they browse the internet. [17]



References

[1] ServiceReda Sweden AB, GDPR Summary, GDPR Summary (Accessed Feb. 17, 2025, 12:13 PM), https://www.gdprsummary.com/gdpr-summary/

[2] Param Gopalasamy, Navigating the EU AI Act, onetrust (Nov. 13, 2023), https://www.onetrust.com/blog/navigating-the-eu-ai-act/

[3] Yi Wu, How to Interpret China’s First Effort to Regulate Generative AI Measures, China Briefing (Jul. 27, 2023), https://www.china-briefing.com/news/how-to-interpret-chinas-first-effort-to-regulate-generative-ai-measures

[4] CPPA, 2024-2027 Strategic Plan, CPPA (Accessed Feb. 17, 2025), https://cppa.ca.gov/pdf/strategic_plan_2024_2027.pdf


[5] Stuart D. Levi, Ken D. Kumayama, William E. Ridgway, Mana Ghaemmaghami, and MacKinzie M. Neal, Colorado’s Landmark AI Act: What Companies Need To Know, Skadden (Jun. 24, 2024), https://www.skadden.com/insights/publications/2024/06/colorados-landmark-ai-act

[6] Rena Bajowala and Arda Goker, Utah Enacts First AI-Focused Consumer Protection Legislation in US, GreenbergTraurig (Apr. 1, 2024), https://www.gtlaw.com/en/insights/2024/4/utah-enacts-first-ai-focused-consumer-protection-legislation-in-us

[7] Hunton Andrews Kurth, Utah’s AI Policy Act Now Effective, The National Law Review (Jun. 6, 2024), https://natlawreview.com/article/utahs-ai-policy-act-now-effective

[8] OSTP, Blueprint for an AI Bill of Rights, The White House (Accessed Feb. 17, 2025), https://bidenwhitehouse.archives.gov/ostp/ai-bill-of-rights/

[9] OSTP, Safe and Effective Systems, The White House (Accessed Feb. 17, 2025), https://bidenwhitehouse.archives.gov/ostp/ai-bill-of-rights/safe-and-effective-systems/

[10] OSTP, Algorithmic Discrimination Protections, The White House (Accessed Feb. 17, 2025), https://bidenwhitehouse.archives.gov/ostp/ai-bill-of-rights/algorithmic-discrimination-protections/

[11] OSTP, Data Privacy, The White House (Accessed Feb. 17, 2025), https://bidenwhitehouse.archives.gov/ostp/ai-bill-of-rights/data-privacy/

[12] OSTP, Notice and Explanation, The White House (Accessed Feb. 17, 2025), https://bidenwhitehouse.archives.gov/ostp/ai-bill-of-rights/notice-and-explanation/

[13] OSTP, Human Alternatives, Consideration, and Fallback, The White House (Accessed Feb. 17, 2025), https://bidenwhitehouse.archives.gov/ostp/ai-bill-of-rights/human-alternatives-consideration-and-fallback/

[14] Husch Blackwell, 2025 State Privacy Law Tracker, Husch Blackwell (Feb. 10, 2025), https://www.huschblackwell.com/2025-state-privacy-law-tracker

[15] Husch Blackwell, 2025 State Privacy Law Tracker, Husch Blackwell (Feb. 10, 2025), https://www.huschblackwell.com/2025-state-privacy-law-tracker

[16] Husch Blackwell, 2025 State Privacy Law Tracker, Husch Blackwell (Feb. 10, 2025), https://www.huschblackwell.com/2025-state-privacy-law-tracker

[17] Text - H.R.8152 - 117th Congress (2021-2022): American Data Privacy and Protection Act, H.R.8152, 117th Cong. (2022), https://www.congress.gov/bill/117th-congress/house-bill/8152/text.