AI & the New Compliance Landscape

The EU AI Act entered into force in August 2024 and applies to any AI system used in the EU — which means it applies to U.S. businesses that serve EU users. It categorizes AI by risk level:

• Prohibited AI: Social scoring by governments, real-time biometric surveillance, subliminal manipulation. These are banned outright.
• High-risk AI: AI used in education (student assessment, admission), employment (hiring, performance), critical infrastructure, credit scoring, biometric identification. Requires conformity assessments, human oversight, and registration in an EU database.
• Limited risk AI: Chatbots and other AI that interacts with humans must disclose they are AI — users must know they're talking to a machine.
• Minimal risk AI: Spam filters, AI-enabled video games — light transparency obligations only.

For trades businesses: AI-powered chatbots on your website must disclose they are AI (limited risk). If you use AI for hiring decisions, that may be high-risk AI requiring additional controls.

For schools: AI used in student assessment, learning analytics, or admissions may qualify as high-risk AI under the EU AI Act.

The Federal Trade Commission (FTC) has made AI enforcement a priority under Section 5 (unfair or deceptive trade practices) and its specific authority over data security and privacy. Key guidance and actions:

• AI endorsements and testimonials (2023): The FTC updated its Endorsement Guides to clarify that AI-generated testimonials and reviews are subject to the same disclosure requirements as human-written ones. Fabricated or AI-generated reviews, testimonials, or expert endorsements are deceptive trade practices.
• "AI washing" enforcement: The FTC has sent warning letters to companies making exaggerated AI capability claims — using "AI-powered" in marketing when AI plays a minimal role. False claims about AI capabilities are deceptive.
• Biometric data and AI: The FTC has flagged AI systems that collect biometric data (voice, facial recognition) without disclosure as unfair practices.
• Data minimization: The FTC has signaled that training AI models on consumer data beyond the purpose for which it was collected may violate Section 5.

Multiple states have enacted or are actively considering AI-specific legislation:

• Colorado AI Act (SB 24-205): Requires developers and deployers of high-risk AI systems to implement risk management programs and disclose AI use to consumers. Effective February 2026.
• California (multiple bills): AB 2013 requires AI training data disclosures. SB 1047 (amended) addresses safety for large AI models. Additional bills address chatbot disclosure and deepfakes.
• Texas (HB 4337): Requires AI system developers to provide risk assessments for high-risk AI systems deployed in Texas.
• Illinois BIPA: The Biometric Information Privacy Act — the most aggressive biometric privacy law in the U.S. — applies to AI systems that collect or process biometric data (voice prints, facial geometry, iris scans). Class action exposure is enormous: $1,000–$5,000 per violation.