{ "schema_version": 1, "generated_at": "2026-05-09", "rules": [ { "id": "us-ca-bot-disclosure-17941", "jurisdiction": "us-ca", "channels": [ "live-chat", "voice", "video-avatar" ], "use_cases": [ "b2c-customer-support", "b2c-marketing", "b2c-sales", "civic-or-electoral" ], "severity": "mandatory", "short_title": "California bot disclosure (B&P § 17941)", "summary": "California makes it unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election. The disclosure must be clear, conspicuous, and reasonably designed to inform persons with whom the bot communicates or interacts that it is a bot.", "required_elements": [ { "id": "bot-identity", "description": "Clear, conspicuous statement that the communicator is a bot (i.e. not a natural person).", "required": true, "example": "You are chatting with an automated assistant, not a human." }, { "id": "reasonably-designed", "description": "Disclosure must be reasonably designed to inform a reasonable person under the circumstances. (Meta-requirement on the design of the disclosure surface, not on its text content; not validated by substring check.)", "required": false } ], "citation": { "statute": "California Business and Professions Code", "section": "§ 17941", "source_url": "https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC§ionNum=17941", "publisher": "California Legislative Information" }, "effective_date": "2019-07-01", "last_verified": "2026-05-08", "template": { "plain": "You are chatting with an automated AI assistant, not a human. This conversation may be used to help us improve the service.", "formal": "Notice: This communication is conducted by an automated bot operated under California Business and Professions Code § 17941. You are not communicating with a natural person." }, "notes": "Statute applies when the bot intends to mislead about artificial identity for commercial or electoral purposes. Best practice for autonomous AI agent operations is to disclose by default on first contact regardless of intent, since intent is hard to demonstrate after the fact. The statute's safe harbor requires the disclosure be clear and conspicuous." }, { "id": "eu-ai-act-art50-chatbot", "jurisdiction": "eu", "channels": [ "live-chat", "voice", "video-avatar" ], "use_cases": [ "b2c-customer-support", "b2b-customer-support", "b2c-marketing", "b2b-marketing", "b2c-sales", "b2b-sales", "general" ], "severity": "mandatory", "short_title": "EU AI Act Article 50(1) — chatbot disclosure", "summary": "Providers of AI systems intended to interact directly with natural persons must design and develop them so that the natural persons concerned are informed that they are interacting with an AI system, unless that fact is obvious from the point of view of a reasonably well-informed person taking into account the circumstances and the context of use.", "required_elements": [ { "id": "ai-identity", "description": "Inform the natural person that they are interacting with an AI system.", "required": true, "example": "You are interacting with an AI assistant." }, { "id": "design-by-default", "description": "Disclosure must be built into the design and development of the system, not bolted on per-deployment. (Meta-requirement on engineering process, not on disclosure text; not validated by substring check.)", "required": false } ], "citation": { "statute": "Regulation (EU) 2024/1689 (AI Act)", "section": "Article 50(1)", "source_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj", "publisher": "Official Journal of the European Union" }, "effective_date": "2026-08-02", "last_verified": "2026-05-08", "template": { "plain": "You are interacting with an AI system. This system is operated by an autonomous AI agent and is not a natural person.", "formal": "In compliance with Article 50(1) of Regulation (EU) 2024/1689 (the AI Act), please be informed that this interaction is conducted by an AI system, not a natural person." }, "notes": "Article 50 transparency obligations begin to apply on 2 August 2026 per the AI Act's staggered effective dates. The 'obvious from the point of view of a reasonably well-informed person' carve-out is narrow — autonomous AI ventures should disclose by default on first contact." }, { "id": "eu-ai-act-art50-genai-content", "jurisdiction": "eu", "channels": [ "ai-generated-content", "ai-generated-image", "ai-generated-video", "ai-generated-audio" ], "use_cases": [ "b2c-marketing", "b2b-marketing", "b2c-sales", "b2b-sales", "general" ], "severity": "mandatory", "short_title": "EU AI Act Article 50(2) — AI-generated content labeling", "summary": "Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated. Providers shall ensure their technical solutions are effective, interoperable, robust and reliable as far as this is technically feasible.", "required_elements": [ { "id": "machine-readable-mark", "description": "AI-generated synthetic content must carry a machine-readable mark identifying it as artificially generated or manipulated.", "required": true }, { "id": "human-readable-label-where-applicable", "description": "For deepfakes and certain public-interest content, a human-readable label is also required (Article 50(4)).", "required": true } ], "citation": { "statute": "Regulation (EU) 2024/1689 (AI Act)", "section": "Article 50(2)", "source_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj", "publisher": "Official Journal of the European Union" }, "effective_date": "2026-08-02", "last_verified": "2026-05-08", "template": { "plain": "This content was generated or manipulated by an AI system.", "formal": "Disclosure under Article 50(2) of Regulation (EU) 2024/1689 (the AI Act): the preceding content was produced or manipulated by an AI system. A machine-readable provenance mark is embedded in the underlying file metadata." }, "notes": "The provider obligation runs jointly with deployer obligations under Article 50(4). Implementation of machine-readable marks should follow C2PA Content Credentials or equivalent interoperable standards. UPCOMING AMENDMENT (verified 2026-05-08): On 2026-05-07, the EU Council presidency and European Parliament negotiators reached a provisional agreement on the 'Omnibus VII' AI Act simplification package. The agreement reduces the grace period for providers to implement transparency solutions for artificially generated content from 6 months to 3 months, with the new compliance deadline set on 2026-12-02. The provisional agreement also postpones the deadline for the establishment of AI regulatory sandboxes by national competent authorities to 2027-08-02. Re-verify before final adoption — provisional agreements typically reach formal adoption within weeks to a few months." }, { "id": "us-ftc-ai-endorsements-2024", "jurisdiction": "us", "channels": [ "review-or-testimonial", "ai-generated-content" ], "use_cases": [ "b2c-marketing", "b2b-marketing", "b2c-sales", "b2b-sales" ], "severity": "mandatory", "short_title": "FTC rule on fake reviews and testimonials (16 CFR Part 465)", "summary": "The FTC's Trade Regulation Rule on the Use of Consumer Reviews and Testimonials prohibits the writing, creation, sale, or purchase of consumer reviews or testimonials that are fake or that misrepresent the reviewer's experience, including reviews generated by generative artificial intelligence that purport to be by a person who does not exist or did not have the experience. Civil penalties may be assessed per violation.", "required_elements": [ { "id": "no-fabricated-reviewer", "description": "Do not generate, sell, or purchase reviews/testimonials by people who do not exist or did not have the experience described.", "required": true }, { "id": "disclose-material-connection", "description": "Disclose any material connection between the reviewer and the marketer (employee, paid endorser, agent operator, etc.).", "required": true }, { "id": "no-ai-generated-fake-reviewers", "description": "AI-generated reviews must not pretend to be by a person who does not exist or did not have the relevant experience.", "required": true } ], "citation": { "statute": "16 CFR Part 465", "section": "§ 465.2 (fake or false consumer reviews)", "source_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-D/part-465", "publisher": "U.S. Code of Federal Regulations (eCFR)" }, "effective_date": "2024-10-21", "last_verified": "2026-05-08", "template": { "plain": "This review or testimonial is generated by an AI system. It does not reflect the experience of any specific natural person.", "formal": "Pursuant to 16 CFR Part 465, this content is disclosed as AI-generated. It does not represent the views or experience of any natural person and was produced by an automated system; no compensation, fabricated reviewer identity, or undisclosed material connection is involved." }, "notes": "The FTC rule does NOT permit autonomous AI systems to author reviews/testimonials attributed to natural persons. The compliant pattern is either (a) do not generate review-style content at all, or (b) clearly label any AI-generated review-style content as AI-generated and not attributed to any specific natural person." }, { "id": "us-ca-genai-watermark-ab1836-aware", "jurisdiction": "us-ca", "channels": [ "ai-generated-image", "ai-generated-video", "ai-generated-audio", "ai-generated-content" ], "use_cases": [ "b2c-marketing", "b2b-marketing", "general" ], "severity": "recommended", "short_title": "California AI provenance and labeling (SB 942 / AB 2655 family)", "summary": "California has enacted a family of statutes (notably SB 942, the California AI Transparency Act, and AB 2655) requiring covered providers of generative AI systems to make available AI detection tools, embed provenance metadata, and label AI-generated content in election-related and other contexts. Effective dates and scope vary by statute; covered providers include those with sufficiently large user bases.", "required_elements": [ { "id": "provenance-metadata", "description": "Where covered, embed C2PA-compatible provenance metadata in AI-generated outputs.", "required": true }, { "id": "user-facing-label", "description": "Where covered, surface a clear user-facing AI label when generated content is presented to end users.", "required": true }, { "id": "free-detector", "description": "Covered providers under SB 942 must offer a free AI detection tool.", "required": true } ], "citation": { "statute": "California SB 942 (Cal. Bus. & Prof. Code §§ 22757–22757.4)", "section": "California AI Transparency Act", "source_url": "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB942", "publisher": "California Legislative Information" }, "effective_date": "2026-01-01", "last_verified": "2026-05-08", "template": { "plain": "This image / video / audio was generated or substantially modified by an AI system. Provenance metadata is embedded in the file.", "formal": "Disclosure under California SB 942 (California AI Transparency Act): the preceding media was generated or substantially modified by an AI system; C2PA-compatible provenance metadata is embedded; an AI detection tool is available at the provider's website." }, "notes": "Coverage thresholds and election-specific rules (AB 2655) vary. Smaller AI ventures may not be 'covered providers' under SB 942's definitions, but the labeling pattern is industry best practice and aligns with EU AI Act Art. 50(2) for cross-jurisdictional consistency. Verify covered-provider status before relying on non-coverage." }, { "id": "us-co-sb24-205-consumer-disclosure", "jurisdiction": "us-co", "channels": [ "live-chat", "voice", "video-avatar", "email-transactional" ], "use_cases": [ "b2c-customer-support", "b2c-marketing", "b2c-sales", "general" ], "severity": "mandatory", "short_title": "Colorado AI Act consumer-interaction disclosure (SB 24-205)", "summary": "A person doing business in Colorado, including a deployer or other developer, that deploys or makes available an artificial intelligence system intended to interact with consumers must ensure disclosure to each consumer who interacts with the system that the consumer is interacting with an artificial intelligence system. Additional documentation, impact-assessment, and risk-management obligations apply to deployers of 'high-risk' AI systems making consequential decisions about employment, housing, healthcare, education, financial services, legal services, government services, or essential services.", "required_elements": [ { "id": "ai-interaction-notice", "description": "Clear notice to the consumer that they are interacting with an artificial intelligence system.", "required": true, "example": "You are interacting with an artificial intelligence system." }, { "id": "high-risk-additional-disclosures", "description": "If the AI system is high-risk (consequential decisions), the deployer must additionally explain the nature of the decision, the role of the AI system in it, and any avenues for further information or human review. (Content disclosure, scope-dependent.)", "required": false } ], "citation": { "statute": "Colorado Revised Statutes Title 6, Article 1, Part 17 (added by SB 24-205)", "section": "Consumer Protections for Interactions with AI Systems", "source_url": "https://leg.colorado.gov/bills/sb24-205", "publisher": "Colorado General Assembly" }, "effective_date": "2026-06-30", "last_verified": "2026-05-08", "template": { "plain": "You are interacting with an artificial intelligence system. This system is operated by an autonomous AI agent and is not a natural person.", "formal": "Notice under Colorado SB 24-205 (Consumer Protections for Interactions with Artificial Intelligence Systems): the consumer is hereby informed that this interaction is conducted by an artificial intelligence system." }, "notes": "Effective date was extended from 2026-02-01 to 2026-06-30 by SB 25B-004 (Aug 2025) to give the 2026 Colorado legislative session time to consider amendments. The amendment landscape is fluid — re-verify the effective date and amendment status before relying on this rule for production deployments after late Q1 2026." }, { "id": "us-ut-sb149-genai-regulated-occupation", "jurisdiction": "us-ut", "channels": [ "live-chat", "voice", "video-avatar" ], "use_cases": [ "healthcare", "legal-services", "financial-services", "b2c-customer-support" ], "severity": "mandatory", "short_title": "Utah AI Policy Act — GenAI disclosure in regulated occupations (SB 149, as amended by SB 226)", "summary": "A person providing services in a regulated occupation (one requiring state certification or license) must clearly and conspicuously disclose, at the start of an interaction, that the consumer is interacting with generative artificial intelligence — when the consumer asks, OR when the interaction is 'high-risk.' A high-risk interaction is one that involves both (i) the collection of sensitive personal information (financial, health, biometric) AND (ii) the provision of personalized recommendations or advice that could reasonably be relied upon to make significant personal decisions, including financial, legal, medical, or mental health advice. Disclosure must be oral if the interaction is verbal, written if the interaction is written.", "required_elements": [ { "id": "genai-identity", "description": "Clear disclosure that the consumer is interacting with generative AI, not a licensed human professional.", "required": true, "example": "You are interacting with a generative AI system, not a licensed human professional." }, { "id": "at-start-of-interaction", "description": "Disclosure must be at the beginning of the interaction. Channel-matching: oral for verbal, written for written. (Channel/timing rule, not content.)", "required": false } ], "citation": { "statute": "Utah Code Title 13, Chapter 72 (Artificial Intelligence Policy Act)", "section": "SB 149 (2024) as amended by SB 226 (2025) and extended by SB 332 (2025)", "source_url": "https://le.utah.gov/~2024/bills/static/SB0149.html", "publisher": "Utah State Legislature" }, "effective_date": "2024-05-01", "last_verified": "2026-05-08", "template": { "plain": "You are interacting with a generative AI system. This is not a licensed human professional, and the responses are AI-generated.", "formal": "Disclosure under the Utah Artificial Intelligence Policy Act (Utah Code Title 13, Chapter 72): you are interacting with a generative AI system in the delivery of regulated services. This system is not a licensed human professional." }, "notes": "The 2025 amendments (SB 226) narrowed the always-on disclosure obligation: GenAI disclosure in regulated occupations is now triggered when the consumer asks OR when the interaction is 'high-risk.' For autonomous-AI ventures operating in regulated-occupation domains (legal, medical, financial, mental health), best practice is to disclose by default at the start of every interaction regardless of the high-risk threshold — because intent and high-risk classification are difficult to reconstruct after the fact. The Act's expiration was extended to July 2027 by SB 332." }, { "id": "us-tx-traiga-government-disclosure", "jurisdiction": "us-tx", "channels": [ "live-chat", "voice", "video-avatar", "email-transactional" ], "use_cases": [ "civic-or-electoral" ], "severity": "mandatory", "short_title": "Texas Responsible AI Governance Act — government-agency disclosure (HB 149)", "summary": "A governmental agency in Texas that makes available an artificial intelligence system intended to interact with consumers must disclose to each consumer, before or at the time of interaction, that the consumer is interacting with an artificial intelligence system. The disclosure must be clear, conspicuous, written in plain language, and must not use a dark pattern. Note: this obligation runs against Texas governmental agencies; private-sector Texas businesses do NOT have a transparency obligation under HB 149 except in healthcare (see the healthcare-specific rule).", "required_elements": [ { "id": "ai-interaction-notice", "description": "Disclosure that the consumer is interacting with an AI system.", "required": true, "example": "You are interacting with an artificial intelligence system." }, { "id": "plain-language", "description": "Disclosure must be in plain language — no jargon, no legalese, no dark patterns.", "required": true, "example": "You are interacting with an artificial intelligence system, not a person." } ], "citation": { "statute": "Texas Business & Commerce Code (Texas Responsible Artificial Intelligence Governance Act, HB 149, 89th Reg. Sess.)", "section": "Government-agency consumer disclosure provisions", "source_url": "https://capitol.texas.gov/tlodocs/89R/billtext/pdf/HB00149I.pdf", "publisher": "Texas Legislature Online" }, "effective_date": "2026-01-01", "last_verified": "2026-05-08", "template": { "plain": "You are interacting with an artificial intelligence system, not a person. This system is operated by an automated AI agent.", "formal": "Disclosure under the Texas Responsible Artificial Intelligence Governance Act (HB 149): the consumer is hereby informed, in plain language and without dark patterns, that this interaction is conducted by an artificial intelligence system." }, "notes": "TRAIGA's transparency obligations apply primarily to (a) Texas government agencies deploying AI in consumer-facing interactions and (b) Texas healthcare providers using AI in relation to service or treatment. Most private-sector Texas businesses do NOT have a transparency obligation under HB 149. Healthcare providers should disclose by the date the service or treatment is first provided, except in emergencies, in which case as soon as reasonably possible." }, { "id": "us-tx-traiga-healthcare-disclosure", "jurisdiction": "us-tx", "channels": [ "live-chat", "voice", "video-avatar", "email-transactional", "ai-generated-content" ], "use_cases": [ "healthcare" ], "severity": "mandatory", "short_title": "Texas TRAIGA — healthcare-provider AI disclosure (HB 149)", "summary": "If an artificial intelligence system is used in relation to health care service or treatment, the provider of the service or treatment must provide disclosure to the recipient of the service or treatment (or the recipient's personal representative) not later than the date the service or treatment is first provided. In an emergency, the disclosure must be provided as soon as reasonably possible.", "required_elements": [ { "id": "ai-in-care-notice", "description": "Disclosure to the patient or representative that an AI system is being used in relation to the patient's care.", "required": true, "example": "An artificial intelligence system is being used to assist with your care." }, { "id": "timing", "description": "Disclosure must be made by the date the service or treatment is first provided, except in emergencies (then as soon as reasonably possible). (Timing rule, not content.)", "required": false } ], "citation": { "statute": "Texas Business & Commerce Code (TRAIGA, HB 149, 89th Reg. Sess.)", "section": "Healthcare-provider AI disclosure provisions", "source_url": "https://capitol.texas.gov/tlodocs/89R/billtext/pdf/HB00149I.pdf", "publisher": "Texas Legislature Online" }, "effective_date": "2026-01-01", "last_verified": "2026-05-08", "template": { "plain": "An artificial intelligence system is being used in relation to your healthcare service or treatment. You may ask your provider for more information about the AI system's role in your care.", "formal": "Disclosure under the Texas Responsible Artificial Intelligence Governance Act (HB 149): an artificial intelligence system is being used in relation to the healthcare service or treatment provided to the recipient. The provider remains responsible for the service or treatment." }, "notes": "Texas HB 149 healthcare disclosure interacts with broader healthcare regulatory regimes (HIPAA, state medical-board rules, FDA Software-as-a-Medical-Device guidance). The disclosure under TRAIGA is the floor — additional sector rules may impose additional requirements. Texas SB 1188 (also 2025) imposes related healthcare AI obligations and should be reviewed alongside TRAIGA for any healthcare AI deployment in Texas." }, { "id": "us-ny-ai-companion-models-art47", "jurisdiction": "us-ny", "channels": [ "live-chat", "voice", "video-avatar" ], "use_cases": [ "b2c-customer-support", "b2c-marketing", "general" ], "severity": "mandatory", "short_title": "New York AI Companion Models — non-human nature notification (NY GBL Art. 47, A6767)", "summary": "An operator providing an AI companion model to a user in New York must provide notification at the beginning of any AI companion interaction and at least every three hours during continuing interactions. The notification must be either delivered verbally OR in bold-and-capitalized text in not less than 16-point type, with the substantive content: 'THE AI COMPANION (OR NAME OF THE AI COMPANION) IS A COMPUTER PROGRAM AND NOT A HUMAN BEING. IT IS UNABLE TO FEEL HUMAN EMOTION.' Additionally, the operator must implement crisis-response protocols for users expressing suicidal ideation, self-harm, or harm to others. Civil penalties up to $15,000 per day per violation. SCOPE: this rule applies only when the AI system is an 'AI companion model' under NY GBL Art. 47 — emotionally-responsive systems designed for ongoing interpersonal-style interaction. Standard customer-support chatbots are likely outside scope, but the boundary is unsettled.", "required_elements": [ { "id": "ai-companion-non-human-notice", "description": "The substantive notification: '[NAME] IS A COMPUTER PROGRAM AND NOT A HUMAN BEING. IT IS UNABLE TO FEEL HUMAN EMOTION.'", "required": true, "example": "AURA IS A COMPUTER PROGRAM AND NOT A HUMAN BEING. IT IS UNABLE TO FEEL HUMAN EMOTION." }, { "id": "format-or-verbal", "description": "Notification format must be either verbal (when interaction is verbal) or in bold and capitalized text of at least 16-point type. (Format rule, not text content.)", "required": false }, { "id": "every-three-hours", "description": "For continuing interactions, the notification must be repeated at least every three hours. (Cadence rule, not text content.)", "required": false }, { "id": "crisis-protocol", "description": "Operators must implement crisis-response protocols for suicidal ideation, self-harm, and threats of harm to others, including referral to crisis-response resources. (System-design requirement, not in-message disclosure.)", "required": false } ], "citation": { "statute": "New York General Business Law, Article 47 (Artificial Intelligence Companion Models), enacted by A6767", "section": "AI Companion Models — disclosure and crisis protocols", "source_url": "https://www.nysenate.gov/legislation/bills/2025/A6767", "publisher": "New York State Senate" }, "effective_date": "2025-11-05", "last_verified": "2026-05-08", "template": { "plain": "[NAME OF AI COMPANION] IS A COMPUTER PROGRAM AND NOT A HUMAN BEING. IT IS UNABLE TO FEEL HUMAN EMOTION.", "formal": "Notice under New York General Business Law, Article 47 (Artificial Intelligence Companion Models, A6767): [NAME OF AI COMPANION] IS A COMPUTER PROGRAM AND NOT A HUMAN BEING. IT IS UNABLE TO FEEL HUMAN EMOTION. This notification must be displayed in bold capitalized text of at least 16-point type, or delivered verbally if the interaction is verbal, at the start of the interaction and at least every three hours during continuing interactions." }, "notes": "Applicability is the harder question than text content. The law targets AI companion models — emotionally-responsive systems designed for ongoing interpersonal interaction. Customer-support chatbots, voice ordering bots, and transactional voice agents are likely outside scope; companion-style products designed for friendship, intimacy, mental-health-style support, or ongoing personality-driven dialogue are likely inside. The line is fuzzy and untested in litigation as of last verification. For autonomous AI ventures, if your product can be plausibly characterized as a companion (long-form, personality-driven, emotionally-engaged), comply by default. Crisis-protocol obligation is separate from the disclosure obligation and applies regardless of how the disclosure is delivered." }, { "id": "us-il-hb3773-ihra-ai-employment", "jurisdiction": "us-il", "channels": [ "email-transactional", "ai-generated-content", "live-chat" ], "use_cases": [ "employment-decisions" ], "severity": "mandatory", "short_title": "Illinois Human Rights Act — AI in employment notice (HB 3773)", "summary": "Illinois HB 3773 amended the Illinois Human Rights Act to prohibit employers from using AI in a way that subjects employees or applicants to unlawful discrimination, and to require notice when AI is used to influence or facilitate covered employment decisions. The covered decisions include recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, and the terms, privileges, or conditions of employment. The Illinois Department of Human Rights has issued draft implementing rules detailing the notice and recordkeeping requirements.", "required_elements": [ { "id": "ai-use-notice", "description": "Employer must notify the employee or applicant that AI is being used to influence or facilitate the employment decision, and identify the type of decision and the general role of the AI in it.", "required": true, "example": "Notice: This employer uses an AI system to assist with recruitment and screening. Your application materials may be analyzed by the AI to identify qualifying candidates." }, { "id": "covered-decision-coverage", "description": "Notice obligation runs to AI use in recruitment, hiring, promotion, renewal of employment, selection for training/apprenticeship, discharge, discipline, tenure, or terms/privileges/conditions of employment. (Scope rule, not text content.)", "required": false }, { "id": "non-discrimination-substantive", "description": "Substantive prohibition: AI may not be used in a way that has the effect of discriminating against employees on the basis of classes protected by the IHRA — protected even if the discrimination is unintentional. (System-design requirement, not in-message disclosure.)", "required": false } ], "citation": { "statute": "Illinois Human Rights Act (775 ILCS 5/) as amended by HB 3773 (103rd General Assembly)", "section": "AI in employment provisions", "source_url": "https://www.ilga.gov/legislation/billstatus.asp?DocNum=3773&GAID=17&GA=103&DocTypeID=HB&LegID=&SessionID=112", "publisher": "Illinois General Assembly" }, "effective_date": "2026-01-01", "last_verified": "2026-05-08", "template": { "plain": "Notice: This employer uses an artificial intelligence system to influence or facilitate one or more employment decisions affecting you, including potentially recruitment, hiring, promotion, renewal of employment, selection for training, discharge, discipline, or other terms and conditions of employment. The AI system's role is to assist a human decision-maker, not replace one. You may request additional information from the employer about the AI system's role in any decision affecting you.", "formal": "Notice under the Illinois Human Rights Act (775 ILCS 5/) as amended by HB 3773: an artificial intelligence system is being used to influence or facilitate covered employment decisions affecting you. Covered decisions under HB 3773 include recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, and terms, privileges, or conditions of employment. The use of AI in such decisions is subject to the substantive non-discrimination requirements of the IHRA." }, "notes": "The implementing regulations were issued in draft form by the Illinois Department of Human Rights ahead of the 2026-01-01 effective date and may be finalized with refined notice-content and recordkeeping specifics. Re-verify the rule's `last_verified` date and the IDHR's published final rules before relying on this rule for production deployments after Q1 2026. The substantive non-discrimination obligation is independent of the disclosure obligation — even a fully-disclosed AI hiring system can still violate the IHRA if it produces disparate-impact discrimination." }, { "id": "us-ny-nyc-local-law-144-aedt", "jurisdiction": "us-ny-nyc", "channels": [ "email-transactional", "ai-generated-content" ], "use_cases": [ "employment-decisions" ], "severity": "mandatory", "short_title": "NYC Local Law 144 — Automated Employment Decision Tools (AEDT)", "summary": "An employer or employment agency in New York City may not use an automated employment decision tool (AEDT) to substantially assist or replace discretionary decision-making for an employment decision unless: (a) the tool has been the subject of a bias audit conducted no more than one year prior; (b) a summary of the most recent bias audit and the distribution date of the tool is publicly available on the employer's website; AND (c) candidates and employees who reside in NYC have been given at least 10 business days' notice that the AEDT will be used to assess them, the job qualifications and characteristics that will be used by the AEDT, and information about how to request an alternative selection process or accommodation. Penalties: $500 per first violation, $500 to $1,500 per subsequent or continuing violation per day. Effective 2023-01-01; enforcement began 2023-07-05.", "required_elements": [ { "id": "aedt-use-notice", "description": "Notice that an AEDT will be used to assess the candidate or employee.", "required": true, "example": "Notice: This employer uses an automated employment decision tool to assess applications and may use it in evaluating yours." }, { "id": "qualifications-characteristics", "description": "Disclosure of the job qualifications and characteristics the AEDT will use to evaluate the candidate.", "required": true, "example": "The AEDT evaluates the following qualifications and characteristics: skills relevance, work history fit, communication style scoring." }, { "id": "alternative-process-info", "description": "Information about how to request an alternative selection process or a reasonable accommodation.", "required": true, "example": "To request an alternative selection process or a reasonable accommodation under the Americans with Disabilities Act, contact the employer's HR team at the address provided." }, { "id": "ten-business-days-lead-time", "description": "Notice must be provided at least 10 business days before the AEDT is used to assess the candidate or employee. (Timing rule, not text content.)", "required": false }, { "id": "annual-bias-audit", "description": "AEDT must have a bias audit conducted by an independent auditor no more than one year prior to use, with a public summary on the employer's website. (System / governance requirement, not in-message disclosure.)", "required": false } ], "citation": { "statute": "New York City Administrative Code §§ 20-870 through 20-873 (NYC Local Law 144 of 2021)", "section": "AEDT — Automated Employment Decision Tools", "source_url": "https://rules.cityofnewyork.us/rule/automated-employment-decision-tools-updated/", "publisher": "NYC Rules — Department of Consumer and Worker Protection" }, "effective_date": "2023-07-05", "last_verified": "2026-05-08", "template": { "plain": "Notice: This employer uses an automated employment decision tool (AEDT) to assess applications and employees. Job qualifications and characteristics the AEDT evaluates: [list — e.g., skills relevance, work history fit]. To request an alternative selection process or a reasonable accommodation, contact the employer at [contact address]. A summary of the most recent bias audit of the AEDT is available on the employer's website at [URL]. This notice is provided at least 10 business days before the AEDT is used in your evaluation.", "formal": "Notice under New York City Local Law 144 of 2021, codified at NYC Administrative Code §§ 20-870 through 20-873: An automated employment decision tool (AEDT) will be used to substantially assist or replace discretionary decision-making for the employment decision relating to your application or position. The job qualifications and characteristics evaluated by the AEDT are [list]. To request an alternative selection process or reasonable accommodation, contact the employer at [contact]. A bias-audit summary for the AEDT, dated [date] and including the source and type of data used, is published at [URL]. This notice is delivered at least 10 business days prior to the AEDT's use in your evaluation." }, "notes": "NYC Local Law 144 is a city-level rule (jurisdiction `us-ny-nyc`), narrower than IL HB 3773 (state-level). Both apply to employment AI use, but the bias-audit + public-summary requirements of LL 144 are unique to NYC. Note the jurisdictional cascade: candidates residing in NYC who apply for jobs anywhere — even outside NYC — are covered if the employer's AEDT is used in their assessment, per DCWP's interpretation. Bias audits must be conducted by independent auditors and follow the four-fifths rule disparate-impact standard. The DCWP has issued enforcement guidance and is expected to step up investigations in 2026." }, { "id": "us-ca-ab2013-training-data-transparency", "jurisdiction": "us-ca", "channels": [ "about-page", "terms-of-service" ], "use_cases": [ "general" ], "severity": "mandatory", "short_title": "California AB 2013 — Generative AI Training Data Transparency Act", "summary": "On or before January 1, 2026, and before each subsequent release or substantial modification, the developer of a generative AI system or service that is made publicly available to Californians (including any system released on or after January 1, 2022) must post on the developer's internet website a high-level summary of the datasets used to train the system. The disclosure must include the 12 enumerated categories of information set out in the statute, including dataset sources/owners, how the datasets further the system's intended purpose, the number of data points in general ranges (with estimates for dynamic datasets), copyrighted-material usage, and whether personal information is included. Enforceable via California's Unfair Competition Law (Bus. & Prof. Code § 17200), which permits both public-agency and private enforcement.", "required_elements": [ { "id": "dataset-sources", "description": "Sources or owners of the datasets used to train the system.", "required": true, "example": "Datasets were sourced from Common Crawl, a publicly licensed code repository, and the developer's own first-party logs." }, { "id": "purpose-fit", "description": "Description of how the datasets further the intended purpose of the AI system or service.", "required": true, "example": "The training corpus emphasizes legal and regulatory text to align the system with its disclosure-template generation purpose." }, { "id": "data-volume", "description": "The number of data points included in the datasets, in general ranges, with estimated figures for dynamic datasets.", "required": true, "example": "Approximately 1.2 billion text data points across all corpora; dynamic real-time data approximately 4 million additional points per day (estimated)." }, { "id": "copyrighted-material", "description": "Whether the datasets include copyrighted material and the developer's basis for using such material.", "required": true, "example": "Some datasets include copyrighted material accessed under fair-use rationales; others were licensed from third-party providers." }, { "id": "personal-information", "description": "Whether the datasets include personal information and the developer's basis and safeguards.", "required": true, "example": "Datasets include some personal information in publicly-posted online content; the developer applies redaction and tokenization filters during training." }, { "id": "twelve-category-completeness", "description": "Disclosure must cover all 12 categories enumerated in the statute (additional categories beyond those above include: data-collection time period; data point types; whether AI-generated synthetic data was used; dataset cleaning processes; whether inferences are drawn; whether biometric data is included). (Coverage rule, not single in-message disclosure.)", "required": false } ], "citation": { "statute": "California Business and Professions Code (added by AB 2013)", "section": "Generative Artificial Intelligence: Training Data Transparency Act", "source_url": "https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB2013", "publisher": "California Legislative Information" }, "effective_date": "2026-01-01", "last_verified": "2026-05-08", "template": { "plain": "Generative AI Training Data Disclosure (California AB 2013): The datasets used to train this generative AI system include the following categories of information: [sources / owners], [how datasets fit purpose], [data volume in general ranges], [copyrighted-material status and basis], [personal-information status and safeguards], [data collection time period], [data point types], [whether AI-generated synthetic data was used], [dataset cleaning processes], [whether inferences were drawn from data], [whether biometric data is included]. Last updated [date].", "formal": "Disclosure under California AB 2013 (Generative Artificial Intelligence: Training Data Transparency Act): Pursuant to the requirements applicable to developers of generative AI systems made publicly available to Californians, the developer publishes the following high-level summary of training datasets: [twelve enumerated categories]. This disclosure is updated upon each subsequent release or substantial modification of the system." }, "notes": "AB 2013 covers generative AI systems made available to Californians ANY TIME ON OR AFTER 2022-01-01 — so it applies retroactively to systems already in production. Compliance must be in place by 2026-01-01 even for legacy systems. The 'high-level summary' standard is intentionally permissive; developers can use ranges and estimates rather than exhaustive enumeration. Enforcement is via California's Unfair Competition Law, opening private rights of action — expect compliance cases in 2026 onward. Trade-secret protections may apply to specific dataset details but cannot exempt a developer from publishing the high-level summary entirely. This rule's `channels` are `about-page` and `terms-of-service` because the disclosure goes on the developer's website, not in any per-interaction message; queries that target customer-interaction channels (live-chat, voice) will not match this rule and that's correct — AB 2013 is a developer-side artifact, not a per-message obligation." }, { "id": "us-md-le-3-717-facial-recognition-interview", "jurisdiction": "us-md", "channels": [ "video-avatar" ], "use_cases": [ "employment-decisions" ], "severity": "mandatory", "short_title": "Maryland Labor & Employment § 3-717 — facial recognition in interviews requires written consent (HB 1202, 2020)", "summary": "An employer in Maryland may not use facial-recognition services during the interview of an applicant for employment to create a 'machine-interpretable pattern of facial features' unless the applicant signs a written waiver consenting to the use. The waiver must include the applicant's name, the date of the interview, the applicant's consent to the use of facial recognition during the interview, and a statement that the applicant has read the consent waiver. The statute applies to any AI-driven interview platform that performs face-shape analysis, micro-expression scoring, or other face-pattern processing — modern AI hiring/interview tools that scan faces are squarely covered.", "required_elements": [ { "id": "applicant-name", "description": "The waiver must include the applicant's name.", "required": true, "example": "Applicant: Pat Lee" }, { "id": "interview-date", "description": "The waiver must include the date of the interview.", "required": true, "example": "Date of interview: 2026-05-12" }, { "id": "consent-statement", "description": "The waiver must include the applicant's consent to the use of facial-recognition technology during the interview.", "required": true, "example": "I consent to the use of facial-recognition technology during my interview with [employer]." }, { "id": "read-acknowledgment", "description": "The waiver must include a statement that the applicant has read the consent waiver.", "required": true, "example": "I have read and understood this consent waiver." } ], "citation": { "statute": "Maryland Labor and Employment Article § 3-717 (added by HB 1202, Chapter 446 of the 2020 Laws of Maryland)", "section": "Use of facial recognition services during a pre-employment interview", "source_url": "https://mgaleg.maryland.gov/mgawebsite/Legislation/Details/HB1202?ys=2020RS", "publisher": "Maryland General Assembly" }, "effective_date": "2020-10-01", "last_verified": "2026-05-08", "template": { "plain": "Applicant: [NAME]. Date of interview: [DATE]. I consent to the use of facial-recognition technology during my interview with [EMPLOYER]. I have read and understood this consent waiver. Signed: ____________________ Date: ____________________", "formal": "Consent Waiver under Maryland Labor and Employment Article § 3-717 (HB 1202, Chapter 446 of the 2020 Laws of Maryland): The applicant identified by name and interview date below consents to the use of facial-recognition services by the employer during the pre-employment interview, and acknowledges having read this waiver. Applicant: [NAME]. Date of Interview: [DATE]. Employer: [EMPLOYER]. Signature: _______________ Date: ____________________" }, "notes": "The statute is narrow — it applies to facial-recognition services that build a machine-interpretable pattern of facial features, used during interviews. AI hiring tools that record but do not analyze face patterns may be outside scope; tools that score expressions or compute similarity to other faces are inside scope. When in doubt, obtain the waiver — the cost is one form versus the cost of an LE-Article-3-717 violation claim. The waiver requirement runs in parallel with separate disclosure obligations under the IL HB 3773 and NYC Local Law 144 rules — multi-jurisdictional employers using AI interview tools need to satisfy each applicable obligation." }, { "id": "us-eeoc-title-vii-ai-employment-2023", "jurisdiction": "us", "channels": [ "email-transactional", "ai-generated-content", "about-page" ], "use_cases": [ "employment-decisions" ], "severity": "recommended", "short_title": "EEOC Title VII technical assistance — AI selection procedures (2023)", "summary": "The U.S. Equal Employment Opportunity Commission issued technical assistance on May 18, 2023 addressing the application of Title VII of the Civil Rights Act of 1964 to automated systems and AI used in employment-related selection procedures. The guidance reaffirms that the Uniform Guidelines on Employee Selection Procedures (1978) apply to AI/algorithmic tools used to make hiring, promotion, transfer, or firing decisions: such tools are 'selection procedures' under the Uniform Guidelines and are subject to the four-fifths rule for measuring adverse impact. Employers remain liable for discriminatory outcomes from AI tools they use, even tools developed by third-party vendors. The EEOC recommends — but does not strictly mandate — that employers (a) audit AI tools for adverse impact before deployment and on an ongoing basis, (b) be transparent with applicants and employees about the use of AI tools, and (c) provide reasonable accommodations and alternative selection procedures on request. This is interpretive guidance, not a regulation; substantive Title VII liability for disparate-impact discrimination is the binding obligation.", "required_elements": [ { "id": "ai-tool-use-notice", "description": "Notice to applicants and employees that an AI or algorithmic tool will be used in the selection procedure (recommended).", "required": true, "example": "Notice: This employer uses an automated decision-making tool to assist in evaluating applications. Use of this tool will form part of the selection process for this role." }, { "id": "alternative-process-availability", "description": "Information about how to request an alternative, non-AI selection process or a reasonable accommodation under the Americans with Disabilities Act.", "required": true, "example": "If you would prefer an alternative selection process, or require a reasonable accommodation under the ADA, please contact the employer's human resources team." }, { "id": "four-fifths-adverse-impact-audit", "description": "Periodic adverse-impact audit of the AI selection tool against the four-fifths rule of the Uniform Guidelines (1978). (System / governance requirement, not in-message disclosure.)", "required": false } ], "citation": { "statute": "Title VII of the Civil Rights Act of 1964, 42 U.S.C. § 2000e et seq., interpreted via Uniform Guidelines on Employee Selection Procedures (1978), 29 CFR Part 1607", "section": "EEOC Technical Assistance: Assessing Adverse Impact in Software, Algorithms, and Artificial Intelligence Used in Employment Selection Procedures Under Title VII (May 18, 2023)", "source_url": "https://www.eeoc.gov/laws/guidance/select-issues-assessing-adverse-impact-software-algorithms-and-artificial-intelligence", "publisher": "U.S. Equal Employment Opportunity Commission" }, "effective_date": "2023-05-18", "last_verified": "2026-05-08", "template": { "plain": "Notice: This employer uses an automated decision-making (AI) tool to assist in evaluating applications and employment decisions. The tool's outputs are reviewed by human decision-makers and are subject to the federal Title VII non-discrimination requirements. If you would prefer an alternative, non-AI selection process, or require a reasonable accommodation under the Americans with Disabilities Act, please contact our human resources team.", "formal": "Notice under EEOC technical assistance applying Title VII of the Civil Rights Act of 1964 (42 U.S.C. § 2000e et seq.) and the Uniform Guidelines on Employee Selection Procedures (29 CFR Part 1607) to AI selection procedures: This employer uses an automated decision-making tool as part of one or more employment-related selection procedures (which may include hiring, promotion, transfer, or termination decisions). Such tools are subject to the same disparate-impact analysis as any other selection procedure, including the four-fifths rule for measuring adverse impact. Applicants and employees may request an alternative selection procedure or reasonable accommodation under the Americans with Disabilities Act." }, "notes": "EEOC technical assistance is interpretive guidance — not a regulation. The binding obligation is Title VII's prohibition on disparate-impact discrimination, which has been law since the 1971 Griggs v. Duke Power decision. The 2023 guidance simply confirms that AI/algorithmic selection tools are 'selection procedures' under the Uniform Guidelines and subject to the same scrutiny. Severity is `recommended` because the disclosure itself is best-practice, not mandated; the underlying disparate-impact obligation is non-negotiable. The state-level mandates (IL HB 3773, NYC Local Law 144, CO SB 24-205) are stricter than this federal guidance and supersede it where they apply. Employers using AI hiring tools across multiple states should treat the federal EEOC guidance as a floor and the strictest applicable state rule as the ceiling. Note that the EEOC also issued separate technical assistance under the ADA (May 12, 2022) addressing reasonable-accommodation obligations for applicants who cannot effectively interface with AI selection tools — that guidance complements this one and should be consulted alongside it." }, { "id": "eu-gdpr-art22-automated-decisions", "jurisdiction": "eu", "channels": [ "email-transactional", "ai-generated-content", "privacy-policy" ], "use_cases": [ "employment-decisions", "financial-services", "healthcare", "legal-services", "general" ], "severity": "mandatory", "short_title": "EU GDPR Article 22 — automated decision-making rights", "summary": "Under the EU General Data Protection Regulation (Regulation (EU) 2016/679), Article 22(1) gives data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects concerning them or similarly significantly affects them. Exceptions in Article 22(2) permit such decisions if (a) necessary for entering into or performing a contract, (b) authorized by Union or Member-State law that provides safeguards, or (c) based on the data subject's explicit consent. Where one of these exceptions applies, the controller must implement suitable measures to safeguard the data subject's rights and freedoms, including at minimum the right to obtain human intervention, to express their point of view, and to contest the decision (Art. 22(3)). Articles 13(2)(f) and 14(2)(g) require the controller to provide, at the time data is collected, meaningful information about the logic involved in any such automated decision-making and the significance and envisaged consequences of such processing for the data subject. Penalties under Art. 83(5): up to €20 million or 4% of global annual turnover, whichever is higher.", "required_elements": [ { "id": "automated-decision-notice", "description": "Notice that the data subject is being subjected to automated decision-making, including profiling, that produces legal or similarly significant effects.", "required": true, "example": "Notice: This decision was made by an automated system, including profiling, and produces effects relating to your application or account that are significant to you." }, { "id": "logic-involved", "description": "Meaningful information about the logic involved in the automated decision (the type of inputs and the way they are weighted, not the underlying source code or proprietary model parameters).", "required": true, "example": "The decision is based on inputs you provided in your application, your prior interaction history with us, and a credit score from an authorized bureau, weighted to predict outcome likelihood." }, { "id": "significance-and-consequences", "description": "Information about the significance and envisaged consequences of the automated processing for the data subject.", "required": true, "example": "An adverse decision means your application will not proceed; you may reapply after 30 days, or request a human review now." }, { "id": "right-to-human-intervention", "description": "Right to obtain human intervention on the part of the controller, to express the data subject's point of view, and to contest the decision.", "required": true, "example": "You have the right to request that a human review this decision, to provide additional context for consideration, and to contest the decision. To exercise these rights, contact our data-protection team at [contact]." }, { "id": "lawful-basis-disclosure", "description": "Disclosure of the Article 22(2) lawful basis under which the automated decision is made (contract, EU/Member-State law, or explicit consent). (Information requirement, not single in-message text.)", "required": false } ], "citation": { "statute": "Regulation (EU) 2016/679 (General Data Protection Regulation)", "section": "Article 22 — automated individual decision-making, including profiling; in conjunction with Articles 13(2)(f) and 14(2)(g)", "source_url": "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679", "publisher": "Publications Office of the European Union (EUR-Lex)" }, "effective_date": "2018-05-25", "last_verified": "2026-05-08", "template": { "plain": "This decision was made by an automated system. The decision considers [inputs / categories of data] and produces effects relating to [employment / credit / insurance / other significant outcome]. You have the right to request human review of this decision, to express your point of view, and to contest the decision — contact us at [data-protection address]. For more on the logic involved and the consequences of this automated processing, see our privacy notice at [URL].", "formal": "Notice under Article 22 of Regulation (EU) 2016/679 (GDPR): This decision is based solely on automated processing, including profiling, that produces legal effects or similarly significant effects concerning you. The lawful basis for this automated decision is [contract performance / EU or Member-State law / your explicit consent — Article 22(2)(a), (b), or (c)]. Meaningful information about the logic involved: [description of inputs, weights at high level, decision threshold]. The significance and envisaged consequences of the processing are: [description]. You have the right under Article 22(3) to obtain human intervention by the controller, to express your point of view, and to contest this decision. To exercise these rights, contact the data-protection team at [contact]. You also have the right to lodge a complaint with your supervisory authority." }, "notes": "Article 22 applies only to decisions based 'solely' on automated processing. Decisions where a human meaningfully reviews the AI output before it takes effect are NOT solely automated and are outside Article 22's scope, although other GDPR transparency obligations (Arts. 13–14) still apply. The EDPB's Guidelines on Automated Decision-Making (WP251rev.01) clarify that 'meaningful' human review must be substantive — rubber-stamping the AI's recommendation is not enough. The Schufa Holding judgment (CJEU C-634/21, 2023) confirmed that automated credit scoring constitutes a decision under Art. 22 even when the score is then passed to a human-operated lender — because the score itself drives the outcome. EU Member States may impose additional safeguards (e.g., France's Loi Informatique et Libertés, Germany's BDSG § 37); developers should layer Member-State requirements on top. Sectoral overlaps: in employment-decisions use, Article 22 stacks with the EU AI Act's Article 50 chatbot disclosure (where chat is used) and any Member-State implementations; in financial-services, with the EU AI Act's high-risk classification of credit-scoring systems." }, { "id": "us-tn-elvis-act-voice-likeness-2024", "jurisdiction": "us-tn", "channels": [ "ai-generated-audio", "ai-generated-video", "ai-generated-content" ], "use_cases": [ "b2c-marketing", "b2b-marketing", "civic-or-electoral", "general" ], "severity": "mandatory", "short_title": "Tennessee ELVIS Act — voice and likeness protection (HB 2091 / SB 2096, 2024)", "summary": "The Tennessee Ensuring Likeness, Voice, and Image Security Act of 2024 (the 'ELVIS Act') amends Tennessee Code Annotated Title 47, Chapter 25, Part 11 to extend Tennessee's right-of-publicity statute to a person's VOICE in addition to their name, photograph, and likeness. It is unlawful for any person, with knowledge that an individual's voice or likeness is being used without authorization, to publish, perform, distribute, transmit, or otherwise make available to the public an algorithm, software, tool, or other technology, service, or device the primary purpose or function of which is the production of a particular individual's voice or likeness without that individual's authorization. Civil remedies include injunctive relief, treble damages, and attorney's fees; the act creates a Class A misdemeanor for criminal violations and gives standing to the individual, their estate, or any person/entity holding exclusive license to the individual's voice or likeness. Effective July 1, 2024.", "required_elements": [ { "id": "ai-voice-likeness-authorization", "description": "Authorization (license, consent, or other express permission) from the individual whose voice or likeness is being synthesized, BEFORE the AI-generated voice or likeness is published, performed, distributed, or otherwise made available to the public. (Authorization-not-disclosure rule: the obligation is to obtain consent first; disclosure of the AI nature of the content is a parallel best practice but not the statutory cure.)", "required": true, "example": "I, [individual name or authorized rights-holder], grant [licensee] permission to use my voice / likeness in AI-generated audio / video for the purposes of [scope] for the period of [term]. Signed: __________ Date: __________" }, { "id": "ai-generated-content-label", "description": "Where authorization is granted, accompanying clear and conspicuous label that the published content includes AI-synthesized voice or likeness (best practice; complementary to EU AI Act Art. 50(2) and aligned with general FTC endorsement guidance).", "required": true, "example": "This audio (or video) includes an AI-synthesized voice of [individual] used with their permission." }, { "id": "no-tool-distribution-without-authorization", "description": "Prohibition on publishing or distributing tools whose primary purpose is producing a particular individual's voice or likeness without authorization. (System / product-design requirement, not per-message disclosure.)", "required": false } ], "citation": { "statute": "Tennessee Code Annotated, Title 47, Chapter 25, Part 11 (as amended by the Ensuring Likeness, Voice, and Image Security Act of 2024 — HB 2091 / SB 2096, Public Chapter 588)", "section": "Personal Rights Protection Act, as amended by the ELVIS Act", "source_url": "https://wapp.capitol.tn.gov/apps/BillInfo/Default.aspx?BillNumber=HB2091&ga=113", "publisher": "Tennessee General Assembly" }, "effective_date": "2024-07-01", "last_verified": "2026-05-08", "template": { "plain": "AI Voice / Likeness Notice (Tennessee ELVIS Act): The audio (or video) includes an AI-synthesized voice or likeness of [individual]. Use of that voice or likeness has been authorized in writing by [the individual / their authorized rights-holder] for the scope and term of this communication.", "formal": "Notice under the Tennessee Ensuring Likeness, Voice, and Image Security Act of 2024 (HB 2091 / SB 2096, codified at Tenn. Code Ann. Title 47, Chapter 25, Part 11): The published material includes AI-synthesized voice and/or likeness of [individual], used pursuant to written authorization from [the individual or the authorized exclusive rights-holder] dated [date]. The synthesis was performed by [system / service] for the limited purpose of [purpose]. Inquiries about the underlying authorization may be directed to [contact]." }, "notes": "The ELVIS Act is a CONSENT-BASED statute, not solely a disclosure statute. The legal cure for AI voice or likeness use is authorization from the individual; a disclosure label without authorization does NOT cure a violation. The act applies whenever the published content reaches the public AND the actor knew the voice or likeness was being used without authorization — the knowledge standard creates real exposure for any service publishing user-generated AI synthesis content. The act has both civil (treble damages, attorney's fees, injunctive relief) and criminal (Class A misdemeanor) liability tracks. Tool publishers (the providers of voice-cloning or face-swap tools) face independent liability where the tool's primary purpose is producing a particular individual's voice or likeness without authorization — generic voice-synthesis tools that allow the user to clone arbitrary voices may not be covered, but tools marketed around a specific celebrity's voice clearly are. ELVIS Act-style protection is also emerging in California (AB 2602, AB 2655, AB 1836) and at the federal level via the proposed NO FAKES Act; multi-jurisdictional rights-clearance workflows should consider Tennessee + California + (eventually) federal in parallel." }, { "id": "us-cfpb-circular-2023-03-ai-adverse-action", "jurisdiction": "us", "channels": [ "email-transactional", "ai-generated-content" ], "use_cases": [ "financial-services" ], "severity": "mandatory", "short_title": "CFPB Circular 2023-03 — adverse-action notices for AI credit decisions (ECOA / Regulation B)", "summary": "The Consumer Financial Protection Bureau, in Circular 2023-03 (issued September 19, 2023), confirmed that creditors using complex algorithms or artificial intelligence to make credit decisions must still provide statements of specific reasons for adverse actions as required by the Equal Credit Opportunity Act (ECOA, 15 U.S.C. § 1691(d)) and Regulation B (12 CFR § 1002.9). Creditors cannot use the technological complexity of an AI/ML model as a defense for failing to identify the specific principal reasons that adversely affected the applicant. Generic or boilerplate reasons (e.g., 'failed credit-decision model') are insufficient; the creditor must identify the particular factors specific to the applicant's situation. If a creditor cannot accurately identify the specific reasons for an AI-driven adverse decision, the creditor likely cannot lawfully use the model. ECOA penalties include actual damages, punitive damages up to $10,000 per individual action / 1% of net worth in class actions, and attorney's fees; ongoing enforcement priority for the CFPB through 2026.", "required_elements": [ { "id": "specific-principal-reasons", "description": "Statement of the specific principal reasons for the adverse credit action — the particular, applicant-specific factors that drove the decision; not generic or boilerplate explanations.", "required": true, "example": "Specific reasons your application was declined: (1) recent delinquencies on existing accounts; (2) high ratio of unsecured debt to monthly income; (3) short length of credit history. These factors most adversely affected the decision in your case." }, { "id": "right-to-statement-of-reasons", "description": "Notice of the applicant's right to a statement of specific reasons for the adverse action and the timing for requesting it.", "required": true, "example": "If you would like a written statement of the specific reasons for this adverse action, you must request it within 60 days. We will provide the statement within 30 days of your request." }, { "id": "ecoa-equal-credit-notice", "description": "ECOA equal-credit notice — the standard statement of the prohibited bases for credit discrimination.", "required": true, "example": "The federal Equal Credit Opportunity Act prohibits creditors from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to enter into a binding contract), because all or part of the applicant's income derives from any public assistance program, or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The federal agency that administers compliance with this law concerning this creditor is [agency and address]." }, { "id": "ai-driven-decision-explainability", "description": "If the adverse action was driven by an AI / ML model, the creditor's underlying obligation to be able to identify the specific reasons for the model's output (model explainability requirement, governance-side rather than per-message text).", "required": false } ], "citation": { "statute": "Equal Credit Opportunity Act, 15 U.S.C. § 1691(d); Regulation B, 12 CFR § 1002.9; interpreted via CFPB Circular 2023-03 (Adverse action notification requirements and the proper use of the CFPB's sample forms provided in Regulation B)", "section": "Adverse-action notices for AI/ML credit decisions", "source_url": "https://www.consumerfinance.gov/compliance/circulars/circular-2023-03-adverse-action-notification-requirements-and-the-proper-use-of-the-cfpbs-sample-forms-provided-in-regulation-b/", "publisher": "Consumer Financial Protection Bureau" }, "effective_date": "2023-09-19", "last_verified": "2026-05-08", "template": { "plain": "Adverse Credit Decision Notice. We have decided not to approve your application. Specific reasons for this decision: (1) [reason 1 specific to your application]; (2) [reason 2]; (3) [reason 3]. These factors most adversely affected the decision in your case. Note: Federal law prohibits creditors from discriminating against credit applicants on the bases listed below. The federal agency administering this creditor's compliance with the Equal Credit Opportunity Act is [agency, address]. Prohibited bases: race, color, religion, national origin, sex, marital status, age (where the applicant has contract-binding capacity), receipt of income from any public-assistance program, or good-faith exercise of any Consumer Credit Protection Act right. If you would like a written statement of the specific reasons for this adverse action, you must request it within 60 days; we will provide it within 30 days of your request.", "formal": "Notice of Adverse Action under the Equal Credit Opportunity Act (15 U.S.C. § 1691(d)) and Regulation B (12 CFR § 1002.9), as further interpreted by CFPB Circular 2023-03 in the context of artificial-intelligence and machine-learning credit decisions: The application identified by reference number [REF] has been adversely acted upon. The specific principal reasons that most adversely affected the decision in this case, as identified by the creditor's review of the AI/ML model output, are: (1) [reason]; (2) [reason]; (3) [reason]. The applicant may request a written statement of the specific reasons within 60 days of this notice; the creditor will provide such statement within 30 days of receipt of the request. Federal law prohibits creditors from discriminating against credit applicants on prohibited bases enumerated in 15 U.S.C. § 1691(a). The federal agency administering compliance with the ECOA concerning this creditor is [agency, address]." }, "notes": "CFPB Circular 2023-03 makes explicit a position the CFPB had taken in supervisory guidance for years: the technological complexity of an AI/ML model is not a defense for failing to provide ECOA-compliant adverse-action reasons. Creditors must identify the specific factors that affected THIS APPLICANT'S decision — not generic factors that influence the model in general. Practical implications for AI-credit fintechs: (1) the model itself must be explainable to a level that supports per-applicant reason codes — if the model cannot do this, the model cannot be deployed for credit decisions; (2) the reason codes must be checked for accuracy, not just plausibility — using post-hoc SHAP / LIME explanations as the source of reason codes is acceptable IF the creditor has validated that those explanations actually reflect what drove the decision in each case; (3) generic or boilerplate codes ('credit application incomplete', 'failed model threshold') are insufficient — the codes must point to applicant-specific factors. ECOA's statutory penalties combined with ongoing CFPB enforcement priority make this a high-stakes obligation. Note: Regulation B's adverse-action requirements run in parallel with the FCRA's adverse-action requirements (15 U.S.C. § 1681m) when the decision was based in whole or in part on a consumer report — both sets of obligations apply to the same notice." }, { "id": "us-finra-rn-24-09-ai-customer-communications", "jurisdiction": "us", "channels": [ "live-chat", "voice", "email-marketing", "ai-generated-content" ], "use_cases": [ "financial-services" ], "severity": "mandatory", "short_title": "FINRA Regulatory Notice 24-09 — AI in customer communications", "summary": "FINRA Regulatory Notice 24-09 (June 27, 2024) addresses member firm use of generative artificial intelligence and other large language model technologies in their securities business. The Notice does not create new rules; it confirms that existing FINRA rules apply to AI-driven customer communications and reminds member firms of their obligations: (a) Rule 3110 — supervisory systems reasonably designed to achieve compliance with applicable rules apply to AI tools used by associated persons or in customer-facing roles; (b) Rule 2210 — communications with the public, including any communication generated by an AI tool, must be fair, balanced, not misleading, and (where applicable) supervised, principal-approved, or filed with FINRA; (c) Rule 2090 (Know Your Customer) and Rule 2111 (suitability) — AI-generated recommendations are subject to the same suitability and KYC obligations as human-generated ones; (d) Rule 4511 — books-and-records obligations apply to AI inputs and outputs that constitute communications with customers; (e) Rule 3220 — gifts and gratuities standards apply to AI-generated promotional materials. Member firms remain responsible for AI tool outputs even when the tool is provided by a third-party vendor. Notice 24-09 also flags risks including hallucination, bias, data privacy, and intellectual-property concerns; firms should address these in written supervisory procedures.", "required_elements": [ { "id": "ai-communication-supervision", "description": "AI-generated communications with the public are subject to FINRA Rule 2210 standards (fair, balanced, not misleading) and the firm's existing principal-review / pre-approval / filing workflow as applicable to the communication type.", "required": true, "example": "All customer-facing communications generated by the AI assistant are reviewed by a qualified principal under FINRA Rule 2210 before delivery and retained per the firm's books-and-records policy under Rule 4511." }, { "id": "ai-recommendation-suitability", "description": "AI-generated investment recommendations or advice are subject to FINRA Rule 2111 suitability obligations on the same terms as human-generated recommendations; firm WSPs must address how AI-generated recommendations are reviewed for suitability.", "required": true, "example": "Any investment recommendation generated by the AI tool for a customer account is subject to a Rule 2111 suitability review against the customer's investment profile under the firm's written supervisory procedures." }, { "id": "third-party-vendor-responsibility", "description": "Firm responsibility for AI tool outputs persists when the tool is operated by a third-party vendor; vendor due diligence and oversight are part of the firm's Rule 3110 supervisory obligation.", "required": true, "example": "AI tools operated by third-party vendors are vetted, monitored, and supervised by the firm under FINRA Rule 3110; the firm remains responsible for any communications, recommendations, or records generated by those tools in connection with its securities business." }, { "id": "wsp-ai-coverage", "description": "Written supervisory procedures address AI tool use, including risk areas of hallucination, bias, data privacy, and IP. (System / governance requirement, not per-message text.)", "required": false } ], "citation": { "statute": "FINRA Rules 2210, 2090, 2111, 3110, 4511, 3220 (existing); FINRA Regulatory Notice 24-09, 'FINRA Reminds Member Firms of Their Obligations When Using Generative Artificial Intelligence and Large Language Models' (June 27, 2024)", "section": "Member-firm obligations when using AI in securities business", "source_url": "https://www.finra.org/rules-guidance/notices/24-09", "publisher": "Financial Industry Regulatory Authority" }, "effective_date": "2024-06-27", "last_verified": "2026-05-08", "template": { "plain": "Notice — Customer Communication via AI Tool: This message (or recommendation) was prepared with the assistance of an artificial-intelligence tool and is subject to the same review and supervision standards as any communication delivered by [Member Firm]. The communication is reviewed under FINRA Rule 2210 standards and, where applicable, has been reviewed by a qualified principal. Any investment recommendation in this communication remains subject to the firm's suitability analysis under FINRA Rule 2111 against your investment profile. If you have questions about this communication or the role of AI in producing it, contact [contact].", "formal": "Notice under FINRA Regulatory Notice 24-09 and Rules 2210, 2090, 2111, 3110, 4511, and 3220: This communication was generated, in whole or in part, with the assistance of artificial-intelligence technology. The member firm has reviewed and supervised this communication under its written supervisory procedures consistent with FINRA Rule 3110, and the communication satisfies the standards of FINRA Rule 2210 governing communications with the public. Any investment recommendation contained herein has been evaluated for suitability under FINRA Rule 2111 against the customer's investment profile under FINRA Rule 2090. The firm retains records of this communication under FINRA Rule 4511. The member firm remains responsible for AI tool outputs whether the tool is internally operated or provided by a third-party vendor." }, "notes": "FINRA Regulatory Notice 24-09 is reminder-and-clarification guidance — it does not create new rules. The binding obligations are the existing FINRA rules (2210, 2090, 2111, 3110, 4511, 3220), which apply by their existing terms to AI-driven communications, recommendations, and records. Member firms (broker-dealers and their associated persons) are bound; non-member firms are not directly bound by FINRA rules but may face parallel obligations under SEC rules (e.g., Rule 17a-4 books-and-records, Investment Advisers Act fiduciary duty for IA-registered firms) — this rule's `jurisdiction` is `us` because FINRA is a self-regulatory organization with national scope, not a single-state regulator. The 2023 SEC Staff Bulletin on conflicts of interest for AI/PDA-using broker-dealers and investment advisers (and the SEC's proposed PDA rule, Rel. No. 34-97990) layers additional obligations specifically around conflicts; firms with PDA / AI advisory tools should consult both. FINRA expects firms to update their WSPs to specifically address AI tool use; using AI without WSP coverage is an immediate Rule 3110 supervision deficiency. Firms should also be aware of state-level adverse-action and disclosure overlays (e.g., NYDFS's October 2024 cybersecurity / AI guidance for licensed entities)." }, { "id": "us-hhs-section-1557-pcdst-2024", "jurisdiction": "us", "channels": [ "ai-generated-content", "about-page", "privacy-policy" ], "use_cases": [ "healthcare" ], "severity": "mandatory", "short_title": "HHS Section 1557 — Patient Care Decision Support Tools nondiscrimination (2024 final rule)", "summary": "On May 6, 2024, the U.S. Department of Health and Human Services Office for Civil Rights published a final rule (89 Fed. Reg. 37522) implementing Section 1557 of the Affordable Care Act that imposes nondiscrimination obligations on covered entities' use of 'patient care decision support tools' (PCDSTs) — defined to include automated and non-automated tools, including artificial-intelligence and machine-learning-based clinical decision support. Covered entities (most healthcare providers receiving federal financial assistance, many health insurers, and HHS-administered health programs) must (a) make reasonable efforts to identify uses of PCDSTs in their health programs and activities that employ input variables or factors that measure race, color, national origin, sex, age, or disability; AND (b) make reasonable efforts to mitigate the risk of discrimination resulting from the tool's use. The compliance deadline for the PCDST nondiscrimination obligation was May 1, 2025; the obligation is now in effect and enforceable. Penalties for Section 1557 violations include loss of federal financial assistance, OCR-imposed corrective-action plans, and potential private-right-of-action claims for discrimination.", "required_elements": [ { "id": "pcdst-identification", "description": "Reasonable efforts to identify uses of PCDSTs (including AI/ML clinical decision support tools) in the entity's health programs and activities.", "required": false, "example": "Internal inventory and documentation of all AI/ML clinical decision support tools deployed in patient care, with notation of input variables and use cases. (System / governance requirement; does not require per-patient disclosure.)" }, { "id": "pcdst-mitigation", "description": "Reasonable efforts to mitigate the risk of discrimination resulting from PCDST use, including documentation of mitigation steps and ongoing monitoring.", "required": false, "example": "Documented mitigation procedures, periodic testing for adverse impact across protected classes, and a designated responsible person or office. (System / governance requirement.)" }, { "id": "patient-facing-pcdst-notice", "description": "Patient-facing notice that AI/ML decision-support tools may inform clinical decisions, where the entity's notice-of-availability obligations under § 92.11 apply (translation requirements + civil rights coordinator + grievance procedures).", "required": true, "example": "Notice: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial intelligence. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights." }, { "id": "civil-rights-coordinator-designation", "description": "Designation of a Civil Rights Coordinator responsible for the entity's Section 1557 compliance, including PCDST nondiscrimination obligations. (Governance, not per-patient text.)", "required": false } ], "citation": { "statute": "Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116); 45 CFR Part 92, as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522", "section": "45 CFR § 92.210 (Discrimination through the use of patient care decision support tools)", "source_url": "https://www.federalregister.gov/documents/2024/05/06/2024-08711/nondiscrimination-in-health-programs-and-activities", "publisher": "U.S. Department of Health and Human Services, Office for Civil Rights" }, "effective_date": "2025-05-01", "last_verified": "2026-05-08", "template": { "plain": "Notice — Use of Decision-Support Tools in Your Care: Some clinical decisions in your care may be informed by automated decision-support tools, including artificial-intelligence and machine-learning systems. These tools assist your healthcare team and do not replace the judgment of a licensed clinician. You have the right to discuss any care decision with your provider. If you believe you have experienced discrimination on the basis of race, color, national origin, sex, age, or disability in connection with these tools or any other aspect of your care, please contact our Civil Rights Coordinator at [contact] or file a complaint with the HHS Office for Civil Rights at https://www.hhs.gov/ocr/.", "formal": "Notice under Section 1557 of the Patient Protection and Affordable Care Act (42 U.S.C. § 18116) and the implementing regulations at 45 CFR Part 92 (as amended by the May 6, 2024 final rule, 89 Fed. Reg. 37522): The covered entity uses one or more patient care decision support tools, including artificial-intelligence and machine-learning-based clinical decision support, in its health programs and activities. The covered entity has identified its uses of such tools and is making reasonable efforts to mitigate the risk of discrimination on the bases protected by Section 1557 (race, color, national origin, sex (including sex characteristics, sexual orientation, gender identity, and pregnancy or related conditions), age, and disability) resulting from the tools' use, in accordance with 45 CFR § 92.210. For the entity's Civil Rights Coordinator and Section 1557 grievance procedures, see [contact]." }, "notes": "Section 1557's PCDST obligation is governance-heavy — most of the compliance work is internal (identifying tools, documenting mitigation, designating coordinators) rather than patient-facing text. The patient-facing element is the Section 1557 notice-of-availability under § 92.11 plus, where the entity exposes AI-informed decisions to patients, a clear acknowledgment that automated tools may inform clinical decisions and a path to discuss with a clinician. Covered entities include most healthcare providers receiving any form of federal financial assistance (Medicare-participating providers, Medicaid-participating providers, federally-qualified health centers, etc.), all health insurers in HHS-administered marketplaces, and HHS itself. The 'reasonable efforts' standard is intentionally flexible — OCR has stated in commentary that what constitutes 'reasonable' will scale with the entity's size and resources, but documentation is essential. PCDSTs explicitly include AI/ML decision-support tools and (per OCR commentary) tools that produce or use clinical scores (e.g., Epic Sepsis Model, Beth Israel Discharge Risk score, etc.). Federal funding loss is the principal sanction; OCR can also impose corrective action plans. State-level overlays may apply (e.g., California SB 1120 — Physicians Make Decisions Act, requiring physician review of AI-driven coverage denials in health plans — effective 2025-01-01). Stack with HIPAA Privacy Rule (45 CFR Part 164) when patient information is processed; stack with state AI hiring/employment-decision laws when the PCDST is used in employment of healthcare workers." }, { "id": "us-ca-sb1120-physicians-make-decisions-2024", "jurisdiction": "us-ca", "channels": [ "email-transactional", "ai-generated-content" ], "use_cases": [ "healthcare", "financial-services" ], "severity": "mandatory", "short_title": "California SB 1120 — Physicians Make Decisions Act (utilization review)", "summary": "California SB 1120 (signed September 28, 2024; effective January 1, 2025) amends Health and Safety Code § 1367.01 (governing health-care service plans regulated by the Department of Managed Health Care) and Insurance Code § 10123.135 (governing health insurers regulated by the Department of Insurance) to limit the use of artificial-intelligence and algorithmic tools in utilization review and utilization management decisions for medical necessity. A health-care service plan or insurer that uses AI, algorithm, or other software tool for the purpose of utilization review or utilization management may not deny, delay, or modify health-care services based in whole or in part on medical necessity unless a licensed physician (or other licensed healthcare professional acting within the scope of practice) reviews the basis for the decision and the decision considers the enrollee's individual clinical circumstances. The AI tool must be fairly and equitably applied; bias must be avoided in design, training, and ongoing operation; the tool must not directly or indirectly cause harm to the enrollee. Information about the use of the AI tool must be disclosed to enrollees, regulators (DMHC and CDI), and the public. Penalties are administered through DMHC and CDI authority and may include corrective action plans, civil penalties, and (for willful or repeated violations) license-related sanctions.", "required_elements": [ { "id": "physician-review-of-denial", "description": "A licensed physician (or other licensed healthcare professional within scope of practice) must review the basis for any AI-driven denial, delay, or modification of medical-necessity coverage; the decision must consider the enrollee's individual clinical circumstances. (Procedural requirement; the consumer-facing element is disclosure that the review occurred.)", "required": true, "example": "This coverage decision was reviewed by [physician name and California license number], who considered your individual clinical circumstances, including [factors] in the determination." }, { "id": "ai-tool-use-disclosure", "description": "Disclosure to the enrollee that an AI, algorithm, or other software tool was used in the utilization review or utilization management process, including how it was used and how it informed the decision.", "required": true, "example": "An automated decision-support tool was used in evaluating your prior authorization request. The tool [analyzed claim history / scored medical necessity / surfaced relevant guidelines]; its output was reviewed by a licensed physician before this decision." }, { "id": "appeal-rights-notice", "description": "Notice of the enrollee's appeal rights, including the right to internal grievance, external independent medical review, and (for life-threatening conditions) expedited review.", "required": true, "example": "If you disagree with this decision, you have the right to file an internal grievance with [plan name] and to request an Independent Medical Review (IMR) through the California Department of Managed Health Care at https://healthhelp.ca.gov/ or 1-888-466-2219. For decisions involving an imminent and serious threat to your health, you may request an expedited review." }, { "id": "fair-and-equitable-application", "description": "The AI tool must be fairly and equitably applied; the plan or insurer must avoid bias in tool design, training data, and ongoing operation. (System / governance requirement; not a per-decision message.)", "required": false }, { "id": "regulator-disclosure", "description": "Disclosure to DMHC and CDI of the plan/insurer's use of AI tools in utilization review, including periodic reporting under regulator-issued guidance. (Regulator-facing, not enrollee-facing.)", "required": false } ], "citation": { "statute": "California Health and Safety Code § 1367.01 (DMHC-regulated plans) and Insurance Code § 10123.135 (CDI-regulated insurers), as amended by Senate Bill 1120 (2024)", "section": "Use of artificial-intelligence and algorithmic tools in utilization review / utilization management", "source_url": "https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB1120", "publisher": "California Legislative Information" }, "effective_date": "2025-01-01", "last_verified": "2026-05-08", "template": { "plain": "Notice — Use of Decision-Support Tool in This Coverage Decision: An automated decision-support tool was used in evaluating your prior authorization or coverage request. The tool's output was reviewed by [licensed physician or other healthcare professional] who considered your individual clinical circumstances before making this determination. If your request was denied, delayed, or modified, you have the right to appeal through [plan name]'s internal grievance process and to request an Independent Medical Review through the California Department of Managed Health Care at https://healthhelp.ca.gov/ or 1-888-466-2219. For health conditions that pose an imminent and serious threat to your health, expedited review is available.", "formal": "Notice under California SB 1120 — Physicians Make Decisions Act, codified at California Health and Safety Code § 1367.01 (or Insurance Code § 10123.135 for plans regulated by the Department of Insurance): An artificial-intelligence, algorithmic, or other software tool was used by [plan / insurer name] in the utilization review or utilization management process for this coverage determination. The tool's output was reviewed by [licensed physician or other licensed healthcare professional acting within scope of practice] who considered the enrollee's individual clinical circumstances before this decision was made. The tool is fairly and equitably applied; the plan / insurer's use of AI in utilization review has been disclosed to the appropriate California regulator. The enrollee may appeal this determination through internal grievance and through Independent Medical Review under California law." }, "notes": "SB 1120 is one of the first US state laws to specifically restrict AI use in health-coverage decisions. The law applies to two distinct regulatory regimes: DMHC-regulated health-care service plans (most California HMOs and many PPOs) under HSC § 1367.01, and CDI-regulated health insurers under Ins. Code § 10123.135. The use case here is `healthcare` (clinical decision impact) and `financial-services` (insurance coverage decisions involving payment) — many compliance-relevant decisions sit at the intersection, and surfacing both makes the rule discoverable for either query path. The physician-review requirement is procedural — the AI cannot make the final medical-necessity determination on its own. The disclosure obligation is the consumer-facing element. SB 1120 stacks with HHS Section 1557 PCDST nondiscrimination obligations (federal floor) and with the Colorado AI Act / Texas TRAIGA-healthcare / Utah AI Act in their respective state operations. ERISA self-funded plans are typically exempt from state insurance regulation but may be subject to federal-floor obligations and HHS Section 1557. Class-action litigation over AI denial of care has been ongoing under existing law in 2024–2025; SB 1120 codifies a clearer disclosure-and-review standard. Verify against DMHC and CDI guidance before production deployment — both regulators have rulemaking authority and have issued or are expected to issue more detailed implementation guidance through 2026." }, { "id": "us-fda-pccp-aiml-device-software-2024", "jurisdiction": "us", "channels": [ "ai-generated-content", "about-page", "terms-of-service" ], "use_cases": [ "healthcare" ], "severity": "mandatory", "short_title": "FDA Predetermined Change Control Plans for AI/ML-Enabled Device Software Functions (Final Guidance, December 2024)", "summary": "On December 4, 2024, the U.S. Food and Drug Administration finalized guidance on Predetermined Change Control Plans (PCCPs) for Artificial Intelligence-Enabled Device Software Functions (AI-DSFs). Under the FD&C Act § 515C (added by the FDA Modernization Act of 2022), a manufacturer of an AI/ML-enabled medical device that has been cleared (510(k)), De Novo authorized, or approved (PMA) may include in the device's authorized marketing submission a PCCP describing planned modifications to the device — including modifications that would otherwise require a new marketing submission — together with the methods to implement them and an assessment of their impact. Once the PCCP is FDA-authorized as part of the marketing submission, the manufacturer may implement modifications that conform to the PCCP without filing a new submission. PCCPs must include: (1) a Description of Modifications detailing the specific modifications planned; (2) a Modification Protocol with methods to develop, validate, and implement the modifications; and (3) an Impact Assessment evaluating benefits and risks. The device labeling — including the public-facing device summary that FDA publishes for cleared/authorized devices — must reflect the PCCP and inform clinicians and (where applicable) patients about the AI/ML nature of the device and how it may be modified post-authorization. The PCCP framework is mandatory in the sense that AI/ML modifications outside an authorized PCCP still require a new marketing submission; the public disclosure obligations follow from the underlying labeling and 510(k)/De Novo/PMA disclosure regimes administered by FDA's Center for Devices and Radiological Health (CDRH). Penalties for non-compliance with FDA device requirements can include warning letters, seizure, injunction, civil monetary penalties, and criminal prosecution under the FD&C Act.", "required_elements": [ { "id": "pccp-in-marketing-submission", "description": "Authorized PCCP in the device's marketing submission (510(k), De Novo, or PMA), comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment. (Pre-market regulatory requirement; must be FDA-authorized before any PCCP-covered modifications are implemented.)", "required": false }, { "id": "device-labeling-aiml-disclosure", "description": "Device labeling must disclose that the device is an AI/ML-enabled device software function, summarize the PCCP (where present), and inform users that the device may be modified within the bounds of the authorized PCCP without a new marketing submission.", "required": true, "example": "This device incorporates an artificial intelligence / machine-learning algorithm. The device's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) under FD&C Act § 515C; the manufacturer may implement modifications conforming to the PCCP without a new marketing submission. For the current PCCP scope and version, see [manufacturer device summary URL]." }, { "id": "user-facing-aiml-summary", "description": "Plain-language summary of the AI/ML nature of the device, intended use, performance characteristics, and the kinds of modifications anticipated under the PCCP, made available to clinicians and (where the device is patient-facing) to patients.", "required": true, "example": "This device uses machine learning to [intended task]. The model's performance has been validated for [population / indication]. Under our authorized PCCP, future updates may [list of anticipated modification types]. Users should consult the latest device summary at [URL] for the current model version and validation data." }, { "id": "post-implementation-transparency", "description": "Post-implementation transparency: when a PCCP-conforming modification is implemented, the manufacturer must update device labeling and the public-facing device summary to reflect the modification and its impact, and must document the modification under the PCCP's Modification Protocol.", "required": false } ], "citation": { "statute": "Federal Food, Drug, and Cosmetic Act § 515C (21 U.S.C. § 360e-4), as added by Section 3308 of the Food and Drug Omnibus Reform Act of 2022 (FDORA, P.L. 117-328, Division FF, Title III)", "section": "Predetermined Change Control Plans for Artificial Intelligence-Enabled Device Software Functions: Guidance for Industry and Food and Drug Administration Staff (Final, December 4, 2024)", "source_url": "https://www.fda.gov/regulatory-information/search-fda-guidance-documents/predetermined-change-control-plans-artificial-intelligence-enabled-device-software-functions", "publisher": "U.S. Food and Drug Administration, Center for Devices and Radiological Health" }, "effective_date": "2024-12-04", "last_verified": "2026-05-08", "template": { "plain": "Notice — AI/ML-Enabled Medical Device: This device incorporates an artificial intelligence or machine-learning algorithm. The device has been authorized for marketing by the U.S. Food and Drug Administration under [510(k) / De Novo / PMA number]. The manufacturer's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) describing the modifications that may be implemented to the device's algorithm without a new FDA submission. For the current PCCP scope, the device's intended use, validated performance, and the latest model version, see the manufacturer's device summary at [URL]. Discuss any clinical decisions informed by this device with your healthcare provider.", "formal": "Notice under FD&C Act § 515C (21 U.S.C. § 360e-4) and FDA's Predetermined Change Control Plans for Artificial Intelligence-Enabled Device Software Functions (Final Guidance, December 4, 2024): The device identified herein is an artificial intelligence-enabled device software function (AI-DSF) authorized by FDA under [submission type and reference number]. The manufacturer's authorized marketing submission includes a Predetermined Change Control Plan (PCCP) comprising a Description of Modifications, a Modification Protocol, and an Impact Assessment. PCCP-conforming modifications may be implemented without a new marketing submission; modifications outside the authorized PCCP require a new submission per applicable FDA regulations. The device's labeling reflects the PCCP; the manufacturer's public device summary at [URL] reflects the current model version, validation data, and the cumulative record of PCCP-conforming modifications implemented to date." }, "notes": "PCCP is the FDA's response to the 'locked algorithm' problem for AI/ML medical devices: prior to FDORA § 515C (2022), any change to the algorithm of a cleared/authorized AI/ML device that affected safety or effectiveness typically required a new 510(k) / De Novo / PMA submission, which made iterative model improvement impractical. The PCCP framework lets manufacturers pre-authorize a bounded set of modifications and the validation methods for each. The December 2024 final guidance applies to all medical devices regardless of pathway (510(k), De Novo, PMA) and supersedes the April 2023 draft. Disclosure scope: the FDA-required labeling under 21 CFR Part 801 (device labeling) and the public-facing 510(k) summary / De Novo decision summary / PMA approval order published on FDA's website constitute the public disclosure surface; manufacturers typically also publish device-summary pages on their own websites with current model version and validation data. Use case is `healthcare`. Stack with HHS Section 1557 PCDST nondiscrimination obligations and with state-level rules like California SB 1120 — Physicians Make Decisions Act when the device is used in coverage decisions. The patient-facing element is conditional: most FDA-regulated AI/ML devices are clinician-facing tools, but where the device produces output that is shown to patients (e.g., consumer-facing diabetes risk estimators, certain digital health products), the AI/ML disclosure should be patient-facing. The 'mandatory' severity reflects that AI/ML modifications must be authorized — either through PCCP or through a new submission — and that labeling disclosure is required; the 'recommended' framing applies to design choices about how detailed to make the user-facing AI/ML summary. Verify against the current FDA guidance and any device-class-specific guidance before production deployment." }, { "id": "us-fcc-tcpa-ai-voice-robocall-2024", "jurisdiction": "us", "channels": [ "voice" ], "use_cases": [ "b2c-marketing", "b2c-sales", "b2c-customer-support", "civic-or-electoral", "general" ], "severity": "mandatory", "short_title": "FCC Declaratory Ruling — AI-generated voice in robocalls is an 'artificial or prerecorded voice' under TCPA (February 2024)", "summary": "On February 8, 2024, the U.S. Federal Communications Commission issued a Declaratory Ruling (CG Docket No. 23-362, FCC 24-17) confirming that AI-generated voice clones and other AI-synthesized voices used in calls to consumers are 'artificial or prerecorded voices' within the meaning of the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. § 227(b)(1)(A)–(B), and the Commission's implementing rules at 47 CFR § 64.1200. The ruling means that any robocall to a wireless number that uses an AI-generated voice (or to a residential landline for a telemarketing purpose) requires the called party's prior express written consent (for telemarketing) or prior express consent (for non-telemarketing/informational) — and remains subject to the TCPA's identification-of-caller and opt-out requirements. Statutory damages under the TCPA are $500 per violation (per call), up to $1,500 per willful or knowing violation. State Attorneys General, the FCC, and a private right of action under § 227(b)(3) are all available enforcement paths.", "required_elements": [ { "id": "prior-express-consent", "description": "Prior express written consent (for telemarketing AI-voice calls to wireless numbers and residential landlines) or prior express consent (for non-telemarketing/informational AI-voice calls) before placing the call. (Pre-call consent requirement; the consumer-facing disclosure occurs at consent-collection time, not at call time.)", "required": false }, { "id": "caller-identification", "description": "At the beginning of the AI-voice call, the message must clearly state the identity of the business, individual, or other entity that is responsible for initiating the call.", "required": true, "example": "This is an automated call from [business name]." }, { "id": "callback-number", "description": "During or after the AI-voice message, the called party must be provided with a telephone number (other than that of the autodialer or prerecorded message player) that the called party can use to make a do-not-call request.", "required": true, "example": "To stop receiving calls from us, please call [phone number] or press [digit] now." }, { "id": "interactive-opt-out", "description": "For telemarketing AI-voice calls, an automated, interactive voice- and/or key-press-activated opt-out mechanism must be available throughout the duration of the call.", "required": false } ], "citation": { "statute": "Telephone Consumer Protection Act of 1991, codified at 47 U.S.C. § 227; 47 CFR § 64.1200", "section": "FCC Declaratory Ruling, CG Docket No. 23-362, FCC 24-17 (released February 8, 2024)", "source_url": "https://www.fcc.gov/document/fcc-makes-ai-generated-voices-robocalls-illegal", "publisher": "U.S. Federal Communications Commission" }, "effective_date": "2024-02-08", "last_verified": "2026-05-08", "template": { "plain": "Notice — Automated Call: This is an automated call from [business name]. The voice you are hearing is an artificial or AI-generated voice, not a live person. To stop receiving calls from us, please press [digit] or call [phone number].", "formal": "Notice under the Telephone Consumer Protection Act, 47 U.S.C. § 227, and the Federal Communications Commission's Declaratory Ruling FCC 24-17 (February 8, 2024) confirming that AI-generated voices in robocalls are 'artificial or prerecorded voices' under the TCPA: This call is being placed by [business name and contact information]. The voice in this call is artificially generated. The called party may opt out of future calls from this caller at any time by [opt-out instructions]. Calls placed in violation of the TCPA are subject to statutory damages of $500 per call, up to $1,500 per willful or knowing violation." }, "notes": "The FCC's February 2024 Declaratory Ruling closed an interpretive gap — TCPA's 'artificial or prerecorded voice' language predates AI voice cloning, and there had been arguments that AI-generated voices were not covered. The ruling makes clear they are. Practical consequences: (1) any AI-voice call to a wireless number for any purpose typically requires prior express consent; (2) AI-voice calls for telemarketing require prior express written consent; (3) every AI-voice call must include caller identification and an opt-out path. The ruling stacks with state-level robocall laws (e.g., Florida, Oklahoma, Pennsylvania, Washington) that may impose additional consent or disclosure requirements; with California's B&P § 17941 bot-disclosure rule when the caller is in or reaching California; and with EU AI Act Article 50 when the caller reaches EU residents. The FCC has paired this ruling with separate caller-ID authentication enforcement (STIR/SHAKEN) targeting AI-voice scam robocalls. Class actions under TCPA are common; the per-call statutory damages structure means even small-volume AI-voice campaigns carry significant exposure. Legal-services and political-campaign callers face additional state-law restrictions. The April 2024 FCC Notice of Proposed Rulemaking (CG Docket 23-362) proposed disclosure rules specific to AI-generated content in calls and texts; verify the latest rulemaking status before production deployment." }, { "id": "us-cms-medicare-advantage-ai-prior-auth-2024", "jurisdiction": "us", "channels": [ "ai-generated-content", "about-page" ], "use_cases": [ "healthcare" ], "severity": "mandatory", "short_title": "CMS Medicare Advantage — algorithms / AI in coverage and prior-authorization decisions (CMS-4201-F + Feb 2024 FAQ)", "summary": "On April 5, 2023, the Centers for Medicare & Medicaid Services published the final rule CMS-4201-F (88 Fed. Reg. 22120), which amended 42 CFR § 422.101(c) and § 422.202 to clarify that Medicare Advantage (MA) organizations making medical-necessity determinations for basic Medicare benefits must base each coverage decision on the individual patient's medical history and physician recommendations and on the applicable Medicare coverage criteria — not solely on the output of an algorithm or AI tool. CMS reinforced this with a public FAQ released February 6, 2024 (\"Frequently Asked Questions related to Coverage Criteria and Utilization Management Requirements in CMS Final Rule CMS-4201-F\"), which states explicitly that MA plans may use algorithms or AI to assist in coverage determinations only as a supplement to an individualized assessment, that an algorithm cannot deny or terminate coverage on the basis that the algorithm says so, and that the MA organization remains responsible for ensuring the algorithm complies with all rules governing how MA coverage determinations are made (including national coverage determinations, local coverage determinations, and traditional Medicare laws). The provisions took effect for CY2024 contracts on January 1, 2024 and remain in effect. Sanctions for noncompliance include CMS contract-action enforcement, civil monetary penalties under 42 CFR Part 422 Subpart O, and exposure to private-litigation risk under the False Claims Act and consumer-protection laws.", "required_elements": [ { "id": "individualized-assessment", "description": "Each coverage / prior-authorization decision must be based on an individualized assessment of the enrollee's medical history, physician recommendations, and clinical notes — not solely on an algorithm or AI tool's output.", "required": true, "example": "Each coverage decision is reviewed by a qualified clinician who considers the enrollee's medical history and physician recommendations. Algorithmic outputs are advisory only and do not, by themselves, deny or terminate coverage." }, { "id": "coverage-criteria-compliance", "description": "Any algorithm or AI tool used to assist in coverage determinations must comply with all rules governing how MA coverage determinations are made — including 42 CFR § 422.101(b) (compliance with national/local coverage determinations and traditional Medicare laws), § 422.566 (organization determinations), and § 422.568 (timeframes and notice).", "required": true, "example": "Internal documentation that the AI prior-authorization tool's training data, decision rules, and output thresholds are reviewed against published Medicare coverage criteria and are not more restrictive than traditional Medicare for any covered benefit." }, { "id": "denial-notice-with-clinician-review", "description": "Adverse organization determinations (denials, terminations, or reductions of coverage) must include a written notice that explains the specific reasons for the decision in language understandable to the enrollee. Where an AI / algorithmic tool informed the decision, the notice and underlying record must reflect that a qualified clinician reviewed the individual case before the adverse determination issued.", "required": true, "example": "We have reviewed your case, including your medical records and your physician's recommendations. Based on Medicare coverage criteria for [service], a [clinician title] reviewing your case has determined that [specific reason]. You have the right to appeal this decision; instructions are below." }, { "id": "ai-use-disclosure-in-evidence-of-coverage", "description": "MA organizations using algorithms or AI to assist in coverage determinations should disclose that practice in plan-level transparency materials (Evidence of Coverage, member website, or equivalent) so enrollees know that automated tools may be used and that an individualized clinical assessment is still required.", "required": false, "example": "Some prior-authorization and medical-necessity decisions in this plan are supported by automated decision-support tools, including artificial intelligence. These tools assist a qualified clinician who individually reviews each request against your medical history and Medicare coverage rules. No coverage decision is made by an algorithm alone. You may appeal any adverse decision; see your Evidence of Coverage for instructions." }, { "id": "appeal-rights-preserved", "description": "All standard MA appeal rights (reconsideration, independent review entity, ALJ, Medicare Appeals Council, federal court) remain available regardless of whether an algorithm or AI tool was involved in the underlying decision.", "required": true, "example": "If you disagree with this decision, you may request a reconsideration. See your Evidence of Coverage, Section [X], for the appeals process." } ], "citation": { "statute": "Social Security Act §§ 1852, 1854, 1856, 1857, 1860D-4 (42 U.S.C. §§ 1395w-22 et seq.); 42 CFR Part 422 (Medicare Advantage); CMS-4201-F final rule, 88 Fed. Reg. 22120 (April 5, 2023)", "section": "42 CFR § 422.101(c) (basis for coverage decisions); 42 CFR § 422.202(b) (consistent application); 42 CFR § 422.566 (organization determinations); 42 CFR § 422.568 (notice of organization determination); CMS FAQ \"Coverage Criteria and Utilization Management Requirements in CMS Final Rule (CMS-4201-F)\" (February 6, 2024)", "source_url": "https://www.cms.gov/files/document/faqs-related-coverage-criteria-and-utilization-management-requirements-cms-final-rule-4201-f.pdf", "publisher": "U.S. Centers for Medicare & Medicaid Services" }, "effective_date": "2024-01-01", "last_verified": "2026-05-09", "template": { "plain": "Notice — Use of Automated Tools in Your Medicare Advantage Coverage Decisions: Some prior-authorization and medical-necessity decisions in this plan are supported by automated decision-support tools, including artificial intelligence. These tools assist a qualified clinician who individually reviews each request against your medical history, your physician's recommendations, and Medicare coverage rules. No coverage decision is made by an algorithm alone. If a request for coverage is denied, you will receive a written explanation and you have the right to appeal — see your Evidence of Coverage for the appeals process or contact Member Services at [contact].", "formal": "Notice under 42 CFR § 422.101(c), § 422.202(b), § 422.566, and § 422.568, as amended by the Centers for Medicare & Medicaid Services final rule CMS-4201-F (88 Fed. Reg. 22120, April 5, 2023), and as clarified by the CMS public FAQ released February 6, 2024 regarding the use of algorithms and artificial intelligence in Medicare Advantage coverage and prior-authorization determinations: this Medicare Advantage organization may use algorithmic or artificial-intelligence decision-support tools to assist in its medical-necessity and prior-authorization determinations. Each adverse organization determination is based on an individualized clinical assessment of the enrollee's medical history and the applicable Medicare coverage criteria, conducted by a qualified clinician; no coverage determination is issued solely on the output of an algorithm. Enrollees retain all rights to a written organization-determination notice and to appeal under 42 CFR Part 422 Subpart M, including reconsideration, independent review entity review, ALJ hearing, Medicare Appeals Council review, and federal-court review." }, "notes": "CMS-4201-F clarified, rather than created, the rule that MA coverage decisions must rest on individualized clinical assessment against Medicare coverage criteria — but the February 2024 FAQ is the operative document for AI / algorithmic use, because it answered head-on the practice (highlighted in litigation against UnitedHealth and Humana over the naviHealth / nH Predict tool, and in the Senate Finance Committee inquiry of 2023) of MA plans using algorithmic length-of-stay or denial-recommendation tools to override clinician judgment. Practical compliance posture for an MA plan or its delegated utilization-management vendor: (1) document that every adverse determination has clinician sign-off before issue, with the clinician's reasoning visible in the file; (2) ensure the algorithm's output is treated as a recommendation, not a decision, and that clinician override paths are available and used in practice; (3) train the algorithm against published Medicare coverage criteria (NCDs, LCDs, traditional Medicare laws) and audit periodically for drift; (4) include the adverse-determination written notice required by § 422.568 in plain language; (5) preserve appeal-rights notices regardless of AI involvement. State overlays: California SB 1120 (Physicians Make Decisions Act) requires physician review of AI-driven coverage denials in state-regulated health plans; HHS Section 1557 PCDST nondiscrimination obligations stack on top whenever the MA plan is also a covered entity (most are); FDA PCCP framework applies if the algorithm is itself a regulated medical device. The rule is venue-neutral as to where the AI tool sits in the technical stack — internal model, vendor SaaS, or general-purpose LLM with prompted policy — the MA organization remains responsible. Penalties: CMS contract enforcement under 42 CFR Part 422 Subpart O includes warning letters, corrective-action plans, suspension of marketing or new enrollments, civil monetary penalties up to $25,000 per affected beneficiary, and contract termination. False Claims Act exposure can be material because submitting capitation claims to CMS while systematically denying covered services is a textbook FCA fact pattern." }, { "id": "us-hud-fheo-ai-tenant-screening-2024", "jurisdiction": "us", "channels": [ "ai-generated-content", "about-page" ], "use_cases": [ "housing" ], "severity": "mandatory", "short_title": "HUD FHEO — AI / algorithmic tenant screening under the Fair Housing Act (May 2024 guidance)", "summary": "On May 2, 2024, the U.S. Department of Housing and Urban Development (HUD) released two guidance documents addressing the application of the Fair Housing Act (42 U.S.C. §§ 3601-3631) to artificial-intelligence-driven decisions in housing. The first, \"Guidance on Application of the Fair Housing Act to the Screening of Applicants for Rental Housing,\" addresses tenant-screening AI / algorithmic systems used to predict tenancy success, evaluate criminal-record histories, eviction-record histories, and credit-screening data. The second, \"Guidance on Application of the Fair Housing Act to the Advertising of Housing, Credit, and Other Real Estate-Related Transactions through Digital Platforms,\" addresses targeted-advertising AI used by digital platforms in housing-related transactions. Together they reaffirm that the Fair Housing Act's disparate-impact framework (codified at 24 CFR § 100.500) applies to algorithmic and AI-based decisions the same as to human decisions: a tenant-screening tool that produces a disparate impact on a protected class is unlawful unless the housing provider can demonstrate that the tool is necessary to achieve a substantial, legitimate, nondiscriminatory interest AND that no less-discriminatory alternative is available. The guidance further establishes that housing providers cannot delegate Fair Housing Act compliance to a third-party AI vendor; the housing provider remains liable for the tool's outputs. Practical compliance requires (1) individualized assessment in any adverse decision, (2) applicant disclosure of the data sources and prediction targets the tool uses, (3) a meaningful dispute-and-correction process, and (4) ongoing monitoring for less-discriminatory alternatives. Sanctions for noncompliance include HUD administrative complaints (24 CFR Part 103), DOJ pattern-or-practice litigation (42 U.S.C. § 3614), state-level fair-housing enforcement, and private civil litigation under 42 U.S.C. § 3613 with attorneys' fees recoverable.", "required_elements": [ { "id": "individualized-assessment", "description": "Adverse tenant-screening decisions (denial, conditional approval, increased deposit, restricted unit options) must be supported by an individualized assessment of the applicant. AI / algorithmic outputs are advisory inputs only; the housing provider remains responsible for the determination and cannot rely solely on a numeric score, threshold, or recommendation produced by a screening tool. The assessment must consider mitigating circumstances, recency and relevance of any criminal or eviction record flagged, and disability-related context where applicable.", "required": true, "example": "This screening decision was reviewed by [provider/staff title]. Algorithmic outputs from [tool name] were one input; the final decision was based on an individualized assessment of your application materials." }, { "id": "data-sources-and-prediction-targets-disclosure", "description": "Before or at the time of an adverse action, the applicant must receive a disclosure identifying (a) the third-party tenant-screening or AI tool used, (b) the categories of data the tool consults (e.g., criminal records, eviction records, credit reports, income verification, third-party data brokers), and (c) the specific prediction targets the tool generates (e.g., predicted timely-rent-payment likelihood, predicted lease-violation risk). Generic phrases such as \"automated decisioning\" without identification of the tool and data sources do not satisfy this element.", "required": true, "example": "Your application was screened using [tool name], which evaluates [list: credit history; criminal history within prior X years; eviction filings within prior X years; income verification]. The tool produced a [prediction-target] score that was reviewed alongside your application materials." }, { "id": "dispute-and-correction-process", "description": "The applicant must be informed in writing of (a) the right to dispute any data input the screening tool used, (b) the procedure for requesting correction of inaccurate records, and (c) a reasonable period (consistent with FCRA where applicable, generally not less than 30 days) during which the applicant may submit corrections, mitigating evidence, or a request for individualized review before the decision becomes final. The dispute process must be documented and the housing provider must reconsider the decision in light of any corrections submitted.", "required": true, "example": "If any record cited above is inaccurate or you wish to provide additional context (such as evidence of rehabilitation, a record sealing or expungement, or a reasonable accommodation request), you may submit a dispute or supplemental documentation within 30 days. Send to [contact]. The decision will be reviewed in light of any submission received." }, { "id": "less-discriminatory-alternative-monitoring", "description": "The housing provider must be able to demonstrate that the AI / algorithmic screening tool is necessary to achieve a substantial, legitimate, nondiscriminatory interest AND that no less-discriminatory alternative would serve that interest. This is an ongoing obligation: as less-discriminatory alternatives become available (e.g., narrower lookback windows on criminal records, individualized-assessment-first workflows, alternative scoring inputs), the housing provider must reassess. Vendor-supplied claims of \"bias-tested\" or \"fair\" do not, by themselves, satisfy this element; the housing provider remains accountable for whether the tool's deployment in their specific context produces a disparate impact.", "required": true, "example": "[Provider] reviews the screening criteria and tool configuration annually to ensure they remain narrowly tailored to legitimate business interests and to assess whether less-discriminatory alternatives have become available. Documentation of this review is retained for [retention period]." }, { "id": "no-vendor-delegation", "description": "Fair Housing Act compliance cannot be delegated to a third-party tenant-screening or AI vendor. The housing provider remains the responsible party for any disparate-impact outcome, regardless of contractual indemnification or vendor representations. Provider must conduct its own diligence on the tool, validate its outputs against the provider's protected-class population, and retain the ability to intervene in or override individual outputs.", "required": true, "example": "This decision was reviewed by [provider name], which retains full responsibility for the outcome under the Fair Housing Act. [Vendor name]'s tool was used as one input but does not bind [provider]'s individualized determination." } ], "citation": { "statute": "Fair Housing Act, 42 U.S.C. §§ 3601-3631 (specifically § 3604(a)-(b) refusal-to-rent and terms-and-conditions; § 3605 financial-services discrimination; § 3614 pattern-or-practice; § 3613 private right of action); HUD disparate-impact rule, 24 CFR § 100.500", "section": "HUD Office of Fair Housing and Equal Opportunity, \"Guidance on Application of the Fair Housing Act to the Screening of Applicants for Rental Housing\" (May 2, 2024); companion guidance \"Guidance on Application of the Fair Housing Act to the Advertising of Housing, Credit, and Other Real Estate-Related Transactions through Digital Platforms\" (May 2, 2024)", "source_url": "https://archives.hud.gov/news/2024/pr24-098.cfm", "publisher": "U.S. Department of Housing and Urban Development, Office of Fair Housing and Equal Opportunity" }, "effective_date": "2024-05-02", "last_verified": "2026-05-09", "template": { "plain": "Your rental application was evaluated using [tenant-screening tool name], which considers [list: credit history, criminal records within X years, eviction filings within X years, income verification]. Algorithmic outputs were one input; the final decision was reviewed individually by [provider]. If any data the tool used is inaccurate, or you have additional context (rehabilitation, expungement, reasonable accommodation), you have 30 days to dispute or submit a supplement. Contact: [housing-provider]. [Provider] is responsible for this decision under the Fair Housing Act and cannot delegate that responsibility to a screening vendor.", "formal": "NOTICE OF ADVERSE TENANT-SCREENING DECISION. Pursuant to the Fair Housing Act (42 U.S.C. §§ 3601 et seq.) and HUD Office of Fair Housing and Equal Opportunity guidance (May 2, 2024), [housing-provider] discloses: (1) Tool used: [vendor name and tool identifier]. (2) Data sources: [enumerated categories]. (3) Prediction targets: [enumerated]. (4) The decision rests on an individualized assessment of your application; algorithmic outputs were advisory. (5) You have the right to dispute any data input or submit mitigating evidence within 30 days; submissions will be reviewed before the decision becomes final. Direct disputes to: [contact]. [Provider] retains full responsibility for this decision under 42 U.S.C. § 3604." }, "notes": "This rule is paired with the May 2, 2024 HUD/OFHEO companion guidance on digital advertising in housing transactions, which addresses Fair Housing Act compliance for ad-targeting AI used by digital platforms in housing, credit, and real-estate-related transactions (the second of the two May 2, 2024 documents). The advertising guidance is currently scoped under this same rule's framework — providers running both tenant-screening AI and targeted-housing-advertising AI should consult both documents. The HUD AI@HUD initiative (https://www.hud.gov/ai) is HUD's broader programmatic site; the FHEO press release at https://archives.hud.gov/news/2024/pr24-098.cfm is the canonical announcement." }, { "id": "us-ny-dfs-ai-insurance-underwriting-2024", "jurisdiction": "us-ny", "channels": [ "ai-generated-content", "about-page" ], "use_cases": [ "financial-services" ], "severity": "mandatory", "short_title": "NYDFS Insurance Circular Letter No. 7 (2024) — AI systems and external consumer data in insurance underwriting + pricing", "summary": "On July 11, 2024 the New York Department of Financial Services adopted Insurance Circular Letter No. 7 (2024), \"Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing,\" applicable to all NY-authorized insurers, Article 43 corporations, HMOs, licensed fraternal benefit societies, and the New York State Insurance Fund. The Circular Letter operationalizes existing anti-unfair-discrimination provisions of New York Insurance Law (§§ 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 and Articles 24, 26, 43, 45) for AI / Artificial Intelligence Systems (AIS) and External Consumer Data and Information Sources (ECDIS) used in insurance underwriting and pricing. Insurers are responsible for any AIS / ECDIS use regardless of whether the systems are developed in-house or licensed from third-party vendors. Five required-element clusters: (1) comprehensive documentation of AI/ECDIS development-deployment-retirement lifecycle including testing methodology and change tracking; (2) anti-discrimination testing under a three-step framework (detect disproportionate adverse effect → identify legitimate rationale → search for less discriminatory alternatives) using both quantitative metrics (adverse-impact ratio, odds ratio, marginal effects) and qualitative assessment; (3) board / senior-management governance with written policies, cross-functional management committee (legal, compliance, risk, actuarial, data science), and mandatory annual training; (4) third-party vendor oversight with contractual audit-rights and regulatory-cooperation clauses, vendor-output remediation procedures, and retained primary responsibility for vendor outputs; (5) consumer notice — disclose AIS / ECDIS use, external data sources used, consumer rights, specific reasons for adverse decisions within 15 days, and a data-accuracy review process. NYDFS examination authority is broad; Circular-Letter noncompliance is treated as evidence of unfair-discrimination violations under the underlying statutes.", "required_elements": [ { "id": "lifecycle-documentation", "description": "Maintain comprehensive written records of every AIS / ECDIS the insurer uses: development methodology, training-data provenance, validation testing, monitoring procedures, version history, and retirement decisions. Records must be preserved for the period required under 11 NYCRR 243 and produced on examination.", "required": true, "example": "Internal AI Model Card for [tool name]: version, training data sources, validation methodology (cross-validation + holdout), discrimination-test results, performance benchmarks, monitoring thresholds, change log, retirement criteria. Maintained by [internal team], retention 11 NYCRR 243." }, { "id": "three-step-disparate-impact-testing", "description": "Conduct disparate-impact analysis on every AIS / ECDIS before deployment and at regular intervals during use. Three-step framework: (1) test for disproportionate adverse effect on classes protected by NY Insurance Law (race, color, creed, national origin, age, sex, sexual orientation, gender identity, disability, marital status, prior victim status, lawful occupation); (2) if effect is detected, identify the legitimate underwriting rationale; (3) search for less-discriminatory alternatives that serve the same legitimate rationale and adopt one if available. Use quantitative metrics (adverse-impact ratio / four-fifths rule analogue, odds ratios, marginal effects) plus qualitative review.", "required": true, "example": "Pre-deployment disparate-impact analysis on [tool name]: tested against [classes]; AIR for [class]: [value]; identified legitimate rationale: [statement]; less-discriminatory alternatives reviewed: [list]; adopted alternative: [yes/no with rationale]." }, { "id": "board-governance-and-cross-functional-committee", "description": "Board of directors or senior management must oversee AIS / ECDIS use. Insurer must maintain written policies, a cross-functional management committee with legal, compliance, risk, actuarial, and data-science representation, and mandatory annual training for personnel involved in AIS / ECDIS development, deployment, or use. Governance must be documented and produced on examination.", "required": true, "example": "AIS Governance Charter — Board oversight: quarterly reporting; Management Committee: chaired by Chief Risk Officer with members from Legal, Compliance, Actuarial, Data Science; written policies covering [enumerated areas]; training: [date completed for each personnel cohort]." }, { "id": "third-party-vendor-oversight", "description": "Insurer retains primary responsibility for any AIS / ECDIS supplied or operated by a third-party vendor. Contracts must include audit rights, NYDFS-cooperation clauses, and remediation procedures for incorrect data or biased outputs. Insurer-level due diligence and ongoing monitoring of the vendor's compliance posture is required.", "required": true, "example": "Vendor MSA Section [X]: NYDFS audit / examination cooperation; on-site / remote audit rights; obligation to provide validation data, model cards, discrimination-test results on demand. Vendor remediation SLA: [time-frame] for incorrect-data corrections." }, { "id": "consumer-notice-and-15-day-adverse-action", "description": "Disclose AIS / ECDIS use to applicants and policyholders. For any adverse underwriting or pricing decision, provide the specific reasons within 15 days of the determination. Inform consumers of the right to review and dispute the data inputs used. Disclosures must identify the data sources consulted and the categories of AIS / ECDIS outputs that affected the decision.", "required": true, "example": "Adverse underwriting notice (within 15 days of determination): [Insurer] disclosure that AIS / ECDIS were used; tool name / categories: [enumerated]; external data sources: [enumerated]; specific reasons for adverse decision: [list]; right-to-review-and-dispute notice: [contact + procedure]." } ], "citation": { "statute": "N.Y. Insurance Law §§ 308, 309, 1501, 1503, 1604, 1702, 1717, 2303, 2606, 2616, 3221, 3425, 3426, 4224, 4305 (unfair-discrimination + governance); Articles 24, 26, 43, 45", "section": "NYDFS Insurance Circular Letter No. 7 (2024), \"Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing\" (July 11, 2024); recordkeeping requirements 11 NYCRR 243", "source_url": "https://www.dfs.ny.gov/industry-guidance/circular-letters/cl2024-07", "publisher": "New York Department of Financial Services" }, "effective_date": "2024-07-11", "last_verified": "2026-05-09", "template": { "plain": "Your application was evaluated using [tool name] and external consumer data from [data sources]. The tool produced [enumerated outputs] that contributed to this decision. The specific reasons for the adverse determination are: [list]. You have the right to review the data we used, dispute inaccuracies, and request reconsideration. Contact: [insurer contact]. This notice is provided within 15 days of the determination per NYDFS Insurance Circular Letter No. 7 (2024). [Insurer] is responsible for this decision and retains responsibility for any AI / ECDIS use regardless of whether the tools are operated by [insurer] or a third-party vendor.", "formal": "NOTICE OF ADVERSE UNDERWRITING / PRICING DECISION. Pursuant to N.Y. Insurance Law §§ 2606, 2616, 4224 and NYDFS Insurance Circular Letter No. 7 (2024) dated July 11, 2024, [insurer name] discloses: (1) Artificial Intelligence System(s) used: [enumerated AIS]. (2) External Consumer Data and Information Sources consulted: [enumerated ECDIS]. (3) AIS / ECDIS outputs that contributed to the determination: [enumerated]. (4) Specific reasons for the adverse decision: [enumerated]. (5) Right to dispute: you may request a review of the data inputs and outputs used; submit written objections or corrections to [contact] within 30 days; [insurer] will reconsider the determination in light of submitted corrections before it becomes final. (6) [Insurer] retains primary responsibility for the AIS / ECDIS used regardless of vendor relationship per the Circular Letter. This notice is delivered within the 15-day requirement of the Circular Letter." }, "notes": "NYDFS Circular Letters are formal supervisory guidance binding on NY-authorized insurers; non-compliance is treated as evidence of unfair-discrimination violations under the underlying statutes. Stacks with NAIC AI Model Bulletin (adopted by ~25 states; NY's Circular is the most prescriptive jurisdiction-level implementation) and federal CFPB Circular 2023-03 where consumer credit overlaps with insurance products. The Circular Letter explicitly applies to insurers regardless of whether AIS / ECDIS are operated in-house or by third-party vendors; vendor-delegation as a defense is rejected. NYDFS also issued an October 16, 2024 Industry Letter on cybersecurity risks from AI which is operationally complementary — insurers using AI face both this Circular's underwriting / pricing requirements AND the cyber-controls requirements under 23 NYCRR 500." }, { "id": "us-hud-fheo-ai-housing-advertising-2024", "jurisdiction": "us", "channels": [ "ai-generated-content", "email-marketing" ], "use_cases": [ "housing" ], "severity": "mandatory", "short_title": "HUD FHEO — AI / algorithmic targeting of housing advertising under the Fair Housing Act (May 2024 guidance)", "summary": "On May 2, 2024 the U.S. Department of Housing and Urban Development (HUD) released a companion guidance document — \"Guidance on Application of the Fair Housing Act to the Advertising of Housing, Credit, and Other Real Estate-Related Transactions through Digital Platforms\" — paired with HUD's tenant-screening AI guidance issued the same day. The advertising guidance addresses AI / algorithmic systems used by digital platforms to target housing-related advertising. Statutory framework is Fair Housing Act § 3604(c) (advertising), § 3605 (financial-services-related advertising), § 3617 (interference / coercion), and the disparate-impact framework codified at 24 CFR § 100.500. Two parallel sets of obligations: (1) on digital advertising platforms — algorithmic ad-targeting systems for housing inventory must not use protected-class proxies; targeting algorithms must be tested for disparate impact; advertiser controls must allow suppression of fair-housing-risky targeting parameters; ad content must be screened for explicit protected-class language. (2) On advertisers (housing providers, real-estate agencies, mortgage lenders, screening services) — cannot direct platforms to use protected-class proxies; remain liable for targeting choices regardless of platform-provided automation. Sanctions for noncompliance include HUD administrative complaints (24 CFR Part 103), DOJ pattern-or-practice litigation under § 3614, state-level fair-housing enforcement, and private civil litigation under § 3613 with attorneys' fees recoverable. The 2024 guidance follows substantial enforcement action against Meta (2022 settlement) and codifies HUD's position that the disparate-impact framework reaches algorithmic ad targeting just as it reaches human-curated audience-segmentation.", "required_elements": [ { "id": "no-protected-class-proxies-in-targeting", "description": "AI / algorithmic ad-targeting systems for housing-related inventory must not use protected-class characteristics (race, color, religion, sex, national origin, disability, familial status) directly OR via proxies (ZIP code as a race proxy; school district as a familial-status proxy; geographic-coordinate buckets correlated to protected classes). Platforms must test their targeting algorithms for proxy-based disparate impact and remediate identified proxies before the inventory ships housing-related ads.", "required": true, "example": "Targeting parameters available for housing-inventory campaigns: [enumerated]. Suppressed because of fair-housing risk: [enumerated]. Last disparate-impact audit: [date]. Identified proxies remediated: [enumerated]." }, { "id": "audience-segmentation-disparate-impact-testing", "description": "Digital advertising platforms running housing-related ad inventory must test their audience-segmentation algorithms for disparate impact under 24 CFR § 100.500. Three-step framework: (1) detect disproportionate adverse effect on protected classes; (2) identify legitimate advertising-business interest; (3) search for less-discriminatory alternatives. Testing must occur before the segmentation algorithm is deployed for housing inventory AND at regular intervals (annual minimum).", "required": true, "example": "Audience-segmentation disparate-impact audit: tool [name]; tested classes [enumerated]; AIR for [class]: [value]; legitimate rationale: [statement]; less-discriminatory alternatives evaluated: [list]; adopted alternative: [yes/no with rationale]; audit frequency: [interval]." }, { "id": "advertiser-targeting-controls", "description": "Digital advertising platforms must provide housing-advertiser controls that suppress targeting parameters posing fair-housing risk. This includes (a) automatic detection of housing-related ad campaigns based on ad content / advertiser industry classification, (b) ad-policy enforcement that limits available targeting parameters for those campaigns, (c) advertiser-facing disclosure of which parameters are unavailable for housing inventory and why. Pre-checks must run before the ad starts serving.", "required": true, "example": "Housing-ad detection: triggered by [signals — ad creative containing housing terms; advertiser industry code; landing-page housing classification]. Suppressed targeting parameters in housing campaigns: [enumerated]. Advertiser disclosure: pre-flight modal / inline notice [example]." }, { "id": "content-moderation-for-protected-class-language", "description": "Platforms must screen housing-related ad creative for explicit protected-class language (\"adults only,\" \"no children,\" \"Christian household,\" \"singles only,\" \"Asian neighborhood,\" etc.). Detection must occur before the ad is approved for delivery; flagged ads must be returned to advertisers with the specific basis for rejection (per § 3604(c)). Moderation can use AI but the platform retains responsibility for false negatives.", "required": true, "example": "Ad creative reviewed by [tool/team]; flagged for protected-class language: [enumerated terms detected]; rejection notice to advertiser within [time]; appeal-and-resubmission process: [link/contact]." }, { "id": "advertiser-side-targeting-liability", "description": "Housing advertisers (housing providers, real-estate agencies, mortgage lenders, tenant-screening services) cannot direct platforms to use protected-class proxies as targeting parameters. The advertiser remains liable for the targeting choices it specifies regardless of whether the platform's automation made those choices appear acceptable. \"The platform suggested it\" is not a defense.", "required": true, "example": "[Advertiser] internal control: housing-campaign targeting parameters reviewed by [reviewer] before launch. Documented exclusion of [enumerated proxies]. Compliance training [date completed]." } ], "citation": { "statute": "Fair Housing Act, 42 U.S.C. §§ 3601-3631 (specifically § 3604(c) advertising-of-discriminatory-preference; § 3605 financial-services-related advertising; § 3614 pattern-or-practice; § 3617 interference / coercion; § 3613 private right of action); HUD disparate-impact rule, 24 CFR § 100.500", "section": "HUD Office of Fair Housing and Equal Opportunity, \"Guidance on Application of the Fair Housing Act to the Advertising of Housing, Credit, and Other Real Estate-Related Transactions through Digital Platforms\" (May 2, 2024); companion guidance \"Guidance on Application of the Fair Housing Act to the Screening of Applicants for Rental Housing\" (May 2, 2024)", "source_url": "https://archives.hud.gov/news/2024/pr24-098.cfm", "publisher": "U.S. Department of Housing and Urban Development, Office of Fair Housing and Equal Opportunity" }, "effective_date": "2024-05-02", "last_verified": "2026-05-09", "template": { "plain": "[Platform / Advertiser] runs housing-related advertising inventory under HUD/OFHEO guidance dated May 2, 2024 (Fair Housing Act 42 U.S.C. § 3604(c)). Algorithmic ad-targeting systems for housing inventory exclude protected-class proxies, are audited annually for disparate impact, and offer advertiser controls that suppress fair-housing-risky targeting parameters. Ad creative is screened for protected-class language before approval. Advertisers retain responsibility for the targeting choices they specify. Concerns: [contact].", "formal": "FAIR HOUSING ADVERTISING DISCLOSURE. Pursuant to the Fair Housing Act (42 U.S.C. §§ 3604(c), 3605, 3614, 3617) and HUD/OFHEO guidance dated May 2, 2024, [platform / advertiser] discloses: (1) Housing-related ad campaigns are detected by [enumerated signals] and routed through restricted-targeting workflow. (2) Targeting parameters suppressed in housing-inventory campaigns: [enumerated]. (3) Audience-segmentation algorithms used in housing inventory are audited under the three-step disparate-impact framework codified at 24 CFR § 100.500. Last audit: [date]. (4) Ad creative for housing campaigns is screened for protected-class language under § 3604(c) before delivery; rejection notices identify the specific basis. (5) Advertiser-side responsibility: housing advertisers cannot direct the platform to use protected-class proxies; advertisers remain liable for targeting choices regardless of platform automation. Submit complaints to [HUD complaint URL] or to [platform/advertiser contact]." }, "notes": "This rule is the May 2, 2024 companion to the HUD/OFHEO tenant-screening guidance encoded as `us-hud-fheo-ai-tenant-screening-2024`. Both rules share the same Fair Housing Act framework but reach different audiences: tenant-screening reaches housing providers + screening vendors; advertising reaches digital ad platforms + housing advertisers. The advertising guidance follows the 2022 Meta-DOJ settlement on housing advertising algorithms and codifies HUD's view that the disparate-impact framework applies to algorithmic ad targeting. Stacks with FTC § 5 unfair / deceptive enforcement when housing-ad targeting crosses into other consumer-protection violations, and with state-specific advertising laws (NY, CA, IL, NJ have analogues)." }, { "id": "us-me-chatbot-disclosure-1500-dd", "jurisdiction": "us-me", "channels": [ "live-chat", "voice" ], "use_cases": [ "b2c-customer-support", "b2c-marketing", "b2c-sales" ], "severity": "mandatory", "short_title": "Maine Chatbot Disclosure Act (10 MRS § 1500-DD)", "summary": "Maine prohibits using an artificial intelligence chatbot or other computer technology to engage in trade and commerce with a consumer in a manner that may mislead or deceive a reasonable consumer into believing the consumer is engaging with a human being, unless the consumer is notified in a clear and conspicuous manner that they are not engaging with a human being. \"AI chatbot\" is defined as a software application, web interface, or computer program that simulates human-like conversation and interaction through textual or aural communications. Violation of the disclosure requirement is a violation of the Maine Unfair Trade Practices Act. Enacted as PL 2025, c. 294, § 1; signed by Governor Janet Mills June 12, 2025; effective September 23, 2025.", "required_elements": [ { "id": "non-human-identity", "description": "Clear and conspicuous notification that the consumer is not engaging with a human being.", "required": true, "example": "You are chatting with an automated AI chatbot, not a human." }, { "id": "trigger-misleading", "description": "The disclosure is triggered when the chatbot's communication may mislead or deceive a reasonable consumer into believing they are engaging with a human. Best practice is to disclose by default on first contact regardless of intent, since the misleading-effect test is judged after the fact. (Meta-requirement; not validated by substring check.)", "required": false } ], "citation": { "statute": "Maine Revised Statutes Title 10, Chapter 239 (Communications with Consumers via Artificial Intelligence)", "section": "§ 1500-DD", "source_url": "https://legislature.maine.gov/statutes//10/title10sec1500-DD.html", "publisher": "Maine State Legislature" }, "effective_date": "2025-09-23", "last_verified": "2026-05-10", "template": { "plain": "You are chatting with an automated AI chatbot, not a human. If you'd prefer to speak with a person, [escalation path].", "formal": "Notice: This communication is being conducted by an artificial intelligence chatbot, not a human, in compliance with Maine Revised Statutes Title 10 § 1500-DD. The Maine Unfair Trade Practices Act (5 MRS § 207) applies to any failure to disclose." }, "notes": "Maine's chatbot disclosure mirrors California Business and Professions Code § 17941 in substance but reaches Maine consumers specifically and applies broadly to \"trade and commerce\" — not limited to commercial-transaction-or-electoral context as in California. The statute defines AI chatbot to include both textual and aural (voice) communications. Enforcement is via Maine UTPA (5 MRS § 207), which the AG enforces and which permits private rights of action. Disclosure must be clear and conspicuous; the agent's recommended pattern is a first-message announcement at the start of every chatbot session involving a Maine consumer." } ] }