Which AI laws actually touch your firm
The laws don't care where your headquarters is; they care where your customers, employees, and data are. Work through this checklist before you spend anything on outside compliance counsel. Each trigger maps to the regime it implicates, and only the regimes you check are yours to worry about.
Note: This is an operator's map, not legal advice. Confirm current statute status with counsel before relying on any specific provision — state laws in particular have moved since enactment (see the Colorado example in the chapter).
Step 1 — Map your footprint
| Where do you have employees? | Where do you have customers/users? | Where does your data reside or get processed? |
|---|---|---|
Step 2 — Trigger questions
Check every box that is true for your firm today. Each checked box activates the regime listed alongside it.
- ☐ Do we have EU customers, users, or staff? → EU AI Act (Art. 50 AI-disclosure rule, Aug 2, 2026; high-risk obligations for most covered systems, Aug 2, 2026, with AI embedded in Annex I regulated products following on Aug 2, 2027) + GDPR (Art. 22: a person has the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effect, which in practice means meaningful human review).
- ☐ Does our AI interact directly with people — chat or voice — where EU residents could be on the other end? → EU AI Act Article 50: must disclose it's AI at first interaction, in a form the person understands, in the language of the call. No grandfather clause for existing voice systems; deadline Aug 2, 2026.
- ☐ Do we screen or evaluate job candidates or employees in New York City? → NYC Local Law 144 (in effect since July 5, 2023): annual independent bias audit, published results, advance notice to candidates.
- ☐ Do we have California customers or employees? → AB 2013 (training-data transparency for generative AI systems) + SB 53 (effective Jan 1, 2026, targets frontier-model developers — check if it reaches you) + California ADMT regulations (risk assessments phasing in Jan 1, 2026; notice and opt-out for significant automated decisions phasing in Jan 1, 2027 — confirm current adopted status).
- ☐ Do we operate in Colorado or have Colorado employees/customers? → Colorado AI Act SB 24-205 / successor SB 26-189 (effective Jan 1, 2027 under the current successor framework; confirm status — this law has moved multiple times; see chapter for history).
- ☐ Do we use facial recognition or voice biometrics anywhere, and do we have employees or customers in Illinois? → Illinois BIPA (in effect since 2008; private right of action): requires written consent and strict handling for biometric data including voice prints.
- ☐ Do we process data of Brazilian residents? → LGPD (Brazil's national privacy law, GDPR analog).
- ☐ Do we process data of Canadian residents? → PIPEDA (Canada's operative federal privacy law — the proposed AIDA remained pending as of writing; confirm).
- ☐ Does our AI make or materially influence hiring, firing, credit, or other consequential decisions about people? → Treat as high-risk regardless of which single statute applies: bias audit + meaningful human review + documentation. This spine runs through every jurisdiction above.
- ☐ Do we have employees or customers in Texas, or in any state not listed above? → A growing state-level patchwork; Texas enacted a broad AI law effective Jan 1, 2026. Apply the four principles below to stay compliant across all of them.
Step 3 — Your short list
Copy only the regimes you checked above. These are the ones that require action; the rest you can set aside for now.
| Regime | Key deadline or status | Who owns compliance for us | Next action |
|---|---|---|---|
The four principles every one of these laws is reaching for
Build to these and the patchwork mostly takes care of itself, even as specific statutes change.
- Disclosure — tell people when they're dealing with AI.
- Human review — a person can check and override consequential decisions.
- No discrimination — the system doesn't produce biased outcomes against protected groups, and you can show it.
- Transparency — you can explain what the system does, on what data, and keep a record.
Want a second set of eyes on this in your firm? The no-sell promise applies — if it isn't a fit, I'll tell you in the first ten minutes.
Book a 30-Minute Call →