A practitioner's guide to the diverging state regulatory frameworks governing high-risk AI systems, training-data transparency, and the litigation exposure those frameworks create for cross-jurisdictional AI products.
I. Why This Matters Now
The federal government has not enacted comprehensive AI legislation. The executive orders that have issued reflect policy aspiration more than enforceable private rights. Into that vacuum, state legislatures are moving at speed — and the results are anything but uniform. For practitioners counseling plaintiffs or defendants in AI-related injury cases, the operative question is no longer whether a product is covered by some state AI statute, but which state's statute applies and what private remedy, if any, it creates.
Two states — Colorado and California — have enacted the most consequential general-purpose AI obligations to date. Florida and Alabama present a different picture: narrower legislation around specific harms (principally deepfakes and AI-generated child sexual abuse material) without the broader algorithmic-discrimination framework. The patchwork is already legally significant, and it will become more so as effective dates arrive.
II. Colorado: The First Comprehensive High-Risk AI Act
A. The Statute
Colorado S.B. 24-205, signed by Governor Polis on May 17, 2024, establishes what is arguably the most ambitious state AI consumer-protection regime in the United States. The Act applies to "developers" and "deployers" of "high-risk artificial intelligence systems" — defined as systems that make, or are a substantial factor in making, "consequential decisions" affecting consumers in areas such as education, employment, financial services, housing, healthcare, insurance, and legal services.
The core obligation is a "reasonable care" duty: both developers and deployers must use reasonable care to protect consumers from "any known or reasonably foreseeable risks of algorithmic discrimination" in high-risk systems. "Algorithmic discrimination" is defined as an unlawful differential treatment or impact that disfavors any person based on protected characteristics.
The Act requires, among other things: (1) an impact assessment prior to deployment; (2) disclosure to consumers when a high-risk system has made or substantially contributed to a consequential decision; (3) the right to appeal such decisions or seek human review; and (4) disclosure by deployers to developers regarding the deployer's use case. Developers must make publicly available a general statement of the intended uses, known risks, and steps taken to mitigate algorithmic discrimination.
B. The Delayed Effective Date
Although signed in May 2024, the Act's substantive obligations do not take effect on February 1, 2026 as originally scheduled — the Governor convened a special legislative session in mid-2025 to address implementation concerns, and lawmakers amended the effective date to June 30, 2026. The substance of the Act's obligations was not materially altered in that session, but practitioners should monitor whether further amendments issue before that date. The pressure campaign against the Act from technology companies has been substantial.
C. Private Rights and Enforcement
The Act does not create an express private right of action for consumers. Enforcement authority rests with the Colorado Attorney General. This is not, however, the end of the litigation story: a finding of algorithmic discrimination in a regulated domain may be probative in a parallel unfair-discrimination claim under existing state statutes or in a disparate-impact claim under the Fair Housing Act or Equal Credit Opportunity Act. Practitioners should treat the Act's impact-assessment requirements as a discovery roadmap — a defendant who produced high-risk AI decisions without complying with assessment obligations faces damaging document requests.
III. California: Transparency Without Prohibition
California's 2024 AI legislative cycle produced two enacted statutes of note for practitioners.
A. A.B. 2013 — Training Data Transparency
California A.B. 2013, effective January 1, 2026, requires developers of generative AI systems or services made publicly available to Californians — including those released as far back as January 1, 2022 — to post on their website documentation about the training data used. Required disclosures include: high-level summaries of datasets; sources or owners of the datasets; whether the data was synthetic, derived from licensed sources, or scraped from the web; and whether the datasets contained personal information or data from social media platforms. The obligation runs to each subsequent substantial modification.
For plaintiffs' counsel, A.B. 2013 is primarily a disclosure lever. In cases involving generative AI outputs — hallucinations that defame individuals, synthetic media used in fraud, discriminatory outputs — the training data documentation required by A.B. 2013 should be an early discovery target. Defendants who cannot produce documentation required by their own statute are in a poor position to resist preservation and disclosure obligations.
B. S.B. 942 — The California AI Transparency Act
California S.B. 942, also effective January 1, 2026, imposes output disclosure requirements on large providers of generative AI. Covered providers must offer detection tools allowing users and third parties to determine whether content was AI-generated; must implement content provenance standards (watermarking or metadata); and must enable users to request that AI-generated content they create be labeled as such. The enforcement mechanism relies primarily on the Attorney General, but the statute's requirements interlock with the California Consumer Privacy Act's existing private-rights framework in ways that creative pleading may exploit.
S.B. 942 joins Colorado, Utah, and Illinois in establishing AI-transparency obligations. The California legislature's approach — transparency and provenance rather than ex ante impact assessments — represents a philosophically different regulatory choice from Colorado's reasonable-care model. Cross-jurisdictional products must comply with both.
IV. Florida: Targeted Legislation, No Comprehensive Framework
Florida has not enacted a general-purpose AI consumer-protection statute analogous to Colorado S.B. 24-205. Comprehensive AI legislation — including a proposed "Artificial Intelligence Bill of Rights" (S.B. 482) championed by Governor DeSantis in the 2025-2026 legislative cycle — died in the 2026 session when the bill died in the House after passing the Senate 35-2.
What Florida has enacted is targeted. Florida Fla. Stat. § 827.072 (effective January 1, 2025) criminalizes the creation, possession, or intentional viewing of AI-generated child pornography — specifically, images "created, altered, adapted, or modified by electronic, mechanical, or other computer-generated means to portray a fictitious person, who a reasonable person would regard as being a real person younger than 18 years of age, engaged in sexual conduct." Penalties track Florida's existing child pornography framework.
Florida's "Brooke's Law" (H.B. 1161, signed June 2025) addresses deepfake intimate images of adults, requiring platforms to establish 48-hour removal processes; and H.B. 757 (effective October 1, 2025) creates criminal liability and a civil cause of action for the creation of AI-generated non-consensual sexual images of identifiable individuals. These statutes matter for plaintiffs pursuing sexual privacy torts, but they do not address algorithmic underwriting, automated employment decisions, or the broader AI-fairness concerns that Colorado's statute targets.
V. Alabama: Narrower Still
Alabama similarly lacks a general AI statute. Its notable AI-adjacent legislation is the Alabama Child Protection Act (effective October 1, 2024), which criminalizes the use of AI to create sexual depictions of children, aligns penalties with existing child pornography law, and — uniquely — grants families a civil cause of action against violators. Alabama school districts are required to update codes of conduct to address these AI-generated images.
Beyond the child-safety space, Alabama has not legislated on algorithmic discrimination, AI transparency, or automated decision-making. Practitioners in Alabama must rely on existing consumer protection frameworks (the Alabama Deceptive Trade Practices Act, Ala. Code § 8-19-1 et seq.), federal civil rights statutes, and common law negligence and products liability theories to challenge AI-enabled harms.
VI. Cross-Jurisdictional Practitioner Implications
The patchwork creates several structural problems for AI products deployed across state lines.
Compliance architecture conflicts. A generative AI developer compliant with California A.B. 2013's training-data disclosure regime may nonetheless face Colorado liability for deploying a system used to make employment decisions without the required impact assessment. The statutes are not duplicative; they address different aspects of the AI lifecycle.
Forum selection in AI injury cases. Where a plaintiff resides in Colorado or California, state AI statutes may create a regulatory violation that strengthens common law claims (negligence per se in jurisdictions recognizing the doctrine), expands discovery, and supplies damages-multiplying bad-faith evidence. The same AI product deployed in Alabama triggers no analogous statutory obligations, though federal civil rights claims remain available.
Discovery of algorithmic models. Colorado's impact assessment requirement creates a documented paper trail. In cross-jurisdictional litigation, plaintiffs should seek production of any Colorado-compliance documentation regardless of the state of the injury, because the Colorado AIA may have required the defendant to evaluate exactly the discriminatory risk at issue in the litigation.
Preemption risks. The Trump Administration's January 2025 executive order directing federal agencies to promote AI development and limit burdensome regulation created early uncertainty about whether federal action might preempt state AI laws. To date, no federal statute preempts state AI consumer-protection legislation in the manner the executive order suggested, and Colorado and California statutes remain operative. Practitioners should monitor Congressional AI legislation closely; any enacted federal framework will likely include an express or implied preemption provision that reshapes the landscape.
VII. Open Questions
Several doctrinal and policy questions remain unresolved:
- Whether Colorado's "reasonable care" standard creates implied private rights of action through negligence per se — no appellate court has addressed this yet.
- Whether California's A.B. 2013 training-data disclosures are sufficient to establish a duty to warn in products liability litigation over AI-generated harmful outputs.
- Whether the Alabama and Florida child-safety civil causes of action cover platforms that host third-party-generated AI CSAM, or only the originators of that content.
- The extent to which state AI statutes survive First Amendment challenge as applied to generative content.
VIII. Closing
For plaintiffs' counsel, the present state AI patchwork is simultaneously an obstacle and an opportunity. The obstacle is jurisdictional complexity: knowing which regime governs requires careful threshold analysis of where the AI product is developed, where it is deployed, and where the consumer is located. The opportunity is documentary: the compliance artifacts required by Colorado and California statutes — impact assessments, training data disclosures, provenance records — are precisely the materials that illuminate systemic discriminatory risk. The practitioner who understands how these statutes generate discovery leverage will be ahead of counsel who treats them as purely regulatory compliance problems.
Talk to Yates Anderson
If you are litigating a matter in this area — or weighing whether to — the working analysis above only goes so far. Request a case evaluation and a Yates Anderson attorney will respond within one business day.
Informational only. Not legal advice. No attorney-client relationship is created by reading this post. Consult a licensed attorney in your jurisdiction.