Mine’s Regulation Station: Q4 Privacy Regulation Update


Below is your latest update, law by law, detailing what the latest laws generally state and how they break new ground.
Italy’s National AI Law
Effective: October 2025
When the EU AI Act was introduced, it was only a matter of time before European states took the next steps. Sure enough, Italy’s law is the first in the EU to go beyond the AI Act baseline in a national statute. The law provides clarity on several areas that have become vague regarding the use of AI, such as copyright and the lack of traceability. It requires human oversight across various sectors, parental consent for individuals under 14 using AI, and additional measures. The law also adds criminal penalties for the use of deepfakes or AI in fraud and identity theft.
California Regulations
California is introducing multiple new rules:
AB 1043: Digital Age Assurance Act
Effective: January 2027
Requires OS providers and App Stores to verify users' ages before granting access, limits the data collection process, and generally places the burden on platforms to gate by design.
SB 243: AI Chatbot Disclosure
Effective: January 2026
This fascinating law addresses the risks associated with “emotional AI” and companion chatbots. AI systems must remain transparent about the use of AI and clearly state, “You’re speaking to an AI,” especially in contexts such as mental health issues.
AI in Employment Regulations
Effective: October 2025
To ensure that the use of AI doesn’t damage recruitment journeys, the law states that when AI is used for hiring, employers must implement measures to prevent bias, document the process, and enable human review when requested.
CPPA Regulation
Effective: January 2026
The California Privacy Protection Agency (CPPA) has approved new regulations for specific areas, including automated decision-making, risk assessments, cybersecurity audits, and oversight of insurers.
Colorado’s Privacy & AI Regulations
SB 25-276: CPA Amendments
Effective: July 2025
The new law protects the families of immigrants from having their personal information collected and disclosed while visiting educational or health facilities.
Minors’ Data Rules (CPA)
Effective: Pending (expected late 2025)
Data controllers must obtain consent when minors’ data is involved, either from a parent if the minor is under 13 or from the user if they are under 18. This applies both to services intended for minors and to services that are not intended for minors but know that a minor is using them.
Texas Data Broker Act Amendments & Cybersecurity Safe Harbor Law
Effective: September 2025
SB 2121: This amendment mainly expands the definition of “data broker,” making it applicable to businesses collecting, processing, or transferring data instead of only those who make it their central activity.
SB 1343: Under this new legislation, data brokers must inform website visitors or anyone registering for their service regarding their privacy rights and how they can be exercised under the Texas Data Privacy and Security Act (TDPSA).
Cybersecurity Safe Harbor Law (SB 2610): This law excludes many SMBs with under 250 employees from data breach punitive damages, as long as they have a proper cybersecurity program in place.
Minnesota Consumer Data Privacy Act (MCDPA)
Effective: July 2025
Minnesota’s new law grants consumers various rights, including the right to delete or correct their data, opt out of profiling, and challenge automated decisions. It also allows users to question the online profiles created by businesses based on their data.
Montana’s SB 297
Effective: October 1, 2025
Montana’s amended law offers broader protection to minors’ data, limiting processing and demanding parental consent. The upgraded law has a lower threshold and applies to financial institutions that were previously exempted. And while private lawsuits cannot be brought under this law, civil penalties can reach up to $7,500 per violation.
Maryland Online Data Privacy Act
Effective: October 1, 2025 (enforcement begins April 2026)
Maryland’s law is considered relatively strict among US state laws. The new regulation demands data minimization and documentation practices, prohibits geofencing around sensitive locations, bans targeting of minors for advertising purposes, and more.
Israel: Amendment No. 13
Effective: August 2025
This is Israel’s most significant data privacy reform in decades. It enhances the enforcement powers of the privacy authority, introduces higher damages, mandates the appointment of privacy officers, and explicitly addresses emerging technologies such as AI and automated processing. If you wish to dive deeper and learn about the new law, you can read all about it in our detailed article.
Dubai’s Amended Data Protection Law
Effective: July 2025
The Dubai International Financial Centre (DIFC) introduced significant amendments to the local Data Protection Law. The new law grants a Private Right of Action to individuals, details the application of the law, including extraterritoriality when the data processed belongs to individuals within the DIFC jurisdiction, explains the degree of data protection considered up to standard for countries outside the jurisdiction, and more.
New Zealand Privacy Amendment Act
Effective: May 2026
The Privacy Amendment Act 2025 is New Zealand’s recent data privacy update, adding a new principle (IPP3A) that requires organizations to inform individuals when their information is collected indirectly. The notification must detail the purpose of the data collection process, their right to access or correct this information, and more.
What We Can Learn
Roles are under the spotlight: Many laws target specific actors: Italy holds AI deployers criminally liable, CPPA treats insurers differently, Colorado regulates AI system providers, and more. We can expect more role- and sector-specific regulations, as the responsibilities of each stakeholder become clearer.
Decision-making is humans’ responsibility, even when it is automated: Laws focus on how decisions are made, not just what data is held. For instance, California demands disclosure when AI is used for hiring. The people and organizations using processed data for their decision-making process must review these conclusions and ensure they are based on non-biased journeys.
Overlapping windows raise collision risk: Multiple laws take effect simultaneously across major states. Companies that treat compliance as a one-time effort will be overwhelmed. Instead, you must build systems that adapt continuously to new obligations.
Organizations face a complex task in balancing innovation and privacy regulations. To stay ahead, companies need solutions that automate compliance, simplify visibility, and ensure alignment with evolving laws worldwide.