U.S. Privacy Law Trends, AI Regulation, Employment Laws

Science & Technology Law Section

Privacy law is no longer a single-statute problem. This was the central message of the panel, which examined how the rapid evolution of AI and digital technology forces regulators, employers, and practitioners to navigate an increasingly fragmented and layered compliance landscape.

The U.S. Patchwork: Employment AI Under the Microscope

Karla Grossenbacher began by reviewing the handful of U.S. state laws limiting AI use in employment. California's CPRA regulations on automated decision-making technology, set for January 2027, will give employees the right to opt out, appeal to a human, and mandate risk assessments. New York City's Local Law 144 requires employers to notify candidates ten days before using automated employment decision tools. Illinois has made employers responsible for discrimination caused by AI, while Maryland requires notice and consent before using facial recognition in hiring. Colorado's AI Act, though signed into law, remains in limbo; Grossenbacher noted the governor signed it only on the assurance that legislators would amend it post-enactment. Even where comprehensive state laws exist, the practical challenge remains. "Fifty states, but not a lot of regulation in employment," she observed, urging employers to think carefully about guardrails as AI intersects with other areas of law, from electronic monitoring to anti-discrimination statutes.

Children's Privacy: Federal Law Stuck in 1998

Andrew Zack traced the evolution of online risks for children, from concerns about data collection to mental health harms driven by addictive design features like infinite scrolling and autoplay. He emphasized that federal laws have not kept up: COPPA (enacted

in 1998) remains the only federal law protecting children's online privacy. Although the FTC has updated the COPPA Rule, Zack argued that legislative reform is essential. He noted a recent breakthrough: the Senate passed COPPA 2.0 by voice vote with no objection, and the House is now considering an identical version. Meanwhile, states are continuing to fill the gaps, resulting in a complicated patchwork of laws. "Federally, we are trying to fix yesterday's problems," Zack said, underscoring the need for a comprehensive federal solution.

International Developments: GDPR Is No Longer Enough

Felicity Fisher provided a view from Europe, where GDPR is now just one layer in a growing stack of digital regulations, including the Digital Services Act, the EU AI Act, and the Data Act. "Being GDPR compliant is no longer enough," she observed. The EU AI Act, with phased implementation through 2026–2027, classifies many AI tools used in hiring as high-risk and bans practices like workplace emotion recognition. The EU Parliament recently approved additional prohibitions on deepfakes and may extend compliance deadlines for high-risk AI systems to December 2027. Meanwhile, the UK is charting its own path after Brexit: the Data Use and Access Act 2025 tweaks UK GDPR and places the Age-Appropriate Design Code on a statutory footing. Recent enforcement activity, such as the

£14.5 million fine against Reddit, underscores the trend.

Key Tension: Age Assurance Without Excess Data Collection

A recurring theme in the Q&A was age verification. Panelists agreed that self-declaration of age is insufficient but acknowledged the tension between verifying age and collecting unnecessary personal data. Zack noted that not every app requires the same level of verification, and that risk-proportionate approaches are preferable. Fisher added that regulators are actively consulting on technological solutions that balance safety with data minimization.

Practical Takeaway

The panel called for improved governance frameworks. Fisher urged practitioners to incorporate risk assessment into AI from the start, emphasizing it's not just for law compliance but to evaluate risks. The message was clear: privacy law is no longer isolated. Practitioners in AI, employment, or children's data must now manage overlapping regimes, a compliance challenge that will grow.

Veselko Brkic is an LL.M. candidate in National Security and Cybersecurity Law at George Washington University Law School, graduating May 2026. He holds two law degrees from the University of Mostar and works as a Cyber Law & Policy Analyst at the Cyber Security Forum Initiative in Washington, D.C.

Scientific Notations is a series of articles authored by law student members of the ABA Science & Technology Law Section, highlighting their experiences at section events, programs, and activities. Law student members of the SciTech Section who are interested in contributing are encouraged to contact Section Staff at stserve@americanbar.org.

Authors

View Bio →

Author

Veselko Brkic

Committees

This content was produced by:

• Law Student Engagement Committee

Related Content