Law360 (June 12, 2026, 11:05 PM EDT) -- States are continuing to keep the heat on how companies are using a wide range of consumer data and artificial intelligence models, with Connecticut enacting new laws in both arenas and one Midwest locale eyeing what could become the nation's most stringent AI auditing rules.

Another state also recently added to the growing patchwork of laws that give consumers more access to and control over their personal information, and at least two others are poised to soon follow.

Here are some recent policy developments at the state level that may have flown under the radar.

Connecticut Finalizes AI, Data Broker Laws

In the waning days of its legislative session last month, the Connecticut legislature made good on one leading lawmaker's pledge to pass a pair of bills to regulate data brokers, surveillance pricing, chatbots and the use of artificial intelligence in the employment context.

Senate Bill 5, which was signed into law by Gov. Ned Lamont on May 27, establishes a sweeping online safety and AI regulatory regime, with significant provisions targeting the use of AI in hiring and employment decisions and requiring operators of chatbots and companion models to implement protocols to detect suicidal ideations or indicators of self-harm expressed by children and adults. The bill also requires social media companies to take actions to protect children from social media addiction, including restricting their access to addictive personalized feeds.

In announcing the enactment of the bill, also known as the Connecticut Artificial Intelligence Responsibility and Transparency Act, state officials said it was important to move forward on these issues as Congress hadn't put in place federal online safety or AI rules and the executive branch had intensified its push for states to back off AI regulation.

"This law is a major bipartisan step towards reclaiming parental control over our kids' exposure to dangerously addictive and deeply destructive social media platforms, and an important first step towards harnessing and containing the possibilities and risks of artificial intelligence," Attorney General William Tong said in a June 2 statement. "Connecticut is done waiting for the tech elites and Washington to do right by our families."

Several Ropes & Gray LLP data privacy attorneys wrote June 3 on the law firm's website that for businesses operating in Connecticut, the "most immediate operational impact" of the new bill — which creates several compliance tracks with their own obligations and staggered compliance dates ranging from Oct. 1, 2026, to Jan. 1, 2028 — would likely be in employment and workforce decision-making contexts.

"Employers using AI in hiring or personnel management will face new disclosure obligations and, when issuing mass-layoff notices, must disclose whether AI informed the decision," the Ropes & Gray attorneys wrote.

Robert E. Braun, partner and co-chair of the cybersecurity and privacy group at Jeffer Mangels & Mitchell LLP, told Law360 recently that the law's focus on hot topics such as the use of AI to make employment-related decisions and companion bots reflects the "classic way" that legislatures tend to tackle complex and socially important issues.

"We commonly legislate by anecdote," Braun said. "If you think about it, one of the topics we hear the most about on the news when it comes to AI is about chatbots, so when legislatures see those reports, they say that they ought to do something about that."

Connecticut lawmakers' decision to focus on certain high-risk and much-discussed uses of AI rather than establish a comprehensive governance regime is also consistent with a trend across the country to keep obligations and protections related to the technology relatively narrow, Braun said.

"Even when these issues are taken on a very narrow basis, they're still complex," Braun said. "So it's a lot easier to say, here's one context we can get our arms around where we don't want AI to take the place of human beings, and we can figure out where the guardrails should be as opposed to establishing a rule that works more broadly."

In addition to the AI and online safety bill, Lamont last month also agreed to sign Senate Bill 4, a proposal also pushed by Senate Deputy Majority Leader James Maroney that expands the state's consumer privacy framework in several ways, including by making it the second state, after California, to require data brokers to register with the state and to comply with requests consumers will be able to make through a centralized database to delete their data.

The measure, which takes effect on Oct. 1, also prohibits the sale of precise geolocation data, following in the footsteps of Maryland, Oregon and Virginia in establishing heightened protections for this sensitive information that can be used to monitor and track individuals to specific locations.

"S.B. 4's data broker provisions will make it much easier for consumers to delete their data and protect themselves from harms like stalking, identity theft, and unwanted marketing," Matt Schwartz, senior policy analyst at Consumer Reports, said in a statement issued shortly before the bill was enacted on May 29. "Meanwhile, S.B. 4 will also ensure that consumers' location data is protected by default and cannot be auctioned off to the highest bidder. We hope to see more states pass these critical protections."

Illinois Closing In on AI Auditing Rules

As in Connecticut, lawmakers in Illinois have taken a strong interest in the regulation of AI models and broader consumer data privacy concerns during its latest session.

The Illinois Consumer Data Privacy Act was unable to make it out of the legislature before its session ended on June 1, but lawmakers did send to Gov. J.B. Pritzker's desk a separate landmark bill requiring AI developers to publish annual safety plans and undergo independent third-party audits focused on catastrophic risks. The bill passed the Illinois House 110-0 and the Senate 52-5.

On the day it cleared the legislature, Pritzker wrote on social media that he looked forward to signing the bill, S.B. 315, and "working with the legislature so that AI, when used, is used responsibly."

"Illinois is leading the nation in holding Big Tech accountable," Pritzker wrote. "As AI systems impact people's lives, we need safeguards in place."

The bill, also known as the Artificial Intelligence Safety Measures Act, will require large frontier developers such as OpenAI Inc. and Anthropic PBC to get annual, independent third-party audits and address third-party evaluations, along with risks and mitigations, in an annually updated AI framework.

The bill also requires developers to publish transparency reports before deploying new models or substantially modifying existing ones, and to report critical safety incidents within 72 hours of learning sufficient facts about the incident, or within 24 hours if the incident poses an imminent risk of death or serious physical injury. It also includes whistleblower protections.

California and New York have recently approved regulations on frontier AI developers with transparency and reporting requirements, and Colorado moved to amend its landmark AI law to focus more on transparency obligations surrounding these models, but the Illinois law would likely become the most aggressive state-level AI regulation in the nation because of its external auditing requirements.

OpenAI has welcomed the passage of the Illinois law, saying on X last month that Illinois "passed one of the strongest frontier AI safety laws in the country."

"OpenAI was proud to endorse S.B. 315 because it takes a thoughtful approach to issues like transparency, audits, and incident reporting," the post said, adding that the state AI laws appear to be "aligning around a common approach" and "are beginning to create a de facto national framework."

However, trade groups such as the Computer & Communications Industry Association have come out against the Illinois bill. The CCIA urged lawmakers in a May 26 post on X to "revise S.B. 315's audit provisions and instead follow the more measured approaches adopted in Virginia and Connecticut, studying how independent #AI verification can work before imposing sweeping compliance mandates."

The CCIA linked to a letter to the Illinois House Executive Committee dated May 22 that said "no credible or standardized ecosystem currently exists to conduct the type of independent audits envisioned under the legislation."

Louisiana Adds to Privacy Patchwork, With Others Close Behind

Following a year when no new comprehensive state data privacy laws were put on the books, 2026 has been a different story so far, as Louisiana last month became the third state this year and 22nd overall to enact such a measure.

Senate Bill 386, the Louisiana Data Privacy Act, shares the core principles of its predecessors, requiring companies that have annual gross revenues over $25 million, annually acquire or share for commercial purposes the personal data of at least 75,000 individuals or derive at least half their annual revenues from selling personal data to let consumers correct or delete their data and opt out of its sale and sharing, including for targeted advertising and profiling.

The law, which takes effect on Jan. 1, also requires companies to limit the data they collect to what is "adequate, relevant and reasonably necessary" for their stated purposes; obtain consent to process sensitive data such as biometric, location, racial or ethnic origin and children's data; conduct data protection assessments for targeted advertising and other processing; and give consumers reasonably clear and accessible privacy notices that disclose what personal data they're processing and why, who they're sharing it with and how consumers can address these practices.

The measure mandates companies that sell sensitive or biometric personal data to post a notice that clearly alerts consumers that the business may sell their information.

As with every active privacy law except California's, the Louisiana attorney general would be solely responsible for enforcing the law, and companies would be given 30 days to address any potential violation through July 31, 2027.

In a blog post Friday about the new law, data privacy attorneys at Hunton Andrews Kurth LLP wrote that, while the measure is fairly consistent with other state laws, it was notable that unlike many of its predecessors it does not apply to entities that merely "target" Louisiana residents with their products and services.

"Rather, it applies to entities that 'do business' in the state, which may narrow the law's reach," the Hunton attorneys said.

While Louisiana is the latest state this year, after Oklahoma and Alabama, to finalize a comprehensive data privacy framework, it's unlikely to be the last.

The Massachusetts House on June 4 passed the state's Consumer Data Privacy Act 146-0, months after the Senate unanimously approved the bill, which is expected to soon be sent to the governor.

In addition to allowing Massachusetts residents to correct or delete their data and opt out of its sale and sharing, the law would also ban covered businesses that handle or process the personal data of more than 100,000 people from selling their users' precise location data without explicit consent.

Vermont is also nearing enactment of comprehensive consumer data privacy legislation; the legislature late last month approved a framework that consumer advocates have criticized as significantly weaker than a proposal for regulating companies' handling of personal information that the governor vetoed two years ago.

The bill would require covered entities that control or process the personal data of at least 35,000 people, or that handle sensitive data or sell information of more than 3,000 people, to be transparent with users about how they're using this data and to put in place enhanced protections for sensitive information, including health, biometric, location and children's data.

The legislation would also ban manipulative "dark patterns" that are designed to trick consumers into taking certain actions and would "give Vermonters real tools to fight back" against potential data abuses, including by establishing the rights for them "to correct their data, opt out of collection, obtain a personal copy, and know exactly which third parties have received their data," according to its sponsors.

However, the Vermont measure, which was delivered to the governor on June 10, has faced significant opposition from consumer privacy advocates that say it lacks vital safeguards.

In a statement released shortly after the Senate signed off on the bill, Consumer Reports argued that the basic consumer rights to access, correct and delete their data, as well as to limit some data disclosures, were undercut by the measure's weak definitions of key terms like "targeted advertising," inadequate provisions related to sensitive data and data minimization, and "insufficient" enforcement mechanisms.

"While consumer and public interest advocates recognized that we'd need to compromise with industry in order to get a bill over the line this year, we had hoped to prevent the legislation from backsliding this far," said Consumer Reports' Schwartz. "Instead, this legislation reflects industry's favored model of legislation with no compromises on any of the key issues. That will leave consumers vulnerable across a number of areas."

--Additional reporting by Rae Ann Varona. Editing by Brian Baresch.

For a reprint of this article, please contact reprints@law360.com.