Notable AI, privacy bills hit finish line in Illinois, Connecticut and New York

A new frontier AI transparency bill is coming to Illinois, and it might be the most stringent statute yet among U.S. states. Senate Bill 315, approved by the Illinois General Assembly and awaiting enactment, shares common threads with transparency laws on the books in California and New York while raising a first-of-its-kind requirement for annual third-party auditing.

The yearly reviews are one component of a transparency framework that also includes mandatory governance, risk mitigation and cybersecurity undertakings. Pre-deployment reports are another key aspect of SB 315, with covered entities staked to issuing reports outlining model capabilities, intended use and risk disclosures.

"This piece of legislation is designed to put up some guardrails and make sure we have some safeguards in place to protect against some of the worst catastrophic risks," state Rep. Daniel Didech, D-Ill., told NBC News. He added addressing frontier models through a "federal approach" is preferred, but "the technology is developing at such a rapid pace that states have had no choice but to step in."

Enactment is expected soon after the bill is transmitted by lawmakers, with Gov. JB Pritzker, D-Ill., indicating he will sign SB 315 when it hits his desk. In a post on the social platform X, Pritzker said AI safeguards are necessary and plans to keep "working with the legislature so that AI, when used, is used responsibly."

Once Pritzker acts, the bill will take effect 1 Jan. 2027.

Another notable aspect of the bill is the definition of "catastrophic risk," a linchpin to many of the risk requirements. The criteria for that level of risk includes models capable of mass harm or creating damages totaling more than USD1 billion through cyberattacks or malfunction beyond human control.

OpenAI and Anthropic, which both supported the bill, are among the covered entities. In a public statement, Anthropic Head of U.S. State and Local Government Relations Cesar Fernandez said, "enforceable accountability matters more than ever" with the proliferation of AI and SB 315 sets "a new standard" for state and federal lawmakers to consider in ongoing safety and transparency debates.

Connecticut's governor signs bills tackling data sales, broad AI concerns

Gov. Ned Lamont, D-Conn., enacted a pair bills adding to Connecticut's expansive AI and privacy rulebook.

Senate Bill 4 introduces new data broker registration rules mirroring California's Delete Act while amending Connecticut's Data Privacy Act to ban geolocation data sales and add specific provisions for facial recognition technology. Senate Bill 5 is a broad law covering a range of AI issues, including automated decision-making technology and AI companions.

SB 4 marks the latest wave comprehensive privacy modifications by state Sen. James Maroney, D-Conn., the author of the original CTDPA.

The data broker statute prohibits brokers from processing state residents' data without annual registration beginning 1 Jan. 2027. The state's Commissioner of Consumer Protection is tasked with creating a consumer mechanism for streamlined single opt-out and deletion from data broker lists before 1 July 2028.

As of May, more than 285,000 California residents are utilizing the California Privacy Protection Agency's Delete Request and Opt-out Platform after it launched 1 Jan. Connecticut officials could consult CalPrivacy for technical expertise on building out the deletion system, as the states have previously collaborated on privacy enforcement matters through The Consortium of State Privacy Regulators. 

"I have seen firsthand the devastating consequences that can follow when personal data falls into the wrong hands," state Senate Majority Leader Bob Duff, D-Conn., said in a statement after the bill cleared the legislature 4 May. "Connecticut residents deserve to know their personal information cannot be bought and sold without their knowledge."

SB 5 represents an AI compromise between Maroney, fellow lawmakers and Gov. Lamont after three years of debate and a veto threat on a separate framework that nearly passed in 2024.

The bill carries frontier model requirements with coverage thresholds similar to Illinois SB 315. It mandates covered developers must create reporting systems for employees to anonymously disclose risks or malfunctions discovered while drafting regular updates on the handling of those potential risks to company leadership.

With ADMT, SB 5 requires disclosure when automated decisions play a prominent role in consequential decisions related to employment while making clear anti-discrimination laws apply to those technologies. AI companion requirements include disclosure and transparency regarding nonhuman interactions and a prohibition on use by minors under age 18.

There are AI innovation components built into the bill as well, including the creation of a regulatory sandbox by 1 Jan. 2028.

"It is a start, it's not an end point,” Maroney told Pluribus in a recent interview. "There's additional work I’d like to do, but I think this bill positions us well — particularly with the workforce development and training programs that we’re building in here — to make sure our residents are prepared to compete in the AI economy."

New York includes Safe By Design Act in 2027 budget

Gov. Kathy Hochul, D-N.Y., announced the inclusion of the Safe By Design Act in the state's fiscal year 2027 budget agreement, advancing new children's online safety requirements for social media, gaming and digital messaging platforms.

The children's online safety provisions require covered platforms to implement safeguards to restrict adults from interacting with underage users while preventing children's geolocation information from being accessed by users they are not connected to. Minors under age 13 will need parental consent to access platforms and those under 17 will be protected by default design measures, none of which require age verification.

The new rules also limit AI companion use by minors on covered platforms, requiring entities to set companion access off by default.

State Sen. Andrew Gounardes, D-N.Y., sponsored the Safe By Design Act's consideration in the legislature before it was attached to the budget. In a statement, he said the provisions place responsibility on platforms "to implement real privacy protections and meaningful safeguards so their platforms are no longer a place for rampant grooming of children."

The budget provision comes as New York Attorney General Letitia James joined 43 state attorneys general in opposition of U.S. Congress' Kids Internet and Digital Safety Act, which carries similar provisions to the Safe By Design Act.

In a letter to congressional leaders, James and the coalition argued the KIDS Act could prevent states from enforcing their children's privacy laws while potentially shielding technology companies from accountability under existing state frameworks.

"Online platforms are fueling a mental health crisis among young people, and New York has led the way to enact new measures to protect our kids," James said in a statement. "The KIDS Act would strip states of their ability to protect our children online. I am proud to join a bipartisan coalition of my fellow attorneys general in sending a clear message to Congress: the KIDS Act should not become law."