Making sense of AI policy, one week at a time. Breaking down new regulations, explaining governance frameworks, and tracking the global effort to govern artificial intelligence responsibly.
Subscribe to the newsletter
A filterable timeline of AI and privacy-related laws, regulations, frameworks and policies worldwide.
RBI Committee Report setting out seven guiding ‘Sutras’ and 26 recommendations under six strategic pillars for responsible and ethical AI adoption in the financial sector.
Texas AI law signed (effective Jan 1, 2026), covers biometric identifiers, bans AI social scoring.
NY Senate bill passed requiring provenance data on AI-generated media (awaiting signature).
Japan's first AI promotion law passed by Diet (soft-law framework).
Biden EO on protecting democracy from AI risks (revoked 20 Jan 2025).
FDA guidance for "predetermined change control plans" in AI/ML medical device software.
First international AI treaty opened for signature.
EU law regulating AI (all uses) by risk level; came into force 1 Aug 2024. Key timeline: 21 Apr 2021 – European Commission formally proposed the regulation 9 Dec 2023 – European Parliament and Council reached provisional agreement 12 Jul 2024 – Act published in the Official Journal of the European Union 1 Aug 2024 – Act entered into force 2 Feb 2025 – Prohibitions on 'unacceptable risk' AI systems (e.g., social scoring, real-time biometric ID, emotion recognition in workplaces) take effect 2 Aug 2025 – Obligations for general-purpose AI (GPAI) models (transparency, risk governance) apply 2 Aug 2026 – General application date for most provisions 2 Aug 2027 – Certain obligations for high-risk AI systems embedded in regulated products/infrastructures become applicable.
Effective Jan 1, 2026.
Effective July 31, 2025 (staggered for some sectors).
State AI consumer protection law (effective Feb 1, 2026).
Effective Nov 1, 2025.
Effective Apr 17, 2024; cure period ends Dec 31, 2025.
Effective Jan 1, 2026.
State law requiring disclosures on generative AI (effective May 1, 2024).
Parliament approval; Council approval followed (21 May 2024); in force 1 Aug 2024.
Comprehensive privacy law (effective 2025).
Effective Jan 15, 2025.
Biden EO advancing coordinated US AI governance.
Expands data-broker registry; creates one-stop deletion mechanism (DROP) with phased rollout (2026+).
Comprehensive privacy law; staged effective dates beginning 2025.
Effective July 1, 2024 (later for certain nonprofits).
Effective July 1, 2024; additional opt-out agent provisions phased in 2025.
Consumer rights + platform duties; various effective dates from July 2023.
Effective Oct 1, 2024 (some provisions/assessments 2025+).
Comprehensive privacy law; effective July 1, 2025.
Effective Jan 1, 2026.
Covers consumer health data outside HIPAA; key provisions effective 2024 (later for small businesses).
Effective Jan 1, 2025.
Impose self-assessment and disclosure requirements on online AI services. Bans harmful deepfake uses.
Signed Sept 15, 2022; enforcement enjoined by federal courts pending litigation.
State privacy law (Jan 2023) includes enhanced oversight of automated decision-making.
Comprehensive privacy law; effective July 1, 2023.
Effective Dec 31, 2023.
City law requiring bias audits of automated employment decision tools (AEDTs).
First global AI ethics standard (193 Member States).
Comprehensive privacy law; effective July 1, 2023.
European Commission unveils first comprehensive AI regulation.
Comprehensive consumer data privacy law; effective Jan 1, 2023.
Law establishing a coordinated federal AI R&D and governance program.
Amends/expands CCPA; creates CPPA; effective Jan 1, 2023 (with lookback to Jan 1, 2022).
Opt-out of “sale” of certain personal information; effective Oct 1, 2019.
Council Recommendation on AI (47 countries) encouraging trustworthy AI.
Trump EO directing federal AI strategy and coordination across agencies.
EU data protection law with implications for AI (data fairness, automated decision-making rules).
First comprehensive U.S. state privacy law; effective Jan 1, 2020.
Introduced under the Privacy Act; requires entities to notify individuals & the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to cause serious harm. :contentReference[oaicite:2]{index=2}
Includes requirements on algorithmic transparency (e.g. explainability in public algorithms).
Under the Competition and Consumer Act 2010, the Consumer Data Right (CDR) includes legal privacy & security safeguards for consumer data. :contentReference[oaicite:5]{index=5}
Notice/consent, retention policy; private right of action (amended in 2024).
Commercial email rules; opt-out and identification requirements.
Privacy Rule, Safeguards Rule; regulates financial institutions’ handling of nonpublic personal information.
Parental notice/consent for collecting data from children under 13.
Privacy/Security Rules for protected health information (PHI).
Restricts disclosure of personal data from state DMV records.
Consent/opt-out rules for calls, texts, faxes; Do-Not-Call.
Federal law regulating the handling of personal information by Australian Government agencies and private sector organisations (APP entities). :contentReference[oaicite:0]{index=0}
Limits disclosure of video-viewing records.
Wiretap Act + Stored Communications Act; access rules for electronic communications.
Governs federal agencies’ collection/use of PII; access, amendment, and fair information practices.
Student education records privacy; access/correction rights.
Regulates consumer reporting agencies; accuracy, access, correction rights.