Emerging Risks: State Regulatory Divergence
Polarization within the U.S. is driving a continued influx of state legislative and regulatory activity. Given the difficulty of reaching bipartisan accord at the federal level, this patchwork of state actions will only continue to grow, at times putting business in the crosshairs of public policy, adding to operational costs, and forcing companies to invest in effectively scanning for, assessing, and complying with new requirements.
In this article, we preview state legislative activity across a few key regulatory areas, including: 1) AI/GenAI, 2) Cybersecurity and Privacy, and 3) “Fair Access”.
AI/GenAI
Almost every state is actively looking at enacting AI-oriented laws and regulations. In the 2024 legislative session, at least 45 states introduced AI bills with about 30 of them adopting resolutions or enacting legislation. Notable provisions cover a range of concerns:
Watch for more state activities intended to set safeguards around AI design, development, deployment, use, and ongoing monitoring and testing as well as protections for consumer privacy and workers (e.g., whistleblower protections).
Cybersecurity and Privacy
Taken together, at least 40 states introduced more than 800 cyber- and privacy-related bills in 2024. These laws and related regulations include a combination of broad applications (across all industries) and targeted requirements. Key features include:
Seven states adopted comprehensive data privacy laws (establishing both privacy rights and business obligations) in 2024, bringing the total number of state privacy laws to 20. Watch for more cybersecurity and data privacy laws to be enacted in the future, including parameters around consent/authorization, opt-in/opt-out provisions, auditability, and testing requirements.
Fair Access
Fair access is often referred to as “fair banking,” but the term is increasingly used both across financial services and across industries. An increasing number of states are introducing and passing laws aimed at protecting consumer rights related to access to services. For example, recently enacted laws include provisions that prohibit a financial institution from denying, canceling, suspending, or terminating services to a person, or discriminating in the provision of services, based on any factor other than a “quantitative, impartial, risk-based standard.” Factors that may not be used include political opinions or affiliations, religious beliefs or affiliations, or participation in certain business sectors.
As more states consider similar laws, watch for heightened regulatory focus on a broad application of consumer protections and enhanced fair access.
In closing, irrespective of election outcomes, the number of new state laws and regulations, along with related enforcement, is rising and will continue to do so. More to come in 2025!
Want more from Regulatory Insights? See The Empowerment of State Law and Regulation (kpmg.com) and Regulatory Shift 2025 (kpmg.com).