Three More States Just Enacted Data Privacy Laws, Healthcare AI Disclosure Is Now a Legal Obligation & the SEC Is Coming for AI Washing

AI regulation is accelerating across both state and federal levels, and startups are increasingly finding themselves caught between evolving privacy laws, mandatory AI disclosures, and heightened enforcement scrutiny. As regulators crack down on AI washing and healthcare AI transparency gaps, founders can no longer afford to treat compliance, disclosures, and governance as secondary to product growth.

The U.S. regulatory landscape for AI and data governance is fragmenting fast. While Congress continues to debate comprehensive federal frameworks, states are moving ahead with their own privacy statutes, AI transparency mandates, and industry-specific disclosure obligations — and federal regulators are increasingly using existing laws to target misleading AI claims.

For startups, AI companies, healthcare platforms, and founders raising capital, this is no longer just a policy conversation. It is an operational compliance issue that touches product design, investor communications, marketing, consumer disclosures, and internal governance.

Three More States Added to the Privacy Law Patchwork

The U.S. now operates under a rapidly expanding state-by-state privacy framework, with additional comprehensive privacy laws taking effect in 2026.

The result is a growing compliance burden for companies handling consumer data across multiple jurisdictions. Businesses are increasingly expected to:

  • Provide clear consumer disclosures regarding data collection and use

  • Offer opt-out rights for targeted advertising and profiling

  • Maintain internal data governance procedures

  • Conduct risk assessments for sensitive processing activities

  • Implement stronger vendor and data-processing agreements

For startups scaling nationally, the “we’ll fix compliance later” approach is becoming significantly riskier. A company operating in multiple states may now face overlapping obligations with slightly different definitions, disclosure requirements, and enforcement mechanisms.

This is especially important for:

  • AI-driven consumer platforms

  • Health and wellness applications

  • Fintech and embedded finance products

  • SaaS companies collecting behavioral or biometric data

  • Startups relying heavily on personalized advertising or profiling

The absence of a single federal privacy law does not mean the absence of regulation. In practice, it means navigating a patchwork of state-level requirements that continues to expand.

Healthcare AI Disclosure Is No Longer Optional

One of the clearest regulatory trends emerging in 2026 is mandatory disclosure when AI is used in healthcare-related interactions.

Several states have now enacted laws requiring businesses and providers to disclose when patients or consumers are interacting with AI systems rather than licensed professionals.

For example:

  • Utah’s amended AI law requires disclosure in higher-risk interactions involving healthcare, legal, financial, and biometric matters.

  • Texas’s TRAIGA framework requires healthcare providers to disclose AI use to patients at or before treatment.

  • California enacted healthcare AI disclosure requirements restricting systems from implying human medical involvement where none exists.

This trend matters well beyond hospitals.

Companies building:

  • AI symptom checkers

  • Mental health chatbots

  • Wellness and coaching applications

  • Medical intake automation

  • AI-enabled telehealth workflows

  • Healthcare customer support systems

…should assume regulators are paying attention to how AI interactions are presented to users.

The core legal issue is not simply whether AI is being used. It is whether consumers are being misled into believing they are interacting with a licensed professional, receiving human-reviewed guidance, or obtaining clinically validated advice when they are not.

Founders should review:

  • Product UX and disclosure flows

  • Website and marketing language

  • AI-generated recommendation disclaimers

  • Terms of service and informed consent language

  • Escalation procedures to human professionals

In many cases, the legal risk is no longer theoretical.

The SEC’s “AI Washing” Focus Is Intensifying

At the federal level, regulators are increasingly targeting what has become known as “AI washing” — overstating, exaggerating, or misrepresenting AI capabilities to investors or consumers.

The SEC has made clear that existing securities laws already apply to AI-related statements, particularly when companies:

  • Inflate AI capabilities in fundraising materials

  • Misrepresent automation levels

  • Overstate model sophistication

  • Fail to disclose operational limitations or human involvement

  • Market conventional software as “AI-powered” without meaningful AI functionality

Recent federal enforcement actions demonstrate that regulators are willing to use traditional fraud and disclosure theories against AI companies.

This becomes particularly important for:

  • Venture-backed startups

  • Companies preparing for fundraising rounds

  • AI infrastructure companies

  • Public companies discussing AI roadmaps

  • Founders pitching “AI-enabled” products

The compliance issue is not whether a company uses AI. The issue is whether its public statements accurately describe what the technology actually does.

Investor decks, websites, sales materials, and customer onboarding flows should all be reviewed carefully for:

  • Unsupported performance claims

  • Ambiguous references to automation

  • Misleading descriptions of proprietary models

  • Claims regarding accuracy, bias mitigation, or human oversight

  • Statements implying regulatory approval or validation

In short: if your product still depends heavily on manual workflows, human review, or third-party models, your disclosures should reflect that reality.

What Founders Should Be Doing Now

The regulatory environment is shifting from broad AI policy discussions to enforceable operational requirements.

Founders should consider:

  • Conducting AI governance and disclosure audits

  • Reviewing investor-facing AI claims

  • Updating privacy policies and consumer disclosures

  • Evaluating whether state AI laws apply to current workflows

  • Implementing internal documentation for AI decision-making systems

  • Building cross-functional compliance processes between legal, product, and engineering teams

The companies that treat compliance as infrastructure — not an afterthought — will likely be in a stronger position as enforcement accelerates.

Learn more

Holland & Knight

Troutman Pepper Locke