AI Regulation & Policy: Initial Baseline Report — March–April 2026
今回の要点
- 1.Washington State became one of the first US states to directly regulate a specific AI application category, with Governor Bob Ferguson signing House Bill 2225 on March 24, 2026, establishing rules for AI companion chatbots and including a private right of action [2].
- 2.On April 22, 2026, the House Energy & Commerce Committee introduced the SECURE Data Act, a comprehensive federal privacy bill aimed at replacing the existing patchwork of US state consumer privacy laws with a unified federal standard — though preemption scope and private right of action remain historically contentious obstacles [2] and [3].
- 3.Alabama became the twenty-first US state to enact a comprehensive consumer privacy law when Governor Kay Ivey signed the Alabama Personal Data Protection Act on April 17, 2026, effective May 1, 2027 [2].
- 4.On April 15, 2026, the European Data Protection Board published draft Guidelines 1/2026 clarifying how the GDPR applies to personal data in scientific research contexts, including AI-driven research and large dataset reuse, with a public consultation period open until June 25, 2026 [1].
- 5.As of April 22, 2026, organizations subject to COPPA must comply with the FTC's 2025 amendments to the COPPA Rule, marking a significant enforcement milestone with direct implications for AI platforms interacting with minors [2].
エグゼクティブサマリー
- •This is the initial baseline report, compiled from sources collected during the reporting period. Future reports will track changes and trends relative to this baseline.
- •The reporting period captures an exceptionally active regulatory moment: multiple US states enacted or amended privacy and AI-specific laws, the federal government introduced a comprehensive privacy bill, and the EU's primary data protection body issued significant draft guidance covering AI research applications.
- •A notable divergence is emerging in US state regulatory strategy: Washington State enacted targeted AI-specific legislation, while the Connecticut Attorney General opted to apply existing state laws to AI systems via advisory guidance — reflecting competing approaches to AI governance without new dedicated legislation [3].
- •California is transitioning from rulemaking to active enforcement, with the California Privacy Protection Agency signaling CCPA compliance audits in 2026 and issuing new rules around Automated Decision-Making Technology pre-use notices and opt-outs, raising the stakes for organizations using AI in consumer-facing applications [2] and [4].
- •At the enterprise level, organizations are shifting from periodic AI risk reviews to continuous risk management models, with AI governance increasingly embedded as a core component of privacy program operations [4].
市場動向
AI Governance Frameworks Expand Across Jurisdictions
Regulatory and legislative activity targeting AI governance is intensifying across multiple jurisdictions. In Washington State, Governor Bob Ferguson signed House Bill 2225 on March 24, 2026, establishing regulations for artificial intelligence companion chatbots, including a private right of action [2]. In Connecticut, the state Attorney General issued an advisory clarifying how existing Connecticut laws apply to artificial intelligence, signaling that regulators are increasingly applying legac…
競合動向
EDPB Draft Guidelines on Personal Data in Scientific Research
On April 15, 2026, the European Data Protection Board published draft Guidelines 1/2026 addressing how the GDPR applies to academic, public-sector, and commercial research activities, including those relying on AI and large datasets. The guidelines are open for public consultation until June 25, 2026. This represents a significant regulatory clarification effort for organizations conducting AI-driven research in the EU, as it directly addresses the reuse of personal data in AI contexts. Notably,…
US Federal and State Privacy Legislation Surge
A wave of new privacy legislation is reshaping the US regulatory landscape. On April 22, 2026, House Republicans introduced the SECURE Data Act, a comprehensive federal privacy bill aimed at replacing the existing patchwork of state consumer privacy laws with a single federal standard, announced by the House Energy & Commerce Committee [2]. Separately, Alabama became the 21st state to enact a comprehensive consumer privacy law when Governor Kay Ivey signed the Alabama Personal Data Protection Ac…
AI Governance and Regulatory Scrutiny Intensifying Globally
Multiple regulatory and policy developments signal intensifying global scrutiny of AI governance. Washington State enacted a law regulating AI companion chatbots, signed by Governor Bob Ferguson on March 24, 2026, including a private right of action [2]. Tech Policy Press published analysis on April 24, 2026 examining governance challenges including 'The Denominator Problem in AI Governance' and perspectives on how the EU and UK can learn from AI model deployment practices [5]. OneTrust's blog h…
制度・規制動向
EDPB Draft Guidelines on Personal Data in Scientific Research
On April 15, 2026, the European Data Protection Board published draft Guidelines 1/2026 addressing how the GDPR applies to personal data processing in scientific research contexts, including academic, public-sector, and commercial research that relies on AI and large datasets. The guidelines are open for public consultation until June 25, 2026. Notably, the guidelines explicitly cover AI-driven research and the reuse of personal data, signaling the EDPB's intent to bring AI-related data practice…
US Federal Consumer Privacy Bill: SECURE Data Act Introduced
On April 22, 2026, the House Energy & Commerce Committee announced the introduction of the SECURE Data Act, a comprehensive federal privacy bill intended to replace the existing patchwork of U.S. state consumer privacy laws with a single federal framework. According to [2], the Committee also announced its intention to advance the bill. This development follows a parallel introduction reported by House Republicans, with commentary noting that two recurring obstacles — preemption scope and privat…
Accelerating State-Level Privacy Legislation Across the US
The reporting period saw a notable acceleration in state-level consumer privacy law enactments. On April 17, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act, making Alabama the twenty-first state to enact a comprehensive consumer privacy law, effective May 1, 2027 [2]. Additionally, on April 13, 2026, Kentucky Governor Andy Beshear signed HB 692, classifying certain Smart TV data as sensitive under the Kentucky Consumer Data Protection Act, effective July 1, 2027.…
COPPA Rule Amendment Compliance Deadline and Children's Data Regulation
As of April 22, 2026, organizations subject to the Children's Online Privacy Protection Act became required to comply with the FTC's 2025 amendments to the COPPA Rule, marking a significant enforcement milestone for children's online data protection [2]. This coincides with broader international momentum on youth data regulation, including Australia's Exposure Draft Children's Online Privacy Code, which was noted as having potential implications for businesses operating in that jurisdiction [3].…
Washington State Enacts AI Companion Chatbot Regulation
On March 24, 2026, Washington Governor Bob Ferguson signed House Bill 2225, an Act specifically regulating artificial intelligence companion chatbots, making Washington one of the first US states to directly legislate a specific category of AI application [2]. This targeted regulation reflects a growing trend of legislators moving beyond general AI governance frameworks to address specific high-risk AI use cases. The law's existence alongside broader state privacy frameworks suggests regulators …
California Privacy Enforcement Ramps Up with CCPA Audits and ADMT Rules
The California Privacy Protection Agency signaled an intensification of enforcement activity, with its Executive Director Tom Kemp indicating the agency expects to conduct CCPA compliance audits in 2026 as it builds out its newly created Audits Division [2]. On April 20, 2026, CalPrivacy also issued an invitation for preliminary comments on potential regulatory changes concerning notices, disclosures, and employee data under the CCPA. Separately, commentary from compliance-focused sources highli…
Connecticut AG Issues AI Guidance Under Existing State Laws
The Connecticut Attorney General issued an advisory clarifying how existing Connecticut laws apply to artificial intelligence, representing a notable regulatory approach of extending current legal frameworks to AI without enacting new AI-specific legislation [3]. This approach, reported in early April 2026, contrasts with the targeted AI legislation seen in Washington State and reflects a divergence in regulatory strategy among US states. For organizations deploying AI systems, this signals that…
重要な変化の整理
EDPB Publishes Draft Guidelines on Personal Data in Scientific Research
新規On April 15, 2026, the European Data Protection Board published draft Guidelines 1/2026 clarifying how the GDPR applies to academic, public-sector, and commercial research, including AI-driven research and large dataset reuse. The guidelines are open for public consultation until June 25, 2026. They do not cover genetic, biometric, or health data specifically. [1]
SECURE Data Act Introduced to Replace U.S. State Privacy Patchwork
新規On April 22, 2026, the House Energy & Commerce Committee announced the introduction of the SECURE Data Act, a comprehensive federal privacy bill intended to replace the existing patchwork of U.S. state consumer privacy laws with a single federal law. According to [2] and [3], House Republicans introduced this federal consumer privacy bill, with prior congressional attempts having repeatedly stalled over preemption and enforcement issues.
Alabama Enacts 21st State Comprehensive Consumer Privacy Law
新規On April 17, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act into law, making Alabama the twenty-first state to enact a comprehensive consumer privacy law. The law takes effect on May 1, 2027. [2]
COPPA Rule Amendment Compliance Deadline Reached
新規As of April 22, 2026, organizations subject to the Children's Online Privacy Protection Act must comply with the FTC's 2025 amendments to the COPPA Rule, marking a significant children's privacy compliance milestone. [2]
Washington State Enacts AI Companion Chatbot Regulation with Private Right of Action
新規On March 24, 2026, Washington Governor Bob Ferguson signed House Bill 2225, regulating artificial intelligence companion chatbots and notably including a private right of action. This represents an early state-level AI-specific regulatory measure targeting consumer-facing AI products. [2]
示唆・見るべき論点
- 1.The simultaneous introduction of a federal privacy bill (SECURE Data Act) alongside accelerating state-level legislation creates a critical compliance inflection point: organizations must determine whether to invest in state-by-state compliance infrastructure or anticipate federal preemption — a strategic bet that has historically proven premature given prior congressional failures on similar bills [2] and [3].
- 2.Washington State's AI companion chatbot law — including a private right of action — signals that legislators are willing to create enforcement mechanisms that bypass regulatory agencies entirely for AI-specific harms, a development that could meaningfully increase litigation risk for consumer-facing AI product developers [2].
- 3.The EDPB's draft Guidelines 1/2026 explicitly address AI-driven research and personal data reuse, indicating that EU regulators are actively extending GDPR scrutiny to AI workflows without waiting for EU AI Act implementing measures — organizations conducting AI research in the EU should engage with the public consultation process before June 25, 2026 [1].
- 4.The Connecticut Attorney General's approach of applying existing consumer protection and privacy statutes to AI systems — rather than enacting new AI-specific laws — suggests that AI compliance obligations may already exist under legacy legal frameworks in many jurisdictions, even absent dedicated AI legislation [3].
- 5.Tech Policy Press analysis from April 2026 identifies structural governance gaps, including 'the denominator problem in AI governance,' suggesting that current regulatory frameworks may lack the conceptual tools to address scale and population-level AI risks — a challenge that neither the US state-level approach nor current EU guidelines directly resolves [5].
ソース
Reports on EDPB draft Guidelines 1/2026 published April 15, 2026, covering GDPR application to scientific research including AI-driven research and large dataset reuse, with public consultation open until June 25, 2026.
関連: Regulatory TrendsCovers a range of US regulatory developments including the SECURE Data Act introduction, Alabama privacy law enactment, Washington State AI chatbot regulation, COPPA compliance deadline, Virginia geolocation ban, Kentucky Smart TV data classification, and California Privacy Protection Agency enforcement signals.
関連: Regulatory TrendsReports on Connecticut Attorney General AI advisory, SECURE Data Act introduction context including historical obstacles, and Australia's Exposure Draft Children's Online Privacy Code.
関連: Regulatory TrendsDiscusses enterprise shift to continuous AI risk management, CCPA 2026 updates affecting AI governance including Automated Decision-Making Technology rules, and AI governance as a core privacy program component. (Company blog — may reflect promotional framing.)
関連: Market TrendsPublished analysis on structural AI governance challenges including 'The Denominator Problem in AI Governance' and perspectives on EU and UK approaches to AI model deployment.
関連: Market Trends