Illinois, Connecticut, NY Pass 4 AI Privacy Laws

For two years the federal AI conversation has stalled while states moved at very different speeds. Colorado spent two years building the first comprehensive state AI law and then gutted it on May 12. While that retreat was still fresh, IAPP reported on May 28 that three other states had quietly pushed four major privacy bills across the line. Together they are the most consequential state AI and privacy enactments of the year.

Key Takeaways

• Illinois SB 315, expected to be signed by Governor JB Pritzker and effective January 1, 2027, is the first state law to require annual third party audits of frontier AI models, naming OpenAI and Anthropic among covered entities.
• Connecticut Governor Ned Lamont enacted SB 4, mirroring California's Delete Act with a data broker registry effective January 1, 2027, a one shot consumer deletion mechanism by July 1, 2028, and an outright ban on selling geolocation data.
• Connecticut SB 5 covers automated decision making in employment, requires AI companion access to be off by default, and prohibits AI companion use by anyone under 18.
• New York's Safe By Design Act, signed by Governor Kathy Hochul as part of the fiscal year 2027 budget, requires default privacy protections for users under 17 with no age verification, parental consent for users under 13, and the same AI companion lockout for minors.
• Illinois SB 315 defines catastrophic risk to include AI models capable of mass harm or damages exceeding $1 billion through cyberattacks or malfunction beyond human control.

What Does Illinois SB 315 Actually Force AI Labs to Do?

Illinois SB 315 is a first in the nation requirement that frontier AI developers submit to annual third party audits of their largest models. Per IAPP's May 28 coverage, the bill obligates covered companies to publish pre deployment reports that document model capabilities, intended use, and risk disclosures before they can be released into Illinois.

The threshold definition is what gives the bill teeth. SB 315 names "catastrophic risk" as the category that triggers full audit and governance obligations, and the statutory floor is a model capable of mass harm or damages exceeding $1 billion through cyberattacks or malfunction beyond human control. That language reaches OpenAI, Anthropic, Google DeepMind, Meta's Llama, and any other lab whose flagship model can plausibly be argued into that envelope. State Representative Daniel Didech (D), one of the sponsors, framed the bill as state level emergency action: "the technology is developing at such a rapid pace that states have had no choice but to step in."

How Does Connecticut SB 4 Change the Data Broker Map?

Connecticut SB 4 is the second state level adoption of the deletion model California pioneered in the Delete Act and Connecticut becomes the second state with a one stop deletion mechanism. Starting January 1, 2027, every data broker processing Connecticut residents' data must register annually with the state. By July 1, 2028, the state has to operate a centralized deletion system that lets a resident submit one request and have it propagated across every registered broker.

The bill goes farther than California in two places. It outright bans the sale of geolocation data, and it adds specific provisions covering facial recognition. We covered Connecticut's earlier SB4 surveillance pricing ban when it cleared the legislature in early May. The version signed by Governor Lamont keeps both the deletion architecture and the surveillance pricing prohibition. State Senate Majority Leader Bob Duff (D) framed the law in consumer terms: residents "deserve to know their personal information cannot be bought and sold without their knowledge."

What Does Connecticut SB 5 Do About AI Companions and Employment?

SB 5 is the AI half of the Connecticut package. The bill covers automated decision making technology in consequential employment decisions, requiring that an employee be informed when an algorithm plays a prominent role in hiring, firing, or promotion, and that employers maintain a risk disclosure system with regular updates to leadership. It also requires disclosure when a user is interacting with a nonhuman system, closing the loophole that lets a "support agent" be either a person or a large language model with no notice.

The AI companion provisions are sharper. SB 5 prohibits AI companion use by anyone under 18 and requires that companion access be off by default for all users. The state must also establish a regulatory sandbox by January 1, 2028 so smaller developers can test compliance without taking on full enforcement risk. The coverage thresholds for frontier AI mirror Illinois SB 315 closely enough that a model audit prepared for one state should largely satisfy the other.

What Is New York's Safe By Design Act?

The Safe By Design Act is the New York entry, sponsored by State Senator Andrew Gounardes (D) and folded into the fiscal year 2027 budget that Governor Kathy Hochul signed in May. The Act restricts adults from initiating interactions with underage users on social media, gaming, and digital messaging platforms, and prevents non connected users from accessing a child's geolocation information.

Where the New York approach diverges from the federal Kids Online Safety Act and from many other state proposals is in how it handles age. The Safe By Design Act implements default design protections for users under 17 without requiring any age verification. Parental consent is required only for users under 13. New York Attorney General Letitia James, who is enforcing the new law, said the Act places responsibility on platforms "to implement real privacy protections and meaningful safeguards." James and 43 other state attorneys general opposed the federal Kids Internet and Digital Safety Act, arguing it would prevent states from enforcing their own children's privacy laws while shielding technology companies from state accountability.

What Compliance Teams Need to Do Now

For privacy programs operating in multiple US states, the practical effect of this week is that the patchwork got both denser and more enforceable:

• Inventory frontier model usage. If your organization deploys an OpenAI, Anthropic, Google, or Meta flagship model, confirm with the vendor whether they expect to register as a covered entity under Illinois SB 315 and what pre deployment reports they will publish.
• Map your data broker exposure. If your business sells or shares Connecticut resident data with any third party, confirm whether registration is required by January 1, 2027 and whether geolocation flows are now prohibited outright.
• Audit automated employment decisions. Any algorithmic step in Connecticut hiring, promotion, or termination workflows now needs employee disclosure and a maintained risk register.
• Disable AI companion features for minors. Both Connecticut SB 5 and New York Safe By Design require companion access to be off by default for users under 18, with parental consent thresholds for under 13.
• Plan for the deletion mechanism deadline. The Connecticut consumer deletion system must be operational by July 1, 2028, which means data brokers should begin building the propagation pipeline now.

Where This Leaves the Federal Conversation

A federal AI safety bill remains stuck. The federal Kids Internet and Digital Safety Act has drawn open opposition from 44 state attorneys general. As state laws stack, the legal exposure for AI labs and data brokers operating nationally is now shaped by Illinois, California, Texas, and Connecticut, not Washington. Colorado retreating two weeks ago and three other states pushing four bills across the line in the same week tells the rest of the country which direction the gravity points.