Skip to main content
state legislationCalifornia, Texas, Colorado, New York

Which State AI Laws Affect Law Firms in 2026?

Multiple state AI laws took effect on January 1, 2026, imposing compliance duties on law firms that develop, deploy, or use covered AI systems. This guide identifies the key laws — including California AB 2013, SB 243, and Texas TRAIGA — and the operational steps firms must take to remain compliant.

Entry details

Who it applies to
Law firms in California, Texas, Colorado, and New York that develop, deploy, or use covered AI systems
Last reviewed
2026-07-09

A law firm can no longer treat the phrase laws for ai as shorthand for client alerts about technology companies. In 2026, the practical question is narrower and less comfortable: which of the firm’s own systems make the firm a developer, deployer, provider, or user of a covered AI system?

The distinction matters because several state AI laws are already effective or imminent in 2026. MultiState’s tracker reports 1,561 AI-related bills introduced in 45 states, with 145 enacted in 2025 alone.[1] That volume is useful context, but it is not the operating problem. The operating problem is that a firm’s intake chatbot, recruiting screen, client portal, internally built research assistant, AI-generated marketing workflow, or vendor-provided drafting tool may now sit inside a statutory category that was not written with law firms as the headline audience.

Timeline of 2026 state AI compliance dates for California and Texas laws

This article is a compliance map, not jurisdiction-specific legal advice. The point is to identify the state AI laws that deserve immediate internal routing in Q3 2026, distinguish current obligations from watch items, and tie each law to the law firm function likely to own the next action.

The 2026 Date Scan: What Is Live, Imminent, or a Tracker Item

The first sorting exercise is temporal. A statute that is effective, a compliance obligation that is operative, a provision delayed by amendment, and a law being challenged in court should not be put in the same internal memo as though they create the same work today.

Law2026 statusPrimary targetLikely law firm touchpoint
California AB 2013Effective January 1, 2026; constitutional challenge pending in xAI v. Bonta.[2]Developers of generative AI systemsFirm-built generative AI tools; vendor diligence for systems trained or customized with firm or client data
California SB 243Effective January 1, 2026.[3]Companion chatbot operators and covered chatbot interactionsClient-facing intake bots, website chatbots, and any bot designed to sustain emotionally dependent user engagement
Texas TRAIGA, HB 149Effective January 1, 2026.[2]Certain prohibited AI uses, with government AI use as the primary regulatory focusUse restrictions, acceptable-use controls, and Texas-facing AI governance review
California TFAIA, SB 53Effective January 1, 2026.[3]Developers of advanced frontier modelsUsually vendor diligence unless the firm develops or materially controls an advanced model
California SB 942 / AB 853AI detection tool requirements delayed to August 2, 2026 by AB 853.[4]Covered providers with more than 1 million monthly California usersAI-generated content workflows; vendor representations; latent disclosure and detection-tool review
Colorado SB 205 / SB 189Original SB 205 repealed and replaced by SB 189 in Q2 2026; SB 189 effective January 1, 2027, subject to current-status confirmation.[2]Automated decision-making technologyTracker item for hiring, employment, intake, and other decision-support systems
New York RAISE ActEffective January 1, 2027.[4]Frontier model developersTracker item, mainly for vendor diligence and any firm-built frontier-model activity

The table deliberately separates direct 2026 work from near-term monitoring. Colorado and New York are not irrelevant; they are just not the same kind of Q3 2026 obligation as California AB 2013, California SB 243, Texas TRAIGA, or California TFAIA. That distinction is what keeps a compliance calendar from becoming an unreadable list of AI headlines.

Where Law Firms Stop Being Bystanders

A law firm’s risk does not begin when it sells AI software. It can begin when the firm operates a chatbot, relies on an AI tool in hiring, builds an internal generative system, publishes AI-generated content, or sends firm and client data into a vendor environment without knowing how the tool was trained, logged, retained, or disclosed.

The professional responsibility baseline already requires attention. ABA Formal Opinion 512 and state ethics rules make AI use a competence, confidentiality, supervision, communication, and fee issue for lawyers. A useful statutory review should not replace that ethics analysis; it should sit beside it. The same inventory that supports a firm’s AI governance policy should also identify whether a state law treats the firm as a regulated actor.

The intake bot is a good example because it crosses so many internal lines. Marketing may own the website. Business intake may own the workflow. IT may own integration and logging. The general counsel may own privilege, confidentiality, and unauthorized practice concerns. If the bot is also capable of extended personal engagement or appears in a California-facing environment, SB 243 becomes a statutory scoping question rather than a general AI concern.

California AB 2013: Training-Data Transparency Is a Developer Question First

California AB 2013 took effect January 1, 2026 and requires developers of generative AI systems to publicly disclose information about training data sources, ownership, volume, the use of synthetic versus non-synthetic data, whether copyrighted or personal information was used, and how data was processed.[2] For most law firms, the first question is not whether the firm uses generative AI. It is whether the firm develops a generative AI system in a way that brings it into the statute’s developer-facing obligations.

That is a narrower question than many internal AI surveys ask. A firm that simply licenses a commercial drafting assistant may need vendor diligence and client-confidentiality controls, but AB 2013’s public disclosure duty is framed around developers. A firm that builds its own generative research assistant, fine-tunes a model, or materially controls a system trained on firm-selected data has a different scoping exercise. Legal, IT, knowledge management, and innovation teams should be able to answer who selected the training corpus, whether client data entered it, who owns the model or derivative system, and whether any public training-data disclosure has been made or is required.

The pending constitutional challenge in xAI v. Bonta matters, but it does not remove the need for records.[2] If the obligation changes, the firm will still need to know which systems were potentially in scope. A dated file showing the system owner, training-data sources, vendor role, data processing assumptions, and legal review is more useful than a generic statement that the firm “uses AI responsibly.”

California SB 243: Chatbots Need Product Owners, Not Just Disclaimers

California SB 243 also took effect January 1, 2026. The law addresses companion chatbot safety, creates a private right of action, and provides statutory damages of at least $1,000 per violation. It requires suicide prevention protocols, age-verification design, and limits on emotionally dependent user interactions.[3]

For a law firm, the immediate review should begin with every public or semi-public chatbot, not with a theoretical debate about companion AI. The firm should identify website intake bots, client portal assistants, recruiting chat tools, alumni or community bots, and any third-party widget embedded on a firm-controlled page. The question is whether the tool’s design, audience, and interaction pattern place it near SB 243’s covered conduct. A brief pop-up disclaimer is not a substitute for knowing what the bot is designed to do, what it can say, how it escalates risk, and who reviews transcripts or incident reports.

The owner should not be left implicit. Marketing can confirm placement and copy. IT can confirm integration, data capture, vendor configuration, and access logs. The general counsel or risk function can review privilege, confidentiality, engagement formation, and statutory exposure. HR should be involved if the chatbot appears in recruiting. If the system interacts with minors or vulnerable users, the review should not wait for an annual vendor cycle.

  • Inventory every chatbot visible to California users, including embedded vendor widgets.
  • Document the bot’s intended purpose, audience, escalation path, transcript retention, and human-review process.
  • Confirm whether the design encourages extended emotional dependency or personal companionship.
  • Review vendor contract terms for safety protocols, age-related controls, audit support, and incident notice.
  • Route any materially changed chatbot through legal, IT, and the business owner before launch.

Texas TRAIGA: Narrower Private-Sector Duties Still Require Use Controls

Texas TRAIGA, enacted as HB 149, became effective January 1, 2026. The law categorically prohibits AI systems developed to produce child pornography, unlawful deepfakes, or behavioral manipulation that causes physical or financial harm, while most private-sector obligations are limited and government AI use is the primary regulatory target.[2]

That narrower scope should be respected. A Texas office using a mainstream document review tool is not automatically facing the same operational burden that a public agency may face. But the prohibited-use categories still belong in a firm’s acceptable-use policy, vendor diligence questions, and incident escalation procedure. A firm should be able to show that its AI systems are not developed, configured, or instructed for unlawful deepfake generation, prohibited sexual content, or manipulative conduct that causes physical or financial harm.

The practical owner is usually a combination of IT security, procurement, and the general counsel’s office. If the firm uses generative AI in investigations, employment matters, litigation graphics, or synthetic media review, the controls should be more explicit. “We do not do that” is not a control unless someone has translated it into tool permissions, user guidance, monitoring, and vendor restrictions.

California TFAIA and SB 942: Mostly Vendor Diligence, Until They Are Not

California’s TFAIA, SB 53, took effect January 1, 2026 and imposes frontier model safety requirements on developers of advanced AI models, including safety protocols, pre-deployment testing, and incident reporting obligations.[3] Most law firms will not be frontier model developers. That conclusion should be documented, not assumed.

The line can matter for large firms with innovation labs, proprietary platforms, or deeply customized generative AI environments. If the firm is simply procuring access to a vendor’s model, TFAIA is primarily a vendor diligence issue. If the firm is developing or materially controlling an advanced model, the analysis changes. The file should identify the model provider, the firm’s role, the nature of customization, who conducts testing, and who receives safety or incident information from the vendor.

SB 942 requires separate attention because its operative timing shifted. As modified by AB 853, AI detection tool requirements for covered providers with more than 1 million monthly California users are delayed to August 2, 2026.[4] The monthly-user threshold means many law firms will not be covered providers. Still, firms that publish AI-generated client alerts, marketing content, images, videos, or chatbot responses should review whether latent disclosures, provenance features, or detection-tool commitments are being handled by a vendor rather than by the firm itself.

The immediate control is not to label every AI-assisted sentence. It is to assign ownership for generated-content workflows. Communications, marketing, knowledge management, and practice groups should know when AI-generated content is used, whether human review is required, whether metadata or latent disclosure is preserved or stripped, and whether vendor representations cover the August 2026 requirements if the vendor is the covered provider.

Colorado, New York, and Federal Pressure Belong on the Tracker

Colorado is a cautionary example for anyone maintaining an AI compliance calendar. The original Colorado AI Act, SB 205, was repealed and replaced by SB 189 in Q2 2026. The replacement reorients the regime from “high-risk AI” to automated decision-making technology, eliminates formal risk management program requirements, and is effective January 1, 2027, subject to current-status confirmation at the time a firm relies on the tracker.[2]

That is not a reason to ignore Colorado. It is a reason to mark Colorado as a monitored jurisdiction rather than a fixed 2026 control set. The law firm systems most likely to matter are employment screening tools, promotion or compensation decision-support systems, intake triage systems, and other tools that influence consequential decisions. HR, legal ops, and procurement should preserve enough information now to avoid reconstructing the tool history in late 2026.

New York’s RAISE Act is also a 2027 item. It becomes effective January 1, 2027 and imposes safety protocols on frontier model developers, with penalties up to $3 million for subsequent violations.[4] For law firms, the near-term consequence is again role classification. If the firm is not a frontier model developer, the statute still belongs in vendor diligence for model providers and in any review of firm-built advanced AI systems.

Federal activity adds another monitoring layer. The research record identifies a DOJ AI Litigation Task Force established under a December 2025 AI National Policy Framework executive order and notes intervention in Colorado AI Act litigation. Federal preemption efforts could reshape parts of the state-law landscape. That uncertainty should be tracked in the same dated source file as state effective dates, amendments, litigation, and agency guidance.

The Internal Map a Firm Should Have in Q3 2026

The useful deliverable is not a slide that says the firm is monitoring AI regulation. It is a working map that connects a jurisdiction, a statutory role, a system, an owner, and a record. A firm can build that map without pretending every legal question has been resolved.

Firm activityPossible statutory issueOwner to alertRecord or control to create
Website intake chatbotCalifornia SB 243 scoping; client communication and confidentiality overlayGeneral counsel, marketing, IT, intake teamBot purpose, audience, scripts, escalation rules, vendor safety controls, transcript policy
AI-assisted recruiting or screeningColorado 2027 tracker; state employment and discrimination overlaysHR, employment counsel, procurementTool inventory, vendor model description, decision role, human review process, adverse-impact monitoring plan
Firm-built generative research assistantCalifornia AB 2013 developer analysis; confidentiality and supervision dutiesInnovation, knowledge management, general counsel, IT securityTraining-data source file, vendor role, data processing notes, access controls, public disclosure analysis
AI-generated marketing or client-alert contentCalifornia SB 942 / AB 853 vendor or provider analysisCommunications, marketing, practice group leadersHuman review rule, provenance handling, metadata policy, vendor disclosure representations
Use of frontier model vendorsCalifornia TFAIA and New York RAISE Act vendor diligenceProcurement, IT security, general counselSafety-protocol questions, testing and incident-reporting commitments, audit rights, notice obligations
Texas-facing AI deploymentsTRAIGA prohibited-use controlsGeneral counsel, IT security, procurementAcceptable-use policy, restricted features, user training, incident escalation path

This is where statutory compliance and lawyer ethics start to use the same evidence. The inventory that tells the firm whether AB 2013 might apply also helps evaluate confidentiality risks. The vendor diligence that asks about TFAIA safety protocols also supports supervision obligations. The chatbot review that routes SB 243 issues also helps prevent accidental attorney-client relationship confusion. For a deeper ethics baseline, firms can connect this work to ABA Formal Opinion 512 compliance planning and to the firm’s broader analysis of lawyer duties when using artificial intelligence.

Vendor Diligence Has to Become Statute-Specific

Generic AI vendor questionnaires are starting to show their age. A questionnaire that asks whether the vendor “complies with applicable AI laws” does not tell the firm whether the vendor is a covered provider under SB 942, a developer under AB 2013, a frontier model developer under TFAIA, or a tool provider whose system may affect a Colorado automated decision-making workflow in 2027.

The diligence should be tied to the use case. For a chatbot vendor, ask about safety protocols, age-related design, escalation, transcript review, incident notice, and whether the tool is designed for companionship or emotional dependency. For a generative AI platform, ask about training-data disclosures, customer-data use, copyrighted and personal-data handling, and whether the vendor has made or plans to make AB 2013 disclosures. For model providers, ask about safety testing, incident reporting, and whether California or New York frontier-model obligations are being addressed.

Procurement should not carry this alone. The business owner knows what the tool is supposed to do. IT knows how it is integrated. Legal knows what statutory role matters. Records management knows how long prompts, outputs, and logs are retained. If any one of those functions is missing, the contract file will look complete while the operational file remains thin.

A 2026 Monitoring Calendar Should Record Status, Not Just Deadlines

State AI laws are moving too quickly for a static annual memo. The calendar should record the date checked, the source reviewed, the current status, the systems affected, the owner, and the next review date. That matters for AB 2013 litigation, SB 942’s shifted August 2, 2026 timing, Colorado’s replacement statute, New York’s January 1, 2027 effective date, and possible federal preemption activity.

  • Use a dated tracker for state AI laws, amendments, litigation, agency guidance, and federal preemption developments.
  • Classify each firm AI system by jurisdiction, statutory role, business owner, vendor, and data category.
  • Separate “effective,” “operative,” “delayed,” “challenged,” “repealed,” and “future effective” statuses.
  • Tie each law to a control: disclosure file, chatbot review, prohibited-use rule, vendor covenant, incident notice, or human-review process.
  • Review the tracker before launching or materially changing any client-facing bot, hiring tool, generative platform, or AI content workflow.

For teams that need a separate deadline view, a companion AI compliance deadlines tracker can sit beside the system inventory. The important point is that deadlines alone do not show who owns the action.

The Operational Judgment for Q3 2026

In Q3 2026, law firms should treat state AI compliance as an internal governance obligation, not merely a client advisory topic. California AB 2013 can require training-data transparency analysis when the firm develops generative AI systems. California SB 243 can turn a chatbot review into a statutory safety and private-action issue. Texas TRAIGA belongs in prohibited-use controls. California TFAIA and New York’s RAISE Act belong in frontier-model role classification and vendor diligence. SB 942, as delayed by AB 853, belongs in generated-content and provider-status review before August 2, 2026.

Some obligations may shift through litigation, repeal, replacement, amendment, or federal intervention. That uncertainty is not a reason to wait. It is a reason to maintain a dated regulatory tracker, preserve primary-source review notes, and make sure every AI system has an internal owner before the question becomes urgent.

References

  1. MultiState AI Legislation Tracker, MultiState.
  2. State AI Laws: Where Are They Now, Cooley, April 2026.
  3. 2026 AI Laws Update: Key Regulations and Practical Guidance, Gunderson Dettmer, February 2026.
  4. AI Watch: Global Regulatory Tracker - United States, White & Case.

Corrections & feedback

Submit corrections, report new regulatory developments, or flag jurisdiction-specific clarifications. Comments are moderated. Nothing in comments constitutes legal or compliance advice.

Comments

Join the discussion with an anonymous comment.

Loading comments...
Blogarama - Blog Directory