The FTC settled with Cox Media Group and two smaller marketing firms for just under $1 million this week. The charge: CMG told clients its AI service could target ads using conversations captured through customers’ phones and smart home devices. It couldn’t. The actual product was resold email lists from data brokers, sold at a markup, with an AI story bolted on top.

That’s a fraud case on the surface. The FTC’s explanation of what went wrong makes it an AI case for you.

CMG’s pitch relied on two claims: that the AI genuinely did what it said, and that consumers had opted in to voice data collection by accepting app terms of service. The FTC called both false. On the consent point, the agency was specific: clicking through mandatory terms of service doesn’t constitute opt-in consent for AI-based data collection happening inside consumers’ homes.

That second point is the one to note. A lot of AI products are built on consent frameworks where users accepted broad terms and the operator concluded that’s good enough. It may not be. When the FTC looks at AI capability claims, it asks whether consumers could reasonably understand what they were agreeing to. Terms buried in click-wrap don’t answer that question.

The FTC doesn’t need a dedicated AI statute to act on this. Section 5 of the FTC Act prohibits unfair or deceptive practices. That’s what CMG was hit with. It applies to any company making AI capability claims that can’t be backed up, or relying on consent mechanisms that don’t cover what you think they cover.

Spend an hour this week looking at your marketing copy, your product claims and your consent flows. If you’re claiming your AI does something specific, you need to be able to demonstrate it. If your privacy consent relies on users accepting general terms, get clear on what that actually covers and where the gap is.

🟡 Heads up

🇪🇺 EU | Article 50 transparency guidelines consultation closes in six days

The Commission’s draft transparency guidelines under Article 50 of the AI Act close for consultation on June 3. The 40-page document is the first official interpretation of what disclosure obligations the AI Act actually requires when users interact with AI systems or encounter AI-generated content. The final version guides enforcement from August 2. If your product runs a chatbot, generates content or powers any interface where users might not know they’re talking to AI, the guidelines apply to you. Read the draft and submit a response if the Commission has got something wrong for your use case. The consultation form is on the Commission’s digital strategy site.

🇪🇺 EU | The Omnibus formal adoption is a race, not a done deal

The Council confirmed the provisional Digital Omnibus agreement on May 13. Parliament and Council still need to formally vote, then the text needs to be published in the Official Journal. That has to happen before August 2 for high-risk AI companies to benefit from the December 2027 extension. Both institutions appear to be moving quickly, and formal adoption in June or July looks plausible. But “plausible before August 2” isn’t the same as “guaranteed before August 2.” Don’t stand down your compliance work on the assumption that the delay is already effective. GPAI obligations under Articles 51-55 weren’t moved by the Omnibus in any case. August 2 is your date, regardless.

In focus

🇺🇸 | The executive order Trump killed, and what it means for founders trying to plan

On May 21, the White House pulled a landmark AI executive order hours before it was scheduled to be signed. Trump told reporters he “didn’t like certain aspects of it.” The order would have directed federal agencies to collaborate with AI companies on voluntary pre-release model testing and set up cybersecurity frameworks around AI infrastructure. It was killed after objections from key tech executives and Trump’s AI adviser, David Sacks.

The immediate reaction was confusion, and some of that confusion was justified. The order wasn’t a crackdown. It was a framework for voluntary government engagement with the AI industry. That’s the kind of structured federal relationship the industry has asked for. It got killed anyway.

What makes this consequential isn’t the specific provisions that were rejected. It’s the signal it sends about the White House’s ability to produce a coherent federal AI framework.

For the past several months, the administration has been building toward federal preemption of state AI laws. The pitch to industry was: accept a federal framework, avoid the patchwork. That argument only holds if a federal framework actually materialises. Without an executive order and without federal legislation, states are filling the gap faster. Connecticut’s employment notification law takes effect October 1. Colorado’s replacement framework takes effect January 1. Texas TRAIGA is already in force. California continues doing its own thing. None of those states are waiting.

The internal dynamics at the White House matter here. This order went through a full review process. It was hours from being signed. Then it wasn’t. That kind of last-minute collapse doesn’t happen over a sentence. It reflects a genuine, unresolved disagreement about what federal AI policy should look like. One faction wants voluntary industry engagement and light federal oversight. Another, led by some of the biggest players in the industry, doesn’t want any federal oversight structure that could become a template for something heavier later.

The result is a federal AI policy posture that’s internally contradicted and hard to plan around. Last Tuesday the administration was reportedly considering mandatory pre-release government vetting of new models. By Thursday it was distancing itself from that idea. That kind of reversal within a single week is not typical policy turbulence.

For founders, the practical planning question is whether to build compliance programs around a potential federal framework or around state law. The answer, right now, is state law. Federal preemption is a real possibility over the next 12-18 months, but it’s not a planning assumption for your next compliance deadline. Connecticut’s October 1 date and Colorado’s January 1 date are both real. They’re coming. A federal framework that would preempt them hasn’t been signed and may not be.

Build the state compliance program. If federal preemption lands and simplifies the picture, that’s a nice problem to have.

🟢 On the radar

• 🇬🇧 UK | ICO automated decision-making consultation closes tomorrow. May 29 at 23:59. If you use AI in decisions about individuals for UK users and haven’t engaged with this, you’re out of time as of tomorrow. Final ICO guidance on what the Data (Use and Access) Act requires is expected this summer.

• 🇺🇸 USA | TAKE IT DOWN Act enforcement began May 19. The FTC is enforcing new rules requiring covered platforms to remove non-consensual intimate images, including AI-generated deepfakes, within 48 hours of a valid request. Penalties up to $53,088 per violation. The FTC sent warning letters to 12 large platforms, but the law covers any platform hosting user-generated content.

• 🇺🇸 USA | Bartz v. Anthropic awaiting final approval order. Fairness hearing was May 14. Judge Martínez-Olguín took the matter under submission. Distribution calculations expected by June 11. The ~$3,000-per-book benchmark applies once the order issues, with an appeals window remaining open.

• 🇺🇸 USA | Colorado SB189 heading to Governor Polis. The replacement AI disclosure framework passed May 12. Polis is expected to sign. Effective January 1, 2027. Original Colorado AI Act repealed and replaced.

• 🇪🇺 EU | August 2 is now 66 days away. Commission enforcement powers over GPAI providers activate on that date, along with Article 50 transparency obligations. If you’re a GPAI provider who hasn’t signed the Code of Practice, the AI Office has been explicit that Code adherence is the first thing it will examine.

The one thing to do this week

Read your AI marketing copy and your consent flows. The Cox Media settlement describes exactly the kind of claim that draws a Section 5 complaint. An hour of review now is cheaper than explaining yourself to the FTC later.

Deadline tracker

EU | Article 50 transparency guidelines consultation | 3 June 2026 | 6 days remaining; respond via EC digital strategy portal

EU | GPAI enforcement and Article 50 transparency obligations go live | 2 August 2026 | 66 days; confirmed unchanged by Omnibus deal

EU | High-risk AI classification guidelines consultation | 23 June 2026 | Published May 19; 148-page draft under Article 6; respond via EC portal

EU | Digital Omnibus Official Journal publication | Estimated June/July 2026 | Council endorsed May 13; formal Parliament and Council votes pending; must publish before 2 August for deadline relief to take effect

EU | AI-generated content watermarking and labeling (Article 50) | 2 December 2026 | Moved by Omnibus from August 2; transitional period for systems already on market

EU | Nudification app ban | 2 December 2026 | Omnibus prohibition; AI systems generating non-consensual intimate imagery must cease or comply

EU | Annex III high-risk AI systems (employment, credit, biometrics, education) | 2 December 2027 | Subject to Official Journal publication of Omnibus; August 2, 2026 remains legally binding until then

EU | High-risk AI embedded in regulated products (Annex I: medical devices, machinery) | 2 August 2028 | Moved by Omnibus; same publication caveat applies

USA | Connecticut AI Responsibility and Transparency Act: employment notification obligations | 1 October 2026 | Signed; hiring AI in scope; disclosure and opt-out rights required

USA | Connecticut AI Responsibility and Transparency Act: companion chatbot and frontier model obligations | 1 January 2027 | Same bill; age verification, manipulative design prohibitions, minor access controls

USA | Colorado SB189 (replacement AI disclosure framework) | 1 January 2027 | Passed May 12; awaiting Polis signature; original Colorado AI Act repealed

USA | Texas TRAIGA high-risk AI obligations | 1 January 2026 | In force

USA | Bartz v. Anthropic copyright settlement | Final approval imminent | Fairness hearing May 14; ~$3,000/book benchmark; distributions expected from June

UK | ICO automated decision-making consultation | 29 May 2026 | Closes tomorrow at 23:59; final guidance expected summer 2026

UK | ICO Code of Practice on ADM | Late 2026 (estimated) | Draft expected after May 29 consultation closes; will interpret Data (Use and Access) Act obligations

UK | FCA Mills Review report | Summer 2026 | Incoming; AI in financial services

NOT ADVICE

The information is intended to be helpful, but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

Read more

Issue 04 is now available: AI governance in HR and Hiring

Most agencies using AI to screen candidates have not run a bias audit. Most have not mapped where candidate data goes when it hits a third-party LLM. Most have not built the contestation routes the UK’s DUAA required from February 2026.

And that’s just the hiring side.

AI tools used to monitor placed workers, allocate tasks, evaluate performance, or influence contract renewals sit in exactly the same high-risk category under the EU AI Act as CV screening tools. Annex III covers both. The obligations, risk management, human oversight, audit trails, candidate and worker notification, apply to the full employment lifecycle, not just the point of hire.

The ICO’s March 2026 recruitment ADM report named 16 organisations that have since committed to change how they operate. The New York Comptroller’s audit found at least 17 instances of potential non-compliance at companies DCWP had already reviewed and cleared. Both reports looked at hiring. The next wave of regulatory attention is likely to look further along the employment chain.

The AI Governance Playbook’s HR edition covers what the rules require across the EU, US, and UK, for agencies and in-house teams running the process, and for the founders building the tools.

The PDF is linked below [if you are a free subscriber, you can upgrade to access the report.]

Previous Reports…

1. AI Regulation for Creators - Spring 2026

2. AI Governance in EdTech - Spring 2026

3. AI governance in FinTech

Note that this briefing is for informational purposes only and doesn’t constitute advice of any kind. For questions specific to your work, talk to a qualified lawyer in your jurisdiction.

Here is the link ….

Read more

The ICO’s consultation on automated decision-making closes in eight days, at 23:59 on May 29.

Two editions ago, this was in “Heads up” with 22 days to go. It’s here now because eight days go fast if you haven’t started.

This is the first detailed interpretation of what the Data (Use and Access) Act actually requires from companies using AI to make or assist decisions about individuals. Whatever the ICO finalises becomes your compliance floor for UK data protection on automated decisions. Hiring tools, credit scoring, content moderation, benefits assessment, and customer pricing. If your product touches individual-level decisions for UK users, this guidance addresses you.

The ICO’s own “Recruitment Rewired” research, published alongside the consultation, found that many employers using AI hiring tools are making “solely automated decisions” without realising it. The definition is broader than most people expect. A CV-scoring system that shortlists candidates without meaningful human involvement qualifies. That triggers rights to explanation and human review under the reformed UK GDPR. If you’re building in hiring or similar contexts, you need to know which category your product falls into before final guidance lands.

The draft guidance covers three things in practice: what transparency notices you need to give users when AI is making or informing decisions, when you’re required to offer human review and what documentation you’re expected to keep. None of this is impossible to comply with. Most of the work is about being explicit in your product design and maintaining records of how decisions are made.

Responding to a consultation isn’t a big lift. Reading the draft takes a few hours. Submitting a response through ico.org.uk takes a bit more. The window is eight days. If you use AI in decisions about individuals and you haven’t engaged with this, that’s the thing to do this week.

🟡 Heads up

🇪🇺 EU | Article 50 transparency guidelines consultation closes June 3

On May 8, the Commission published its draft guidelines on transparency obligations under Article 50 of the AI Act. Thirteen days until the consultation closes. The 40-page document from the AI Office is the first official interpretation of what Article 50 actually requires: disclosure when users interact with AI systems, machine-readable labelling for AI-generated content and what deployers must tell individuals exposed to deepfakes or emotion recognition systems. Non-binding, but it will guide enforcement from August 2 and set expectations for market surveillance authorities. If your product generates content, powers chatbots or interfaces with individuals, read it. Respond if you think the Commission has got something wrong. The targeted consultation form is on the Commission’s digital strategy site.

🇪🇺 EU | The Omnibus delay still isn’t law

The political agreement reached on May 7 has not been published in the Official Journal. Until it is, none of the amended dates is legally operative. Formal Parliament and Council endorsement, then publication, takes two to three months from a provisional agreement. A May 7 deal lands in the Official Journal in July or August at the earliest. For high-risk AI companies counting on the December 2027 extension to protect them from August 2, that extension needs to be in the Official Journal before August 2. Don’t stand down your compliance work on the assumption that the delay is already in force. And GPAI obligations under Articles 51-55 weren’t moved by the Omnibus at all. That August 2 date was always yours.

In focus

🇪🇺 | The EU’s new high-risk classification guidelines: the 148-page answer to the question founders keep getting wrong

On May 19, two days ago, the Commission published its draft guidelines on classifying high-risk AI systems under Article 6 of the AI Act. The consultation runs until June 23. If you haven’t determined whether your product is high-risk under EU law, this is the document that helps you do it. August 2 is 73 days out. The timing matters.

The classification shapes everything. High-risk AI systems face conformity assessments, human oversight requirements, registration in the EU database, and detailed record-keeping obligations. The December 2027 deadline from the Omnibus deal applies to these obligations, but only once the Omnibus is published in the Official Journal, which still hasn’t happened. Until it does, August 2 is the live date.

There are two routes into high-risk status under Article 6. The first is if your AI is a safety component of a regulated product under Annex I (medical devices, machinery, aviation equipment). The second, and more relevant for most founders, is if your system falls into one of the eight Annex III use-case categories: biometric identification, critical infrastructure, education, employment, access to essential services, law enforcement, migration, or administration of justice.

Those categories sound clear until you try to apply them. An AI tool that filters job applications is high-risk. An AI writing assistant used in an HR department that doesn’t inform hiring decisions probably isn’t. A credit-scoring model that feeds into a lending decision is high-risk. A customer segmentation model used for marketing probably isn’t, even if it processes financial data. The line runs through whether the AI influences a decision with significant effects on a specific individual.

The Commission’s draft introduces a structured three-step approach: identify your system’s intended purpose and outputs, assess whether that purpose falls within an Annex III category, then determine whether the system contributes to decisions with legal or similarly significant effects. If all three, you’re high-risk.

That’s the test. Most of the grey area lives in step three.

What the guidelines also address is the “solely a narrow procedural tool” carve-out. Data extraction layers, notification systems, and narrow infrastructure tools that don’t themselves contribute to a consequential decision may sit outside high-risk classification even when used within a high-risk workflow. The guidelines give examples, but they’re carefully hedged, and the examples tend to be industry-specific rather than universally applicable.

Getting classification wrong in either direction creates problems. Under-classify and you skip conformity assessments that the AI Office will check for when its supervisory mandate starts in August. Over-classify and you impose unnecessary compliance burden, potentially misrepresent your product’s risk profile to customers and waste runway that could go elsewhere.

The June 23 consultation deadline is worth engaging with if your product sits in an ambiguous Annex III category. The Commission does use these responses and the guidelines that come out the other side are more useful when they address the edge cases that real products encounter. A brief submission on where the current drafting creates uncertainty for your specific use case costs relatively little and might produce clearer guidance that benefits your entire sector.

🟢 On the radar

• 🇺🇸 USA | Bartz v. Anthropic approaching final approval. Anthropic’s supplemental brief on late opt-outs was due today. Judge Martínez-Olguín is expected to issue final approval shortly after reviewing it. The ~$3,000 per book benchmark becomes the operative reference point for training data copyright disputes once she does. Claims rate has reached 92.77%.

• 🇬🇧 UK | Children’s online safety consultation closes May 26. Five days. AI chatbots and generative tools accessible to under-16s are in scope. Final obligations land in 2027, but if your product reaches minors, the window to respond is almost closed.

• 🇺🇸 USA | Connecticut SB5 awaiting governor signature. Lamont has confirmed he’ll sign. Employment notification obligations kick in October 1, 2026. If you’re selling hiring automation to US customers, this has been covered across the last three editions — it’s effectively law now.

• 🇺🇸 USA | Colorado SB189 heading to Governor Polis. The legislature passed the replacement AI Act on May 12. Polis has said he’ll sign. The original Colorado AI Act is dead. The new framework, requiring disclosure and human review rights when AI informs adverse decisions, takes effect January 1, 2027.

• 🇪🇺 EU | GPAI Code of Practice: sign it if you haven’t. The AI Office has been clear that supervisory activity from August 2 will focus first on whether GPAI providers are adhering to the Code. Signatories get increased regulatory trust. If you’re a GPAI provider who hasn’t signed, fix that now.

The one thing to do this week

If your product makes or informs decisions about individuals for UK users, read the ICO’s draft ADM guidance and respond by May 29. Eight days.

Deadline tracker

EU | GPAI model enforcement (Articles 51-55: documentation, copyright compliance, training data summaries) | 2 August 2026 | 73 days; confirmed unchanged by Omnibus deal

EU | Article 50 transparency guidelines consultation | 3 June 2026 | 13 days remaining; respond via EC digital strategy portal

EU | High-risk AI classification guidelines consultation | 23 June 2026 | Published May 19; 148-page draft under Article 6; respond via EC portal

EU | AI-generated content watermarking and labelling (Article 50) | 2 December 2026 | Moved by Omnibus from August 2; transitional period for systems already on market

EU | Nudification app ban | 2 December 2026 | New Omnibus prohibition; AI systems generating non-consensual intimate imagery must cease or comply

EU | Annex III high-risk AI systems (employment, credit, biometrics, education) | 2 December 2027 | Subject to Official Journal publication of Omnibus; August 2, 2026 remains legally binding until then

EU | High-risk AI embedded in regulated products (Annex I: medical devices, machinery) | 2 August 2028 | Moved by Omnibus; same publication caveat applies

EU | Digital Omnibus Official Journal publication | Estimated July/August 2026 | Political agreement reached May 7; formal endorsement and publication required before new dates take legal effect

USA | Bartz v. Anthropic copyright settlement | Final approval imminent | Supplemental brief due May 21; ~$3,000/book benchmark; 92.77% claims rate

USA | Connecticut AI Responsibility and Transparency Act: employment notification obligations | 1 October 2026 | Awaiting governor's signature; effectively law; hiring AI in scope

USA | Connecticut AI Responsibility and Transparency Act: companion chatbot and frontier model obligations | 1 January 2027 | Same bill; age verification, manipulative design prohibitions, minor access controls

USA | Colorado SB189 (replacement AI disclosure framework) | 1 January 2027 | Passed May 12; awaiting Polis signature; original Colorado AI Act repealed and replaced

USA | Texas TRAIGA high-risk AI obligations | 1 January 2026 | In force

USA | Oregon SB 1546 / Washington HB 2225 (AI companion chatbots) | 1 January 2027 | Advancing

UK | ICO automated decision-making consultation | 29 May 2026 | 8 days remaining; respond at ico.org.uk

UK | Children’s online safety consultation | 26 May 2026 | 5 days remaining; AI tools accessible to under-16s in scope

UK | ICO Code of Practice on ADM | Late 2026 (estimated) | Draft expected after May 29 consultation closes; will interpret Data (Use and Access) Act obligations

UK | FCA Mills Review report | Summer 2026 | Incoming; AI in financial services

NOT ADVICE

The information is intended to be helpful, but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

Three questions every business leader should ask before going all-in on AI

There’s a pattern I keep seeing in boardrooms right now. Someone presents a slide deck showing what a competitor is doing with AI. The room gets uncomfortable. A decision gets made. Six months later, the organisation has a shiny new tool that nobody quite knows how to measure, a change management problem nobody anticipated, and a vendor invoice that felt more reasonable before the results came in.

AI adoption pressure is real. I’m not dismissing it. But pressure is a terrible basis for a capital decision, and right now a lot of organisations are confusing movement with progress.

Before you green-light a rollout, three questions are worth sitting with properly. Not as a checkbox exercise, but as genuine tests of whether the deployment makes sense.

1. What specific metric are we actually trying to move, and is AI the right tool to move it?

This sounds basic. It isn’t. Most AI business cases I’ve seen are built around capability (”we could automate X”) rather than outcome (”we need to reduce X cost by Y amount, and here’s why AI does that better than the alternatives”).

The arms-race dynamic makes this harder to see clearly. Every competitor announcement, every conference keynote, every LinkedIn post about someone’s 10x productivity gain creates a pull toward doing something rather than asking whether this particular something makes sense for your particular organisation.

So ask it plainly: what KPI are we moving, by how much, and by when? Then ask whether AI is genuinely the most efficient way to move it. Sometimes a better process does the job. Sometimes a cleaner spreadsheet gets you further than a six-figure contract. Sometimes the answer really is AI, but it’s a different tool than the one currently on the table.

If you can’t pass that test before signing, you’re spending money on the trend, not the outcome. And that tends to show up in the post-implementation review in ways that are hard to explain to a board.

2. Who in this organisation owns the hallucination problem?

This is the question I see skipped most often, and it’s the one that creates the most expensive problems down the line.

When a human employee makes a mistake, there’s a chain of accountability you can follow: a manager, a sign-off process. When an AI system produces a confident, detailed, completely wrong answer that ends up in a client report or a regulatory submission, that chain gets murky fast. And these systems do produce wrong answers. Not occasionally. Regularly. With no obvious tell that anything is amiss.

Two things need to be decided before deployment, not after an incident forces the conversation.

First: which department head carries the liability if the AI misleads a client, produces a biased output, or feeds incorrect data into a decision? “The vendor is responsible” is not an answer your regulator or your client will accept.

Second: does your team have the internal expertise to spot when the system is drifting or producing biased results, or have you effectively handed your critical thinking to a black box? This isn’t a theoretical concern. Models degrade over time. Data inputs shift. Outputs that were accurate in month one may not be accurate in month six, and if nobody is checking, nobody knows.

I’ve seen both questions left unanswered until something goes wrong. That’s a very bad time to start working them out.

3. What do your people actually do with the time AI gives back?

This is the question that separates organisations that get lasting value from AI from the ones that get a short-term efficiency spike and a morale problem they can’t quite explain.

If AI takes over 70% of a job that was previously repetitive, the freed-up time doesn’t automatically get redirected somewhere useful. It needs a plan. What does that person focus on now? Higher-judgment work? Client relationships? Problems that actually need human attention and experience? Or do they sit in a slightly reduced role, doing less of the thing that gave their work meaning, with no clear sense of what the organisation expects from them instead?

The engagement dip that follows poorly planned AI rollouts is real, and it’s predictable. People aren’t opposed to AI taking over repetitive tasks. Most of them would be relieved. What creates disengagement is the feeling that the human element of their work has been quietly removed with nothing put in its place.

The organisations that handle this well treat AI deployment as a reallocation decision from day one. They map out where freed-up human capacity will go before the tool goes live, not after. They’re explicit with staff about what changes, what doesn’t, and what the new shape of the role looks like. It’s not a complicated process. It just requires doing it on purpose rather than assuming it’ll sort itself out.

There’s a case for what some researchers call “slow AI” thinking here: the idea that the goal isn’t to replace human output as fast as possible, but to protect human judgment and redirect it toward the work that machines genuinely can’t do. Faster rollout doesn’t mean better outcome. The organisations that move carefully tend to show the most durable returns.

AI adoption in the right context makes strong commercial sense, and the performance gap between organisations that use it well and those that fumble the rollout is already measurable in some sectors. These three questions aren’t intended to slow things down. They’re the minimum due diligence that separates a deployment with a real return from one that looks good in a Q3 update and quietly gets deprioritised by Q1.

Ask them before you commit. It’s much easier than explaining the answers afterward.

NOT ADVICE

The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

If your app lets users post things and an AI decides what stays up, you're regulated. Here's what that means in the US, UK and EU.

If your product lets users post things, you’re probably already doing automated content moderation. An AI flags a comment, the system removes it, the user never sees why. That process is now regulated, and three different regimes have teeth.

The EU’s Digital Services Act (the DSA, which governs online platforms operating in Europe) has required moderation transparency reports since February 2024. The UK’s Online Safety Act (OSA) started being actively enforced by Ofcom in March 2025. Neither of these is a future problem.

The trap here is assuming this only applies to big social networks. It doesn’t. If your platform hosts user-generated content and your system makes automated calls about that content (flagging, demoting, removing or restricting it), you’re in scope. That covers review sites, marketplaces, community features, forums, apps with a comment section. The size thresholds matter for some obligations, but the baseline rules catch almost everyone.

The Map

🇺🇸 USA

The US position is basically: you can do what you want, but don’t lie about it. Section 230 of the Communications Decency Act 1996 gives platforms immunity from liability for both hosting third-party content and for their moderation decisions. That means no federal law forces you to disclose how your automated system works, give users an appeal, or explain why their post was removed. Platforms have wide latitude.

The FTC Act (Section 5, the general prohibition on deceptive and unfair commercial practices) applies if your moderation is being used deceptively. If you claim your AI is neutral and it systematically targets certain users based on protected characteristics, that’s an FTC risk. It’s an enforcement framing, not a compliance checklist, and no FTC rules specific to content moderation AI exist as of May 2026.

At state level, California’s AB 587 (live since July 2023) requires large social media platforms (over one million California users) to publish semi-annual reports on their content moderation policies, including how automated tools are used. It’s enforced by the California Attorney General. Other states are watching.

What’s clear: Section 230 protects US platforms from liability for their moderation decisions, with no federal disclosure mandate in force.

What’s ambiguous: Whether state transparency laws like California’s AB 587 will survive First Amendment challenges is still being litigated.

🇬🇧 UK

The Online Safety Act 2023 requires platforms that host user content to assess the risk of illegal content appearing on their service, put in proportionate systems to deal with it, and keep records showing they’ve done this. Ofcom started enforcing these duties in March 2025. The Act doesn’t care whether you’re using humans, AI or some combination, the obligations are the same either way.

Ofcom’s Codes of Practice (the published guidance setting out what compliance looks like in practice) recommend that high-risk file-sharing services use automated detection tools for known illegal content. You’re not required to use AI. But Ofcom will look at whether your moderation setup is “adequately resourced and well trained” when it investigates, and a system that misses obvious illegal content because it was never properly built will not survive scrutiny.

The ICO published specific guidance on content moderation and data protection in February 2024. The key message: UK GDPR (the UK’s data protection law) applies to any automated processing of personal data in your moderation system. That means you need a lawful basis for processing, you can’t keep more data than you need, and you have to tell users what you’re doing with it. If the AI makes a decision with a significant effect on a user (removing their account, say, or blocking their content), Article 22 of the UK GDPR (the rule restricting fully automated decisions that significantly affect people) may require you to give them a route to human review.

What’s clear: Platforms in scope of the OSA need documented risk assessments and functioning moderation systems, and UK GDPR applies to any personal data processed in that system.

What’s ambiguous: The ICO describes its content moderation guidance as a first instalment, with more to follow, so the standard for explaining automated decisions to users isn’t fully settled yet.

🇪🇺 EU

The Digital Services Act is the main event for content moderation in Europe. Any platform that hosts user content must explain its moderation policies and use of automated tools in its terms of service, give users the right to challenge moderation decisions through an internal complaints process, and provide access to out-of-court dispute resolution. These obligations have applied since February 2024.

Very large online platforms (known as VLOPs, meaning any platform with over 45 million monthly active EU users) face heavier requirements, including annual transparency reports with data on the accuracy and error rates of their automated moderation systems. A standardised reporting format has been mandatory since July 2025. If you’re a VLOP, you already know about this. If you’re not, the baseline obligations still apply.

The EU AI Act (which came fully into force in August 2024 and applies in stages through to August 2026) doesn’t name automated content moderation as a high-risk use case. That’s actually less reassuring than it sounds. If your moderation system does biometric categorisation, processes health or political data, or makes decisions that overlap with employment or education, it may already sit inside an existing high-risk category under the Act’s Annex III. EU GDPR sits on top of all of this, as it always does.

What’s clear: DSA transparency and user redress obligations apply to all hosting services in the EU right now, with heavier reporting requirements for very large platforms.

What’s ambiguous: Whether a content moderation AI system triggers the EU AI Act’s high-risk rules depends on how it’s designed and what data it touches, and the Commission has not published guidance on this intersection.

The Practical Minimum

Write down how your moderation system works before a regulator asks. What signals trigger automated removal? What data does the system use? Is there a human in the loop, and does that human actually review things or just approve what the AI flags? In the UK, Ofcom will ask for this if they investigate, and the ICO expects a DPIA (Data Protection Impact Assessment, a documented analysis of data protection risks) to exist before the system goes anywhere near personal data.

Give users a way to appeal. The DSA makes this a hard requirement for EU users. The OSA expects it for UK users. One functional internal complaints process covers both. Make it findable and make it work. A buried form that generates no response is worse than nothing, because it shows you knew the obligation existed.

Put a plain-language description of how automated moderation works in your terms of service and privacy notice. DSA Article 14 requires this for EU platforms. UK GDPR Articles 13 and 14 require it for any personal data processing. California’s AB 587 requires large platforms to publish their moderation policies including the role of automated tools.

If your system uses biometric signals, behavioural profiling or special category data (health information, religious beliefs, political views), don’t assume it falls outside the EU AI Act’s high-risk classification. Get a legal opinion before you ship.

The Grey Zone

The EU AI Act’s silence on content moderation as a named category is a source of real confusion. A moderation system using language models trained on demographic data, image recognition, or behavioural signals could slot into an existing high-risk category (biometric categorisation, for instance) without the operator realising it. No Commission guidance addresses this overlap directly, which means you’re making a judgement call with no official safety net.

Section 230 in the US is not stable. The Supreme Court declined to narrow it in the 2023 Gonzalez v. Google and Twitter v. Taamneh cases, but congressional appetite for reform hasn’t gone away. Building your entire compliance posture around Section 230 immunity is a reasonable position today and a risky one if the law changes.

The OSA’s “proportionality” standard gives Ofcom discretion that’s hard to predict. What counts as an adequately resourced moderation system for a startup with 50,000 users is not the same as for a platform with 5 million, but the obligations apply at both scales, and Ofcom hasn’t published thresholds. Smaller platforms are largely uncharted territory in enforcement terms.

Article 22 of the UK and EU GDPR restricts “solely automated decisions” that significantly affect people. Whether your moderation system crosses that threshold turns on what your human review actually does. A moderator who clicks approve on every AI flag without reading the content doesn’t provide the meaningful oversight the law requires. Nobody has tested exactly where that line is.

Not Advice

Not legal advice. The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

The EU Digital Omnibus deal closed on May 7. After months of failed trilogues, the European Parliament and Council reached a provisional agreement. A lot changed. But one thing didn’t: if you’re a GPAI provider, your obligations under Articles 51 to 55 still kick in on August 2. That’s 80 days.

Those obligations include maintaining and publishing technical documentation, complying with copyright law requirements, and publishing summaries of training data. If you put any general-purpose AI model into the EU market, or access the EU market via an API, you’re covered. The GPAI category isn’t something that only applies to the GPT-4 tier. A smaller model with broad capability can qualify. If your model can do a reasonable range of tasks and you make it available to others, read the GPAI chapter.

The practical gap most founders have is training in data documentation. The AI Office expects a summary of what you trained on and where copyright clearance comes from. If you don’t have that now, you can’t generate it retroactively. Commissioning that work in week eleven isn’t a strategy.

The watermarking obligation for AI-generated content under Article 50 did move. It’s now December 2, 2026, with a transitional period for systems already on the market. That’s meaningful relief. But it doesn’t shift the August 2 date for GPAI documentation.

If you’ve been watching the Omnibus saga and telling yourself the delay means your August deadline got pushed, check whether you’re actually in GPAI scope. If you are, you got nothing from this deal. Start the documentation work this week.

🟡 Heads up

Colorado’s legislature passed SB 189 on May 12, repealing and replacing the original AI Act with something far less demanding. The duty of care, risk management programs, and algorithmic impact assessments are gone. What replaced them is a disclosure framework: when your automated decision-making system contributes to an adverse decision, the affected person gets a plain-language explanation within 30 days and the right to request human review. Effective date is January 1, 2027. Governor Polis has said he’ll sign. The court-imposed enforcement pause on the original Act runs through June 30, so the original law is effectively dead before the new one arrives. If you’re building automated decision-making tools for US customers, update your compliance roadmap. Colorado’s obligations are simpler than what they replaced, but they’re real and coming.

The ICO’s consultation on automated decision-making and profiling closes May 29. That’s 15 days. This is the first detailed interpretation of the Data (Use and Access) Act’s changes to UK GDPR, and it sets out what the ICO expects from companies using AI to make or assist decisions about individuals. The guidance covers transparency requirements, the right to human review, and documentation standards. Whatever lands in final guidance becomes your compliance floor. If you use AI in hiring, credit, content moderation, or any context where individual-level decisions are made, the guidance addresses your product directly. Reading the consultation and submitting a response takes a few hours and costs nothing. The form is at ico.org.uk.

In focus

🇪🇺 | The EU AI Omnibus deal: who got the reprieve and who didn’t

The May 7 deal was greeted with headlines about delays and simplification. That’s accurate but incomplete. The benefit is not evenly distributed, and understanding who’s actually better off matters a lot if you’ve been building compliance plans around assumptions that might not apply to your product.

The clear winners are companies deploying high-risk AI in the Annex III categories: employment, education, credit, biometrics, and similar. Their deadline moved from August 2, 2026, to December 2, 2027. That’s 16 months of additional runway. If you’ve been sweating your AI hiring product or credit-scoring model under EU law, this is a genuine reprieve.

Companies deploying AI embedded in CE-marked products like medical devices get even more time, until August 2, 2028.

The losers, in relative terms, are GPAI providers. The Omnibus explicitly did not move the GPAI obligations in Articles 51 to 55. Those still apply from August 2. The AI Office has been consistent about this throughout the negotiations. If you’re a GPAI provider, the deal changed nothing about your timeline.

There’s a subtler problem too: the political agreement isn’t law yet. It still needs formal endorsement from Parliament and Council, then publication in the Official Journal. That process takes two to three months. A deal from May 7 probably doesn’t appear in the Official Journal until July or August. For Annex III companies, the delay needs to be in force before August 2 to actually protect you. If publication slips, August 2 is still legally binding. Don’t stand down your compliance work on the assumption that the delay is already operative.

The watermarking story is separately worth explaining because it’s genuinely confusing. The Omnibus moved the general content labeling obligation under Article 50 to December 2, 2026. But GPAI providers still face watermarking requirements as part of their GPAI obligations from August 2. If you’re a GPAI provider and you’re thinking the watermarking grace period helps you, it doesn’t. That transitional window is for deployers using generative AI in content creation, not for providers of the underlying models.

One thing nobody predicted: a full EU ban on “nudification apps,” meaning AI systems whose primary purpose is generating non-consensual intimate images. These products have until December 2, 2026, to comply or shut down. It’s a narrow category, but any founder operating anywhere adjacent to that space should read the prohibition text directly.

The practical conclusion is that this deal requires you to know which category you’re in before you can know how much it helps you. If you haven’t classified your AI systems against the GPAI and Annex I/III frameworks yet, the Omnibus deal isn’t a reason to delay that classification. It’s a reason to do it now.

🟢 On the radar

• 🇺🇸 USA | Bartz v. Anthropic fairness hearing held today. No confirmed outcome at time of writing. Judge Martínez-Olguín heard arguments on the $1.5 billion settlement this afternoon. If approved, the ~$3,000 per book benchmark becomes the operative reference point for future training data copyright disputes. Check anthropiccopyrightsettlement.com for updates.

• 🇬🇧 UK | Children’s online safety consultation closes May 26. If your product can reach under-16s, 12 days remaining. AI chatbots and generative tools accessible to minors are in scope. Final obligations land in 2027, but the window to respond is closing.

• 🇺🇸 USA | Colorado original AI Act enforcement pause holds through June 30. SB 189 now awaits Polis’s signature. Once signed, the original Act is dead and the new disclosure framework is the operative one. Effective January 1, 2027.

• 🇪🇺 EU | GPAI Code of Practice expected in June. The AI Office’s Code of Practice covering transparency and watermarking for GPAI providers is due to be finalised this month or next. This is the document that explains in practical terms what your August 2 obligations actually require. GPAI providers should be tracking the drafts.

• 🇺🇸 USA | Connecticut governor expected to sign AI Responsibility and Transparency Act imminently. Employment notification obligations from October 1, 2026. If you’re selling hiring automation to US customers and covered this last week, the clock is ticking.

The one thing to do this week

If you put a general-purpose AI model into the EU market, check right now whether the Omnibus delay applies to you. It probably doesn’t. GPAI obligations hit August 2 regardless.

Deadline tracker

EU | GPAI model enforcement (Articles 51-55: documentation, copyright compliance, training data summaries) | 2 August 2026 | 80 days; Omnibus deal does not apply; confirmed unchanged

EU | AI-generated content watermarking and labeling (Article 50) | 2 December 2026 | Moved by Omnibus from August 2; transitional period for existing systems on market

EU | Annex III high-risk AI systems (employment, credit, biometrics, education, law enforcement, borders) | 2 December 2027 | Moved from August 2, 2026, by Omnibus deal; requires Official Journal publication to take legal effect. August 2, 2026 still binding until then

EU | High-risk AI embedded in regulated products (Annex I: medical devices, machinery, etc.) | 2 August 2028 | Moved by Omnibus deal; same publication caveat applies

EU | Nudification app ban | 2 December 2026 | New prohibition added by Omnibus; AI systems generating non-consensual intimate imagery must cease or come into compliance

EU | Digital Omnibus Official Journal publication | Estimated July/August 2026 | Political agreement reached May 7; formal endorsement and publication required before new dates take effect

USA | Colorado original AI Act enforcement pause | 30 June 2026 | Court order holds; SB 189 now passed; Polis expected to sign; original Act effectively superseded

USA | Colorado SB 189 (replacement disclosure framework for ADM) | 1 January 2027 | Passed May 12 with bipartisan majority; governor to sign; replaces duty-of-care model with disclosure and human review rights

USA | Connecticut AI Responsibility and Transparency Act: employment notification obligations | 1 October 2026 | Passed House May 1; governor signature pending; hiring AI affected

USA | Connecticut AI Responsibility and Transparency Act: companion chatbot and frontier model obligations | 1 January 2027 | Same bill; age verification, manipulative design prohibitions, minor access controls

USA | Bartz v. Anthropic copyright settlement | Fairness hearing 14 May 2026 | $1.5B settlement; ~$3,000/book benchmark; outcome pending at time of writing

USA | Texas TRAIGA high-risk AI obligations | 1 January 2026 | In force

USA | Oregon SB 1546 / Washington HB 2225 (AI companion chatbots) | 1 January 2027 | Advancing

UK | SI 2026/425: ICO Code of Practice regulations | 12 May 2026 | In force; ICO now has a statutory obligation to draft ADM Code of Practice

UK | ICO automated decision-making consultation | 29 May 2026 | 15 days remaining; respond at ico.org.uk

UK | Children’s online safety consultation | 26 May 2026 | 12 days remaining; AI tools accessible to under-16s in scope

UK | FCA Mills Review report | Summer 2026 | Incoming; AI in financial services focus

NOT ADVICE

The information is intended to be helpful, but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

When a lender runs an application through an AI model, and that model says no, three things are supposed to happen: the applicant gets told why, the reason has to be specific enough to be useful, and the decision has to be one the lender can actually explain.

That requirement isn’t new. What’s changed is that regulators in all three jurisdictions are now actively testing whether companies running black-box models are meeting it, and finding they’re not.

Credit AI sits at a corner where consumer protection law, anti-discrimination law, and data protection law all arrive at once. Using AI to make credit decisions is legal. What regulators care about is whether you can explain what the model is doing, prove it isn’t discriminating, and give applicants something they can actually act on when they’re denied.

Enforcement is moving. The CFPB’s 2025 supervisory findings named model explainability failures explicitly. The EU AI Act’s high-risk rules start applying to credit scoring in August 2026. The UK ICO is updating its guidance following the Data (Use and Access) Act.

If you’re building or deploying a credit AI model in any of these markets and you haven’t audited your adverse action process, this is the year to do it.

The Map

🇺🇸 USA

Read more

24 pages. Six regulatory frameworks. Separate 90-day action plans for founders and institutions, because their obligations differ even when they’re running the same tool.

Issue 03 is out: AI governance in FinTech

FinTech sits inside the most regulated AI category there is. Credit decisions, fraud scoring, AML profiling, insurance pricing. Regulators didn’t write the rules for education first or healthcare first. They wrote them for financial services first, and in the most detail.

The EU AI Act names financial services by name in Annex III. The CFPB has told the industry in writing that there are no carve-outs for algorithms. The FCA has confirmed that Consumer Duty and SM&CR apply fully to AI-driven decisions. The hard EU deadline is 2 August 2026. That’s roughly 90 days away.

Issue 03 covers all of it.

What’s inside

• The compliance stack. FinTech AI has to answer to six parallel frameworks simultaneously: AI risk classification, data protection, fair lending, model governance, consumer protection, and operational resilience. Most sectors deal with one or two. FinTech gets all six, and several interact in ways regulators are still figuring out.

• The trigger matrix. Credit scoring, fraud detection, insurance pricing, KYC, AI chatbots, algorithmic trading, each mapped against regulatory triggers across the EU, US, and UK. Social scoring for creditworthiness gets its own row, in red. It’s prohibited under Article 5. No compliance pathway exists.

• The EU section. Everything that needs to be in place by 2 August: risk management system, data governance, Annex IV technical documentation, logging, human oversight, conformity assessment, CE marking, EU AI database registration. Plus the five deployer duties institutions carry alongside the vendor, regardless of what’s on the CE mark.

• The US section. ECOA and the adverse action problem. The CFPB has confirmed zero “AI decided” defences are valid under the law. State-level obligations in Colorado, Illinois, and California are already in force. The Massachusetts AG settlement tells you what four years of record retention looks like in practice.

• The UK section. No AI Act, but Consumer Duty, SM&CR, FCA PS7/24, and the Mills Review all apply right now. The gap between “no AI law” and “no AI obligations” is large, and the FCA has been direct about it.

• The 90-day plan. Two tracks: one for founders, one for institutions. Three phases each. Ends with one named owner, documented governance, and a defensible answer to the question regulators ask on both sides of the Atlantic: what did you know about what your AI was doing to customers, and what did you do about it?

Who should read it

• FinTech founders with AI in credit, fraud, insurance, or KYC products

• Compliance and product teams at banks licensing AI tools

• Anyone with August 2 on their radar who hasn’t started the compliance build yet

Informational only, not legal advice. For decisions with real legal consequences, get a lawyer. For understanding what those decisions are, this is what the Playbook is for.

The PDF is linked below [if you are a free subscriber, you can upgrade to access the report.]

Note that this briefing is for informational purposes only and doesn’t constitute advice of any kind. For questions specific to your work, talk to a qualified lawyer in your jurisdiction.

Here is the link ….

Read more

Connecticut’s AI bill passed the House 131-17 on May 1. Governor Lamont has said he’ll sign it. That changes the status of October 1, 2026, employment notification obligations from “might happen” to “will happen.”

From October 1, any employer using AI to make or inform decisions about hiring, firing, promotions, or scheduling in Connecticut must notify employees and job applicants that AI is in use. The notice has to be given before the decision and has to be specific enough that the person understands which decisions are being influenced by automated systems. If you build hiring AI or HR automation that Connecticut employers use, you have 147 days.

The bill is broader than employment. Companion chatbot operators face obligations from January 1, 2027, including age verification, access controls for under-16s, and a prohibition on manipulative engagement patterns designed to foster emotional dependence. Frontier model providers face new safety requirements. Synthetic content labeling obligations cover anyone generating images, audio, or video for distribution.

The employment piece is the one with the most immediate clock. If you’re selling hiring automation to US customers, Connecticut is probably in your customer base. Your enterprise customers there will be looking to you for documentation, audit trails, and notification infrastructure by Q3.

Check your contracts this week. Then figure out whether your product can surface the information that a proper notification would need to contain. If it can’t produce that information today, you’ve found the gap. Sixty days to close it is fine. 140 days isn’t very different, but it feels like it is, and that feeling has a way of eating time.

🟡 Heads up

🇪🇺 EU | May 13 trilogue and the publication problem

The third Digital Omnibus trilogue is scheduled for May 13. April 28’s failure came down to conformity assessment architecture for AI embedded in regulated products, like medical devices, not the headline delay. The postponement of Annex III high-risk obligations to December 2027 was essentially agreed. So May 13 might actually close it.

But even if it does, the math is difficult. A political deal still needs formal Parliament endorsement, Council endorsement, and publication in the Official Journal before new dates take legal effect. That process takes two to three months minimum. A May 13 agreement gets published in July or August at the earliest. GPAI enforcement starts August 2, regardless. High-risk companies might get December 2027 confirmed before enforcement catches them, but it’s tight, and it’s not guaranteed. Watch May 13. Keep your documentation work running while you do.

🇬🇧 UK | ICO ADM consultation closes May 29

The ICO’s draft guidance on automated decision-making and profiling closes at 23:59 on May 29. Twenty-two days. This matters if you use AI to make or assist decisions about individuals, which covers more products than founders typically think. The guidance covers transparency requirements, the right to explanation and human review, and what documentation you’re expected to keep. Whatever gets finalised becomes your compliance floor for UK data protection. Responding to consultations where you have a stake in the rules is one of the cheapest things you can do. The response form is at ico.org.uk.

In focus

🇺🇸 | Bartz v. Anthropic: what the settlement benchmark actually means

The fairness hearing is on May 14. Judge Martínez-Olguín will hear objections and decide whether to approve the $1.5 billion settlement. If she does, roughly $3,000 per book becomes the established going rate for unlicensed use of copyrighted text in model training.

That number matters beyond the immediate parties. It isn’t a legal precedent in a strict sense, but it functions like one. Copyright clearance lawyers who negotiate training data licensing deals now have a courtroom-endorsed figure to work with. Plaintiffs’ attorneys in future cases will cite it. Insurers pricing IP risk for AI companies will price against it.

The claim rate is striking. 91.3% of eligible works were claimed. The typical class action claim rate is around 10%. That number reflects an organised effort from authors and publishers who clearly understood their rights and participated. It also reflects the fact that $3,000 a book is meaningful money to many individual authors, even if the Authors Guild has publicly described the claims process as Kafkaesque and the compensation as inadequate.

The more complicated problem is what the settlement doesn’t cover. It only applies to US-registered works. Foreign rightsholders, works without US copyright registration, and works outside the class definition don’t get paid and don’t release their claims. That’s a substantial body of ongoing exposure that $1.5 billion doesn’t close. Future plaintiffs whose works weren’t in this class can still sue, and they’ll have the Bartz figure as their floor.

There’s also the scope creep question. Books are a relatively clean category. But the same legal theory that produced this settlement applies to web scraping, code repositories, academic papers, and private documents ingested through integrations. Each of those has its own ownership structure and legal exposure profile. This settlement doesn’t speak to them directly. It demonstrates what a well-organised class can extract.

For founders: if your product was trained on unlicensed copyrighted material, or if you’re building on top of a base model that was, this settlement doesn’t resolve your exposure. It quantifies part of it. The question to put to your legal team now is whether you have documented what’s in your training data and what licenses cover it. Because the next case will negotiate against $3,000 a book. That’s now the reference point.

The judge could approve it, request modifications, or reject it. Rejection is unlikely given the claim rate and how far the parties are invested. But watch what she says about the exclusion of foreign works. If there’s judicial discomfort there, future international cases get more favorable treatment from plaintiffs than anyone expected.

🟢 On the radar

• 🇺🇸 USA | Colorado enforcement pause holding. The federal court’s April 27 order preventing enforcement of the Colorado AI Act through June 30 remains in place. The legislative session closes May 13. Governor Polis’s workgroup framework for a replacement bill hasn’t become legislation. Don’t assume the original law disappears. The xAI lawsuit is still live.

• 🇬🇧 UK | ICO Code of Practice regulations in force May 12. SI 2026/425 comes into force next week. It creates the statutory obligation for the ICO to draft and consult on a Code of Practice covering AI and automated decision-making. Expect a draft Code to appear in late 2026, and plan for a consultation response at that point.

• 🇬🇧 UK | Children’s online safety consultation closes May 26. AI chatbots and generative tools accessible to under-16s are in scope. Final obligations land in 2027, but if your product reaches minors, the window to respond is 19 days.

• 🇺🇸 USA | Chatbot disclosure bills advancing in Oklahoma and Hawaii. Both appear poised for passage. Requirements are straightforward: disclose that users are talking to an AI. Low compliance cost, but you need to track which states you’re now caught by.

• 🇺🇸 USA | Bartz v. Anthropic fairness hearing: May 14. See In Focus above. If approved, $3,000 per book is the benchmark. If modifications are requested, watch for what the judge focuses on.

The one thing to do this week

Connecticut’s employment notification obligations are now law in all but signature. If you build hiring AI, map your Connecticut customers today, and check whether your product can produce the notification information they’ll need by October 1.

Deadline tracker

EU | GPAI model enforcement (AI Office powers, documentation requirements) | 2 August 2026 | 87 days; Omnibus delay does not apply to GPAI; documentation must be in progress now

EU | Annex III high-risk AI systems (employment, credit, biometrics, education) | 2 August 2026 (current law) | Omnibus deal failed April 28; May 13 trilogue is next attempt; August 2 remains legally binding

EU | Digital Omnibus political agreement | 13 May 2026 | Next trilogue scheduled; deal must precede June 30 Cypriot Presidency expiry

EU | AI-generated content watermarking obligation | 2 November 2026 (proposed) | Dependent on Omnibus outcome; not yet law

EU | Annex III high-risk delay (if Omnibus passes) | 2 December 2027 | Not yet law; August 2 remains binding until Official Journal publication

USA | Colorado AI Act: high-risk AI in employment, credit, housing | 30 June 2026 | Enforcement paused by court order; legislature closes May 13; rewrite still a draft

USA | Bartz v. Anthropic copyright settlement fairness hearing | 14 May 2026 | $1.5B settlement; ~$3,000/book benchmark if approved; 91.3% claim rate

USA | Connecticut AI Responsibility and Transparency Act: employment notification obligations | 1 October 2026 | Passed House 131-17 on May 1; governor to sign; effectively law

USA | Connecticut AI Responsibility and Transparency Act: companion chatbot obligations | 1 January 2027 | Same bill; minors protections, manipulative design prohibitions

USA | Texas TRAIGA high-risk AI obligations | 1 January 2026 | In force

USA | Oregon SB 1546 / Washington HB 2225 (AI companion chatbots) | 1 January 2027 | Coming

UK | SI 2026/425: ICO Code of Practice regulations | 12 May 2026 | In force from next week; ICO must now draft statutory Code

UK | ICO automated decision-making consultation | 29 May 2026 | 22 days remaining; respond at ico.org.uk

UK | Children’s online safety consultation | 26 May 2026 | 19 days remaining

UK | FCA Mills Review report | Summer 2026 | Coming

DISCLAIMER

The information is intended to be helpful, but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

Most AI acceptable use policies I’ve seen are either written for enterprises with a legal team to maintain them, or so vague they don’t tell anyone anything useful. “Use AI responsibly” is not a policy.

This one is different. I created it for small teams and solo operators who need something they can put their name on and hand to staff, a client, or a regulator if asked. It covers the approval process for new AI tools, data rules, prohibited uses, staff responsibilities, incident reporting, and a jurisdiction-by-jurisdiction summary of where regulation currently stands across the EU, UK, USA, Canada, Australia, and India. Everything in square brackets is a prompt to fill in your own details. Everything else is ready to use.

It won’t replace legal advice if you’re in a heavily regulated sector. But for most small businesses and early-stage operators, it’s a solid starting point that would otherwise take several hours to produce from scratch.

This policy is free to download. However, if you’re on a free subscription and want full access, upgrading takes about two minutes. You’ll get access to the archive, multiple issues a week, and everything I release to paid subscribers going forward.

Upgrade

This policy is a practical starting point, not legal advice. Have a lawyer review it before you finalise it.

Download the draft policy…

Download

DISCLAIMER

The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

Three Jurisdictions, One Question: Does Your User Know They’re Talking to a Machine?

If your product has a chat interface, you have compliance obligations. Customer-facing chatbots sit at the intersection of consumer protection law, data protection law and, in the EU, AI-specific regulation that becomes fully enforceable this August. The core question regulators are asking is simple: does the user know they’re talking to a machine? The answer varies by jurisdiction, by sector and by what your chatbot is actually doing.

Read more

More than 70% of large employers now use some form of AI to filter, rank or score job applicants before a human sees anything, CV screening tools, automated video interview scorers, skills assessors, chatbot pre-qualification flows. If your product is in this space, or you use AI to hire your own people, all three major jurisdictions now have specific rules that apply to you. The EU’s are about to become enforceable.

🇺🇸 USA

No single federal AI hiring law, but existing discrimination law bites hard. Under Title VII of the Civil Rights Act, the Age Discrimination in Employment Act and the Americans with Disabilities Act, you’re liable for disparate impact from AI tools even if you didn’t build them and didn’t know they discriminated. “We bought it from a vendor” is not a defence.

The EEOC removed its original 2023 AI guidance in January 2025 following the change of administration, then issued new guidance in September 2025. Current position: employers must be able to justify algorithmic decisions affecting protected groups and should conduct regular bias testing. Less prescriptive than the old guidance, but the underlying liability under discrimination law is unchanged.

If you operate in New York City, NYC Local Law 144 adds harder requirements: an annual independent bias audit of any automated employment decision tool, public disclosure of the results, and written notice to candidates at least 10 business days before the tool is used on them. Candidates can opt out. The NYC State Comptroller found in December 2025 that enforcement had been weak, but that’s shifting.

Illinois, Colorado and several other states have their own layers. The US is a patchwork. If you’re multi-state, map each one.

What’s clear: disparate impact liability, in full, applies to AI tools regardless of who built them.

What’s ambiguous: how deep bias testing needs to go at the federal level. The September 2025 EEOC guidance is directional, not prescriptive.

🇬🇧 UK

The ICO published its Recruitment Rewired report on 31 March 2026 — the most detailed statement yet of what it expects from employers using automated tools in hiring. Its headline finding: most employers using AI in recruitment don’t realise they’re making automated decisions. They believe they’re getting “decision support.” The ICO’s view is that the practical reality of how the tool is used counts, not how you label it.

Three requirements the ICO treats as non-negotiable: tell candidates an automated tool was used and what it did; ensure any human review is genuinely capable of changing the outcome rather than rubber-stamping it; and test regularly for fairness and bias across demographic groups.

The Data (Use and Access) Act, in force since February 2026, widened the lawful bases available for automated decision-making in recruitment. Legitimate interests can now apply where previously only consent or contractual necessity were available.

Consultation on the ICO’s updated guidance closes 29 May 2026. Final guidance will likely tighten what “meaningful human involvement” actually requires.

What’s clear: transparency to candidates, real human oversight and bias monitoring are expected now, not August. What’s ambiguous: how detailed candidate notifications need to be, and precisely what makes human review meaningful rather than nominal.

🇪🇺 EU

AI hiring tools are explicitly listed as high-risk systems in Annex III of the EU AI Act. The full suite of high-risk obligations becomes enforceable on 2 August 2026.

Deployers (companies using someone else’s AI tool to hire) must: inform candidates that AI was used, give them the right to a human explanation of any decision, keep usage logs and implement documented human oversight.

Providers (companies building or selling AI hiring tools) must: produce technical documentation, conduct a conformity assessment, register in the EU database and design the system for human oversight with documented accuracy and bias testing.

GDPR Article 22 runs alongside all of this: candidates retain the right not to be subject to solely automated decisions with significant effects unless they’ve consented, it’s contractually necessary, or law authorises it.

Fines for failing high-risk system obligations: up to €15 million or 3% of global annual turnover, whichever is higher.

What’s clear: Annex III applies. 2 August 2026 is the hard deadline. What’s ambiguous: whether using a general-purpose AI model for CV screening makes you a provider (with full provider obligations) or only a deployer.

The Practical Minimum

Across all three jurisdictions, the floor looks like this:

Tell candidates AI is being used in their assessment, what it does and what it decides. Keep a human in the loop who can genuinely change the outcome, document how and when they do it. Test your tools for demographic bias at least annually and keep records. Have a clear data retention policy for candidate data.

If you sell into the EU or hire EU-based people, register any high-risk systems before 2 August 2026. If you operate in NYC, commission an annual independent bias audit and publish the results.

The Grey Zone

Three things that lack precise enough definition to act on with full confidence.

First, what “meaningful human involvement” actually requires, both the ICO and EU AI Act demand it but neither specifies the minimum. A human who reviews an AI-ranked shortlist and always approves it is probably not enough. But how much deviation is required to prove genuine oversight? Unclear.

Second, whether using a general-purpose LLM for CV screening makes you an EU AI Act provider with full documentation and conformity assessment obligations, or merely a deployer. The EU AI Office has not issued definitive guidance on this yet.

Third, at what point a tool that “assists” a hiring decision becomes one that effectively “makes” it. The ICO’s answer in Recruitment Rewired is to look at what happens in practice, not what you call it, useful, but not a bright line.

The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER

The Digital Omnibus deal failed Monday night after twelve hours of negotiations in Brussels. The political agreement that would have formally delayed the EU AI Act’s Annex III high-risk dea…

Read more

People who read about AI regulation for a living get asked a particular question more than most: do you actually use this stuff?

The honest answer is yes, every day. I use AI to get through research f…

Read more

Five AI compliance conflicts waiting for you if you operate across the US and EU

If you’re building or deploying AI tools across both the US and EU right now, you’re not dealing with two regulatory re…

Read more

AI regulation has arrived in your classroom. Most schools and EdTech founders haven’t noticed.

AI Governance in EdTech - Spring 2026

Everything an EdTech founder or school leader actually needs to know about AI regulation right now, across the EU, the US, and the UK. It’s out today as a PDF, attached to this post.

No jargon. No padding.

The picture across those three jurisdictions is genuinely complicated, and some of it has already arrived without much fanfare. The EU banned emotion recognition in educational settings in February 2025. Most EdTech products affected by that ban are still running. Updated COPPA rules hit in April 2026. The UK changed the legal basis for automated student decisions in February. And the EU’s hard deadline for high-risk AI compliance, which explicitly covers admissions, assessment, and exam proctoring, is August 2, 2026.

Who is this report for?

The briefing covers what each of those positions means practically, for two audiences:

• Founders building AI-enabled EdTech products, and

• Schools, colleges, and universities buying and deploying them. Both have obligations.

Both are covered separately.

There’s also a 90-day action plan on the final pages, split by audience. If you do nothing else, map your AI features against the Annex III high-risk categories this week, and ask every EdTech vendor you’re currently using whether they have removed emotion recognition functionality.

Read this and...

• You’ll know exactly which AI features in EdTech products trigger high-risk classification under the EU AI Act, and what full compliance requires before August 2, 2026.

• You’ll understand why schools are not just customers in this regulatory picture. Under EU law, institutions deploying non-compliant AI tools carry their own liability alongside the vendor.

• You’ll get a plain-English map of where the EU, US, and UK actually stand right now on AI in education, including what is already in force and what is still coming.

• You’ll find out whether any of the AI tools you’re currently running contain features that have been prohibited in EU educational settings since February 2025.

• You’ll understand what the COPPA 2026 changes actually require, why the LLM API call is the most common undetected FERPA exposure in EdTech, and what to do about both.

• You’ll know what Ofsted inspectors are now asking schools about AI governance, what a ratified AI policy needs to cover, and what the DfE’s January 2026 product safety standards require from vendors.

• You’ll know what to watch as the Education Select Committee’s current inquiry works toward a report, and why its recommendations are likely to become statute.

The PDF is attached below. If you are a free subscriber, you can upgrade to access the report.

Note that this briefing is for informational purposes only and doesn’t constitute legal advice. For questions specific to your work, talk to a qualified lawyer in your jurisdiction.

Here is the link ….

Read more

The law targets developers of “frontier m…

Read more

Digital righ…

Read more

What creators need to know about training data, labelling, and copyright in 2026. For writers, artists, musicians, journalists, photographers, newsletter publishers, and podcasters.

AI Regulation for Creators, spring 2026

I spent the last few weeks pulling together everything a working creator actually needs to know about AI regulation right now, across the EU, the US, and the UK. It’s out today as a PDF, attached to this post.

No jargon. No padding.

The picture across those three jurisdictions is genuinely messy. The EU has the most structured rules on paper, but the opt-out is your responsibility, not the AI company’s. In the US, the courts are doing the work that Congress won’t, and the $1.5 billion Bartz v. Anthropic settlement in January rewrote how AI companies think about training data sourcing. The UK consulted 11,500 people, rejected the opt-out model it spent two years developing, and is now running a market pilot instead of passing a law.

The briefing covers what each of those positions means practically: what you can do today to protect your work, what rights reservations and metadata standards are worth your time, what to watch over the next 90 days, and what you can safely ignore.

There’s also a cross-border checklist on page 10. Eight actions, all available now, most free. If you do nothing else, robots.txt and a copyright registration (if you’re in the US) are worth doing this week.

Subscribe now

Read this and …

• You’ll know exactly what the EU’s mandatory AI content labelling rules require from you before the August 2026 deadline.

• You’ll understand why the Bartz v. Anthropic settlement matters even if you’ve never published a book, and what it means for how AI companies can legally train on your work going forward.

• You’ll get a plain-English comparison of where the EU, US, and UK actually stand right now, not where they were headed six months ago.

• You’ll find out whether you’ve already opted out of AI training on your content, or whether you’ve accidentally left the door open.

• You’ll know which eight actions are available today, cost nothing, and create a legal record that could matter later.

• You’ll understand what AI-generated content you can and can’t copyright in all three jurisdictions.

• You’ll know what to watch in the UK courts this year, and why the Getty v. Stability AI appeal could change the rules for every creator whose work has ever been scraped.

The PDF is attached below.

Here is the link ….

This briefing is for informational purposes only and doesn’t constitute legal advice. For questions specific to your work, talk to a qualified lawyer in your jurisdiction.

Read more