
AI Is Changing Privacy Laws–Here’s What You Need to Know

A woman sitting at a desk and using a computer to research sustainable building materials with the help of an AI assistant.

AI is everywhere. Even if you’re not logging into ChatGPT every day, everything you do on the internet is touched by AI. That may look like reading content written by an LLM, asking for help from an AI customer service representative, or scrolling through a social media platform with an algorithm that is heavily curated by AI. 

Privacy-conscious internet users are likely asking themselves how AI is currently impacting their data, and what role it might play in the future. The problem is that most privacy laws were authored before AI emerged. That means that our data is affected by systems that aren’t yet regulated. 

Privacy law is playing catch-up, and the rules are changing fast. It’s important to pay attention to these laws and understand how they may affect you, your data, and your privacy.  

Why are new data protection laws needed? 

AI runs on data. 

The more data an AI platform has to work with, the more effective it is at training models, personalizing experiences, and making predictions about behavior. This is true for personal data, too: the more information a platform holds about you, the more accurate its predictions about you can be.

This creates a pretty obvious tension: The same thing that makes an AI tool powerful is what makes it risky for your privacy. 

Most people don’t realize just how much of their personal information is already in circulation. Every search, purchase, location ping, and online interaction generates data, which can be collected, sold, and combined with other data. When that information is fed into AI systems, the privacy issues abound.

AI raises the following concerns for privacy-conscious consumers: 

  • Facial recognition and biometrics that can identify and track you without your knowledge or consent
  • AI-based profiling that infers sensitive details about your health, finances, or beliefs from data that seems unrelated 
  • Chatbots and AI companions that can have a direct impact on users’ mental health, especially children
  • Automated decision-making that can affect your access to loans, jobs, housing, insurance, etc. 
  • Data brokers who compile and sell detailed profiles that AI systems can use to target or manipulate you 
  • Training data that often includes personal information that has been scraped from the web without your knowledge 

The laws covered in this article are all, in different ways, attempts to draw boundaries around these risks. Some are further along than others, but all of them are in play to keep your data more secure in an AI era. 

The EU AI Act (+ GDPR)

The EU passed its cornerstone data protection law, the GDPR, in 2016. Compliance became mandatory in 2018, and any company that operates in the EU is probably familiar with these protections.

The core protections for European internet users that companies have to follow include: 

  • Lawful processing that complies with applicable data protection rules
  • Transparency about how data is used
  • Purpose-limited collection of data
  • Data minimization (collecting only what is necessary)
  • Rules for how data is stored, processed, and protected
  • Confidentiality as a priority
  • Accountability and reporting

In 2025, proposed changes to the GDPR include:

  1. What counts as “personal data” is narrowing. If a company can’t re-identify pseudonymized data on its own, it may be able to treat that data as outside GDPR’s scope, even if someone else theoretically could re-identify it.
  2. Right now, companies often need consent to process personal data for AI development. The proposals would allow “legitimate interests” as a legal basis instead, which is a much lower bar. Some safeguards would still apply.
  3. People’s right to access their own data gets limited. Companies could refuse or charge a fee for data subject access requests if they believe the request is being made in bad faith or is abusive. That’s a significant shift from the current near-absolute right.
  4. More first-party cookies would be exempt from consent requirements. A machine-readable yes/no preference system would replace the current banner model.
  5. If a company reasonably believes a person already knows how their data is being used, it may not have to disclose it again. There are some exceptions for high-risk processing, automated decision-making, and third-party sharing.
  6. The personal data breach reporting deadline would extend from 72 to 96 hours, a single reporting portal would replace the current patchwork of different requirements, and a standardized template would be introduced.
  7. Companies could process sensitive personal data specifically to identify and fix bias in AI systems, which isn’t currently permitted under the standard GDPR framework.

These changes will not go into effect until they are finalized. 

What does this mean for everyday internet users? 

The changes are a bit of a mixed bag. Users all over the world are affected by the GDPR, because so many companies operate both inside and outside the EU. Websites don’t have geographical boundaries, after all. That means that no matter where you live, you might notice some changes.

Consider cookie banners, those relentless pop-ups that follow you around the internet. These could actually get simpler and less frequent. A basic yes/no preference setting stored for six months sounds a lot better than clicking through layered consent screens every time you visit a new site. 

On the other hand, some protections are quietly shrinking. Your right to ask a company “what data do you have on me?” and expect a full answer could get harder to enforce. If a company decides your request looks suspicious or opportunistic, they could refuse it or charge you for it. That’s a real erosion of something that currently belongs to you by default.

The AI training piece matters too, even if it sounds abstract. Companies will have an easier time using your personal data to train AI systems without asking your permission first. You may never know your data contributed to a model, and opting out will likely fall on you to initiate. 

What does this mean for business owners? 

The compliance headaches ease up in several ways. More flexibility on cookie consent, a longer breach reporting window, and a simpler framework for pseudonymized data all reduce the administrative load, especially for smaller businesses that have struggled with the cost of full GDPR compliance.

The AI training provision is particularly meaningful. If your business develops or fine-tunes AI tools, “legitimate interests” as a legal basis is much easier to justify than obtaining explicit consent from every person whose data touched your training set. That could meaningfully lower the barrier to building AI products in Europe.

The catch is that “simpler compliance” doesn’t mean “no compliance.” The rules are still in flux, the proposals still have to survive the EU legislative process, and what comes out the other side may look different from what was proposed. Businesses that assume the rules are loosening and get ahead of themselves could still find themselves on the wrong side of enforcement.

California’s CCPA and the New Automated Decision-Making Rules

In the US, states can set their own rules for companies that operate within their borders. In California, companies have to abide by the California Consumer Privacy Act (CCPA). However, the CCPA has recently been amended, and the amended law is referred to as the California Privacy Rights Act (CPRA).

Here’s how the state’s Attorney General describes the basic protections of the CCPA: 

The updated CPRA adds: 

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Another update arrived in September 2025.

California finalized new CCPA regulations that month, adding new teeth to the law. Businesses have until early 2027 to comply with the automated decision-making rules, with cybersecurity audit deadlines staggered by company size through 2030.

If you’ve ever been turned down for a loan, flagged by a hiring algorithm, or denied an insurance claim without a clear explanation, California’s new rules are worth knowing about. Starting in 2027, businesses operating in California that use automated systems to make significant decisions about people will have to play by new rules around transparency and consumer rights. This includes things like credit, employment, housing, or health. 

That means you may have more say over whether an algorithm gets to weigh in on decisions that affect your life, and companies will have to be more upfront about when and how they’re using those tools. It’s the most direct attempt yet by any U.S. state to put guardrails on AI-driven decision-making at the consumer level.

A close-up of a person scanning their fingerprint on a glowing biometric security terminal at an office entrance.

Illinois’ Biometric Information Privacy Act (BIPA)

Illinois passed BIPA back in 2008, making it the first state in the country to give residents legal control over their own biometric data. The law covers the kind of physical identifiers that are increasingly valuable to AI systems: facial geometry, fingerprints, voiceprints, iris scans, and similar data points.

Under BIPA, a company can’t collect any of that information without telling you in writing what they’re taking, why they’re taking it, and how long they plan to keep it. They also need your written consent before collecting anything. And they can’t sell it.

What makes BIPA unusual is that individuals can sue companies directly for violations. Most privacy laws leave enforcement to regulators. BIPA hands that power to regular people, which is why it has generated some of the largest privacy settlements in U.S. history.

AI is pushing BIPA into the spotlight in new ways. Facial recognition tools, voice-enabled software, and AI systems trained on images and recordings all have the potential to sweep up biometric data at scale. In 2025 alone, courts approved settlements totaling tens of millions of dollars against companies whose AI tools processed the faces and voices of Illinois residents without proper consent.

The law is also under pressure from multiple directions. Several bills have been introduced in the Illinois legislature that would narrow BIPA’s reach, create new exceptions, or make it harder for individuals to sue. Privacy advocates consider those efforts a serious threat to the strongest biometric protection law in the country.

COPPA

The Children’s Online Privacy Protection Act, better known as COPPA, has been around since 1998. It was built for a very different internet, one where the biggest concern was websites collecting kids’ email addresses. The basic rule is straightforward: companies can’t collect personal data from children under 13 without verifiable parental consent.

AI is complicating things. 

Today’s newest digital products for kids aren’t just websites, and COPPA has to catch up. Conversational AI companions pose serious risks to young people’s mental health, as well as their data security. These AI chatbots can remember details, build “relationships,” and collect massive amounts of behavioral and personal data. 

The question of what counts as “personal information” when a child is chatting daily with an AI that tracks their moods, preferences, and problems is one COPPA was never designed to answer.

Some of the specific concerns include:

  • AI companions that build ongoing personal relationships with children while quietly collecting sensitive behavioral data
  • Chatbots with no meaningful age verification, making “adult” products easily accessible to minors
  • Data collected through natural conversation, which kids and parents may not recognize as data collection at all
  • AI systems that remember and reference personal details across sessions, creating detailed profiles of individual children over time

That gap is where state attorneys general have started moving in. Several states launched investigations in 2025 targeting AI products accessible to minors, focusing on whether companies were being straight with parents and kids about how data was being used. 

A coalition of 44 attorneys general collaborated on a letter to AI industry leaders, expressing serious concerns about the possibility of children interacting with AI chatbots. 

California went furthest, passing legislation specifically targeting companion chatbots directed at children. The pattern looks a lot like what happened with social media regulation: states acting because federal law is moving too slowly to keep up with the technology.

Is COPPA creating a privacy risk for adults? 

If the goal of COPPA is to protect kids, everyone must support it, right? Not quite. Many privacy experts worry that the worthwhile goal of protecting kids is creating new privacy problems for adults.

In 2026, the FTC began incentivizing age verification for online websites and companies, aligned with COPPA’s goals. Some platforms, like Discord, plan to require users to submit their ID or comply with an age-verifying facial scan to gain access to certain areas of their sites. The initial backlash to this plan was swift and unified, so Discord has pushed back their rollout to the second half of 2026. Critics are still concerned, because they worry that this kind of COPPA compliance is creating situations in which adults’ privacy is being violated. 

Age verification laws meant to protect minors are pulling millions of adults into AI-powered identity checkpoints. About half of U.S. states now require platforms to screen users before granting access, and the data collected by third-party vendors can be retained for years and handed over to law enforcement.

The industry hasn’t landed on a clean solution, and some platforms argue verification should happen at the device or app store level rather than site by site. Where things appear to be heading is a persistent digital age credential that follows users across platforms, meaning adults may soon need to prove their identity once and carry that verification everywhere they go online.

A desktop workspace featuring a computer monitor displaying "Privacy Settings & Laws," surrounded by a legal gavel, a "Privacy Compliance" folder, and law books on a wooden desk.

What AI Means for Your Privacy

Privacy laws have always lagged behind technology. That’s nothing new. What’s new is the scale and speed of what AI makes possible, and the fact that the data already collected about you is valuable to these platforms. 

The laws covered in this article represent real progress. Some are stronger than others, some are still being finalized, and some are already under pressure from industry lobbying. None of them are a complete solution. But they’re evidence that regulators, lawmakers, and ordinary people are pushing back.

Here’s what that means practically if you’re reading this:

  • Know your rights. Depending on where you live, you may already have the right to access, correct, or delete data a company holds about you. Those rights only work if you use them.
  • Pay attention to opt-out signals. Tools like Global Privacy Control let you take control of your data preferences. More platforms are being required to honor them.
  • Read the permissions. AI companions, chatbots, and apps that feel conversational are still collecting data. The casual feel of a chat interface doesn’t change what’s happening underneath it.
  • Watch what happens in California. What passes there tends to spread. The automated decision-making rules taking effect in 2027 could eventually reshape how AI-driven decisions get made everywhere.
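The opt-out signal mentioned above is a concrete mechanism a website can honor. As an added example (not code from the original article), here is how a site could read the Global Privacy Control header, let a live opt-out override stored consent, and publish the well-known declaration the GPC spec defines. The header maps and consent records are constructed samples.

```javascript
// Added example, not from the original article: honoring the Global Privacy
// Control (GPC) opt-out signal. A browser or extension with GPC enabled sends
// the request header "Sec-GPC: 1"; a site that honors it treats the visitor
// as opted out of the sale or sharing of their data, whatever consent it has
// on file. All header maps and consent records below are constructed samples.

// Return true only when the GPC signal is present and switched on.
// The spec defines the value as exactly "1"; anything else counts as not set.
// Header names are compared case-insensitively, as HTTP requires.
function gpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decide the processing posture for one request. Stored consent is used only
// when GPC is absent; a live opt-out signal always wins, because it is the
// user's current choice and a stored consent record may be stale.
function processingPosture(headers, storedConsent) {
  const optedOut = gpcOptOut(headers);
  return {
    optedOut,
    shareWithThirdParties: !optedOut && storedConsent.shareWithThirdParties === true,
    setAdvertisingCookies: !optedOut && storedConsent.advertisingCookies === true,
  };
}

// The spec also defines a /.well-known/gpc.json resource through which a site
// declares that it honors the signal; auditors and crawlers look for it.
// lastUpdate is a YYYY-MM-DD date string.
function wellKnownGpcDocument(lastUpdateDate) {
  return JSON.stringify({ gpc: true, lastUpdate: lastUpdateDate });
}

// Constructed sample requests: one from a GPC-enabled browser, one without.
const sampleRequests = [
  { 'Sec-GPC': '1', 'user-agent': 'ExampleBrowser/1.0' },
  { 'user-agent': 'ExampleBrowser/1.0' },
];
// Constructed stand-in for consent the site recorded on an earlier visit.
const previouslyStoredConsent = { shareWithThirdParties: true, advertisingCookies: true };

for (const headers of sampleRequests) {
  console.log(JSON.stringify(processingPosture(headers, previouslyStoredConsent)));
}
console.log(wellKnownGpcDocument('2025-01-01'));
```

The first request yields an opted-out posture with sharing and advertising cookies suppressed despite the stored consent; the second falls back to the stored record.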

The internet you’re using today is being shaped by decisions happening right now in courtrooms, legislative chambers, and regulatory agencies. Staying informed is the most practical thing you can do.
