State AI Data Privacy Laws Tackle Training Data Disclosure in 2025

Written By MultiState Associates

Weekly Update, Vol. 87.

Key Takeaways

  • State AI data privacy laws are moving away from comprehensive frameworks and instead targeting practical questions about how companies collect, use, and share consumer data with AI systems.

  • AI training data disclosure requirements are gaining traction in states like New York and Washington, where proposed bills would require generative AI developers to publish documentation about their training datasets, including data sources and whether personal information is included.

  • Generative AI personal data restrictions are being proposed in several states, with Florida's AI Bill of Rights prohibiting companies from selling user information to AI systems unless it's been deidentified, while Illinois and Virginia are pursuing consent-based approaches.

  • AI output ownership rights are being addressed in Arkansas and Iowa, where laws establish that users who provide input to AI systems own the resulting output, though employers retain ownership when AI is used as part of employment duties.

  • In 2025, state AI legislation is focusing on data protection despite federal preemption concerns, with lawmakers proposing targeted bills that require transparency from developers and restrict how personal data can be shared with AI models.

  • If you’re a subscriber, click here for the full edition of this update. Or, click here to learn more about our MultiState.ai+ subscription.

One month into the legislative year, artificial intelligence has emerged as one of the most active policy areas in state capitols. Rather than pursuing sweeping AI framework bills, lawmakers are zeroing in on practical questions that directly affect how AI systems are built, trained, deployed, and commercialized. This focus has led to increased scrutiny on the datasets used by AI models, who is sharing data with those models, and what protections are needed for the data they produce.

Artificial intelligence systems require vast amounts of data, often data derived from consumers. That data can be subject to existing privacy laws, but many state lawmakers are proposing AI-specific obligations. Last year, California lawmakers enacted a law (CA SB 361) that requires data brokers to disclose whether a consumer's data was shared or sold to a generative AI developer. Other proposals focus on three data-protection fronts: requiring disclosure of training datasets, limiting what data may be shared with AI developers, and regulating the outputs generated by AI systems.

If you’re a subscriber, click here for the full edition of this update. Or, click here to learn more about our MultiState.ai+ subscription.

MultiState Associates
Next

Florida's "AI Bill of Rights" Tackles Chatbots and Privacy