19 AI laws in two weeks: what the state regulation patchwork means for franchise networks

The pace has changed

For most of the past several years, U.S. AI regulation at the federal level moved slowly enough that franchise networks could reasonably wait to see how things settled. That window has closed faster than most expected.

As of March 2026, 1,561 AI bills had been introduced across 45 states, according to data from the multistate.ai tracker and the Brookings Institution. That figure already exceeded the total number of AI bills introduced across all of 2024. Then, in the final two weeks of March 2026, governors in seven states signed 19 AI laws, jumping the year-to-date total of enacted laws from 6 to 25, according to Cooley's State AI Laws tracker.

Utah's Governor Spencer Cox alone signed nine AI bills during that two-week period, covering areas from AI literacy and deepfake restrictions to health insurance disclosure and government oversight. These are not aspirational frameworks. They are law, with compliance deadlines, enforcement authority, and penalties.

Morgan Lewis summarized the dynamic clearly in an April 2026 analysis: federal agencies are applying existing statutes to AI conduct while states move aggressively to enact targeted AI laws, and private plaintiffs are advancing novel liability theories in parallel. State enforcement is accelerating even as federal AI policy remains unresolved.

What franchise networks are actually facing

The compliance challenge for a franchise network is not simply a matter of reading one law and adapting. Reading different laws for each state in which locations operate, and then working out how franchisor-level tools and franchisee-level tools interact with each one, is the actual task.

Three states illustrate how different these requirements already are.

Colorado enacted SB 205, which creates what Cooley describes as the first comprehensive state AI regime. Effective June 30, 2026 (pending legal challenges and a proposed legislative revision that could shift the date to January 1, 2027), the law covers consequential AI decisions in eight domains: employment, housing, financial services, healthcare, education, insurance, government services, and legal services. Deployers must notify consumers when high-risk AI systems affect consequential decisions, conduct impact assessments, and retain records for three years. Penalties fall under the Colorado Consumer Protection Act, reaching up to $20,000 per violation. The Colorado Attorney General holds exclusive enforcement authority and has already signaled active intent.

California is running two distinct regimes simultaneously. SB 53, the Transparency in Frontier AI Act, took effect January 1, 2026, with penalties up to $1 million per violation enforced by the California Attorney General. Separately, the California Privacy Protection Agency finalized Automated Decision-Making Technology regulations under the CPRA, also effective January 1, 2026. These regulations apply a functional definition rather than an "AI" label: any computation that replaces human decision-making in employment, financial services, housing, healthcare, or education falls under its scope. Pre-use notices, opt-out rights, and impact assessments are all required before deployment.

The U.S. Chamber of Commerce has estimated that California's rules will impose approximately $16,000 in annual compliance costs on small businesses, combining the CalPrivacy obligations with related privacy and cybersecurity requirements.

New York takes a different approach. Its AI Disclosure Law, effective June 1, 2026, focuses on synthetic performers in advertising. Any commercial advertising that uses AI-generated models or performers distributed in New York, or targeted to New York consumers through digital channels, must include a conspicuous disclosure. Penalties start at $1,000 for a first violation and reach $5,000 for subsequent ones.

For a franchise network that produces national creative assets and pushes them to franchisees for local use, that law applies at the point of distribution, not at the point of creation. Akerman LLP has noted directly that New York's requirements "touch on classic franchise tensions: centralized control versus local execution, technological efficiency versus statutory disclosure, and brand uniformity versus state-by-state compliance."

New York's new AI requirements touch on classic franchise tensions: centralized control versus local execution, technological efficiency versus statutory disclosure, and brand uniformity versus state-by-state compliance.

The vendor contract problem

When franchise networks adopt AI tools, the compliance responsibility does not transfer to the vendor. That point is worth sitting with.

According to analyses by Jones Walker and CIO Magazine, 88% of AI technology providers cap their liability, typically at no more than a single month's subscription fee. Vendor contracts routinely claim broad data usage rights while committing to very little on the compliance side.

A franchise network deploying an AI scheduling tool, an AI-generated hiring workflow, or an AI-assisted pricing engine across locations in Colorado, California, and New York is the regulated deployer under each state's law. The vendor's terms of service will not provide coverage if the state attorney general comes calling.

Franchise Times captured the current practitioner view from Antonia Scholz at Cheng Cohen, a franchise-focused law firm: "Most of the conversations I have with clients are not about whether to use it, but more about building smart guardrails around how it's being used."

Most of the conversations I have with clients are not about whether to use it, but more about building smart guardrails around how it's being used.

Jessica Dempsey at Spadea Lignana, also speaking to Franchise Times, pointed to where those guardrails need to land structurally: "Comprehensive guardrails may include adding language around data privacy and compliance in franchise disclosure documents and operations manuals."

That framing matters. The FDD and operations manual are where franchisors set the terms of franchisee behavior. If franchisees are deploying AI-generated content in their local markets without understanding New York's disclosure requirements, or using an AI-assisted hiring tool without noticing that it triggers Colorado's consequential decision requirements, the franchisor is accountable for having failed to set standards that would have prevented that.

Where the patchwork stacks up

The difficulty is not any single state's law in isolation - it is the interaction between them.

A franchise network operating in 30 or more states is not facing a single compliance problem. It is facing potentially dozens of overlapping compliance requirements with different definitions of "AI," different scope rules for which decisions qualify as consequential, different notification requirements, different record-keeping timelines, and different enforcement agencies.

*Colorado effective date pending legal challenges and possible legislative revision to January 1, 2027.

The U.S. Chamber of Commerce has modeled what a broader application of Colorado-style regulations would mean at the national level: 92,000 jobs lost if applied broadly, with a potential $53.7 billion GDP impact by 2030. Their analysis reflects advocacy for a federal risk-based framework rather than a state-by-state patchwork, but there is no federal framework in place today, and the Trump administration's primary intervention has been to direct legal challenges to specific state laws rather than to enact replacement standards.

Colorado provides an early window into how contested this terrain will be. The Colorado AI Policy Work Group proposed replacing the original SB 205 with a streamlined regime, and a potential effective date shift to January 1, 2027 is under consideration. The U.S. Department of Justice joined xAI's lawsuit challenging SB 205 in April 2026, and the Colorado Attorney General agreed to halt enforcement pending a court ruling. The law is still real, its June 30 effective date remains the operative date unless changed, and the legal uncertainty is itself a compliance signal: the environment is actively contested, not resolved.

What governance looks like in practice

For franchise networks, the compliance response requires working at multiple levels simultaneously.

At the franchisor level, the FDD and operations manual are the levers. Franchise Times attorneys recommend adding AI-specific appendices and updating them annually as state laws take effect. These documents are also the mechanism for requiring franchisees to notify the franchisor before deploying new AI tools, because a franchisee installing an AI hiring assistant without franchisor review is a liability event the franchisor may not discover until after enforcement begins.

At the vendor management level, franchisors should audit current AI vendor contracts for liability caps and compliance commitments before assuming coverage exists. Requiring vendors to flag synthetic-performer content, include indemnity for nondisclosure, and maintain proof of disclosure compliance has become standard guidance from franchise-focused law firms. Most vendor contracts do not currently provide any of this.

At the system level, Colorado SB 205 includes a meaningful precedent: organizations that build governance on the NIST AI Risk Management Framework receive a statutory safe harbor under the law. That is not a California standard or a New York standard, but it signals the direction regulators are considering as they design compliance-by-design incentives.

The underlying dynamic

What is happening in state legislatures is not primarily a technology debate. It is a consumer protection debate, expressed in the language of automated decision-making.

When a franchise network uses AI tools to screen job applicants, determine pricing, approve financing, or generate the marketing materials that shape how prospective customers perceive a brand, regulators in Colorado, California, and New York have each decided those are consequential decisions that require accountability. Their definitions differ, their penalties differ, and their enforcement agencies differ. But the underlying intent is consistent: someone needs to be responsible.

In a franchise structure, the entity with the clearest accountability is the franchisor. Vendors will not carry it. Individual franchisees operating without guidance cannot be expected to track 19 new state AI laws in two weeks. The governance function lands at the center of the network.