Illinois is set to become the first US state to require annual third-party safety audits for AI systems. The bill (which, as of this writing, hasn’t yet been signed into law) would only apply to “large frontier developers” building the most computationally intensive models—essentially just OpenAI, Google, and a short list of others. Almost certainly not your organization.
But the structure Illinois chose is worth watching regardless of whether it applies to you directly.
AI governance best practices are still an open question, and there’s plenty of room for risk among the customers of frontier AI developers, even if those developers are adhering to strict safety standards themselves. Annual independent audits—the same model that's governed financial services and healthcare compliance for decades—may become the norm for businesses deploying AI models in their products and services, or even as internal tooling.
The bills moving in Illinois, Connecticut, and New York this session also confirm that states aren't waiting for federal AI legislation to materialize. That jurisdictional patchwork is already forming—and the compliance infrastructure privacy teams are building today will be the foundation they're asked to extend when the thresholds eventually come down.
If audit requirements for AI systems follow the same trajectory as state privacy law, how far out do you think you are from being in scope?
Best,
Arlo
Highlights From Osano
In Case You Missed It...
Blog: The Louisiana Data Privacy Act (LDPA): What to Know About Data Privacy Compliance on the Delta
Louisianans know how to let the good times roll–and nothing stops a good time dead in its tracks faster than a lack of privacy. Starting January 1, 2027, businesses serving Louisianans will need to honor privacy rights and meet key obligations to stay in compliance with the Louisiana Data Privacy Act (LDPA). Learn more in our blog.
Events
Webinar: Privacy Enforcement 2026: Regulators’ Focus and Compliance Priorities
2026 is more than halfway through, but it feels like a year’s worth of data privacy developments have already transpired—and there’s already more on the horizon. Join Osano’s Senior Privacy Program Manager Ashley Fowler and Red Clover Advisors’ Jodi Daniels for a webinar that’ll clarify the complexity of 2026’s privacy enforcement and compliance.
Save your seat | June 30, 1 pm EST
Top Privacy Stories of the Week
EU Member States (and Google) Suddenly Want to Keep Cookie Banners
One of the EU's Digital Omnibus’s proposals was to replace cookie banners with a browser-side automatic signal, sidestepping the need for consumers to endlessly indicate their privacy preferences in cookie banners. Privacy advocacy group NOYB reports that several EU member states and Google are lobbying to preserve cookie banners instead. They argue that the removal of cookie banners would effectively kill targeted advertising wholly.
EU Parliament Adopts AI Omnibus Including Ban on Nudifier Apps
The European Parliament has approved updates to the EU AI Act, including a ban on "nudifier" apps—tools that use AI to generate non-consensual intimate images. The amendments also postpone the application of certain parts of the AI Act for high-risk AI systems. The nudifier ban reflects growing regulatory attention to AI-enabled image abuse at the intersection of AI governance, data protection, and personal dignity rights.
Vermont Enacts Significant Amendments to Data Broker Law
Vermont Governor Phil Scott recently signed into law House Bill H. 211, which significantly amends Vermont’s existing data broker registration law by expanding compliance obligations, creating new consumer rights, enhancing registration requirements, adding data breach notification requirements, and strengthening enforcement and penalties for non-compliance.
Illinois Advances Frontier AI Transparency and Audit Requirements
Illinois is poised to become the first US state to require annual independent safety audits of high-risk AI systems. The law—among several AI bills crossing finish lines in Illinois, Connecticut, and New York—would require companies to assess and disclose potential harms, including privacy risks, on a regular basis. It's a clear signal that AI compliance is now an immediate operational reality.
Canada's Privacy Commissioner Finds Grok Chatbot and Deepfakes Violated Privacy Law
Canada's Office of the Privacy Commissioner has ruled that xAI's Grok violated PIPEDA by collecting personal data without adequate consent and without proper safeguards or sufficient consideration of potential privacy harms. The ruling is among the first by a major data protection authority to address the privacy implications of generative AI outputs, and could set a precedent for how regulators elsewhere treat synthetic media.
Like What You See in the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📱 The Osano Subreddit
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!
Arlo Gilbert
Arlo Gilbert is the CIO & co-founder of Osano. A native of Austin, Texas, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.
