For years, the conversation about regulating AI went in circles. Too early. Too complex. Too risky to slow down. The industry would self-regulate. The market would sort it out.
Then it didn't. And now the laws are starting to come.
The RAISE Act took effect on March 19, 2026. Colorado's AI Policy Work Group released a revised framework the same month. California's Governor signed a new executive order tightening AI procurement standards for state contracts. The federal government is moving — slowly, but moving — on AI governance requirements that would impose transparency and accountability standards on companies that build and deploy AI systems.
This is genuinely good news. It's also incomplete. And understanding the difference matters if you're trying to make informed decisions about the AI tools you use.
What the new laws actually say
The RAISE Act — Responsible AI Safety and Ethics — establishes baseline requirements for AI systems deployed in high-stakes contexts: hiring, lending, healthcare decisions, and certain consumer applications. It requires companies to document how their AI systems make decisions, disclose when AI is being used in consequential contexts, and provide mechanisms for users to contest AI-driven outcomes.
It does not regulate how AI companies handle your conversational data. It does not require transparency about training practices. It does not set standards for engagement design. It focuses primarily on the decision-making outputs of AI systems, not on the data and design practices that shape those systems in the first place.
Colorado's framework goes further in some areas — particularly around algorithmic transparency and developer accountability — but it applies to Colorado-based deployments and carries significant carve-outs for smaller companies and early-stage systems.
The federal government's procurement clause, which generated significant industry pushback before being deferred, would have imposed strict "eyes off" data handling requirements and prohibited the use of government data for AI training. That language tells you something: even the most privacy-protective requirements being actively considered don't fully address what happens to your personal conversations with consumer AI products.
What's still not covered
Here's the honest reality of where AI regulation stands in 2026. The new laws are primarily focused on high-stakes automated decisions — the things AI does to you in contexts like employment and credit. They are much less focused on the things AI does with you in consumer contexts: conversations, emotional disclosures, behavioral data, training pipelines.
The questions that matter most to everyday AI users — does this app train on my conversations? Does it sell my data? Is it designed to maximize my engagement at the expense of my wellbeing? — are largely not addressed by any current law. They are left to company policies, terms of service, and the market.
Which is to say: they are left to trust.
And trust, in the absence of structural accountability, is a bet.
Why structure matters more than policy
We've been saying since we launched that Blob's privacy commitments are structural, not aspirational. We want to explain what we mean by that, because it's relevant to how you should evaluate any AI product — ours or anyone else's.
A privacy policy is a legal document. It tells you what a company intends to do. But intentions can change. Leadership changes. Business models change. Acquisition happens. A company that genuinely means its privacy promises today can, under different circumstances, mean something different tomorrow.
Structural commitments are different. When your business model is subscriber-funded — when your only revenue comes from the people who use your product — the incentive to monetize user data doesn't exist in the same way. There's no advertiser to satisfy. There's no data partner waiting for behavioral profiles. The financial logic of the business points in the same direction as the privacy promise.
That's what we mean by structural ethics. Not that companies with ad-based models are evil. But that the structure of a business shapes what it can and can't promise — and whether those promises hold under pressure.
What you can actually do right now
Regulation is coming, but it moves slowly and it won't cover everything. In the meantime, the most effective thing you can do is make informed choices about the tools you use.
A few things worth knowing before you decide how much to share with any AI platform:
Read the training section of the privacy policy. Not the whole thing — just the part about whether your conversations are used to train AI models. Most major platforms either train on user data by default or reserve the right to do so. Some require you to actively opt out. Some don't offer an opt-out at all.
Look at the business model. Free products need revenue. If an AI platform is free and doesn't charge for anything, ask yourself what they're getting instead. Usually, the answer involves your data in some form.
Notice the design. Does the app send you notifications pulling you back? Does it reward streaks or daily logins? Does the conversation feel designed to continue rather than to conclude? These are engagement mechanics — and they exist for a reason.
The regulation that's coming will eventually catch up to these practices. But "eventually" is doing a lot of work in that sentence. For now, the most reliable protection is a clear understanding of what you're agreeing to — and choosing accordingly.
FAQs
What is the RAISE Act?
The Responsible AI Safety and Ethics Act, which took effect March 19, 2026, sets baseline requirements for AI systems used in high-stakes decisions — hiring, lending, healthcare, and some consumer applications. It requires transparency about AI decision-making and gives users the right to contest AI-driven outcomes. It does not cover how AI companies handle conversational data or training practices.
Does the RAISE Act protect my AI conversations?
Not directly. The RAISE Act focuses on AI-driven decisions in consequential contexts, not on how consumer AI platforms handle the conversations you have with them. Your conversational data is largely still governed by company privacy policies and terms of service rather than federal law.
What is Colorado's AI regulation?
Colorado's AI Policy Work Group released a revised framework in March 2026 focusing on algorithmic transparency and developer accountability. It is more comprehensive than the RAISE Act in some areas but applies primarily to Colorado-based deployments and includes carve-outs for smaller companies.
Why doesn't regulation cover AI conversation data?
Consumer AI privacy is a newer and more politically complex area than AI decision-making in employment or credit. Regulators have moved faster on high-stakes automated decisions because the harms are more visible and legally established. Conversational AI privacy — including training practices, engagement design, and data monetization — is still largely unregulated at the federal level.
How does Blob's approach differ from what regulation requires?
Blob exceeds current regulatory requirements. We don't train on your conversations, encrypt your data at rest, retain conversations for only 90 days, run no ads, and earn revenue only through subscriptions. None of these practices are currently required by law — we chose them because we believe they're right, and because our business model makes them sustainable.
What should I look for in an AI privacy policy?
Focus on three things: (1) whether conversations are used to train AI models, (2) whether you can opt out and what that actually covers, and (3) what happens to your data if the company is acquired or changes its policies. These are the sections that matter most and are most often written to obscure rather than inform.