Last reviewed: April 26, 2026
Key Takeaways
- The US has no AI-specific liability statute. When AI causes harm, plaintiffs use existing legal theories: product liability, negligence, discrimination statutes, biometric privacy laws, and consumer protection.
- The most consequential ruling so far: Mobley v. Workday (N.D. Cal., 2025) held that an AI vendor can be liable as an employer’s “agent” under Title VII. This means plaintiffs can now sue AI tool makers directly — not just the companies that deploy them.
- Section 230 probably does not protect AI-generated content. Courts and the Congressional Research Service increasingly distinguish between platforms distributing third-party content (protected) and platforms generating content through AI (not protected).
- BIPA settlements exceed $3 billion cumulatively. Illinois’s biometric privacy law — with its private right of action — has generated more AI-related damages than all federal enforcement combined.
- The EU withdrew its AI Liability Directive in October 2025, leaving both the US and EU without a dedicated AI liability framework. The difference: the EU still has the Product Liability Directive (2024 revision). The US has tort law.
The US AI Liability Patchwork
No single federal law governs AI liability. Instead, practitioners face overlapping frameworks at the federal, state, and common law levels. This is not a gap — it is a feature of the US legal system. The question is never “is there a law?” but “which of the many applicable laws applies?”
The frameworks, roughly in order of litigation volume:
- Product liability (tort law) — AI as defective product
- Biometric privacy (state statutes, especially Illinois BIPA) — AI using biometric data
- Employment discrimination (Title VII, ADA, ADEA, state laws) — AI in hiring
- Consumer protection (FTC Act Section 5, state UDAP) — deceptive or unfair AI
- Copyright (Copyright Act) — AI training on protected works
- Sector-specific (FCRA, ECOA, HIPAA, FDA SaMD) — AI in regulated industries
- Section 230 — immunity question for AI-generated content
Legal Theories for AI Harm
Product Liability: Is AI a “Product”?
The threshold question in AI product liability is whether software — and AI specifically — qualifies as a “product” subject to strict liability. Courts are trending toward yes.
Garcia v. Character Technologies (2025, M.D. Fla.): A teenager’s family sued Character.AI after the teen died by suicide following extensive interactions with an AI chatbot. The court treated the AI chatbot as a “product” for purposes of the plaintiff’s defect claims. This is the first major ruling applying product liability analysis to an AI application.
Social Media Addiction MDL (March 2025): The court allowed negligent design claims against social media platforms using a functionality-based test for product status — not requiring physical tangibility. This reasoning extends naturally to AI systems.
Design defect theory for AI: The emerging argument treats an AI system’s training data, architecture choices, safety guardrails (or absence of them), and alignment techniques as “design” decisions that can be defective. If a reasonable alternative design — better guardrails, different training data, additional safety filters — would have reduced the risk, the AI system may be defectively designed.
California reinforced this with AB 316 (2025), which precludes “the AI acted autonomously” as a defense in civil litigation. You cannot blame the AI.
Employment Discrimination: AI as Employer’s Agent
AI hiring tools face claims under Title VII (race, sex, religion), the ADA (disability), the ADEA (age), and state equivalents.
Mobley v. Workday (N.D. Cal., 2024-2025): The court held that Workday — an AI hiring platform — could be liable as an “agent” of the employer under federal discrimination statutes. Class action certified in May 2025. This ruling is consequential because it opens a path for plaintiffs to sue the AI vendor directly, not just the employer that purchased the tool. Before this ruling, AI tool makers could argue they were not the decision-maker.
Harper v. Sirius XM (E.D. Mich., 2025): Alleges AI screening tools used zip codes and educational institutions as race proxies. The plaintiff was rejected from approximately 150 positions. Class certification sought for Black applicants rejected since January 2024.
Intuit/HireVue (2025): A deaf Indigenous employee filed an administrative complaint after HireVue’s AI video interview tool failed to accurately capture their speech through automatic speech recognition, leading to a denied promotion. Filed with EEOC and Colorado Civil Rights Division by ACLU and Public Justice.
Biometric Privacy: The $3 Billion Engine
Illinois BIPA (740 ILCS 14) is the single most consequential AI-adjacent law in US litigation — driven entirely by its private right of action and per-violation penalty structure ($1,000 negligent, $5,000 intentional).
Major settlements:
| Case | Amount | AI Technology |
|---|---|---|
| Meta (Facebook) | $650M | Facial recognition auto-tagging |
| Meta (Texas CIPA) | $1.4B | Facial recognition without consent |
| | $100M | Facial grouping in Photos |
| TikTok | $92M | Facial feature analysis |
| Clearview AI | $51.75M | 3B+ scraped facial images |
| BNSF Railway | $228M (verdict) | Fingerprint scanning |
SB 2979 (August 2024) capped per-violation damages at one recovery per person per collection event, producing a 34% decline in settlement values from 2024 ($206M) to 2025 ($136.6M). But BIPA litigation remains massive — and other states (Texas CIPA, Washington) have their own biometric laws.
Consumer Protection: FTC Section 5
The FTC uses its Section 5 authority (“unfair or deceptive acts or practices”) to enforce against AI systems. Key precedents:
Rite Aid (2023): First FTC action targeting algorithmic discrimination. Rite Aid deployed facial recognition that generated false-positive shoplifting alerts disproportionately affecting women and people of color. Remedy: 5-year ban on facial recognition plus deletion of all AI models and training data.
Everalbum/Paravision (2021): First “algorithmic disgorgement” order — the FTC required deletion of AI models trained on improperly collected data. This remedy has been applied repeatedly since.
Operation AI Comply (September 2024): Coordinated sweep targeting AI business opportunity schemes. DoNotPay ($193K), Ascend Ecom (banned), FBA Machine (banned), Air AI (banned March 2026). The Rytr consent order was set aside by the Trump-era FTC in December 2025.
Section 230 and AI: The Unsettled Question
Section 230 of the Communications Decency Act provides immunity for platforms distributing third-party content. The critical question: when AI generates content, is that the platform’s own speech or third-party content?
The Congressional Research Service (LSB11097) concluded that Section 230 immunity is “unlikely to apply” where the AI agent itself generates material portions of the content. Courts are tracking this direction:
- Platform distributes user content → Section 230 likely applies
- Platform’s AI modifies user content → Possibly applies (case-by-case)
- Platform’s AI generates original content → Likely does not apply
- AI chatbot gives advice that causes harm → Likely does not apply
The Social Media Addiction MDL (March 2025) reinforced this distinction: Section 230 protects against claims targeting third-party content, not claims targeting the platform’s own design architecture. An AI chatbot’s responses are the platform’s product, not a user’s speech.
For companies deploying AI chatbots, customer service bots, or recommendation engines that generate original content: do not rely on Section 230 as a defense. Structure your liability mitigation around product liability and negligence instead. Note that Senator Marsha Blackburn’s TRUMP AMERICA AI Act discussion draft (March 18, 2026) proposes repealing Section 230 entirely for AI outputs and creating a federal AI liability cause of action with private right of action — if enacted, it would explicitly remove Section 230 as a defense and add a new federal liability layer beyond state tort law. See our White House AI Framework analysis for the legislative context.
State Laws Creating New Liability Pathways
Three state laws create liability exposure beyond what federal law provides:
Colorado AI Act (SB 24-205, effective June 30, 2026). Creates a duty of care for developers and deployers of high-risk AI systems. Violations are treated as deceptive trade practices with up to $20,000 per violation. AG-exclusive enforcement. NIST AI RMF compliance provides an affirmative defense.
Texas TRAIGA (HB 149, effective January 1, 2026). Narrower scope — prohibits specific harmful uses (CSAM, behavioral manipulation, biometric capture without consent, discrimination). Intent-based liability with penalties up to $200,000. See our TRAIGA compliance guide.
Washington HB 2225 (signed March 2026). Regulates AI companion chatbots interacting with minors. Notable because it includes a private right of action — the first state AI law to do so outside of BIPA. This creates direct litigation exposure for AI chatbot providers.
US vs. EU: Two Liability Models
| Dimension | US | EU |
|---|---|---|
| Dedicated AI liability law | None | AI Liability Directive withdrawn Oct 2025 |
| Product liability for AI | Tort law (Restatement Third) | Product Liability Directive (2024 revision, effective 2026) |
| Burden of proof | Plaintiff must prove defect, causation, damage | PLD creates presumption of defect for high-risk AI when output-based proof is disproportionately difficult |
| Discovery/evidence access | Broad discovery rights | PLD Art. 8: right of access to evidence from manufacturer |
| Enforcement model | Private litigation + agency enforcement | National courts + market surveillance authorities |
| Penalties | Case-by-case (damages, injunctions) | PLD: unlimited damages; AI Act: up to EUR 35M / 7% turnover |
| Class actions | Yes — active and growing | Limited (EU Representative Actions Directive, 2023) |
The EU withdrew its AI Liability Directive in October 2025, leaving a gap. But the revised Product Liability Directive (effective 2026) fills much of it by explicitly covering software and AI as “products” and creating a burden-shifting presumption for AI defects. For the full EU side of this comparison, see our EU Product Liability Directive guide. The US has no equivalent — plaintiffs must still prove their case under traditional tort standards.
For multinational companies: the EU’s Product Liability Directive will likely be the higher standard. Build your documentation and testing practices to meet EU requirements, and US litigation defense follows naturally.
Reducing Your AI Liability Exposure: 6 Steps
1. Document everything. Design decisions, training data provenance, safety evaluations, known limitations, and deployment context. In US litigation, what you documented matters as much as what you built.
2. Test for bias before deployment. The Workday, Sirius XM, and Rite Aid cases all involve AI systems that were deployed without adequate bias testing. Under both Colorado’s outcome-based standard and Texas’s intent-based standard, documented testing demonstrates good faith.
3. Implement the NIST AI RMF. The framework’s four functions (Govern, Map, Measure, Manage) provide a documented governance structure that supports litigation defense. Colorado explicitly names it as an affirmative defense.
4. Do not rely on Section 230. If your AI generates content, assume Section 230 does not protect you. Design your liability mitigation around product quality, safety guardrails, and user warnings instead.
5. Get biometric consent. If your AI processes facial geometry, voiceprints, fingerprints, or iris scans, get informed written consent before collection. The $3B+ in BIPA settlements demonstrates the cost of not doing this.
6. Monitor the insurance market. AI-specific insurance products are emerging (Armilla AI, Munich Re, Testudo), but major insurers (AIG, Travelers, Hartford) are also adding AI exclusions to standard policies. Review your coverage annually.
Sources
Primary Sources
- Garcia v. Character Technologies, M.D. Fla., Case No. 8:24-cv-02267 (2025)
- Mobley v. Workday Inc., N.D. Cal. (class certified May 2025)
- Section 230, Communications Decency Act, 47 U.S.C. § 230
- Congressional Research Service, “Generative Artificial Intelligence and Section 230,” LSB11097
- Illinois BIPA, 740 ILCS 14
- Colorado SB 24-205, AI Act (leg.colorado.gov)
- California AB 316 (2025)
Analysis
- Gibson Dunn, “AI Litigation Tracker” (gibsondunn.com)
- McGuireWoods, “Can Social Media or AI Be a Defective Product?” (March 2026)
- Fisher Phillips, “Comprehensive Review of AI Workplace Law and Litigation” (January 2025)
- Duane Morris, “Annual BIPA Report” (2025 edition)
- CRS, “Generative AI and Section 230” (congress.gov)
This article provides general information about AI regulation and does not constitute legal advice. Laws and policies change frequently. Consult qualified legal counsel for compliance decisions specific to your organization.