Two weeks before a Series B close, the investor's counsel sends a questionnaire. One line reads: "Provide documentation of your compliance with applicable state AI laws, including Illinois HB 3773, NYC Local Law 144, Connecticut SB 5 / Public Act No. 26-15, Colorado SB 26-189, California's ADMT obligations, Texas TRAIGA, and any other laws applicable to your hiring, consumer, and user-facing decision processes."
The founder who paused compliance to wait out federal preemption has nothing to hand over. That turns into a negotiating point, a valuation haircut, or a closing condition they have to satisfy after the wire clears.
The state AI patchwork is now a diligence problem. The thesis of this piece is simple: build the file before investor counsel asks for it.
Federal preemption (that's when a federal law overrides state laws on the same subject, so states can't enforce their own rules) did not arrive. On July 1, 2025, the Senate stripped a proposed 10-year moratorium on state AI regulation out of the One Big Beautiful Bill reconciliation package by a vote of 99-1, as reported by the Senate Commerce Committee. One senator dissented. Then the 2026 National Defense Authorization Act, the second realistic vehicle for preemption, was enacted without the moratorium language, confirmed by the final NDAA bill text (S.2296). The White House issued Executive Order 14365 on December 11, 2025, directing the Department of Justice to challenge state AI laws in court. That is real pressure. But an executive order is a directive to federal agencies; it cannot cancel a state law that was properly passed. Only Congress can preempt state law, under the Supremacy Clause of the Constitution (Article VI), and Congress has said no twice.
State obligations are already live or imminent. If your company uses AI in hiring, lending, insurance, healthcare, housing, education, credit, or another decision that materially affects a person, and your employees, applicants, customers, or users touch Illinois, New York City, Connecticut, Colorado, California, or Texas, you may already have state or local AI obligations. The map keeps growing. Governor Jared Polis signed Colorado Senate Bill 26-189 on May 14, 2026, repealing and reenacting the original Colorado AI Act and replacing the earlier framework with a narrower version that takes effect January 1, 2027. Two weeks later, on May 27, 2026, Connecticut Governor Ned Lamont signed SB 5, enacted as Public Act No. 26-15, one of the most comprehensive state AI laws in the country. Connecticut now sits alongside Illinois, Colorado, California, Texas, and New York City in the state-and-local AI compliance map, with some obligations already live and others entering their build window now.
The practical answer is building a state AI compliance file. Not a compliance overhaul. Many founders using off-the-shelf AI tools have pieces of the required process already in place. The problem is that nothing's written down, nobody owns it, and no document proves it. That documentation gap is the center of gravity here, and it matters more than the compliance gap because it is the one investors actually surface in diligence.
This piece is the long-form companion to Issue 06 of The Thursday Redline, my LinkedIn newsletter. The Redline has the quick-action version. This one goes deeper: the state AI compliance map, the founder self-screen you can run in a few minutes, and how a documentation gap becomes a deal variable before you even know there's a problem.
Why Waiting for Preemption Is No Longer Defensible
Four events define where things stand today, and each one eliminates a planning assumption founders have been leaning on.
The Senate 99-1 vote (July 1, 2025). Senators Marsha Blackburn (R-TN) and Maria Cantwell (D-WA) amended the One Big Beautiful Bill to strip out the proposed 10-year preemption provision. It wasn't close. The lone dissent came from Senator Thom Tillis (R-NC). A 99-1 vote in this Senate is as clear a bipartisan signal as the chamber produces.
The 2026 NDAA omission (autumn 2025). The 2026 National Defense Authorization Act (S.2296) was the second realistic legislative vehicle for preemption. It passed without the moratorium language, after pushback from House Armed Services Committee Chair Mike Rogers (R-AL), Senate Armed Services Committee Ranking Member Jack Reed (D-RI), and state policymakers who argued that letting states experiment with AI rules was producing useful data.
Colorado SB 26-189 signed (May 14, 2026). Colorado didn't wait for Washington. The new law repeals and reenacts the original Colorado AI Act, replacing the earlier framework with a narrower, disclosure-and-human-review-focused statute that takes effect January 1, 2027. The Colorado General Assembly's bill page carries the final text.
Connecticut SB 5 signed (May 27, 2026). Less than two weeks after Colorado, Connecticut enacted Public Act No. 26-15, a comprehensive AI and online-safety law covering employment AI, consumer-facing AI companions and chatbots, synthetic-content provenance, and AI-related layoff notices. It is the newest entry on the map, and it lands while founders are still absorbing Colorado. The direction of travel is one way: the count of state regimes goes up, not down.
The bet that preemption arrives before the next diligence questionnaire is no longer a planning assumption you can defend.
What Does This Mean for Business Decisions?
The risk shows up when a founder assumes the patchwork is somebody else's problem.
Growth-stage companies scaling nationally are exactly the companies most likely to have an engineer in Illinois, a job posted to a NYC board, and customers in California and Texas. That overlap isn't a coincidence. It's where startup activity concentrates. The practical effect: most growth-stage founders are already operating inside the scope of at least two of these laws, whether they've registered that or not.
The decision point isn't "do I need to comply?" It's "can I prove I've complied?" Those are different questions with different price tags. A company that's been running a standard AI-powered applicant tracking system since January 2026 may already be doing most of what Illinois HB 3773 requires. But if nobody wrote down the notice they gave candidates or the basis for their hiring decisions, they can't show that to an investor's diligence counsel, and they can't show it to an Illinois Department of Human Rights investigator either.
This is how the documentation gap surfaces: not in an enforcement letter or a court filing, but in that diligence questionnaire. Investors can tell the difference between a file you kept as you went and a record you reconstructed under deal pressure.
Our read is that the documentation gap is more common right now than the compliance gap. Many founders are closer to compliance than they think, but farther from proving it than they realize. The problem is that nothing's in writing, no owner is assigned, and no document proves it. The practical job in front of most founders isn't a compliance overhaul. It's a documentation build.
One honest counterpoint: a founder with zero connection to any of these six jurisdictions (the five states plus New York City) doesn't have live exposure under these specific laws. No Illinois or Connecticut employees, no NYC-based roles, no consumer-facing AI reaching Connecticut residents, no Colorado or California customers, no Texas users? Then the laws covered here don't reach you today. That founder gets rarer as companies scale nationally, but they exist. The self-screen below names the triggers precisely so you can check your own situation instead of guessing.
The State AI Compliance Map: Six Active Regimes, One Federal Overlay, and a Sector-Specific Layer
What follows is a plain-English reference for the five state laws, New York City's Local Law 144, and the federal layer sitting on top of them. It isn't a substitute for legal analysis. It's a working map for a leadership conversation about where to focus first.
A couple of terms you'll see repeated, in plain English. A deployer is the company that uses an AI system in its own operations (you, if you run the hiring tool). A provider or developer is the company that built the AI and sold it to you. A consequential or significant decision is one that materially affects a person's access to a job, a loan, housing, insurance, education, or healthcare. And a private right of action means an individual can sue you directly; where it's absent, only a government agency can bring a case.
Illinois HB 3773 (amends the Illinois Human Rights Act, 775 ILCS 5)
Trigger: Your company uses AI to influence or support any employment decision affecting Illinois employees or applicants, including hiring, promotion, discharge, discipline, tenure, or terms and conditions of employment.
Obligation: Give written notice to candidates and employees when AI is used to inform an employment decision. Discriminatory impact from AI use is prohibited, including disparate-impact liability, which means you can be on the hook for an outcome that disadvantages a protected group even without any intent to discriminate.
Enforcer: Not a direct path to court. An aggrieved employee or applicant files a written charge with the Illinois Department of Human Rights (IDHR) within one year of the alleged violation. (A "charge" is a formal complaint that opens an agency investigation.) IDHR investigates. If it finds substantial evidence, it files a complaint with the Illinois Human Rights Commission. Only after that administrative process runs its course, or if the complainant opts to bypass it under Section 7B-102 of the IHRA, can a civil lawsuit be filed in Illinois Circuit Court. There is a gate in front of the courthouse that adds time and a required step before litigation is even possible.
Status: Live since January 1, 2026.
Diligence artifact: Investor diligence asks for your candidate-notice records, a list of which AI tools feed your employment decisions, and any IDHR charge history. That's the file.
NYC Local Law 144
Trigger: Your company uses an automated employment decision tool (AEDT, meaning software that screens or ranks candidates) for NYC-based positions, including remote roles that report to a NYC office.
Obligation: Commission and publish an annual independent bias audit of any such tool used in NYC hiring. Post the audit results on your public website. Notify candidates and employees before you use it. A "bias audit" is an impartial evaluation by a third party assessing whether the tool produces discriminatory results across demographic groups.
Enforcer: No private right of action; individuals can't sue directly. The NYC Department of Consumer and Worker Protection (DCWP) enforces it. Penalties run $500 to $1,500 per violation per day. A December 2, 2025 audit by the New York State Comptroller found earlier enforcement had been weak: DCWP flagged only 1 violation while auditors found 17 or more in the same sample. DCWP committed to shifting from reactive complaint-handling to proactive enforcement starting in 2026.
Status: Effective since July 5, 2023; enforcement materially ramping in 2026.
Diligence artifact: The bias audit report, the public URL where it's posted, and any DCWP correspondence. If you can't produce the audit, you can't clear this line item.
Connecticut SB 5 / Public Act No. 26-15 ("An Act Concerning Online Safety")
Trigger: Broad and multi-part. It reaches employers using automated employment decision tools on Connecticut employees or applicants; companies offering consumer-facing AI to Connecticut residents, including AI companions and chatbots, synthetic-content and other generative tools; and large generative-AI providers.
Obligation: For employment AI, developers must give deployers the information deployers need, and deployers must notify affected employees and applicants. Using an AI tool is not a defense to a discrimination claim, and courts may weigh anti-bias testing. For consumer-facing AI, companion-chatbot safety protocols and disclosures with heightened protections for minors. Large generative-AI providers must embed provenance data in content their systems generate or materially alter. Employers issuing layoff notices must disclose whether the layoffs relate to AI.
Enforcer: Connecticut Attorney General. No private right of action for the employment and chatbot provisions.
Status: Signed May 27, 2026. Effective dates are staggered: most provisions, including provenance and the layoff-notice rule, October 1, 2026; companion-chatbot safeguards January 1, 2027; the employment developer and deployer notice obligations October 1, 2027.
Diligence artifact: Employment notice records and the list of tools that feed those decisions; consumer-facing disclosures and self-harm and minor-user safety-response documentation; synthetic-content provenance records; and any governance records you rely on.
Colorado SB 26-189 (repeals and reenacts the original Colorado AI Act, SB 24-205)
Trigger: Your company uses automated decision-making technology that materially shapes consequential decisions (employment, education, lending, financial services, insurance, healthcare, and essential government services) affecting Colorado residents.
Obligation: Give a clear, conspicuous notice before the AI-influenced decision, at the point of interaction. After an adverse outcome driven by the AI, provide a plain-language explanation within 30 days. Let affected people correct inaccurate personal data. Provide a real human review and a second look on request. AI developers are also required to hand deployers the technical documentation they need.
Enforcer: Colorado Attorney General only. No private right of action.
Status: Signed May 14, 2026; effective January 1, 2027.
Diligence artifact: If you have Colorado-resident customers in any covered category, investors will ask for your notice setup, your human-review process, and records of any adverse-outcome disclosures. Year-end 2026 is the build window.
California CPPA ADMT Regulations
Trigger: Your business uses automated decision-making technology (ADMT, meaning any technology that uses computation to make or materially influence decisions) to make significant decisions affecting California consumers in lending, finance, housing, education, employment, or healthcare.
Obligation: Give notice before you use the AI in a significant decision. Let consumers opt out. Explain the logic behind a decision if a consumer asks. Allow correction of inaccurate personal data. The CPPA finalized these rules on September 23, 2025, confirmed by the CPPA's announcement.
Enforcer: California Privacy Protection Agency (CPPA) only. No private right of action.
Status: The regulations took effect January 1, 2026. Businesses subject to the ADMT requirements must comply with those specific obligations beginning January 1, 2027. So: the general regulatory framework is live now; the ADMT-specific compliance obligations phase in on January 1, 2027. In practical planning terms, 2026 is the build year for the 2027 ADMT deadline.
Diligence artifact: California consumer-facing AI companies, particularly in fintech, insurtech, and healthtech, face the most detailed notice-and-opt-out build. Investors in those sectors ask for CPPA documentation specifically: notice templates, opt-out mechanisms, and the data correction process.
Texas TRAIGA (HB 149, Responsible Artificial Intelligence Governance Act)
Trigger: Any company developing or deploying AI systems that Texas residents can access.
Obligation: Prohibits using AI for behavioral manipulation (exploiting someone's vulnerabilities or psychological weak spots to cause harm), unlawful discrimination, creating or spreading non-consensual intimate images or unlawful deepfakes, and infringing constitutional rights. Liability turns on intent.
Enforcer: Texas Attorney General only. No private right of action. Penalties run $10,000 to $200,000 per violation, plus $2,000 to $40,000 per day for continuing violations.
Safe harbor note: TRAIGA provides an affirmative-defense protection for companies that can demonstrate substantial compliance with the NIST AI Risk Management Framework (NIST AI RMF, the federal voluntary governance standard published by the National Institute of Standards and Technology, organized around four functions: Govern, Map, Measure, and Manage) or comparable standards. This is a meaningful protection, not a guarantee of immunity in every scenario, but documenting substantial compliance with a recognized governance framework is the fastest route to preserving that defense.
Status: Signed June 22, 2025 by Governor Greg Abbott; effective January 1, 2026. Bill text at the Texas Legislature's official archive.
Diligence artifact: Investors with Texas-reaching portfolio companies ask whether you've documented substantial compliance with the NIST AI RMF or an equivalent governance framework before deployment. That documentation is the affirmative-defense record.
Federal Overlay (Executive Order 14365 + DOJ AI Litigation Task Force + FTC)
What it is: Not preemption. Federal pressure through three channels: (1) the DOJ AI Litigation Task Force, created by EO 14365, to find and challenge state AI laws federal agencies believe clash with national AI policy; (2) a spending lever through BEAD broadband program funds tied to a state's posture; (3) an FTC policy statement on AI and unfair or deceptive practices under Section 5 of the FTC Act.
Why it isn't preemption: An executive order tells federal agencies what to do. It cannot override or cancel a state law that was properly passed. Only Congress can preempt state law under the Supremacy Clause. State attorneys general keep their enforcement authority while federal litigation plays out, and federal appeals can take years.
A second federal action (June 2, 2026): A White House fact sheet and executive order, "Promoting Advanced Artificial Intelligence Innovation and Security," set a federal AI security and innovation agenda: AI-enabled cybersecurity tools, critical-infrastructure protection, an AI cybersecurity clearinghouse, classified frontier-model benchmarking, voluntary federal early-access frameworks, and enforcement against AI-enabled cybercrime. It speaks to frontier developers, federal contractors, cybersecurity vendors, and critical-infrastructure operators, and it expressly disclaims creating any mandatory federal licensing, pre-clearance, or permitting for developing or releasing AI models. It does not touch the state-law obligations that apply when you use AI in hiring, consumer, healthcare, lending, housing, insurance, or education decisions. Federal AI security policy and state AI compliance documentation now run on parallel tracks.
Status: EO 14365 signed December 11, 2025. The June 2, 2026 fact sheet and executive order followed. The litigation strategy and Commerce Department policy notice timing are still developing.
Diligence artifact: Federal litigation pressure matters for enterprise sales and government contracting. It does nothing to reduce the compliance documentation investors are asking for in diligence right now.
The Sector-Specific Layer
Underneath the six-jurisdiction map sits a second layer: states regulating AI by sector rather than across the board. Georgia now has chatbot and minor-safety rules (SB 540, effective July 2027) and a healthcare rule limiting AI-only insurance coverage decisions (SB 444, effective January 2027). Maryland enacted the first state law restricting personalized pricing in the food sector (HB 895, effective October 2026). Maine regulates AI in the delivery of mental-health services, keeping a licensed clinician responsible for therapeutic decisions rather than a chatbot (LD 2082). The point is not to track every state bill. The point is to stop assuming the six-regime map is complete if your product sits in a regulated sector like healthcare, insurance, consumer pricing, mental health, or conversational AI. A sector law can ask for documentation none of the six general regimes do, and it can surface in the same diligence questionnaire.
The State AI Compliance File
This is the founder's minimum file. An investor's counsel will ask for some version of each item below. Building it before diligence opens is faster and cheaper than reconstructing it under deal pressure.
1. AI systems inventory. A list of every AI system your company uses in decisions that affect employees, applicants, customers, or users. Name the system, the vendor, and what decision it informs.
2. Jurisdictions triggered. A mapping of which state laws apply to your operations, based on where your employees, applicants, and customers are located. This is the output of the self-screen below.
3. Notices and disclosures in use. The actual notice language you give candidates and employees under Illinois, NYC, and Connecticut employment rules, the disclosures you give consumers under Connecticut, Colorado, and California rules, plus any Texas-facing governance disclosures your product or sales process uses. Where does the notice appear? Who owns it? When was it last reviewed?
4. Human-review or opt-out process. Documentation of how affected people can request human review or opt out of an AI-driven decision. This primarily covers Colorado and California. For NYC, keep the related candidate notice and bias-audit process in the same file. A process that exists in practice but isn't written down doesn't hold up in diligence.
5. Vendor documentation. The technical documentation your AI vendors have provided, including any representations about their systems' design, testing, and known limitations. Colorado SB 26-189 requires developers to supply this to deployers; asking your vendor for it is a reasonable first step regardless of which state applies.
6. Bias audit or assessment records. If you post NYC-based roles and use a screening tool, this is the annual independent bias audit and the public link to its results. If you are building toward the California ADMT obligations or Texas safe harbor, any internal assessment of your AI's outputs on protected groups goes here.
7. Named internal owner and last review date. One named person responsible for keeping this file current, and the date of the last review. A file with no owner ages out quickly and reads as abandoned in diligence.
Founder Self-Screen
You don't need a lawyer to run these. They tell you whether your company has live exposure now or a 2027 build deadline you need to plan for today.
1. Does my company use AI in hiring or employment decisions involving Illinois or Connecticut employees or applicants?
"Employment decision" under Illinois HB 3773 covers recruiting, hiring, promotion, discipline, renewal, discharge, and the terms and conditions of employment. "AI" here includes commercial AI-powered applicant tracking systems, any screening tool with an algorithmic scoring component, and AI-assisted resume review. If yes, Illinois HB 3773 has applied to you since January 1, 2026, and the notice to candidates and employees should already be in place. Connecticut's Public Act No. 26-15 adds developer and deployer notice obligations for employment AI that phase in October 1, 2027, and it makes clear that using an AI tool is not a defense to a discrimination claim.
2. Do I post NYC-based roles, or remote roles that report to a New York City office?
If yes, NYC Local Law 144 requires an annual independent bias audit of the screening tool and the audit results posted publicly. The enforcement shift documented in the December 2025 Comptroller audit means 2026 is the year the city is going looking rather than waiting for complaints. Your gap is the audit itself and the records of how you use the tool.
3. Do I offer subscription AI, AI companions, synthetic-content tools, or other consumer-facing AI to Connecticut residents?
If yes, Connecticut's Public Act No. 26-15 reaches you. Companion-chatbot safety protocols and disclosures take effect January 1, 2027; provenance for large generative-AI providers and most other provisions take effect October 1, 2026. Your artifacts are consumer disclosures, self-harm and minor-user safety-response documentation, and synthetic-content provenance records.
4. Does my company use AI in consequential decisions affecting Colorado or California residents, or deploy AI systems that Texas residents can access?
For Colorado and California, January 1, 2027 is your planning window: the notice setup and human-review or opt-out process need to exist before year-end 2026. Texas is a different question. The obligation is live now, and it turns on prohibited-use categories plus an affirmative defense; documenting substantial compliance with the NIST AI RMF or an equivalent framework is the fastest route to preserving that defense.
5. Are you in a regulated sector, such as healthcare, insurance, consumer pricing, mental health, conversational AI, or frontier-model development?
If yes, the six-jurisdiction map above is not the whole picture. Run a sector-specific check before diligence does, and don't assume the general regimes are complete.
If you answered yes to any of these, the next move is figuring out who in the company owns the compliance documentation for each obligation and what document actually proves it.
Decision Framework
In a leadership meeting, three questions do the work. Which of your AI systems shape decisions that materially affect a person (hiring tools with algorithmic scoring, loan-decisioning models, credit scorers, insurance underwriting, not a dashboard that only produces internal reports)? Which of the six jurisdictions do your employees, applicants, and customers actually touch? And if diligence counsel asked for your state AI compliance file today, what could you hand over? A yes to either of the first two with no answer to the third is the gap this article is about, and the point to bring counsel in.
Audience-Specific Implications
For Founders
The preemption window has closed. The job in front of you is a documentation build, not a compliance overhaul. Most companies using off-the-shelf AI tools are already close to what these laws require; the gap is that nothing's in writing and no one owns it. That gap is what surfaces in a term sheet conversation.
For Investors and Boards
State AI compliance is now a standard diligence category, alongside data privacy, security, and IP chain of title. A target using AI in hiring or consequential consumer decisions without documentation is carrying a gap that gets priced in, conditioned, or passed to the next round. Boards should add one standing question: which state AI laws apply to our product, and what documentation proves we comply?
What We're Seeing in Practice
In conversations with founders prepping for Series A and Series B rounds this year, the pattern keeps repeating. State AI law compliance isn't on the diligence prep list until the investor's counsel asks for it. The question tends to surface in the technology-and-legal-compliance section of the questionnaire. The founders who've been tracking it are ready. The ones who haven't scramble to reconstruct documentation for practices they've been following informally, and that reconstruction is harder than building the file from scratch. A retroactive record reads differently from one you kept as you went. Investors notice the difference.
A related pattern: founders who started building toward the original Colorado AI Act's impact-assessment and duty-of-care requirements, then stopped when the fight over that law heated up, are now finding out that SB 26-189 is a different statute with a different set of obligations. The work they started isn't wasted, but it isn't finished. The notice, disclosure, and human-review obligations in SB 26-189 call for a different documentation structure.
Practical Takeaways
- Run the founder self-screen before your next board meeting, and assign an owner to each yes. The screen tells you which jurisdictions apply based on how you actually operate. Each yes needs a named internal owner and a date the documentation will be complete. No owner means no documentation, and no documentation means a diligence gap.
- Build the State AI Compliance File before your next financing round, and assign an owner to keep it current. The seven-item file above is what diligence counsel will ask for, and a record kept as you went reads differently than one assembled under a deal clock. This is also where the supporting artifacts live: your Illinois and Connecticut employment notices, your NYC bias audit, your Texas NIST AI RMF substantial-compliance record, and any sector-specific documentation.
- If you post NYC roles, treat the Local Law 144 bias audit as a 2026 budget line item, not a someday problem. DCWP has committed to proactive enforcement. If you haven't commissioned the annual audit, Q3 2026 is the window before enforcement risk sharpens. The audit and its public posting are the visible artifacts diligence asks for first.
- Treat the 2026 and 2027 deadlines for Colorado, California, and Connecticut as build windows that are already open. Colorado SB 26-189 and California's ADMT obligations both phase in January 1, 2027; Connecticut's employment-notice obligations follow on October 1, 2027, with its consumer-facing safeguards live sooner. Each requires notice and decision-rights infrastructure, though the specific rights differ, so the build has to start now. Texas TRAIGA is already live, and a documented NIST AI RMF substantial-compliance record is the fastest way to preserve its affirmative defense.
- Understand that federal action is pressure, not protection. Executive Order 14365 and the June 2, 2026 federal AI security action run on a track aimed at frontier developers, federal contractors, and critical-infrastructure operators. Neither wipes out your state obligations. Federal litigation takes years, and state attorneys general keep their enforcement authority while it proceeds. Federal AI security policy and state AI compliance documentation now run on parallel tracks.
Closing Perspective
Congress had two clean shots at preempting state AI law: the reconciliation bill and the NDAA. It took neither. The 99-1 vote wasn't a procedural fluke. It was a bipartisan statement that state AI experimentation has enough support to survive even when the White House would rather it didn't. An executive order can't close that gap.
The honest uncertainty here is the DOJ litigation track. If federal courts start issuing injunctions against specific state AI laws, the picture could shift. But an injunction against one statute on one claim isn't federal preemption. Until Congress acts, every state law that was validly enacted stays valid. That's where your planning has to start.
The founders best positioned for the next wave of diligence aren't the ones with the most elaborate compliance programs. They're the ones who ran the screen, assigned owners, and built a file. A process that runs in practice but lives nowhere on paper doesn't survive diligence. The file doesn't have to be long. It has to exist and it has to be current, because the investor's counsel is going to ask for it.
Build the file before they ask. In this patchwork, the file is the play.
This article is general educational analysis, not individualized legal advice, and it offers no client-specific recommendations or outcome guarantees. Every company's situation is different. Consult qualified legal counsel before making compliance decisions based on the developments discussed here.